CVE-2019-25718
Dräger Infinity Explorer C700 contains a privilege escalation vulnerability that allows attackers to break out of kiosk mode and access the
CVSS
8.4
Alto
EPSS
0.1%
p2
KEV
—
Exploit Today
1
0-100
Publicado: 1 jun 2026 · Última mod.: 30 jun 2026 · CWE-451
0.1%EPSS · 30 días0.1%
2026-06-302026-07-16
Dräger Infinity Explorer C700 contains a privilege escalation vulnerability that allows attackers to break out of kiosk mode and access the underlying operating system through a specific dialog interaction. Attackers can exploit this kiosk escape to take control of the operating system and cause the device to display incorrect or no information from the connected Delta Family patient monitor.
CVECVSSEPSSKEVRExplotTítuloVis.
CVE-2026-38616.5 MED22.4%
——7LINE client for iOS versions prior to 26.3.0 contains a vulnerability in the in-app browser where opening a crafted web page can repeatedly trigger OS-level dialogs due to insufficient safeguards when handling arbitrary URL schemes, potentially causing the iOS device to become temporarily inoperable.9dCVE-2026-450646.1 MED21.2%
——6Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 6.1.0-BETA1 until 6.4.40, 7.4.12, and 8.0.12, UrlSanitizer::parse() passes Unicode explicit-direction BiDi formatting characters through into sanitized href and src attributes, allowing sanitized content to display a link destination that visually differs from the actual destination and enabling phishing-style visual spoofing. This issue is fixed in versions 6.4.40, 7.4.12, and 8.0.12.2dCVE-2026-138926.5 MED20.2%
——6Inappropriate implementation in Chrome for iOS in Google Chrome on iOS prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: Medium)16dCVE-2026-487606.1 MED17.8%
——5Symfony is a PHP framework for web and console applications and a set of reusable PHP components. From 6.1.0 until 6.4.41, 7.4.13, and 8.0.13, UrlSanitizer::parse() rejected raw BiDi formatting characters but not percent-encoded forms and used an ASCII-only whitespace check, allowing sanitized URLs to retain visual-spoofing characters that downstream consumers could decode or display. This issue is fixed in versions 6.4.41, 7.4.13, and 8.0.13.2dCVE-2026-139856.5 MED16.9%
——5Inappropriate implementation in MediaCapture in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who had compromised the renderer process to perform UI spoofing via a crafted HTML page. (Chromium security severity: Medium)15dCVE-2026-45150—16.6%
——5Zen is a firefox-based browser. Prior to 1.19.13b, Zen Browser did not provide a persistent, clearly visible security notification when a webpage entered fullscreen mode, allowing an attacker-controlled page to hide the real browser UI and origin information, imitate a trusted website UI, and combine with long-domain URL eliding to spoof a trusted origin for phishing and credential theft. This issue is fixed in version 1.19.13b.1d