Filtered by vendor Google
Subscriptions
Filtered by product Android
Subscriptions
Total
9065 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-59403 | 2 Flocksafety, Google | 6 Bravo Edge Ai Compute Device, Collins, Falcon and 3 more | 2025-11-24 | 9.8 Critical |
| The Flock Safety Android Collins application (aka com.flocksafety.android.collins) 6.35.31 for Android lacks authentication. It is responsible for the camera feed on Falcon, Sparrow, and Bravo devices, but exposes administrative API endpoints on port 8080 without authentication. Endpoints include but are not limited to: /reboot, /logs, /crashpack, and /adb/enable. This results in multiple impacts including denial of service (DoS) via /reboot, information disclosure via /logs, and remote code execution (RCE) via /adb/enable. The latter specifically results in adb being started over TCP without debugging confirmation, providing an attacker in the LAN/WLAN with shell access. | ||||
| CVE-2025-59405 | 2 Flocksafety, Google | 6 Bravo Edge Ai Compute Device, Falcon, Flock Safety and 3 more | 2025-11-24 | 7.5 High |
| The Flock Safety Peripheral com.flocksafety.android.peripheral application 7.38.3 for Android (installed on Falcon and Sparrow License Plate Readers and Bravo Edge AI Compute Devices) contains a cleartext DataDog API key within in its codebase. Because application binaries can be trivially decompiled or inspected, attackers can recover the OAuth secret without special privileges. This secret is intended to remain confidential and should never be embedded directly in client-side software. | ||||
| CVE-2025-12908 | 1 Google | 2 Android, Chrome | 2025-11-21 | 5.4 Medium |
| Insufficient validation of untrusted input in Downloads in Google Chrome on Android prior to 140.0.7339.80 allowed a remote attacker to perform domain spoofing via a crafted HTML page. (Chromium security severity: Low) | ||||
| CVE-2024-11919 | 1 Google | 2 Android, Chrome | 2025-11-17 | 4.3 Medium |
| Inappropriate implementation in Intents in Google Chrome on Android prior to 129.0.6668.58 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | ||||
| CVE-2025-13102 | 1 Google | 2 Android, Chrome | 2025-11-17 | 4.3 Medium |
| Inappropriate implementation in WebApp Installs in Google Chrome on Android prior to 134.0.6998.35 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | ||||
| CVE-2025-12729 | 1 Google | 2 Android, Chrome | 2025-11-14 | 4.2 Medium |
| Inappropriate implementation in Omnibox in Google Chrome on Android prior to 142.0.7444.137 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | ||||
| CVE-2025-11209 | 1 Google | 2 Android, Chrome | 2025-11-13 | 8.2 High |
| Inappropriate implementation in Omnibox in Google Chrome on Android prior to 141.0.7390.54 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page. (Chromium security severity: Medium) | ||||
| CVE-2025-11213 | 1 Google | 2 Android, Chrome | 2025-11-13 | 6.3 Medium |
| Inappropriate implementation in Omnibox in Google Chrome on Android prior to 141.0.7390.54 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform domain spoofing via a crafted HTML page. (Chromium security severity: Medium) | ||||
| CVE-2025-12435 | 1 Google | 2 Android, Chrome | 2025-11-13 | 5.4 Medium |
| Incorrect security UI in Omnibox in Google Chrome on Android prior to 142.0.7444.59 allowed a remote attacker to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium) | ||||
| CVE-2025-12447 | 1 Google | 2 Android, Chrome | 2025-11-13 | 4.2 Medium |
| Incorrect security UI in Omnibox in Google Chrome on Android prior to 142.0.7444.59 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low) | ||||
| CVE-2023-21282 | 1 Google | 1 Android | 2025-11-04 | 8.8 High |
| In TRANSPOSER_SETTINGS of lpp_tran.h, there is a possible out of bounds write due to an incorrect bounds check. This could lead to remote code execution with no additional execution privileges needed. User interaction is needed for exploitation. | ||||
