Vulnerability intelligence

CVE-2026-11645 is an out-of-bounds read and write vulnerability found in the V8 JavaScript engine of Google Chrome. This flaw allows a remote attacker to execute arbitrary code within the browser's sandbox by enticing a user to visit a specially crafted HTML page. The vulnerability affects Google Chrome versions prior to 149.0.7827.103, as well as other Chromium-based browsers that utilize the V8 engine. Google has confirmed that an exploit for CVE-2026-11645 exists and is being actively used in the wild.

CVE-2026-20245 is a command injection vulnerability found in the command-line interface (CLI) of Cisco Catalyst SD-WAN Manager, previously known as SD-WAN vManage. This flaw arises from insufficient validation of user-supplied input, allowing an authenticated attacker with netadmin privileges to upload a specially crafted file. Upon successful exploitation, the attacker can execute arbitrary commands as root on the affected system. Cisco has observed limited instances of this vulnerability being exploited in the wild, with some cases resulting in configuration changes being pushed to edge devices. It is noted that the required netadmin privileges can be obtained either through valid credentials or by leveraging other vulnerabilities, such as CVE-2026-20182 or CVE-2026-20127.

CVE-2026-7473 describes a vulnerability affecting Arista EOS platforms that have a tunnel decapsulation configuration enabled. This includes configurations such as VXLAN (Virtual Extensible LAN), decap-groups, or a GRE (Generic Routing Encapsulation) tunnel interface. The core issue is that the affected switch will incorrectly decapsulate and forward unexpected tunneled packets if their destination IP matches the configured decapsulation IP. This vulnerability arises because the switch fails to verify the tunnel protocol type, which can lead to the processing of non-configured tunnel traffic. This issue has been reported as being actively exploited in the wild and is included in CISA's Known Exploited Vulnerabilities Catalog.

CVE-2026-20245 is a command injection vulnerability found in the command-line interface (CLI) of Cisco Catalyst SD-WAN Manager, previously known as SD-WAN vManage. This flaw arises from insufficient validation of user-supplied input, allowing an authenticated attacker with netadmin privileges to upload a specially crafted file. Upon successful exploitation, the attacker can execute arbitrary commands as root on the affected system. Cisco has observed limited instances of this vulnerability being exploited in the wild, with some cases resulting in configuration changes being pushed to edge devices. It is noted that the required netadmin privileges can be obtained either through valid credentials or by leveraging other vulnerabilities, such as CVE-2026-20182 or CVE-2026-20127.

CVE-2026-7473 describes a vulnerability affecting Arista EOS platforms that have a tunnel decapsulation configuration enabled. This includes configurations such as VXLAN (Virtual Extensible LAN), decap-groups, or a GRE (Generic Routing Encapsulation) tunnel interface. The core issue is that the affected switch will incorrectly decapsulate and forward unexpected tunneled packets if their destination IP matches the configured decapsulation IP. This vulnerability arises because the switch fails to verify the tunnel protocol type, which can lead to the processing of non-configured tunnel traffic. This issue has been reported as being actively exploited in the wild and is included in CISA's Known Exploited Vulnerabilities Catalog.

CVE-2026-11645 is an out-of-bounds read and write vulnerability found in the V8 JavaScript engine of Google Chrome. This flaw allows a remote attacker to execute arbitrary code within the browser's sandbox by enticing a user to visit a specially crafted HTML page. The vulnerability affects Google Chrome versions prior to 149.0.7827.103, as well as other Chromium-based browsers that utilize the V8 engine. Google has confirmed that an exploit for CVE-2026-11645 exists and is being actively used in the wild.