Latest intel// live feed
CVE-2026-6361 — Google Chrome: Heap buffer overflow in PDFium in Google Chrome on Windows prior to 147.0.7727.101 allowed
Heap buffer overflow in PDFium in Google Chrome on Windows prior to 147.0.7727.101 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: High) CVSSv3.1 8.3 (HIGH) · EPSS 4th percentile
CVE-2026-6360 — Google Chrome: Use after free in FileSystem in Google Chrome prior to 147.0.7727.101 allowed a remote
Use after free in FileSystem in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially exploit object corruption via a crafted HTML page. (Chromium security severity: High) CVSSv3.1 8.8 (HIGH) · EPSS 7th percentile
CVE-2026-6358 — Google Chrome: Use after free in XR in Google Chrome on Android prior to 147.0.7727.101 allowed
Use after free in XR in Google Chrome on Android prior to 147.0.7727.101 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Critical) CVSSv3.1 8.8 (HIGH) · EPSS 30th percentile
CVE-2026-6318 — Google Chrome: Use after free in Codecs in Google Chrome prior to 147.0.7727.101 allowed a remote
Use after free in Codecs in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium) CVSSv3.1 8.8 (HIGH) · EPSS 15th percentile
CVE-2026-6317 — Google Chrome: Use after free in Cast in Google Chrome prior to 147.0.7727.101 allowed a remote
Use after free in Cast in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) CVSSv3.1 8.8 (HIGH) · EPSS 33rd percentile
CVE-2026-6316 — Google Chrome: Use after free in Forms in Google Chrome prior to 147.0.7727.101 allowed a remote
Use after free in Forms in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) CVSSv3.1 8.8 (HIGH) · EPSS 33rd percentile
CVE-2026-6315 — Google Chrome: Use after free in Permissions in Google Chrome on Android prior to 147.0.7727.101 allowed
Use after free in Permissions in Google Chrome on Android prior to 147.0.7727.101 allowed a remote attacker who convinced a user to engage in specific UI gestures to execute arbitrary code via a crafted HTML page. (Chromium security severity: High) CVSSv3.1 8.8 (HIGH) · EPSS 30th percentile
CVE-2026-6314 — Google Chrome: Out of bounds write in GPU in Google Chrome prior to 147.0.7727.101 allowed a
Out of bounds write in GPU in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the GPU process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) CVSSv3.1 8.3 (HIGH) · EPSS 10th percentile
CVE-2026-6311 — Google Chrome: Uninitialized Use in Accessibility in Google Chrome on Windows prior to 147.0.7727.101 allowed a
Uninitialized Use in Accessibility in Google Chrome on Windows prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) CVSSv3.1 8.3 (HIGH) · EPSS 8th percentile
CVE-2026-6310 — Google Chrome: Use after free in Dawn in Google Chrome prior to 147.0.7727.101 allowed a remote
Use after free in Dawn in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) CVSSv3.1 8.3 (HIGH) · EPSS 11th percentile
CVE-2026-6309 — Google Chrome: Use after free in Viz in Google Chrome prior to 147.0.7727.101 allowed a remote
Use after free in Viz in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) CVSSv3.1 8.3 (HIGH) · EPSS 11th percentile
CVE-2026-6306 — Google Chrome: Heap buffer overflow in PDFium in Google Chrome prior to 147.0.7727.101 allowed a remote
Heap buffer overflow in PDFium in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: High) CVSSv3.1 8.8 (HIGH) · EPSS 9th percentile
CVE-2026-6305 — Google Chrome: Heap buffer overflow in PDFium in Google Chrome prior to 147.0.7727.101 allowed a remote
Heap buffer overflow in PDFium in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted PDF file. (Chromium security severity: High) CVSSv3.1 8.8 (HIGH) · EPSS 9th percentile
CVE-2026-6304 — Google Chrome: Use after free in Graphite in Google Chrome prior to 147.0.7727.101 allowed a remote
Use after free in Graphite in Google Chrome prior to 147.0.7727.101 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High) CVSSv3.1 8.3 (HIGH) · EPSS 11th percentile
CVE-2026-6303 — Google Chrome: Use after free in Codecs in Google Chrome prior to 147.0.7727.101 allowed a remote
Use after free in Codecs in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) CVSSv3.1 8.8 (HIGH) · EPSS 15th percentile
