CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.10)

CVE-2026-11643
High

Use after free in Proxy in Google Chrome prior to version 149.0.7827.103 allowed a remote attacker to execute arbitrary code via malicious network traffic.

CVE-2026-11642
High

A use after free vulnerability in Web Apps in Google Chrome prior to version 149.0.7827.103 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page.

CVE-2026-11641
High

Use after free in Bluetooth in Google Chrome on Windows prior to version 149.0.7827.103 allows a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page.

CVE-2026-11640
High

Integer overflow in libyuv in Google Chrome prior to version 149.0.7827.103 allowed a remote attacker who compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.

CVE-2026-11639
High

Use after free in Compositing in Google Chrome on Mac prior to version 149.0.7827.103 allows a remote attacker to execute arbitrary code via a crafted HTML page.

CVE-2026-11637
High

A use after free vulnerability in Views in Google Chrome on Mac prior to version 149.0.7827.103 allowed a remote attacker to execute arbitrary code via a crafted HTML page.

CVE-2026-11636
High

A use after free vulnerability in Autofill in Google Chrome on Windows prior to version 149.0.7827.103 can be exploited by a remote attacker. The attacker can convince a user to perform specific UI gestures, potentially leading to heap corruption via a crafted HTML page.

CVE-2026-11635
High

Use after free in Bluetooth in Google Chrome on Mac prior to version 149.0.7827.103 allows a remote attacker who compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.

CVE-2026-11633
High

A use after free vulnerability in Bluetooth in Google Chrome on Mac prior to version 149.0.7827.103 allowed a remote attacker to execute arbitrary code via a malicious peripheral.

CVE-2026-11632
High

Use after free in TabStrip in Google Chrome prior to version 149.0.7827.103 allows a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page.

CVE-2026-11631
High

Use after free in Aura in Google Chrome on Windows prior to version 149.0.7827.103 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.

CVE-2026-11630
High

In Google Chrome prior to version 149.0.7827.103, there was a use after free vulnerability in the File Input component that could be exploited by a remote attacker to potentially corrupt heap memory via a crafted HTML page.

CVE-2026-11629
High

Use after free in Ozone in Google Chrome prior to version 149.0.7827.103 allows a remote attacker to potentially exploit heap corruption via a crafted HTML page.

CVE-2026-9669
High

bz2.BZ2Decompressor objects could be reused after a decompression error. If an application caught the resulting OSError and retried with the same decompressor, crafted input could cause the decompressor to resume from an invalid internal state and perform out-of-bounds writes to a stack buffer.

CVE-2026-44541
High

Fides is an open-source privacy engineering platform. From version 2.33.0 to before version 2.84.5, there is a DOM-based XSS vulnerability in fides.js via the fides_description override. This issue has been patched in version 2.84.5.

CVE-2026-49141
High

WACRM prior to commit 73041bf contains an authorization bypass vulnerability in the automation engine that allows authenticated attackers to access and modify contacts belonging to other tenants by supplying an arbitrary caller-controlled contact_id in the POST request body without tenant ownership verification.

CVE-2026-46484
High

Headplane, a feature-complete web UI for Headscale, was vulnerable to a path traversal and authorization bypass in the Headscale API client used for node and user rename operations prior to versions 0.6.3 and 0.7.0-beta.3. This issue has been patched in these versions.

CVE-2026-40519
High

Nginx Proxy Manager versions 2.9.14 through 2.15.1 contain an authenticated remote code execution vulnerability via OS command injection in the setupCertbotPlugins() function. This allows attackers with certificates:manage permission to execute arbitrary commands.

CVE-2026-11582
High

A flaw has been found in CodeAstro Student Attendance Management System 1.0 that allows SQL injection via manipulation of the 'Username' argument in the /attendance-php/index.php file. The attack can be performed remotely.

CVE-2026-46490
High

The samlify library for Node.js, used for SAML single sign-on, prior to version 2.13.0 improperly handled template substitution, allowing XML markup injection into attribute values. A user could add new <saml:Attribute> elements to the signed assertion, leading to privilege escalation.

PreviousPage 178 of 3362Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS