Export limit exceeded: 15024 CVEs match your query. Please refine your search to export 10,000 CVEs or fewer.
Search
Search Results (15024 CVEs found)
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-7345 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2026-04-30 | 8.3 High |
| Insufficient validation of untrusted input in Feedback in Google Chrome prior to 147.0.7727.138 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | ||||
| CVE-2026-5911 | 4 Apple, Google, Linux and 1 more | 4 Macos, Chrome, Linux Kernel and 1 more | 2026-04-30 | 4.3 Medium |
| Policy bypass in ServiceWorkers in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low) | ||||
| CVE-2025-50053 | 3 Google, Nebelhorn, Wordpress | 3 Android, Blappsta Mobile App Plugin, Wordpress | 2026-04-28 | 7.1 High |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in nebelhorn Blappsta Mobile App Plugin – Your native, mobile iPhone App and Android App yournewsapp allows Reflected XSS.This issue affects Blappsta Mobile App Plugin – Your native, mobile iPhone App and Android App: from n/a through <= 0.8.8.8. | ||||
| CVE-2026-6920 | 3 Google, Linux, Microsoft | 4 Android, Chrome, Linux Kernel and 1 more | 2026-04-28 | 9.6 Critical |
| Out of bounds read in GPU in Google Chrome on Android prior to 147.0.7727.117 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | ||||
| CVE-2026-6921 | 3 Google, Linux, Microsoft | 4 Android, Chrome, Linux Kernel and 1 more | 2026-04-28 | 8.3 High |
| Race in GPU in Google Chrome on Windows prior to 147.0.7727.117 allowed a remote attacker to potentially perform a sandbox escape via a crafted video file. (Chromium security severity: Medium) | ||||
| CVE-2025-43201 | 2 Apple, Google | 4 Apple Music, Music, Music Classical and 1 more | 2026-04-28 | 6.2 Medium |
| This issue was addressed with improved checks. This issue is fixed in Apple Music Classical 2.3 for Android. An app may be able to unexpectedly leak a user's credentials. | ||||
| CVE-2026-6919 | 3 Google, Linux, Microsoft | 4 Android, Chrome, Linux Kernel and 1 more | 2026-04-27 | 9.6 Critical |
| Use after free in DevTools in Google Chrome prior to 147.0.7727.117 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) | ||||
| CVE-2025-12474 | 2 Google, Libjxl Project | 2 Libjxl, Libjxl | 2026-04-24 | 4.4 Medium |
| A specially-crafted file can cause libjxl's decoder to read pixel data from uninitialized (but allocated) memory. This can be done by causing the decoder to reference an outside-image-bound area in a subsequent patches. An incorrect optimization causes the decoder to omit populating those areas. | ||||
| CVE-2024-54317 | 1 Google | 1 Web Stories | 2026-04-23 | 6.5 Medium |
| Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Google Web Stories web-stories allows Stored XSS.This issue affects Web Stories: from n/a through <= 1.37.0. | ||||
| CVE-2009-1690 | 3 Apple, Google, Redhat | 4 Iphone Os, Safari, Chrome and 1 more | 2026-04-23 | N/A |
| Use-after-free vulnerability in WebKit, as used in Apple Safari before 4.0, iPhone OS 1.0 through 2.2.1, iPhone OS for iPod touch 1.1 through 2.2.1, Google Chrome 1.0.154.53, and possibly other products, allows remote attackers to execute arbitrary code or cause a denial of service (memory corruption and application crash) by setting an unspecified property of an HTML tag that causes child elements to be freed and later accessed when an HTML error occurs, related to "recursion in certain DOM event handlers." | ||||
| CVE-2009-3932 | 1 Google | 1 Chrome | 2026-04-23 | N/A |
| The Gears plugin in Google Chrome before 3.0.195.32 allows user-assisted remote attackers to cause a denial of service (memory corruption and plugin crash) or possibly execute arbitrary code via unspecified use of the Gears SQL API, related to putting "SQL metadata into a bad state." | ||||
| CVE-2009-3933 | 2 Google, Webkit | 2 Chrome, Webkit | 2026-04-23 | N/A |
| WebKit before r50173, as used in Google Chrome before 3.0.195.32, allows remote attackers to cause a denial of service (CPU consumption) via a web page that calls the JavaScript setInterval method, which triggers an incompatibility between the WTF::currentTime and base::Time functions. | ||||
| CVE-2009-3268 | 1 Google | 1 Chrome | 2026-04-23 | N/A |
| Google Chrome 1.0.154.48 and earlier allows remote attackers to cause a denial of service (CPU consumption) via an automatically submitted form containing a KEYGEN element, a related issue to CVE-2009-1828. | ||||
| CVE-2009-2816 | 4 Apple, Fedoraproject, Google and 1 more | 5 Iphone Os, Safari, Fedora and 2 more | 2026-04-23 | N/A |
| The implementation of Cross-Origin Resource Sharing (CORS) in WebKit, as used in Apple Safari before 4.0.4 and Google Chrome before 3.0.195.33, includes certain custom HTTP headers in the OPTIONS request during cross-origin operations with preflight, which makes it easier for remote attackers to conduct cross-site request forgery (CSRF) attacks via a crafted web page. | ||||
| CVE-2009-2935 | 1 Google | 1 Chrome | 2026-04-23 | N/A |
| Google V8, as used in Google Chrome before 2.0.172.43, allows remote attackers to bypass intended restrictions on reading memory, and possibly obtain sensitive information or execute arbitrary code in the Chrome sandbox, via crafted JavaScript. | ||||
| CVE-2009-2973 | 1 Google | 1 Chrome | 2026-04-23 | N/A |
| Google Chrome before 2.0.172.43 does not prevent SSL connections to a site with an X.509 certificate signed with the (1) MD2 or (2) MD4 algorithm, which makes it easier for man-in-the-middle attackers to spoof arbitrary HTTPS servers via a crafted certificate, a related issue to CVE-2009-2409. | ||||
| CVE-2009-2974 | 1 Google | 1 Chrome | 2026-04-23 | N/A |
| Google Chrome 1.0.154.65, 1.0.154.48, and earlier allows remote attackers to (1) cause a denial of service (application hang) via vectors involving a chromehtml: URI value for the document.location property or (2) cause a denial of service (application hang and CPU consumption) via vectors involving a series of function calls that set a chromehtml: URI value for the document.location property. | ||||
| CVE-2009-2999 | 1 Google | 1 Android | 2026-04-23 | N/A |
| The com.android.phone process in Android 1.5 CRBxx allows remote attackers to cause a denial of service (application restart and network disconnection) via an SMS message containing a malformed WAP Push message that triggers an ArrayIndexOutOfBoundsException exception, possibly a related issue to CVE-2009-2656. | ||||
| CVE-2009-3011 | 1 Google | 1 Chrome | 2026-04-23 | N/A |
| Google Chrome 1.0.154.48 and earlier, 2.0.172.28, 2.0.172.37, and 3.0.193.2 Beta does not properly block data: URIs in Refresh headers in HTTP responses, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors related to (1) injecting a Refresh header that contains JavaScript sequences in a data:text/html URI or (2) entering a data:text/html URI with JavaScript sequences when specifying the content of a Refresh header. NOTE: the JavaScript executes outside of the context of the HTTP site. | ||||
| CVE-2009-1754 | 1 Google | 1 Android | 2026-04-23 | N/A |
| The PackageManagerService class in services/java/com/android/server/PackageManagerService.java in Android 1.5 through 1.5 CRB42 does not properly check developer certificates during processing of sharedUserId requests at an application's installation time, which allows remote user-assisted attackers to access application data by creating a package that specifies a shared user ID with an arbitrary application. | ||||