CVE-2026-11255

Insufficient validation of untrusted input in Storage Access API in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. Chromium security severity: Low...

CVE-2026-10917

Insufficient validation of untrusted input in Media in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. Chromium security severity: High...

CVE-2026-11121

The CVE-2026-11121 entry concerns Google Chrome's Skia: insufficient validation of untrusted input in Chrome prior to 149.0.7827.53 allows a remote attacker who has compromised the renderer process to leak cross-origin data via a crafted HTML page. Affected component is Skia within Chrome; root c...

CVE-2026-11113

Insufficient validation of untrusted input in ANGLE in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. Chromium security severity: Medium...

CVE-2026-11098

CVE-2026-11098 describes insufficient validation of untrusted input in the GPU component of Google Chrome, leading to cross-origin data leakage when a renderer is compromised. Affected software: Google Chrome (GPU pipeline) prior to version 149.0.7827.53. Root cause: insufficient input validation...

CVE-2026-11046

Insufficient validation of untrusted input in Media in Google Chrome prior to 149.0.7827.53 allowed a remote attacker who had compromised the renderer process to execute arbitrary code inside a sandbox via a crafted HTML page. Chromium security severity: Medium...

CVE-2026-11027

CVE-2026-11027 affects Google Chrome prior to 149.0.7827.53. The issue is due to insufficient validation of untrusted input in Glic , allowing a remote attacker who has compromised the renderer process to leak cross-origin data via a crafted HTML page. The provided documents do not include explic...

flatpak: Flatpak: Arbitrary file deletion on host via improper cache file path validation

A flaw was found in Flatpak, a Linux application sandboxing and distribution framework. The caching mechanism for ld.so dynamic linker/loader improperly removes outdated cache files without adequately verifying that the application-controlled path to the outdated cache is within the designated...

matrix-sdk-ui: Incomplete edit validation

Impact The message edit validation logic in the matrix-sdk-ui crate before 0.16.1 is missing a check: when replacing an encrypted event, the replacement event itself is not required to be encrypted. This enables a malicious homeserver administrator or an actor with equivalent power to impersonate...

net/url: Incorrect parsing of IPv6 host literals in net/url

The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected this as invalid...

CVE-2026-10856

A URL validation flaw in the MISP dashboard button widget allowed a crafted relative-looking URL to be accepted as a local path while being interpreted by browsers as an external URL. The validation rejected URLs containing an explicit scheme, host, or user component, but did not reject paths...

CVE-2026-10856 Open redirect in MISP dashboard button widget URL handling

A URL validation flaw in the MISP dashboard button widget allowed a crafted relative-looking URL to be accepted as a local path while being interpreted by browsers as an external URL. The validation rejected URLs containing an explicit scheme, host, or user component, but did not reject paths...

EUVD-2025-210065

The HCL BigFix Cloud Lifecycle Management is affected by Lack Of Input Validation. It may leads to an information exposure vulnerability. This low-level flaw allows unauthorized access...

ownCloud Guests - User Enumeration

ownCloud Guests before 0.12.5 contains an unauthenticated user enumeration vulnerability caused by insufficient validation of the token in showPasswordForm at /apps/guests/register/email/token, letting unauthenticated attackers enumerate valid guest users, exploit requires no authentication. id:...

CVE-2026-20230

A vulnerability in Cisco Unified Communications Manager Unified CM and Cisco Unified Communications Manager Session Management Edition Unified CM SME could allow an unauthenticated, remote attacker to conduct server-side request forgery SSRF attacks through an affected device. This vulnerability ...

CVE-2026-6657 CORS Origin Validation Bypass in jupyter-server

A vulnerability in jupyter-server versions 1.12.0 through 2.17.0 allows an attacker to bypass CORS origin validation when the alloworiginpat configuration is used. The issue arises from the use of re.match for validating the Origin header, which only anchors at the start of the string. This allow...

CVE-2026-35076

The bac-scanresult method allows a remote attacker with user privileges to delete arbitrary local files due to insufficient validation of user-controlled input...

CVE-2026-42789

A flaw was found in Erlang OTP's publickey module. This vulnerability CWE-295, related to improper certificate validation, allows a non-Certificate Authority CA certificate to be accepted as an intermediate issuer. A remote attacker, holding an end-entity certificate issued by a trusted CA, can...

net/url: Incorrect parsing of IPv6 host literals in net/url

The Go standard library function net/url.Parse insufficiently validated the host/authority component and accepted some invalid URLs by effectively treating garbage before an IP-literal as ignorable. The function should have rejected this as invalid...

EUVD-2026-34077

The ugw-logstop method allows a remote attacker with user privileges to terminate arbitrary processes due to insufficient validation of user-supplied input...