CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.10)
A flaw was found in ansible-core where the ansible-galaxy role install command processes dependency specifications from a role's meta/requirements.yml file. Due to improper neutralization of argument delimiters, a malicious role author can inject arbitrary git configuration flags through the src field, leading to arbitrary code execution on the machine of a user who installs the role.
HCL Digital Experience is affected by an OS command injection vulnerability in the Digital Asset Management API. An attacker may execute arbitrary operating system commands, typically inheriting the privileges of the vulnerable application, which could possibly lead to a complete system takeover and data compromise.
W wersjach Graphite przed 1.3.15 występuje problem z niedoborem całkowitym oraz wynikowym zapisem poza dozwolonym zakresem. Problem ten występuje w akcjach Graphite, ponieważ slotat nie zapewnia, że przesunięcie mieści się w dozwolonym zakresie mapy slotów.
In Moby (Docker Engine) before 29.5.1 and moby/moby v2 before v2.0.0-beta.14, when a compressed archive is uploaded to a container, the daemon resolves decompression binaries (e.g., xz, unpigz) from the container's filesystem instead of the host. A malicious container image with trojanized decompression binaries can achieve arbitrary code execution with full daemon privileges (host root UID and unrestricted capabilities).
Use after free in PDFium in Google Chrome prior to version 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file.
Use after free in PDFium in Google Chrome prior to version 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file.
Use after free in PDFium in Google Chrome prior to version 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file.
Use after free in PDFium in Google Chrome prior to version 149.0.7827.53 allowed a remote attacker to potentially exploit heap corruption via a crafted PDF file.
Use after free in PDFium in Google Chrome prior to version 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file.
Inappropriate implementation in LiveCaption in Google Chrome prior to version 149.0.7827.53 allowed a remote attacker to potentially perform out of bounds memory access via malicious network traffic.
Insufficient validation of untrusted input in Reader Mode in Google Chrome on Android prior to version 149.0.7827.53 allowed a local attacker to bypass navigation restrictions via a malicious file.
Inappropriate implementation in ImageCapture in Google Chrome prior to version 149.0.7827.53 allowed a remote attacker who compromised the renderer process to perform privilege escalation via a crafted HTML page.
Inappropriate implementation in WebView in Google Chrome on Android prior to version 149.0.7827.53 allowed a remote attacker to perform privilege escalation via a crafted HTML page.
An out of bounds read in DevTools in Google Chrome prior to version 149.0.7827.53 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
Insufficient validation of untrusted input in Reading List in Google Chrome on iOS prior to version 149.0.7827.53 allows a remote attacker who convinced a user to engage in specific UI gestures to perform privilege escalation via a crafted HTML page.
Inappropriate implementation in Extensions in Google Chrome prior to version 149.0.7827.53 allowed an attacker in a privileged network position to execute arbitrary code inside a sandbox via a crafted Chrome Extension.
Inappropriate implementation in Autofill in Google Chrome prior to version 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted HTML page.
Wykorzystanie po zwolnieniu pamięci w TabStrip w Google Chrome przed wersją 149.0.7827.53 umożliwia zdalnemu atakującemu wykonanie dowolnego kodu za pomocą spreparowanej strony HTML.
Przepełnienie całkowitej liczby całkowitej w GPU w Google Chrome przed wersją 149.0.7827.53 umożliwia zdalnemu atakującemu, który przejął proces renderowania, potencjalne wykonanie ucieczki z piaskownicy za pomocą spreparowanej strony HTML.
Niewystarczająca walidacja nieufnych danych wejściowych w API dostępu do pamięci w Google Chrome przed wersją 149.0.7827.53 umożliwiała zdalnemu atakującemu, który przejął proces renderowania, wyciek danych między źródłami za pomocą spreparowanej strony HTML.

