Total CVEs

143,377

Critical Severity

4,061

High Severity

14,648

Last 7 Days

1,373
Quick preset (or use dates below)
Clear Filters
๐Ÿ“… Showing Year: 2026 (January 1 - December 31, 2026) View All Years โ†’
Showing 17,901 - 17,920 of 39,782 CVEs
CVE-2026-7348 HIGH - 8.8

Use after free in Codecs in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Vendor: google
Product: chrome
Published: Apr 28, 2026
Source: NVD
CVE-2026-7347 HIGH - 8.1

Use after free in Chromoting in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code via malicious network traffic. (Chromium security severity: High)

Vendor: google
Product: chrome
Published: Apr 28, 2026
Source: NVD
CVE-2026-7346 HIGH - 8.1

Inappropriate implementation in Tint in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)

Vendor: google
Product: chrome
Published: Apr 28, 2026
Source: NVD
CVE-2026-7345 HIGH - 8.3

Insufficient validation of untrusted input in Feedback in Google Chrome prior to 147.0.7727.138 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Vendor: google
Product: chrome
Published: Apr 28, 2026
Source: NVD
CVE-2026-7344 HIGH - 8.8

Use after free in Accessibility in Google Chrome on Windows prior to 147.0.7727.138 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

Vendor: google
Product: chrome
Published: Apr 28, 2026
Source: NVD
CVE-2026-7343 CRITICAL - 9.8

Use after free in Views in Google Chrome on Windows prior to 147.0.7727.138 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

Vendor: google
Product: chrome
Published: Apr 28, 2026
Source: NVD
CVE-2026-7342 HIGH - 8.8

Use after free in WebView in Google Chrome on Android prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Vendor: google
Product: chrome
Published: Apr 28, 2026
Source: NVD
CVE-2026-7341 HIGH - 8.8

Use after free in WebRTC in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Vendor: google
Product: chrome
Published: Apr 28, 2026
Source: NVD
CVE-2026-7340 MEDIUM - 4.3

Integer overflow in ANGLE in Google Chrome on Windows prior to 147.0.7727.138 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium)

Vendor: google
Product: chrome
Published: Apr 28, 2026
Source: NVD
CVE-2026-7339 HIGH - 8.8

Heap buffer overflow in WebRTC in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Medium)

Vendor: google
Product: chrome
Published: Apr 28, 2026
Source: NVD
CVE-2026-7338 HIGH - 7.5

Use after free in Cast in Google Chrome prior to 147.0.7727.138 allowed an attacker on the local network segment to potentially exploit heap corruption via malicious network traffic. (Chromium security severity: High)

Vendor: google
Product: chrome
Published: Apr 28, 2026
Source: NVD
CVE-2026-7337 HIGH - 8.8

Type Confusion in V8 in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Vendor: google
Product: chrome
Published: Apr 28, 2026
Source: NVD
CVE-2026-7336 HIGH - 8.8

Use after free in WebRTC in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Vendor: google
Product: chrome
Published: Apr 28, 2026
Source: NVD
CVE-2026-7335 HIGH - 8.8

Use after free in media in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)

Vendor: google
Product: chrome
Published: Apr 28, 2026
Source: NVD
CVE-2026-7334 HIGH - 8.8

Use after free in Views in Google Chrome on Mac prior to 147.0.7727.138 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Vendor: google
Product: chrome
Published: Apr 28, 2026
Source: NVD
CVE-2026-7333 CRITICAL - 9.6

Use after free in GPU in Google Chrome prior to 147.0.7727.138 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

Vendor: google
Product: chrome
Published: Apr 28, 2026
Source: NVD

Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.

Published: Apr 28, 2026
Source: NVD
CVE-2026-42167 HIGH - 8.1

mod_sql in ProFTPD before 1.3.10rc1 allows remote attackers to execute arbitrary code via a username, in scenarios where there is logging of USER requests with an expansion such as %U, and the SQL backend allows commands (e.g., COPY TO PROGRAM).

Vendor: ProFTPD
Product: ProFTPD
Published: Apr 28, 2026
Source: NVD
CVE-2026-40296 MEDIUM - 5.4

PhpSpreadsheet is a pure PHP library for reading and writing spreadsheet files. The HTML writer skips htmlspecialchars escaping when a cell's formatted value differs from the original value. When a cell has a custom number format containing the text placeholder @ along with any additional liter...

Vendor: composer
Product: phpoffice/phpspreadsheet
Published: Apr 28, 2026
Source: GitHub
CVE-2026-35579 HIGH - 7.5

CoreDNS is a DNS server written in Go. In versions prior to 1.14.3, the gRPC, QUIC, DoH, and DoH3 transport implementations incorrectly handle TSIG authentication. For gRPC and QUIC, the server checks whether the TSIG key name exists in the configuration but never calls dns.TsigVerify() to validate ...

Vendor: go
Product: github.com/coredns/coredns
Published: Apr 28, 2026
Source: GitHub