CVE & CISA-KEV Catalog

362,600 CVEs1,630 actively exploited (KEV)AboutAPI
Active:
  • CVSS -·EPSS -·No fix yet

    HTML::Gumbo versions before 0.19 for Perl disclose heap memory via type confusion. Support for the <template> element was added to libgumbo 0.10.0 in 2015, but the walk_tree function in lib/HTML/Gumbo.xs was not updated to support it. The element was treated as a text-node, where strlen() over-reads the heap block that the pointer addresses. Any caller that runs parse() with the default format => 'string', or with format => 'tree', on input containing a <template> element serializes the over-read bytes into the returned result, disclosing bounded heap contents. format => 'callback' reaches a croak on the unhandled node type and is unaffected.

    Published 2026-07-01

  • CVSS 6.5 v3·EPSS -·No fix yet

    Type Confusion in CSS in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to obtain potentially sensitive information from process memory via a crafted HTML page. (Chromium security severity: Low)

    Published 2026-06-30

  • CVSS 6.5 v3·EPSS -·No fix yet

    Type Confusion in Bluetooth in Google Chrome on Windows prior to 150.0.7871.47 allowed an attacker on the local network segment to obtain potentially sensitive information from process memory via a malicious peripheral. (Chromium security severity: Low)

    Published 2026-06-30

  • CVSS 8.8 v3·EPSS -·No fix yet

    Heap buffer overflow in V8 in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: Medium)

    Published 2026-06-30

  • CVSS 9.6 v3·EPSS -·No fix yet

    Type Confusion in ANGLE in Google Chrome prior to 150.0.7871.47 allowed a remote attacker to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Medium)

    Published 2026-06-30

  • CVSS 8.3 v3·EPSS -·No fix yet

    Type Confusion in Chrome Tabs in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: High)

    Published 2026-06-30

  • CVSS 9.8 v3·EPSS -·No fix yet

    Type Confusion in Dawn in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security severity: Critical)

    Published 2026-06-30

  • CVSS 7.5 v3·EPSS -·No fix yet

    An unauthenticated attacker can crash the worklist server with a single crafted query when the server has a valid Called AE Title / storage directory, the expected lockfile, and at least one matching worklist record.

    Published 2026-06-30

  • CVSS 8.8 v3·EPSS 0.3%·Fix available

    A type confusion issue was addressed with improved checks. This issue is fixed in Safari 26.5.2, iOS 26.5.2 and iPadOS 26.5.2, macOS Tahoe 26.5.2. Processing maliciously crafted web content may lead to memory corruption.

    Published 2026-06-29

  • CVSS 8.4 v4·EPSS 0.1%·No fix yet

    In AzeoTech DAQFactory versions 21.1 and prior, a Type Confusion vulnerability can be exploited by an attacker using specially crafted .ctl files which can result in code execution.

    Published 2026-06-18

  • CVSS 8.8 v3·EPSS 0.2%·No fix yet

    In ParsePayloads of AudioSdpParser.cpp, there is a possible memory corruption due to type confusion. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

    Published 2026-06-16

  • CVSS 5.4 v3·EPSS 0.3%·Fix available

    JIT miscompilation in the DOM: Core & HTML component. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Firefox ESR 115.37, Thunderbird 152, and Thunderbird 140.12.

    Published 2026-06-16

  • CVSS 5.4 v3·EPSS 0.3%·Fix available

    Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152, Firefox ESR 140.12, Thunderbird 152, and Thunderbird 140.12.

    Published 2026-06-16

  • CVSS 8.8 v3·EPSS 0.4%·Fix available

    This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

    Published 2026-06-15

  • CVSS 5.4 v4·EPSS 0.2%·Fix available

    LibreOffice Calc can import tracked changes from a spreadsheet document. A heap buffer overflow existed when a document reused the same change identifier for two different kinds of change. The importer then treated one change object as a different, larger type and wrote past the end of its allocation. In fixed versions records with a duplicate identifier are rejected.

    Published 2026-06-15

  • CVSS 5.4 v4·EPSS 0.1%·Fix available

    LibreOffice can import documents in the OOXML format (DOCX). A heap buffer overflow existed when replaying deferred parser events for a text box element. A handler object was assumed to be of one type and written to at that type's field layout, but it could be a smaller object, so the write landed past the end of the allocation. In fixed versions the type is checked before the write.

    Published 2026-06-15

  • CVSS 4.3 v3·EPSS 0.2%·No fix yet

    A flaw was found in 389 Directory Server. A type confusion in the SSO token extended operation handler causes partial stack address information to be disclosed in LDAP responses to authenticated users.

    Published 2026-06-09

  • CVSS 8.4 v3·EPSS 0.3%·Fix available

    Out-of-bounds read in Windows Hyper-V allows an unauthorized attacker to execute code locally.

