CWE-693— Protection Mechanism Failure
The product does not use or incorrectly uses a protection mechanism that provides sufficient defense against directed attacks against the product.— MITRE CWE catalog
588 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-693page 12 of 12
- CVE-2026-5896MEDIUMCVSS 6.1EG 6.12026-04-08
Policy bypass in Audio in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass sandbox download restrictions via a crafted HTML page. (Chromium security severity: L…
- CVE-2026-5900MEDIUMCVSS 4.3EG 4.32026-04-08
Policy bypass in Downloads in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to bypass of multi-download protections via a crafted HTML page. (Chromium security severity: Low)
- CVE-2026-5903MEDIUMCVSS 6.5EG 6.52026-04-08
Policy bypass in IFrameSandbox in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who convinced a user to engage in specific UI gestures to bypass navigation restrictions via a crafted HTML page. (Chromium security severity:…
- CVE-2026-5911MEDIUMCVSS 4.3EG 4.32026-04-08
Policy bypass in ServiceWorkers in Google Chrome prior to 147.0.7727.55 allowed a remote attacker to bypass content security policy via a crafted HTML page. (Chromium security severity: Low)
- CVE-2026-59207MEDIUMCVSS 6.5EG 6.52026-07-09
n8n is an open source workflow automation platform. Prior to 2.27.4 and 2.28.1, the AI Agents feature did not enforce the Allowed HTTP Request Domains restriction configured on credentials when an MCP tool was pointed at an arbitrary URL, …
- CVE-2026-59223MEDIUMCVSS 4.3EG 4.32026-07-09
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, WEB_FETCH_FILTER_LIST matching compared configured host entries against URL strings and non-label-boundary suffixes, allowing path-based…
- CVE-2026-59854MEDIUMCVSS 4.9EG 4.92026-07-09
SiYuan is an open-source personal knowledge management system. Prior to 3.7.1, POST /api/file/globalCopyFiles accepts attacker-supplied absolute source paths and relies on util.IsSensitivePath in kernel/util/path.go, whose denylist misses …
- CVE-2026-60086MEDIUMCVSS 5.3EG 5.32026-07-10
PraisonAI before 4.6.78 contains a prompt injection defense bypass vulnerability where the injection defense only blocks threats classified as CRITICAL, requiring three or more detector families to match simultaneously. Attackers can craft…
- CVE-2026-61437HIGHCVSS 7.8EG 7.82026-07-10
PraisonAI (pip package praisonaiagents) before 1.6.78 contains an unsafe dynamic module loading vulnerability in AgentFlow._resolve_pydantic_class (src/praisonai-agents/praisonaiagents/workflows/workflows.py). When a workflow step uses a s…
- CVE-2026-6763MEDIUMCVSS 6.5EG 6.52026-04-21
Mitigation bypass in the File Handling component. This vulnerability was fixed in Firefox 150, Firefox ESR 140.10, Thunderbird 150, and Thunderbird 140.10.
- CVE-2026-6774MEDIUMCVSS 5.4EG 5.42026-04-21
Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 150 and Thunderbird 150.
- CVE-2026-7909LOWCVSS 3.1EG 3.12026-05-06
Inappropriate implementation in ServiceWorker in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: High)
- CVE-2026-7913HIGHCVSS 7.8EG 7.82026-05-06
Insufficient policy enforcement in DevTools in Google Chrome on Android prior to 148.0.7778.96 allowed a local attacker to perform privilege escalation via a malicious file. (Chromium security severity: High)
- CVE-2026-7932MEDIUMCVSS 4.4EG 4.42026-05-06
Insufficient policy enforcement in Downloads in Google Chrome prior to 148.0.7778.96 allowed a local attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)
- CVE-2026-7937LOWCVSS 3.1EG 3.12026-05-06
Insufficient policy enforcement in DevTools in Google Chrome prior to 148.0.7778.96 allowed an attacker who convinced a user to install a malicious extension to bypass navigation restrictions via a crafted Chrome Extension. (Chromium secur…
- CVE-2026-7946MEDIUMCVSS 4.3EG 4.32026-05-06
Insufficient policy enforcement in WebUI in Google Chrome on Linux, Mac, Windows, ChromeOS prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromiu…
- CVE-2026-7952MEDIUMCVSS 4.2EG 4.22026-05-06
Insufficient policy enforcement in Extensions in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass discretionary access control via a crafted HTML page. (Chromium security sev…
- CVE-2026-7959LOWCVSS 3.1EG 3.12026-05-06
Inappropriate implementation in Navigation in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass site isolation via a crafted HTML page. (Chromium security severity: Medium)
