2026-04-15
2026-04-15 20:16Z
HIGH

CVE-2026-6361 — Google Chrome: Heap buffer overflow in PDFium in Google Chrome on Windows prior to 147.0.7727.101 allowed

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6361

Heap buffer overflow in PDFium in Google Chrome on Windows prior to 147.0.7727.101 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: High) CVSSv3.1 8.3 (HIGH) · EPSS 4th percentile

CWE: CWE-122 · VND: Google · VND: Heap · TYP: Vulnerability
8.3
CVSS v3.1
92
Edit Score
2026-04-15
2026-04-15 20:16Z
HIGH

CVE-2026-6360 — Google Chrome: Use after free in FileSystem in Google Chrome prior to 147.0.7727.101 allowed a remote

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6360

Use after free in FileSystem in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High) CVSSv3.1 8.8 (HIGH) · EPSS 7th percentile

CWE: CWE-416 · VND: Google · TYP: Vulnerability
8.8
CVSS v3.1
94
Edit Score
2026-04-15
2026-04-15 20:16Z
HIGH

CVE-2026-6358 — Google Chrome: Use after free in XR in Google Chrome on Android prior to 147.0.7727.101 allowed

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6358

Use after free in XR in Google Chrome on Android prior to 147.0.7727.101 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Critical) CVSSv3.1 8.8 (HIGH) · EPSS 30th percentile

CWE: CWE-416 · VND: Google · TYP: Vulnerability
8.8
CVSS v3.1
94
Edit Score
2026-04-15
2026-04-15 20:16Z
HIGH

CVE-2026-6318 — Google Chrome: Use after free in Codecs in Google Chrome prior to 147.0.7727.101 allowed a remote

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6318

Use after free in Codecs in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium) CVSSv3.1 8.8 (HIGH) · EPSS 15th percentile

CWE: CWE-416 · VND: Google · TYP: Vulnerability
8.8
CVSS v3.1
94
Edit Score
2026-04-15
2026-04-15 20:16Z
HIGH

CVE-2026-6317 — Google Chrome: Use after free in Cast in Google Chrome prior to 147.0.7727.101 allowed a remote

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6317

Use after free in Cast in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) CVSSv3.1 8.8 (HIGH) · EPSS 33rd percentile

CWE: CWE-416 · VND: Google · TYP: Vulnerability
8.8
CVSS v3.1
94
Edit Score
2026-04-15
2026-04-15 20:16Z
HIGH

CVE-2026-6316 — Google Chrome: Use after free in Forms in Google Chrome prior to 147.0.7727.101 allowed a remote

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6316

Use after free in Forms in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) CVSSv3.1 8.8 (HIGH) · EPSS 33rd percentile

CWE: CWE-416 · VND: Google · TYP: Vulnerability
8.8
CVSS v3.1
94
Edit Score
2026-04-15
2026-04-15 20:16Z
HIGH

CVE-2026-6315 — Google Chrome: Use after free in Permissions in Google Chrome on Android prior to 147.0.7727.101 allowed

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6315

Use after free in Permissions in Google Chrome on Android prior to 147.0.7727.101 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) CVSSv3.1 8.8 (HIGH) · EPSS 30th percentile

CWE: CWE-416 · VND: Google · TYP: Vulnerability
8.8
CVSS v3.1
94
Edit Score
2026-04-15
2026-04-15 20:16Z
HIGH

CVE-2026-6314 — Google Chrome: Out of bounds write in GPU in Google Chrome prior to 147.0.7727.101 allowed a

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6314

Out of bounds write in GPU in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the GPU process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) CVSSv3.1 8.3 (HIGH) · EPSS 10th percentile

CWE: CWE-787 · VND: Google · TYP: Vulnerability
8.3
CVSS v3.1
92
Edit Score
2026-04-15
2026-04-15 20:16Z
HIGH

CVE-2026-6311 — Google Chrome: Uninitialized Use in Accessibility in Google Chrome on Windows prior to 147.0.7727.101 allowed a

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6311

Uninitialized Use in Accessibility in Google Chrome on Windows prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) CVSSv3.1 8.3 (HIGH) · EPSS 8th percentile

CWE: CWE-457 · VND: Google · VND: Uninitialized · TYP: Vulnerability
8.3
CVSS v3.1
92
Edit Score
2026-04-15
2026-04-15 20:16Z
HIGH

