
1235 matches found

EUVD
added 10 hours ago, 3 views

EUVD-2026-34657

Type Confusion in XML in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted XML file. Chromium security severity: Medium...

5.8 AI score
Exploits: 0, References: 3
EUVD
added 10 hours ago, 3 views

EUVD-2026-34630

Inappropriate implementation in XML in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to inject arbitrary scripts or HTML (UXSS) via a crafted XML file. Chromium security severity: Medium...

6 AI score
Exploits: 0, References: 3
EUVD
added 10 hours ago, 3 views

EUVD-2026-34484

Inappropriate implementation in Custom Tabs in Google Chrome on Android prior to 149.0.7827.53 allowed a local attacker to perform privilege escalation via a crafted XML file. Chromium security severity: Medium...

5.8 AI score
Exploits: 0, References: 3
EUVD
added 10 hours ago, 3 views

EUVD-2026-34469

Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted XML file. Chromium security severity: Medium...

5.8 AI score
Exploits: 0, References: 3
NVD
added yesterday, 3 views

CVE-2026-11196

Type Confusion in XML in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted XML file. Chromium security severity: Medium...

Exploits: 0, References: 2
NVD
added yesterday, 2 views

CVE-2026-11035

Inappropriate implementation in Custom Tabs in Google Chrome on Android prior to 149.0.7827.53 allowed a local attacker to perform privilege escalation via a crafted XML file. Chromium security severity: Medium...

Exploits: 0, References: 2
NVD
added yesterday, 2 views

CVE-2026-11020

Inappropriate implementation in Extensions in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to leak cross-origin data via a crafted XML file. Chromium security severity: Medium...

Exploits: 0, References: 2
CVE
added yesterday, 5 views

CVE-2026-11196

Google Chrome/Chromium contains a Type Confusion in XML handling that could allow a remote attacker to read potentially sensitive data from a process’s memory via a crafted XML file. Affected versions are before 149.0.7827.53; upgrading to 149.0.7827.53 or later mitigates the issue. The descripti...

5.8 AI score
Exploits: 0, References: 2
ATTACKERKB
added yesterday, 3 views

CVE-2026-11196

Type Confusion in XML in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted XML file. Chromium security severity: Medium...

5.8 AI score
Exploits: 0, References: 3, Affected Software: 1
Cvelist
added yesterday, 12 views

CVE-2026-11196

Type Confusion in XML in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted XML file. Chromium security severity: Medium...

Exploits: 0, References: 2
CVE
added yesterday, 4 views

CVE-2026-11169

CVE-2026-11169 concerns improper XML handling in Google Chrome before version 149.0.7827.53. The flaw is an incorrect implementation in Chrome’s XML processing, enabling a remote attacker to perform a UXSS-style attack by delivering a crafted XML file that injects arbitrary scripts or HTML. T...

6 AI score
Exploits: 0, References: 2
CVE
added yesterday, 6 views

CVE-2026-11035

This CVE concerns Google Chrome on Android via a flawed implementation in Custom Tabs. Prior to version 149.0.7827.53, an attacker could achieve local privilege escalation by supplying a crafted XML file. Affected component: Custom Tabs in Chrome for Android; root cause: inappropriate/incorrect i...

5.8 AI score
Exploits: 0, References: 2
Cvelist
added yesterday, 12 views

CVE-2026-11035

Inappropriate implementation in Custom Tabs in Google Chrome on Android prior to 149.0.7827.53 allowed a local attacker to perform privilege escalation via a crafted XML file. Chromium security severity: Medium...

Exploits: 0, References: 2
RedhatCVE
added yesterday, 6 views

CVE-2026-41401

A flaw was found in libyang. This heap use-after-free write vulnerability, specifically within the lydparsersetdataflags function, occurs when the software incorrectly updates metadata list pointers during the freeing of non-head default metadata entries. A remote attacker can exploit this by...

7.1 CVSS, 5.8 AI score, 0.00035 EPSS
Exploits: 0, References: 7
Positive Technologies
added yesterday, 7 views

PT-2026-46564

Inappropriate implementation in Custom Tabs in Google Chrome on Android prior to 149.0.7827.53 allowed a local attacker to perform privilege escalation via a crafted XML file. Chromium security severity: Medium...

5.8 AI score
Exploits: 0, References: 3
RedHat Linux
added 2 days ago, 6 views

Important: Red Hat Security Advisory: expat security update

An update for expat is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the...

7.5 CVSS, 5.8 AI score, 0.00011 EPSS
Exploits: 1, References: 2
RedHat Linux
added 2 days ago, 5 views

libexpat: denial of service via crafted XML input

A flaw was found in libexpat. When processing a specially crafted XML input containing a specific pattern of attributes, the parsing time increases quadratically due to checks for attribute name collisions. This consumes excessive CPU resources and eventually results in a denial of service...

7.5 CVSS, 5.8 AI score, 0.00011 EPSS
Exploits: 1, References: 5
OSV
added 2 days ago, 4 views

ALSA-2026:22721 Important: expat security update

Expat is a C library for parsing XML documents. Security Fixes: libexpat: denial of service via crafted XML input (CVE-2026-45186). For more details about the security issues, including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE pages listed in the...

7.5 CVSS, 5.8 AI score, 0.00011 EPSS
Exploits: 1, References: 4
Debian CVE
added 2026/05/26 2:8 p.m., 7 views

CVE-2026-41401

libyang before 5.2.6 contains a heap use-after-free write vulnerability in lydparsersetdataflags that incorrectly updates metadata list pointers when freeing non-head default metadata entries. Attackers can trigger this vulnerability by submitting crafted YANG XML documents with specific metadata...

7.1 CVSS, 5.9 AI score, 0.00035 EPSS
Exploits: 0
CVE
added 2026/05/26 11:43 a.m., 12 views

CVE-2026-7310

CVE-2026-7310: A heap-based buffer overflow exists in the XML parser functionality of HiDraw. An authenticated attacker with local access can trigger this via a specially crafted XML file, potentially causing memory corruption and arbitrary code execution. Reported impacts include application cra...

4.4 CVSS, 6.2 AI score, 0.00017 EPSS
Exploits: 0, References: 1