CVE Vulnerability Catalog
Translated CVE descriptions from NVD NIST - in English
CISA KEV catalog updated: (v2026.07.10)
Use after free in Blink in Google Chrome prior to version 149.0.7827.197 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page.
Uninitialized use in GPU in Google Chrome on Android prior to 149.0.7827.197 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page.
A use after free vulnerability in Web Authentication in Google Chrome prior to version 149.0.7827.197 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension.
A use-after-free vulnerability in WebGL in Google Chrome on Android prior to 149.0.7827.197 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)
Use-After-Free vulnerability in the FileSystem component in Google Chrome prior to 149.0.7827.197 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. The issue was rated as High severity in Chromium security.
A Use-After-Free vulnerability in the Digital Credentials component in Google Chrome on Mac prior to version 149.0.7827.197 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. The issue is rated as High severity in Chromium.
A race condition in DevTools in Google Chrome prior to 149.0.7827.197 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page.
Insufficient validation of untrusted input in Navigation in Google Chrome prior to 149.0.7827.197 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page.
Uninitialized Use in GPU in Google Chrome prior to 149.0.7827.197 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted HTML page.
An inappropriate implementation in Autofill in Google Chrome prior to 149.0.7827.197 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page.
An inappropriate implementation in DeviceBoundSessionCredentials in Google Chrome prior to 149.0.7827.197 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: High)
A DoS vulnerability in Tapo C200 v3 camera stems from improper handling of fragmented IPv4 packets. An unauthenticated adjacent attacker can send crafted packets causing excessive resource consumption and device instability.
A use-after-free vulnerability was found in the GPAC/MP4Box library before version 26.02.0 in the gf_filter_pid_reconfigure_task_discard function in filter_pid.c. An attacker can cause a Denial of Service (DoS) by supplying a crafted media file.
The AnythingLLM application has a vulnerability that allows managers or admins to delete parsed files of other users in any workspace, even if they are not members. The issue arises from a lack of ownership checks during file deletion, enabling attackers to manipulate file IDs.
Warp, an agentic development environment, contains an OS command injection vulnerability in the WSL URL-opening fallback. Versions from 0.2024.03.12.08.02.stable_01 to 0.2026.05.06.15.42.stable_01 are affected when Warp cannot open a URL through wslview and falls back to a Windows command processor path.
Warp is a development environment that from versions 0.2021.04.25.23.05.stable_00 to 0.2026.05.06.15.42.stable_01 accepted unverified terminal lifecycle hooks from the PTY stream. An attacker could spoof selected lifecycle metadata, potentially exposing sensitive information.
Mistune is a Python Markdown parser. Prior to version 3.3.0, it is vulnerable to a CPU exhaustion DoS due to quadratic complexity in the parse_link_text function. Processing many consecutive [ characters in Markdown input causes repeated scanning, leading to excessive CPU usage even with a small payload.
The AnythingLLM application prior to version 1.13.0 on Windows allowed the use of an encoded absolute path to the documents folder, potentially leading to access to files outside the intended documents directory.
Warp contains a command injection issue in the legacy SSH background command path in versions from 0.2023.03.21.08.02.stable_00 to 0.2026.05.06.15.42.stable_01. An attacker can exploit a remote directory to execute additional shell syntax on the remote host as the victim's authenticated SSH account.
Warp, an agentic development environment, contains a command injection issue in the Linux external editor launcher. Versions from 0.2024.02.20.08.01.stable_01 to 0.2026.05.06.15.42.stable_01 allow execution of malicious code by opening an attacker-controlled file.