- CVE-2026-7963HIGHCVSS 8.3EG 8.32026-05-06
Inappropriate implementation in ServiceWorker in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium security se…
- CVE-2026-7978HIGHCVSS 8.1EG 8.12026-05-06
Inappropriate implementation in Companion in Google Chrome on Mac prior to 148.0.7778.96 allowed a remote attacker to perform OS-level privilege escalation via malicious network traffic. (Chromium security severity: Medium)
- CVE-2026-8004MEDIUMCVSS 4.3EG 4.32026-05-06
Insufficient policy enforcement in DevTools in Google Chrome prior to 148.0.7778.96 allowed an attacker who convinced a user to install a malicious extension to leak cross-origin data via a crafted Chrome Extension. (Chromium security seve…
- CVE-2026-8009MEDIUMCVSS 5.0EG 5.02026-05-06
Inappropriate implementation in Cast in Google Chrome prior to 148.0.7778.96 allowed a remote attacker who had compromised the renderer process to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Low)
- CVE-2026-8011MEDIUMCVSS 4.3EG 4.32026-05-06
Insufficient policy enforcement in Search in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
- CVE-2026-8014MEDIUMCVSS 4.3EG 4.32026-05-06
Inappropriate implementation in Preload in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
- CVE-2026-8018HIGHCVSS 8.1EG 8.12026-05-06
Insufficient policy enforcement in DevTools in Google Chrome prior to 148.0.7778.96 allowed a remote attacker to potentially perform a sandbox escape via malicious network traffic. (Chromium security severity: Low)
- CVE-2026-8401CRITICALCVSS 9.8EG 9.82026-05-12
Sandbox escape in the Profile Backup component. This vulnerability was fixed in Firefox 150.0.3, Firefox ESR 115.36, Firefox ESR 140.11, and Thunderbird 140.11.
- CVE-2026-8563MEDIUMCVSS 4.3EG 4.32026-05-14
Insufficient policy enforcement in IFrame Sandbox in Google Chrome on Windows prior to 148.0.7778.168 allowed a remote attacker to bypass navigation restrictions via a crafted HTML page. (Chromium security severity: Medium)
- CVE-2026-8571HIGHCVSS 8.3EG 8.32026-05-14
Insufficient policy enforcement in GPU in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to potentially perform a sandbox escape via a crafted HTML page. (Chromium securi…
- CVE-2026-8572LOWCVSS 3.1EG 3.12026-05-14
Insufficient policy enforcement in Network in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to leak cross-origin data via a crafted HTML page. (Chromium security severit…
- CVE-2026-8583MEDIUMCVSS 5.3EG 5.32026-05-14
Insufficient policy enforcement in WebXR in Google Chrome on Android prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to obtain potentially sensitive information from process memory via a crafted H…
- CVE-2026-8585HIGHCVSS 7.5EG 7.52026-05-14
Inappropriate implementation in Media in Google Chrome on iOS prior to 148.0.7778.168 allowed a remote attacker who had compromised the renderer process to perform an out of bounds memory read via a crafted HTML page. (Chromium security se…
- CVE-2026-8945HIGHCVSS 7.5EG 7.52026-05-19
Sandbox escape in Firefox and Firefox Focus for Android. This vulnerability was fixed in Firefox 151.
- CVE-2026-8958HIGHCVSS 8.6EG 8.62026-05-19
Information disclosure, sandbox escape in the Security: Process Sandboxing component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
- CVE-2026-8959CRITICALCVSS 9.6EG 9.62026-05-19
Sandbox escape due to incorrect boundary conditions in the Widget: Win32 component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
- CVE-2026-8962HIGHCVSS 8.1EG 8.12026-05-19
Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 151, Firefox ESR 140.11, Thunderbird 151, and Thunderbird 140.11.
- CVE-2026-8969HIGHCVSS 8.1EG 8.12026-05-19
Mitigation bypass in the DOM: Security component. This vulnerability was fixed in Firefox 151 and Thunderbird 151.
- CVE-2026-9115MEDIUMCVSS 4.3EG 4.32026-05-20
Insufficient policy enforcement in Service Worker in Google Chrome on prior to 148.0.7778.179 allowed a remote attacker to bypass same origin policy via a crafted HTML page. (Chromium security severity: High)
- CVE-2026-9116MEDIUMCVSS 4.3EG 4.32026-05-20
Insufficient policy enforcement in ServiceWorker in Google Chrome on prior to 148.0.7778.179 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)
Map vulnerabilities like CWE-693 to your infrastructure
EchelonGraph correlates every CVE — across CWE-693 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →