Google patched two actively exploited Chrome zero-days: CVE-2026-3909 (out-of-bounds write in the Skia graphics library enabling code execution) and CVE-2026-3910 (V8 JavaScript engine vulnerability). Both were discovered by Google and fixed within days, with technical details withheld until a majority of users are patched.
A CSP bypass vulnerability in Microsoft Edge (CVE-2017-0135) where attackers could abuse the XSS filter's default mode to disable meta-tag-based CSP policies by appending malicious meta elements as URL parameters, causing the filter to neuter the legitimate CSP declaration and allow script execution.
A Medium-severity XSS vulnerability in an article embedding feature that exploits the Referer header value being reflected in the response body without proper sanitization. The attack succeeds only in Internet Explorer due to its lack of URL encoding in the Referer header, allowing script injection via a malicious referrer URL.
CVE-2019-17004 is a semi-universal XSS vulnerability in Firefox for iOS that allowed attackers to execute JavaScript on arbitrary origins by exploiting insufficient checks on JavaScript execution via Location response headers, originating from the bookmarklets functionality. The vulnerability was also found in Brave for iOS and both vendors patched it after responsible disclosure.