| CVE-2020-0279 | 1 Google | 1 Android | 2025-11-04 | 6.5 Medium |
| In the AAC parser, there is a possible out of bounds read due to a missing bounds check. This could lead to remote information disclosure with no additional execution privileges needed. User interaction is needed for exploitation.Product: AndroidVersions: Android-11Android ID: A-131430997 | ||||
| CVE-2019-9283 | 1 Google | 1 Android | 2025-11-04 | 6.5 Medium |
| In AAC Codec, there is a possible resource exhaustion due to improper input validation. This could lead to remote denial of service with no additional execution privileges needed. User interaction is needed for exploitation. Product: AndroidVersions: Android-10Android ID: A-112663564 | ||||
| CVE-2023-45866 | 7 Apple, Bluproducts, Canonical and 4 more | 17 Ipados, Iphone Os, Iphone Se and 14 more | 2025-11-04 | 6.3 Medium |
| Bluetooth HID Hosts in BlueZ may permit an unauthenticated Peripheral role HID Device to initiate and establish an encrypted connection, and accept HID keyboard reports, potentially permitting injection of HID messages when no user interaction has occurred in the Central role to authorize such access. An example affected package is bluez 5.64-0ubuntu1 in Ubuntu 22.04LTS. NOTE: in some cases, a CVE-2020-0556 mitigation would have already addressed this Bluetooth HID Hosts issue. | ||||
| CVE-2023-52160 | 6 Debian, Fedoraproject, Google and 3 more | 7 Debian Linux, Fedora, Android and 4 more | 2025-11-04 | 6.5 Medium |
| The implementation of PEAP in wpa_supplicant through 2.10 allows authentication bypass. For a successful attack, wpa_supplicant must be configured to not verify the network's TLS certificate during Phase 1 authentication, and an eap_peap_decrypt vulnerability can then be abused to skip Phase 2 authentication. The attack vector is sending an EAP-TLV Success packet instead of starting Phase 2. This allows an adversary to impersonate Enterprise Wi-Fi networks. | ||||
| CVE-2024-50302 | 4 Debian, Google, Linux and 1 more | 11 Debian Linux, Android, Linux Kernel and 8 more | 2025-11-04 | 5.5 Medium |
| In the Linux kernel, the following vulnerability has been resolved: HID: core: zero-initialize the report buffer Since the report buffer is used by all kinds of drivers in various ways, let's zero-initialize it during allocation to make sure that it can't be ever used to leak kernel memory via specially-crafted report. | ||||
| CVE-2018-9466 | 1 Google | 1 Android | 2025-11-03 | 8.8 High |
| In the xmlSnprintfElementContent function of valid.c, there is a possible out of bounds write. This could lead to remote escalation of privilege in an unprivileged app with no additional execution privileges needed. User interaction is needed for exploitation. | ||||
| CVE-2024-9956 | 1 Google | 2 Android, Chrome | 2025-11-03 | 7.8 High |
| Inappropriate implementation in WebAuthentication in Google Chrome on Android prior to 130.0.6723.58 allowed a local attacker to perform privilege escalation via a crafted HTML page. (Chromium security severity: Medium) | ||||
| CVE-2025-41110 | 3 Ghost Robotics, Ghostrobotics, Google | 4 Vision 60, Vision 60, Vision 60 Firmware and 1 more | 2025-10-30 | 8.8 High |
| Encrypted WiFi and SSH credentials were found in the Ghost Robotics Vision 60 v0.27.2 APK. This vulnerability allows an attacker to connect to the robot's WiFi and view all its data, as it runs on ROS 2 without default authentication. In addition, the attacker can connect via SSH and gain full control of the robot, which could cause physical damage to the robot itself or its environment. | ||||
| CVE-2022-22265 | 2 Google, Samsung | 2 Android, Exynos | 2025-10-30 | 5 Medium |
| An improper check or handling of exceptional conditions in NPU driver prior to SMR Jan-2022 Release 1 allows arbitrary memory write and code execution. | ||||