CVE-2026-11023
Inappropriate implementation in WebAppInstalls in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. Chromium security severity: Medium...
CVE-2026-11022
CVE-2026-11022 involves Google Chrome’s DevTools within the Chromium engine. The issue is “insufficient validation of untrusted input” in DevTools, before version 149.0.7827.53, allowing a remote attacker who has exploited the renderer process to bypass the same-origin policy via a crafted HTML p...
CVE-2026-11023
CVE-2026-11023 affects Google Chrome (Chrome/Chromium) prior to 149.0.7827.53. The issue is an inappropriate implementation in WebAppInstalls that, when a renderer process is compromised, enables bypass of the same-origin policy via a crafted HTML page. Root cause: questionable handling in WebApp...
CVE-2026-11016
CVE-2026-11016: Google Chrome suffers from insufficient validation of untrusted input in the Network component. The vulnerability allows a remote attacker who has compromised the renderer process to bypass the same-origin policy via a crafted HTML page, under Chrome versions prior to 149.0.7827....
CVE-2026-11016
Insufficient validation of untrusted input in Network in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. Chromium security severity: Medium...
CVE-2026-10996
Inappropriate implementation in Workers in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass same origin policy via a crafted HTML page. Chromium security severity: Medium...
CVE-2026-10996
The CVE-2026-10996 entry concerns Google Chrome’s Web Workers where an improper implementation allows a remote attacker to bypass the Same Origin Policy via a crafted HTML page. Affected product: Google Chrome (Workers). Root cause: incorrect Worker implementation enabling cross-origin bypass. Im...
CVE-2026-10980
The vulnerability CVE-2026-10980 affects Google Chrome DevTools and involves insufficient validation of untrusted input in DevTools. The issue allows a remote attacker who has compromised the renderer process to bypass the same-origin policy via a crafted HTML page, with the impact described as h...
CVE-2026-10980
Insufficient validation of untrusted input in DevTools in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. Chromium security severity: High...
CVE-2026-10937
Inappropriate implementation in Passwords in Google Chrome prior to 149.0.7827.53 allowed a remote attacker to bypass same origin policy via a crafted HTML page. Chromium security severity: High...
CVE-2026-10937
The CVE-2026-10937 entry concerns Google Chrome (Chromium-based) with an inappropriate implementation in Passwords that enables a remote attacker to bypass the same-origin policy via a crafted HTML page. Affected software: Chrome prior to version 149.0.7827.53 (production/stable channel). Impact:...
CVE-2026-10922
Insufficient validation of untrusted input in DevTools in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass same origin policy via malicious network traffic. Chromium security severity: High...
CVE-2026-10922
CVE-2026-10922 involves insufficient validation of untrusted input in Chrome/DevTools. The issue allows a remote attacker to bypass the same-origin policy if a user is induced to perform specific UI gestures, via malicious network traffic. Affected software is Google Chrome (DevTools) with versio...
CVE-2026-10912
CVE-2026-10912: Insufficient validation of untrusted input in Extensions in Google Chrome before 149.0.7827.53 allowed a remote attacker who had renderer access to bypass the same-origin policy via a crafted HTML page. Affected software: Google Chrome (Extensions). Root cause: insufficient input ...
CVE-2026-10912
Insufficient validation of untrusted input in Extensions in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to bypass same origin policy via a crafted HTML page. Chromium security severity: High...
Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection
Summary: The serialize function in hono/cookie validates domain and path options against characters that corrupt Set-Cookie header syntax (;, \r, \n), but does not apply the same validation to sameSite and priority. An application that passes user-controlled input into either option may produce a...
CVE-2026-43515
Improper Authorization vulnerability when multiple method constraints define an HTTP method for the same extension in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.21, from 10.1.0-M1 through 10.1.54, from 9.0.0.M1 through 9.0.117, from 8.5.0 through 8.5.100, from...
CVE-2026-43985
Tautulli (Python-based Plex monitoring) before v2.17.1 exposes the admin-changing endpoint /configUpdate without enforcing POST or anti-CSRF checks. In default form/JWT modes, the SameSite=Lax cookie permits top-level cross-site requests, enabling an attacker to coerce a logged-in admin to submit...
CVE-2026-43985 Tautulli has CSRF in /configUpdate via missing anti-CSRF and method restriction that allows admin credential takeover
Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Versions prior to 2.17.1 expose configUpdate as a state-changing administrator endpoint, but the route does not enforce POST and does not use any anti-CSRF token. In the default form and JWT-based authentication mode,...