    Published 2026-06-09

  • CVSS 8.1 v3·EPSS 0.5%·Fix available

    Use after free in Universal Plug and Play (upnp.dll) allows an unauthorized attacker to execute code over a network.

    Published 2026-06-09

  • CVSS 7.8 v3·EPSS 0.3%·Fix available

    Access of resource using incompatible type ('type confusion') in Windows Kernel-Mode Drivers allows an authorized attacker to elevate privileges locally.

    Published 2026-06-09

  • CVSS 8.4 v3·EPSS 0.4%·Fix available

    Access of resource using incompatible type ('type confusion') in Microsoft Office allows an unauthorized attacker to execute code locally.

    Published 2026-06-09

  • CVSS 7.8 v3·EPSS 0.4%·Fix available

    Integer underflow (wrap or wraparound) in Microsoft Office Excel allows an unauthorized attacker to execute code locally.

    Published 2026-06-09

  • CVSS 5.3 v3·EPSS 0.3%·No fix yet

    The Helpfulcrowd Product Reviews plugin for WordPress is vulnerable to Authorization Bypass via PHP Type Juggling in versions up to, and including, 1.2.9. This is due to the `helpfulcrowd_validate_token()` function using a loose comparison operator (`!=`) instead of a strict comparison (`!==`) when validating the `token` parameter, while the corresponding REST route `/wp-json/helpfulcrowd/v1/update-settings` is registered with a `permission_callback` of `__return_true`, making it reachable by unauthenticated users; submitting a JSON boolean `true` as the `token` value causes PHP's loose comparison to evaluate as equal to the non-empty base64-encoded secret string, bypassing the check entirely. This makes it possible for unauthenticated attackers to invoke `helpfulcrowd_settings_endpoint()`

    Published 2026-06-09

  • CVSS 7.3 v3·EPSS 0.3%·No fix yet

    A vulnerability was determined in USCiLab Cereal up to 1.3.2. Affected is an unknown function of the component Shared Pointer Handler. Executing a manipulation can lead to type confusion. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure.

    Published 2026-06-09

  • CVSS 6.5 v3·EPSS 0.2%·Fix available

    This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

    Published 2026-06-05

  • CVSS 8.8 v3·EPSS 0.3%·Fix available

    This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

    Published 2026-06-05

  • CVSS 8.8 v3·EPSS 0.4%·Fix available

    This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

    Published 2026-06-05

  • CVSS 8.8 v3·EPSS 0.4%·Fix available

    This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

    Published 2026-06-05

  • CVSS 8.8 v3·EPSS 0.4%·Fix available

    This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

    Published 2026-06-05

  • CVSS 9.6 v3·EPSS 0.3%·Fix available

    This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

    Published 2026-06-05

  • CVSS 8.8 v3·EPSS 0.4%·Fix available

    This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

    Published 2026-06-05

  • CVSS 8.8 v3·EPSS 0.4%·Fix available

    This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

    Published 2026-06-05

  • CVSS 4.4 v3·EPSS 0.2%·Fix available

    OP-TEE is a Trusted Execution Environment (TEE) designed as companion to a non-secure Linux kernel running on Arm; Cortex-A cores using the TrustZone technology. Starting in version 4.3.0 and prior to version 4.11.0, a type confusion vulnerability exists in OP-TEE OS when processing an FFA_MEM_SHARE request from the normal world. This only applies when OP-TEE is configured as an SPMC for S-EL0 SPs, that is, with `CFG_CORE_SEL1_SPMC=y` and `CFG_SECURE_PARTITION=y`. Version 4.11.0 fixes the issue.

    Published 2026-06-03

  • CVSS 7.3 v3·EPSS 0.3%·Fix available

    Cpanel::JSON::XS versions before 4.41 for Perl allow type confusion via duplicate object keys when dupkeys_as_arrayref is enabled. decode_hv() collapses duplicate object keys into an array reference under dupkeys_as_arrayref. The branch reached for a duplicate key tests `SvTYPE (old_value) != SVt_RV && SvTYPE (SvRV (old_value)) != SVt_PVAV`, which evaluates SvRV(old_value) before establishing that old_value is a reference. When the existing value is a plain scalar rather than an array reference, a non-reference scalar is dereferenced as a reference. A caller decoding untrusted JSON with dupkeys_as_arrayref enabled is crashed, and the incompatible access follows a pointer taken from attacker controlled scalar contents.

    Published 2026-06-03

  • CVSS 4.3 v3·EPSS 0.3%·Fix available

    JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 151.0.3.

    Published 2026-06-02

  • CVSS 4.5 v3·EPSS 0.1%·No fix yet

    NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. Prior to 0.24.14, aio->prov_data is stored as nni_quic_conn* during dialing, but read as ex_quic_conn* during dialer close. This type confusion causes invalid object interpretation and leads to close-path hang/crash behavior. This vulnerability is fixed in 0.24.14.

