
219119 matches found

Debian CVE
added 2026/06/04 11:5 p.m. | 7 views

CVE-2026-11190

Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to bypass discretionary access control via a crafted Chrome Extension. Chromium security severity: Medium...

CVSS 6.5 | AI score 5.4 | EPSS 0.00165
Exploits 0
Cvelist
added 2026/06/04 11:5 p.m. | 25 views

CVE-2026-11135

Insufficient policy enforcement in Autofill in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass discretionary access control via a crafted HTML page. Chromium security severity: Medium...

EPSS 0.00201
Exploits 0 | References 2
CVE
added 2026/06/04 11:5 p.m. | 10 views

CVE-2026-11135

CVE-2026-11135 describes insufficient policy enforcement in Chrome Autofill, allowing a remote attacker to bypass discretionary access control via a crafted HTML page. Affected software is Google Chrome (Chromium) prior to 149.0.7827.53. Root cause: incomplete enforcement of policy in Autofill fu...

CVSS 6.5 | AI score 5.8 | EPSS 0.00201
Exploits 0 | References 2 | Affected Software 1
Vulnrichment
added 2026/06/04 11:5 p.m. | 4 views

CVE-2026-11135

Insufficient policy enforcement in Autofill in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass discretionary access control via a crafted HTML page. Chromium security severity: Medium...

AI score 5.5 | EPSS 0.00201
Exploits 0 | References 2
Debian CVE
added 2026/06/04 11:5 p.m. | 6 views

CVE-2026-11135

Insufficient policy enforcement in Autofill in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass discretionary access control via a crafted HTML page. Chromium security severity: Medium...

CVSS 6.5 | AI score 5.5 | EPSS 0.00201
Exploits 0
CVE
added 2026/06/04 11:4 p.m. | 7 views

CVE-2025-8873

CVE-2025-8873 affects Arista EOS with IPsec enabled: a specially crafted packet can stop dataplane processing of all IPsec traffic, with control plane detecting and resetting the IPsec pipeline; after reset, IPsec traffic may not resume. Non-IPsec traffic is unaffected. Affected EOS releases incl...

CVSS 8.7 | AI score 5.8 | EPSS 0.00386
Exploits 0 | References 1
Cvelist
added 2026/06/04 11:4 p.m. | 27 views

CVE-2026-10997

Insufficient policy enforcement in Extensions in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to bypass discretionary access control via a crafted Chrome Extension. Chromium security severity: Medium...

EPSS 0.00234
Exploits 0 | References 2
Vulnrichment
added 2026/06/04 11:4 p.m. | 4 views

CVE-2026-10997

Insufficient policy enforcement in Extensions in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to bypass discretionary access control via a crafted Chrome Extension. Chromium security severity: Medium...

AI score 5.5 | EPSS 0.00234
Exploits 0 | References 2
CVE
added 2026/06/04 11:4 p.m. | 10 views

CVE-2026-10997

CVE-2026-10997 affects Google Chrome extensions due to insufficient policy enforcement in Extensions, allowing an attacker who persuades a user to install a crafted malicious extension to bypass discretionary access control. Affected software is Chrome (Chromium-based) with the specific fix in version 149....

CVSS 6.5 | AI score 5.8 | EPSS 0.00234
Exploits 0 | References 2 | Affected Software 1
Debian CVE
added 2026/06/04 11:4 p.m. | 6 views

CVE-2026-10997

Insufficient policy enforcement in Extensions in Google Chrome prior to 149.0.7827.53 allowed an attacker who convinced a user to install a malicious extension to bypass discretionary access control via a crafted Chrome Extension. Chromium security severity: Medium...

CVSS 6.5 | AI score 5.4 | EPSS 0.00234
Exploits 0
OSSF Malicious Packages
added 2026/06/04 10:27 p.m. | 7 views

Malicious code in arjson (npm)

Source: amazon-inspector 00290c05e0c41a8f51d38c629ade5b3fe76f2a89302db8daac669b0c80d13197. package.json declares "preinstall": "./.github/scripts/precheck", which on npm install executes a 976KB UPX-packed Linux ELF binary shipped under...

AI score 5.6
Exploits 0 | References 3
OSSF Malicious Packages
added 2026/06/04 10:27 p.m. | 10 views

Malicious code in wdb-core (npm)

Source: google-open-source-security 146faaf0d97c6a533a969bc3f3f117811f9317dc865ed4ab37f1679842ddeaae. This package was compromised as part of the IronWorm campaign. This campaign executes a malicious binary payload during installation via a...

AI score 5.8
Exploits 0 | References 2
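Both the arjson and the wdb-core reports above describe the same delivery mechanism: a lifecycle script in package.json that npm runs automatically at install time and that hands control to a native binary shipped inside the package. The check below is an added example (not code from OSSF or from either package): it lists the install hooks npm would execute, and when a hook points at a file inside the package it reports whether that file is a native ELF binary and whether it carries a UPX marker. The package fixture is constructed in a temp directory (a few bytes carrying the ELF magic and the string `UPX!`), not the real 976KB binary from the report.

```python
import json
import os
import shlex
import tempfile

# Lifecycle hooks npm runs automatically when a package is installed from the
# registry. (`prepare` only runs for local/git installs, so it is left out.)
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

ELF_MAGIC = b"\x7fELF"
UPX_MARKER = b"UPX!"  # marker the UPX packer leaves in its stub/headers


def install_hooks(package_json: dict) -> dict:
    """Return only the scripts npm would run during install."""
    scripts = package_json.get("scripts") or {}
    return {name: cmd for name, cmd in scripts.items() if name in INSTALL_HOOKS}


def classify_file(path: str) -> dict:
    """Describe a file a hook points at: present? native ELF? UPX marker? size."""
    info = {"exists": os.path.isfile(path), "size": 0, "elf": False, "upx": False}
    if not info["exists"]:
        return info
    with open(path, "rb") as f:
        data = f.read()
    info["size"] = len(data)
    info["elf"] = data.startswith(ELF_MAGIC)
    info["upx"] = UPX_MARKER in data
    return info


def audit_package(pkg_dir: str) -> list:
    """Flag every install hook, and say what the file it executes looks like."""
    with open(os.path.join(pkg_dir, "package.json"), encoding="utf-8") as f:
        pkg = json.load(f)
    findings = []
    for hook, cmd in install_hooks(pkg).items():
        reasons = [f"'{hook}' runs automatically on npm install"]
        tokens = shlex.split(cmd)
        target = tokens[0] if tokens else ""
        # A hook whose command is a path shipped inside the package is the
        # pattern in the arjson report ("./.github/scripts/precheck").
        if target.startswith("./"):
            info = classify_file(os.path.join(pkg_dir, target))
            if not info["exists"]:
                reasons.append("executes a path missing from the package")
            if info["elf"]:
                reasons.append(f"executes a native ELF binary ({info['size']} bytes)")
            if info["upx"]:
                reasons.append("binary carries a UPX marker (packed)")
        findings.append({"hook": hook, "command": cmd, "reasons": reasons})
    return findings


def build_sample_package() -> str:
    """Constructed fixture modelled on the report: a preinstall hook pointing at a
    tiny fake 'binary' carrying the ELF magic and a UPX marker. Not the real artefact."""
    pkg_dir = tempfile.mkdtemp(prefix="npm-audit-")
    os.makedirs(os.path.join(pkg_dir, ".github", "scripts"))
    manifest = {
        "name": "sample-pkg",  # constructed name, not a real package
        "version": "1.0.0",
        "scripts": {"preinstall": "./.github/scripts/precheck", "test": "jest"},
    }
    with open(os.path.join(pkg_dir, "package.json"), "w", encoding="utf-8") as f:
        json.dump(manifest, f)
    with open(os.path.join(pkg_dir, ".github", "scripts", "precheck"), "wb") as f:
        f.write(ELF_MAGIC + b"\x02\x01\x01" + b"\x00" * 61 + UPX_MARKER + b"\x00" * 64)
    return pkg_dir


if __name__ == "__main__":
    for finding in audit_package(build_sample_package()):
        print(finding["hook"], finding["command"])
        for reason in finding["reasons"]:
            print("  -", reason)
```

Run it against an unpacked tarball (`npm pack <pkg>`, then extract) before the package is installed, or install with `npm install --ignore-scripts` and review the hooks by hand. The byte-string marker is a cheap triage signal, not a malware verdict: a packed or native binary in an install hook is the thing to explain, whether or not it matches the string.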
RedhatCVE
added 2026/06/04 10:17 p.m. | 6 views

CVE-2026-48523

A flaw was found in PyJWT, a Python library for handling JSON Web Tokens (JWT). An attacker with control over a registered JSON Web Key (JWK) private key can bypass security checks by signing a token with a forbidden algorithm while claiming to use an allowed one. This allows the attacker to have the...

CVSS 5.4 | AI score 5.6 | EPSS 0.0011
Exploits 1 | References 4
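The description above places CVE-2026-48523 in the algorithm-confusion class: the header names an allowed algorithm, the signature was made with a forbidden one, and the verifier lets the key rather than the validated header decide which primitive runs. The code below is an added example of that class, not PyJWT's code and not a reproduction of the exact PyJWT defect (whose details are cut off above). It is stdlib-only and HMAC-only, so "forbidden" here means HS384 against an allow-list of HS256; the key material, `kid` and claims are constructed.

```python
import base64
import hashlib
import hmac
import json

# HMAC algorithms this toy verifier understands (assumption: HMAC only, stdlib only).
HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(payload: dict, key: bytes, alg: str, claimed_alg: str = "") -> str:
    """Sign with `alg`, but write `claimed_alg` into the header if given.

    An honest issuer leaves claimed_alg empty; the attacker in the description
    signs with a forbidden algorithm and claims an allowed one.
    """
    header = {"alg": claimed_alg or alg, "typ": "JWT", "kid": "attacker-key"}
    signing_input = (
        b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    mac = hmac.new(key, signing_input.encode(), HMAC_ALGS[alg]).digest()
    return signing_input + "." + b64url(mac)


def verify_by_key_alg(token: str, jwk: dict, allowed: set) -> dict:
    """Weak verifier: checks the *header* alg against the allow-list, then verifies
    with the *JWK's* alg. The two are never compared, so whoever controls the JWK
    chooses the primitive that actually runs."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header.get("alg") not in allowed:
        raise ValueError("header alg not allowed")
    digest = HMAC_ALGS[jwk["alg"]]  # primitive taken from the registered key, not the header
    mac = hmac.new(b64url_decode(jwk["k"]), f"{h}.{p}".encode(), digest).digest()
    if not hmac.compare_digest(mac, b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))


def verify_strict(token: str, jwk: dict, allowed: set) -> dict:
    """Hardened verifier: the header alg must be allowed, the key must be bound to
    that same alg, and that alg (never the key's field alone) drives verification."""
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    alg = header.get("alg")
    if alg not in allowed or alg not in HMAC_ALGS:
        raise ValueError("header alg not allowed")
    if jwk.get("kty") != "oct" or jwk.get("alg") != alg:
        raise ValueError("key is not bound to the header alg")
    mac = hmac.new(b64url_decode(jwk["k"]), f"{h}.{p}".encode(), HMAC_ALGS[alg]).digest()
    if not hmac.compare_digest(mac, b64url_decode(s)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(p))


def demo() -> dict:
    """Constructed scenario: the attacker's JWK is registered with alg HS384 while
    the application only allows HS256. Returns what each verifier did with a token
    signed with HS384 whose header claims HS256."""
    key = b"constructed-32-byte-secret-key!!"
    jwk = {"kty": "oct", "kid": "attacker-key", "alg": "HS384", "k": b64url(key)}
    forged = sign({"sub": "admin"}, key, alg="HS384", claimed_alg="HS256")
    outcome = {}
    for name, verifier in (("weak", verify_by_key_alg), ("strict", verify_strict)):
        try:
            outcome[name] = "accepted sub=" + verifier(forged, jwk, {"HS256"})["sub"]
        except ValueError as exc:
            outcome[name] = f"rejected: {exc}"
    return outcome


if __name__ == "__main__":
    print(demo())
```

The allow-list check in `verify_by_key_alg` passes because it only ever looks at the header; the forbidden algorithm is selected one line later from the key. The fix is not a longer allow-list but a single source of truth for the algorithm: validate it from the header, require the key to be bound to it, and use that value for the primitive.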
Vulnrichment
added 2026/06/04 10:8 p.m. | 8 views

CVE-2024-27891

On affected platforms running Arista EOS with MACsec and egress ACLs configured on the same interfaces, the ACL policies may not be enforced for packets egressing on those ports. This can cause outgoing packets to incorrectly be allowed or denied...

CVSS 6.9 | AI score 5.5 | EPSS 0.00282
Exploits 0 | References 1
CVE
added 2026/06/04 9:51 p.m. | 23 views

CVE-2024-6858

In Arista EOS, CVE-2024-6858 affects multiple EOS releases (EOS 4.31.x, 4.30.x, 4.29.x, 4.28.x) where 802.1X is enabled and a fallback VLAN with an EAPOL-capable device can allow multi-auth unauthenticated hosts access to a switch port. Root cause: improper authentication handling when using dot1...

CVSS 6.5 | AI score 5.8 | EPSS 0.00143
Exploits 0 | References 1
Github Security Blog
added 2026/06/04 7:33 p.m. | 10 views

Shopware: Admin API ACL Bypass in Order State Transition Endpoints

Summary: This is a vertical authorization bypass in the Admin API affecting order state transition features /api/action/order/orderId/state/transition and similar transaction/delivery transition routes. The root cause is that the transition action routes do not declare required server-side ACL...

AI score 5.9 | EPSS 0.00041
Exploits 0 | References 4 | Affected Software 2
OSV
added 2026/06/04 7:27 p.m. | 7 views

GHSA-8V9P-G828-V98F Shopware: Admin Account Takeover via User Recovery Hash Exposure

Summary: A low-privilege admin user with the userrecovery:read ACL can take over any admin account. The attacker triggers password recovery for the victim (an unauthenticated endpoint), reads the recovery hash from the Admin API search endpoint, then uses the hash to reset the victim's password another...

CVSS 6.8 | AI score 5.8 | EPSS 0.00034
Exploits 0 | References 4
Github Security Blog
added 2026/06/04 7:27 p.m. | 9 views

Shopware: Admin Account Takeover via User Recovery Hash Exposure

Summary: A low-privilege admin user with the userrecovery:read ACL can take over any admin account. The attacker triggers password recovery for the victim (an unauthenticated endpoint), reads the recovery hash from the Admin API search endpoint, then uses the hash to reset the victim's password another...

AI score 5.8 | EPSS 0.00034
Exploits 0 | References 4 | Affected Software 2
OSV
added 2026/06/04 7:23 p.m. | 8 views

GHSA-GV8P-48FR-4FXG Shopware: Privilege Escalation via Sync API Integration Admin Flag Bypass

Summary: A non-admin API user with the integration:create ACL privilege can escalate to full administrator by creating an integration with admin: true through the Sync API POST /api/action/sync. The regular integration endpoint POST /api/integration correctly blocks this, but the Sync API bypasses the...

CVSS 6.5 | AI score 5.9 | EPSS 0.00034
Exploits 0 | References 4
Github Security Blog
added 2026/06/04 7:23 p.m. | 10 views

Shopware: Privilege Escalation via Sync API Integration Admin Flag Bypass

Summary: A non-admin API user with the integration:create ACL privilege can escalate to full administrator by creating an integration with admin: true through the Sync API POST /api/action/sync. The regular integration endpoint POST /api/integration correctly blocks this, but the Sync API bypasses the...

AI score 5.9 | EPSS 0.00034
Exploits 0 | References 4 | Affected Software 2
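The two Sync API entries above (OSV and the GitHub advisory) describe one defect pattern: a privileged field is blocked on the single-entity endpoint but not on the batch endpoint that writes the same entity. The model below is an added example, not Shopware's code: one `authorize_write` rule applied to both write paths, beside a batch handler that skips it. The request shape (a list of operations with `entity`, `action` and `payload`), the actor names and the `user.admin` field are assumptions for illustration; `integration.admin` is the field named in the advisory.

```python
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when an Admin API caller attempts a write its ACL does not permit."""


@dataclass
class Actor:
    name: str
    privileges: set = field(default_factory=set)
    is_admin: bool = False


# Entity fields only a full administrator may set. `integration.admin` is the
# field named in the advisory; `user.admin` is assumed here for illustration.
PRIVILEGED_FIELDS = {"integration": {"admin"}, "user": {"admin"}}


def authorize_write(actor: Actor, entity: str, payload: dict) -> None:
    """The one rule every write path must apply: entity-level ACL, plus a
    field-level check that a non-admin cannot grant admin rights."""
    if actor.is_admin:
        return
    if f"{entity}:create" not in actor.privileges:
        raise Forbidden(f"{actor.name} lacks {entity}:create")
    escalating = sorted(
        k for k, v in payload.items() if k in PRIVILEGED_FIELDS.get(entity, set()) and v
    )
    if escalating:
        raise Forbidden(f"{actor.name} may not set {entity}.{', '.join(escalating)}")


def create_integration(actor: Actor, payload: dict, store: list) -> None:
    """Regular endpoint (POST /api/integration): runs the full rule."""
    authorize_write(actor, "integration", payload)
    store.append({"entity": "integration", **payload})


def sync_unchecked(actor: Actor, operations: list, store: list) -> None:
    """Models the bypass: the batch endpoint checks only the entity-level
    privilege, never the payload fields, so `admin: true` is written as-is."""
    for op in operations:
        if not actor.is_admin and f"{op['entity']}:create" not in actor.privileges:
            raise Forbidden(f"{actor.name} lacks {op['entity']}:create")
        for item in op["payload"]:
            store.append({"entity": op["entity"], **item})


def sync_checked(actor: Actor, operations: list, store: list) -> None:
    """Fixed: every item in the batch goes through authorize_write, and nothing
    is written until the whole batch has passed."""
    for op in operations:
        for item in op["payload"]:
            authorize_write(actor, op["entity"], item)
    for op in operations:
        for item in op["payload"]:
            store.append({"entity": op["entity"], **item})


def demo() -> dict:
    """Constructed scenario: a non-admin actor holding only integration:create
    sends the same escalating payload through all three paths."""
    actor = Actor("ci-bot", {"integration:create"})
    payload = {"label": "ci", "admin": True}
    batch = [{"entity": "integration", "action": "upsert", "payload": [payload]}]
    outcome = {}
    for name, handler, args in (
        ("regular", create_integration, (actor, payload)),
        ("sync_unchecked", sync_unchecked, (actor, batch)),
        ("sync_checked", sync_checked, (actor, batch)),
    ):
        store = []
        try:
            handler(*args, store)
            outcome[name] = "written admin=%s" % store[-1]["admin"]
        except Forbidden as exc:
            outcome[name] = f"rejected: {exc}"
    return outcome


if __name__ == "__main__":
    for path, result in demo().items():
        print(f"{path:15s} {result}")
```

The point is where the check lives: a rule attached to one route protects only that route, so a second route writing the same entity (batch, import, sync) reopens the hole. Putting the field-level check in the write layer, and validating the whole batch before committing any of it, makes the two endpoints agree.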