CVE Vulnerability Catalog

Translated CVE descriptions from NVD NIST - in English

CISA KEV catalog updated: (v2026.07.10)

CVE-2026-13031
High

Use after free in Blink in Google Chrome prior to version 149.0.7827.197 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.

CVE-2026-13030
Medium

Uninitialized use in GPU in Google Chrome on Android prior to 149.0.7827.197 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.

CVE-2026-13029
High

A use after free vulnerability in Web Authentication in Google Chrome prior to version 149.0.7827.197 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension.

CVE-2026-13028
Critical

A use-after-free vulnerability in WebGL in Google Chrome on Android prior to 149.0.7827.197 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

CVE-2026-13027
High

Use-After-Free vulnerability in the FileSystem component in Google Chrome prior to 149.0.7827.197 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. The issue was rated as High severity in Chromium security.

CVE-2026-13026
High

A Use-After-Free vulnerability in the Digital Credentials component in Google Chrome on Mac prior to version 149.0.7827.197 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. The issue is rated as High severity in Chromium.

CVE-2026-13025
High

A race condition in DevTools in Google Chrome prior to 149.0.7827.197 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.

CVE-2026-13024
Medium

Insufficient validation of untrusted input in Navigation in Google Chrome prior to 149.0.7827.197 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page.

CVE-2026-13023
Medium

Uninitialized Use in GPU in Google Chrome prior to 149.0.7827.197 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page.

CVE-2026-13022
Medium

An inappropriate implementation in Autofill in Google Chrome prior to 149.0.7827.197 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page.

CVE-2026-13021
Medium

An inappropriate implementation in DeviceBoundSessionCredentials in Google Chrome prior to 149.0.7827.197 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: High)

CVE-2026-12760
Medium

A DoS vulnerability in Tapo C200 v3 camera stems from improper handling of fragmented IPv4 packets. An unauthenticated adjacent attacker can send crafted packets causing excessive resource consumption and device instability.

CVE-2025-60471
Medium

A use-after-free vulnerability was found in the GPAC/MP4Box library before version 26.02.0 in the gf_filter_pid_reconfigure_task_discard function in filter_pid.c. An attacker can cause a Denial of Service (DoS) by supplying a crafted media file.

CVE-2026-55611
Unknown

The AnythingLLM application has a vulnerability that allows managers or admins to delete parsed files of other users in any workspace, even if they are not members. The issue arises from a lack of ownership checks during file deletion, enabling attackers to manipulate file IDs.

CVE-2026-54699
High

Warp, an agentic development environment, contains an OS command injection vulnerability in the WSL URL-opening fallback. Versions from 0.2024.03.12.08.02.stable_01 to 0.2026.05.06.15.42.stable_01 are affected when Warp cannot open a URL through wslview and falls back to a Windows command processor path.

CVE-2026-54686
Medium

Warp is a development environment that from versions 0.2021.04.25.23.05.stable_00 to 0.2026.05.06.15.42.stable_01 accepted unverified terminal lifecycle hooks from the PTY stream. An attacker could spoof selected lifecycle metadata, potentially exposing sensitive information.

CVE-2026-49851
High

Mistune is a Python Markdown parser. Prior to version 3.3.0, it is vulnerable to a CPU exhaustion DoS due to quadratic complexity in the parse_link_text function. Processing many consecutive [ characters in Markdown input causes repeated scanning, leading to excessive CPU usage even with a small payload.

CVE-2026-48789
Medium

The AnythingLLM application prior to version 1.13.0 on Windows allowed the use of an encoded absolute path to the documents folder, potentially leading to access to files outside the intended documents directory.

CVE-2026-48732
HighEPSS 59%

Warp contains a command injection issue in the legacy SSH background command path in versions from 0.2023.03.21.08.02.stable_00 to 0.2026.05.06.15.42.stable_01. An attacker can exploit a remote directory to execute additional shell syntax on the remote host as the victim's authenticated SSH account.

CVE-2026-48731
High

Warp, an agentic development environment, contains a command injection issue in the Linux external editor launcher. Versions from 0.2024.02.20.08.01.stable_01 to 0.2026.05.06.15.42.stable_01 allow execution of malicious code by opening an attacker-controlled file.

PreviousPage 202 of 4563Next

Vulnerability data from NVD (NIST) · CISA KEV · EPSS