CVE-2026-6310 — Google Chrome: Use after free in Dawn in Google Chrome prior to 147.0.7727.101 allowed a remote

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6310

Use after free in Dawn in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) CVSSv3.1 8.3 (HIGH) · EPSS 11th percentile

CWE: CWE-416 · VND: Google · TYP: Vulnerability
8.3
CVSS v3.1
92
Edit Score
2026-04-15
2026-04-15 20:16Z
HIGH

CVE-2026-6309 — Google Chrome: Use after free in Viz in Google Chrome prior to 147.0.7727.101 allowed a remote

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6309

Use after free in Viz in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) CVSSv3.1 8.3 (HIGH) · EPSS 11th percentile

CWE: CWE-416 · VND: Google · TYP: Vulnerability
8.3
CVSS v3.1
92
Edit Score
2026-04-15
2026-04-15 20:16Z
HIGH

CVE-2026-6306 — Google Chrome: Heap buffer overflow in PDFium in Google Chrome prior to 147.0.7727.101 allowed a remote

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6306

Heap buffer overflow in PDFium in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: High) CVSSv3.1 8.8 (HIGH) · EPSS 9th percentile

CWE: CWE-122 · VND: Google · VND: Heap · TYP: Vulnerability
8.8
CVSS v3.1
94
Edit Score
2026-04-15
2026-04-15 20:16Z
HIGH

CVE-2026-6305 — Google Chrome: Heap buffer overflow in PDFium in Google Chrome prior to 147.0.7727.101 allowed a remote

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6305

Heap buffer overflow in PDFium in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: High) CVSSv3.1 8.8 (HIGH) · EPSS 9th percentile

CWE: CWE-787 · CWE: CWE-122 · VND: Google · VND: Heap · TYP: Vulnerability
8.8
CVSS v3.1
94
Edit Score
2026-04-15
2026-04-15 20:16Z
HIGH

CVE-2026-6304 — Google Chrome: Use after free in Graphite in Google Chrome prior to 147.0.7727.101 allowed a remote

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6304

Use after free in Graphite in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) CVSSv3.1 8.3 (HIGH) · EPSS 11th percentile

CWE: CWE-416 · VND: Google · TYP: Vulnerability
8.3
CVSS v3.1
92
Edit Score
2026-04-15
2026-04-15 20:16Z
HIGH

CVE-2026-6303 — Google Chrome: Use after free in Codecs in Google Chrome prior to 147.0.7727.101 allowed a remote

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6303

Use after free in Codecs in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) CVSSv3.1 8.8 (HIGH) · EPSS 15th percentile

CWE: CWE-416 · VND: Google · TYP: Vulnerability
8.8
CVSS v3.1
94
Edit Score
2026-04-15
2026-04-15 20:16Z
HIGH

CVE-2026-6302 — Google Chrome: Use after free in Video in Google Chrome prior to 147.0.7727.101 allowed a remote

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6302

Use after free in Video in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) CVSSv3.1 8.8 (HIGH) · EPSS 15th percentile

CWE: CWE-416 · VND: Google · TYP: Vulnerability
8.8
CVSS v3.1
94
Edit Score
2026-04-15
2026-04-15 20:16Z
HIGH

CVE-2026-6301 — Google Chrome: Type Confusion in Turbofan in Google Chrome prior to 147.0.7727.101 allowed a remote attacker

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6301

Type Confusion in Turbofan in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) CVSSv3.1 8.8 (HIGH) · EPSS 10th percentile

CWE: CWE-843 · VND: Google · VND: Type · TYP: Vulnerability
8.8
CVSS v3.1
94
Edit Score
2026-04-15
2026-04-15 20:16Z
HIGH

CVE-2026-6300 — Google Chrome: Use after free in CSS in Google Chrome prior to 147.0.7727.101 allowed a remote

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6300

Use after free in CSS in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) CVSSv3.1 8.8 (HIGH) · EPSS 15th percentile

CWE: CWE-416 · VND: Google · TYP: Vulnerability
8.8
CVSS v3.1
94
Edit Score
2026-04-15
2026-04-15 20:16Z
HIGH

CVE-2026-6299 — Google Chrome: Use after free in Prerender in Google Chrome prior to 147.0.7727.101 allowed a remote

