Google — community ground truth

3 notable / known-exploited Google CVEs the community has triaged.

ⓘ Not an exhaustive list — we focus on the findings that matter (exploited / notable). For every Google CVE, see NVD ↗.

CVE-2014-0497CVSS 9.8KEVEPSS 100%
Integer underflow in Adobe Flash Player before 11.7.700.261 and 11.8.x through 12.0.x before 12.0.0.44 on Windows and Mac OS X, and before 11.2.202.336 on Linux, allows remote attackers to execute arbitrary code via unspecified vectors.
CVE-2016-1646CVSS 8.8KEVEPSS 45%
The Array.prototype.concat implementation in builtins.cc in Google V8, as used in Google Chrome before 49.0.2623.108, does not properly consider element data types, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via crafted JavaScript code.
CVE-2026-3910CVSS 8.8KEVEPSS 2%
Inappropriate implementation in V8 in Google Chrome prior to 146.0.7680.75 allowed a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. (Chromium security severity: High)