    Published 2026-05-29

  • CVSS 7.5 v3·EPSS 0.2%·Fix available

    This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

    Published 2026-05-29

  • CVSS 8.8 v3·EPSS 0.3%·Fix available

    This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

    Published 2026-05-29

  • CVSS 7.5 v3·EPSS 0.4%·Fix available

    free5GC is an open-source implementation of the 5G core network. Prior to 4.2.2, free5GC's NRF root SBI endpoint POST /oauth2/token contains a parser-level type-confusion bug family. The handler in NFs/nrf/internal/sbi/api_accesstoken.go reflects over models.NrfAccessTokenAccessTokenReq, special-cases only plain string and NrfNfManagementNfType fields, and treats every other field as if it were a single models.PlmnId. The parsed *models.PlmnId is then assigned with reflect.Value.Set() to whichever field name the attacker put in the form body, which panics whenever the destination field's real type is incompatible (slice, different struct, primitive). Gin recovery converts each panic into HTTP 500, but the endpoint remains remotely panicable from a single unauthenticated form-encoded reques

    Published 2026-05-27

  • CVSS 8.2 v3·EPSS 0.1%·Fix available

    Babel is a compiler for writing next generation JavaScript. From 7.12.0 to before 7.29.4 and 8.0.0-alpha.13, using Babel to compile code that was specifically crafted by an attacker can cause Babel to generate output code that executes arbitrary code. This vulnerability is fixed in 7.29.4 and 8.0.0-alpha.13.

    Published 2026-05-26

  • CVSS 7.5 v3·EPSS 1.8%·Fix available

    Multiple flaws have been identified in `named` related to the handling of DNS messages whose CLASS is not Internet (`IN`) — for example, `CHAOS` or `HESIOD`, or DNS messages that specify meta-classes (`ANY` or `NONE`) in the question section. Specially crafted requests reaching the affected code paths — recursion, dynamic updates (`UPDATE`), zone change notifications (`NOTIFY`), or processing of `IN`-specific record types in non-`IN` data — can cause assertion failures in `named`. This issue affects BIND 9 versions 9.11.0 through 9.16.50, 9.18.0 through 9.18.48, 9.20.0 through 9.20.22, 9.21.0 through 9.21.21, 9.11.3-S1 through 9.16.50-S1, 9.18.11-S1 through 9.18.48-S1, and 9.20.9-S1 through 9.20.22-S1.

    Published 2026-05-23

  • CVSS 7.5 v3·EPSS 0.3%·Fix available

    This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information.

    Published 2026-05-21

  • CVSS 6.5 v3·EPSS 0.3%·Fix available

    This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information

    Published 2026-05-15

  • CVSS 3.1 v3·EPSS 0.2%·Fix available

    This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information

    Published 2026-05-15

  • CVSS 8.8 v3·EPSS 0.3%·Fix available

    This CVE was assigned by Chrome. Microsoft Edge (Chromium-based) ingests Chromium, which addresses this vulnerability. Please see Google Chrome Releases for more information

    Published 2026-05-15

  • CVSS -·EPSS 0.3%·Fix available

    A type confusion vulnerability in Qt SVG allows an attacker to cause an application crash via a crafted SVG image. When processing SVG marker references, the renderer retrieves a node by its id attribute and casts it to QSvgMarker* without verifying the node type. A non-marker element (such as a <line> element) that references itself as a marker triggers an out-of-bounds heap read due to the object size difference between QSvgLine and QSvgMarker, followed by an endless recursion that bypasses the marker recursion guard through incorrect virtual dispatch. The result is an application crash (denial of service). This issue affects Qt SVG: from 6.7.0 before 6.8.8, from 6.9.0 before 6.11.1.

    Published 2026-05-13

  • CVSS 8.8 v3·EPSS 0.3%·Fix available

    JIT miscompilation in the JavaScript Engine: JIT component. This vulnerability was fixed in Firefox 150.0.3.

    Published 2026-05-12

  • CVSS 8.4 v3·EPSS 4.4%·Fix available

    Access of resource using incompatible type ('type confusion') in Microsoft Office Word allows an unauthorized attacker to execute code locally.

    Published 2026-05-12

  • CVSS 7.8 v3·EPSS 0.3%·Fix available

    Use after free in Windows Win32K - GRFX allows an authorized attacker to elevate privileges locally.

    Published 2026-05-12

  • CVSS 7.8 v3·EPSS 0.3%·Fix available

    Access of resource using incompatible type ('type confusion') in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.

    Published 2026-05-12

Uses NVD data but is not endorsed or certified by the NVD. EPSS scores courtesy of FIRST.org (https://www.first.org/epss). Source: CISA KEV Catalog.