CVE-2026-6302 — Google Chrome: Use after free in Video in Google Chrome prior to 147.0.7727.101 allowed a remote
Use after free in Video in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) CVSSv3.1 8.8 (HIGH) · EPSS 15th percentile
CVE-2026-6301 — Google Chrome: Type Confusion in Turbofan in Google Chrome prior to 147.0.7727.101 allowed a remote attacker
Type Confusion in Turbofan in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) CVSSv3.1 8.8 (HIGH) · EPSS 10th percentile
CVE-2026-6300 — Google Chrome: Use after free in CSS in Google Chrome prior to 147.0.7727.101 allowed a remote
Use after free in CSS in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High) CVSSv3.1 8.8 (HIGH) · EPSS 15th percentile
CVE-2026-6299 — Google Chrome: Use after free in Prerender in Google Chrome prior to 147.0.7727.101 allowed a remote
Use after free in Prerender in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to execute arbitrary code via a crafted HTML page. (Chromium security severity: Critical) CVSSv3.1 8.8 (HIGH) · EPSS 15th percentile
CVE-2026-6297 — Google Chrome: Use after free in Proxy in Google Chrome prior to 147.0.7727.101 allowed an attacker
Use after free in Proxy in Google Chrome prior to 147.0.7727.101 allowed an attacker in a privileged network position to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) CVSSv3.1 8.3 (HIGH) · EPSS 1st percentile
CVE-2026-6296 — Google Chrome: Heap buffer overflow in ANGLE in Google Chrome prior to 147.0.7727.101 allowed a remote
Heap buffer overflow in ANGLE in Google Chrome prior to 147.0.7727.101 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical) CVSSv3.1 9.6 (CRITICAL) · EPSS 8th percentile
CVE-2026-35569 — ApostropheCMS: Versions 4.28.0 and prior contain a stored cross-site scripting vulnerability in SEO-related fields (SEO
ApostropheCMS is an open-source Node.js content management system. Versions 4.28.0 and prior contain a stored cross-site scripting vulnerability in SEO-related fields (SEO Title and Meta Description), where user-controlled input is rendered without proper output encoding into HTML contexts including <title> tags, <meta> attributes, and JSON-LD structured data. An attacker can inject a payload such as "></title><script>alert(1)</script> to break out of the intended HTML contex CVSSv3.1 8.7 (HIGH) · EPSS 10th percentile
CVE-2025-41118 — Grafana Pyroscope: The database supports various storage backends, including Tencent Cloud Object Storage (COS).
Pyroscope is an open-source continuous profiling database. The database supports various storage backends, including Tencent Cloud Object Storage (COS). If the database is configured to use Tencent COS as the storage backend, an attacker could extract the secret_key configuration value from the Pyroscope API. To exploit this vulnerability, an attacker needs direct access to the Pyroscope API. We highly recommend limiting the public internet exposure of all our databases, su CVSSv3.1 9.1 (CRITICAL) · EPSS 25th percentile
CVE-2026-6290 — Rapid7 Velociraptor: versions prior to 0.76.3 contain a vulnerability in the query() plugin which allows
Velociraptor versions prior to 0.76.3 contain a vulnerability in the query() plugin which allows access to all orgs with the user's current ACL token. This allows an authenticated GUI user with access in one org, to use the query() plugin, in a notebook cell, to run VQL queries on other orgs which they may not have access to. The user's permissions in the other org are the same as the permissions they have in the org containing the notebook. CVSSv3.1 8.0 (HIGH)
CVE-2026-20186 — Cisco Identity Services Engine: A vulnerability in Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker
A vulnerability in Cisco Identity Services Engine (ISE) could allow an authenticated, remote attacker to execute arbitrary commands on the underlying operating system of an affected device. To exploit this vulnerability, the attacker must have at least Read Only Admin credentials. This vulnerability is due to insufficient validation of user-supplied input. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected device. A successful exp CVSSv3.1 9.9 (CRITICAL) · EPSS 92nd percentile