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6299

Use after free in Prerender in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical) CVSSv3.1 8.8 (HIGH) · EPSS 15th percentile

CWE: CWE-416 · VND: Google · TYP: Vulnerability
8.8
CVSS v3.1
94
Edit Score
2026-04-15
2026-04-15 20:16Z
HIGH

CVE-2026-6297 — Google Chrome: Use after free in Proxy in Google Chrome prior to 147.0.7727.101 allowed an attacker

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6297

Use after free in Proxy in Google Chrome prior to 147.0.7727.101 allowed an attacker in a privileged network position to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) CVSSv3.1 8.3 (HIGH) · EPSS 1st percentile

CWE: CWE-416 · VND: Google · TYP: Vulnerability
8.3
CVSS v3.1
92
Edit Score
2026-04-15
2026-04-15 20:16Z
CRIT

CVE-2026-6296 — Google Chrome: Heap buffer overflow in ANGLE in Google Chrome prior to 147.0.7727.101 allowed a remote

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6296

Heap buffer overflow in ANGLE in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) CVSSv3.1 9.6 (CRITICAL) · EPSS 8th percentile

CWE: CWE-122 · VND: Google · VND: Heap · TYP: Vulnerability
9.6
CVSS v3.1
98
Edit Score
2026-04-15
2026-04-15 20:16Z
HIGH

CVE-2026-35569 — Apostrophecms Apostrophecms: Versions 4.28.0 and prior contain a stored cross-site scripting vulnerability in SEO-related fields (SEO

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-35569

ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a stored cross-site scripting vulnerability in SEO-related fields (SEO Title and Meta Description), where user-controlled input is rendered without proper output encoding into HTML contexts including <title> tags, <meta> attributes, and JSON-LD structured data. An attacker can inject a payload such as "></title><script>alert(1)</script> to break out of the intended HTML contex CVSSv3.1 8.7 (HIGH) · EPSS 10th percentile

CWE: CWE-79 · CWE: CWE-116 · VND: Apostrophecms · TYP: Vulnerability
8.7
CVSS v3.1
94
Edit Score
2026-04-15
2026-04-15 20:16Z
CRIT

CVE-2025-41118 — Grafana Pyroscope: The database supports various storage backends, including Tencent Cloud Object Storage (COS).

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2025-41118

Pyroscope is an open-source continuous profiling database. The database supports various storage backends, including Tencent Cloud Object Storage (COS). If the database is configured to use Tencent COS as the storage backend, an attacker could extract the secret_key configuration value from the Pyroscope API. To exploit this vulnerability, an attacker needs direct access to the Pyroscope API. We highly recommend limiting the public internet exposure of all our databases, su CVSSv3.1 9.1 (CRITICAL) · EPSS 25th percentile

CWE: CWE-732 · VND: Grafana · VND: Pyroscope · TYP: Vulnerability
9.1
CVSS v3.1
96
Edit Score
2026-04-15
2026-04-15 18:17Z
HIGH

CVE-2026-6290 — Rapid7 Velociraptor: versions prior to 0.76.3 contain a vulnerability in the query() plugin which allows

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-6290

Velociraptor versions prior to 0.76.3 contain a vulnerability in the query() plugin which allows access to all orgs with the user's current ACL token. This allows an authenticated GUI user with access in one org, to use the query() plugin, in a notebook cell, to run VQL queries on other orgs which they may not have access to. The user's permissions in the other org are the same as the permissions they have in the org containing the notebook. CVSSv3.1 8.0 (HIGH)

CWE: CWE-863 · VND: Rapid7 · VND: Velociraptor · TYP: Vulnerability
8.0
CVSS v3.1
90
Edit Score
2026-04-15
2026-04-15 17:17Z
CRIT

CVE-2026-20186 — Cisco Identity_services_engine: A vulnerability in Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker

NVD (auto-promoted CVEs) · nvd.nist.gov · CVE-2026-20186

A vulnerability in Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. To exploit this vulnerability, the attacker must have at least Read Only Admin credentials. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exp CVSSv3.1 9.9 (CRITICAL) · EPSS 92nd percentile

CWE: CWE-77 · VND: Cisco · TYP: Vulnerability
9.9
CVSS v3.1
100
Edit Score