Google released emergency Chrome patches for two actively exploited zero-days: CVE-2026-3909 (out-of-bounds write in Skia graphics library) and CVE-2026-3910 (inappropriate implementation in V8 JavaScript engine). Both vulnerabilities are being actively exploited in the wild, marking Chrome's third zero-day under attack in 2026.
Google released patches for two high-severity zero-day vulnerabilities in Chrome affecting the Skia graphics library and V8 engine that were actively exploited in the wild. CVE-2026-3909 is an out-of-bounds write in Skia with CVSS 8.8 triggered via crafted HTML.
Google released emergency patches for two actively exploited Chrome zero-days: CVE-2026-3909 (out-of-bounds write in Skia graphics library enabling code execution) and CVE-2026-3910 (inappropriate V8 JavaScript engine implementation). Both vulnerabilities were patched by Google within two days of their discovery.
This opinion piece critiques Brave's decision to enable Media Router (Casting) by default on desktop without explicit user consent, arguing that automatic device discovery via SSDP/UPnP expands attack surface and contradicts the browser's privacy-first branding.
A CORS misconfiguration in Twitter's Niche platform allowed attackers to bypass origin validation by leveraging subdomain prefix matching (niche.co.evil.net) to steal private user data, including images, emails, and CSRF tokens synced from Facebook, Instagram, and Twitter. The vulnerability was demonstrated with a simple JavaScript proof of concept that exfiltrated sensitive information when visited by logged-in users.
A CORS misconfiguration vulnerability in which the server's origin validation logic uses flawed regex/string matching that accepts malformed Origin headers (e.g., 'private1com' instead of 'private.com'), allowing an attacker to register a lookalike domain and exfiltrate credentials and private information via a crafted CORS-enabled request.
A researcher documents discovering multiple MIME sniffing-dependent XSS vulnerabilities at Google by exploiting improper Content-Type headers and missing X-Content-Type-Options: nosniff headers, earning thousands in bounties while exploring how browsers may interpret non-HTML content as executable code.