Chromium JavaScript background RCE flaw
Vulnerability
Summary
Hide ▲
Show ▼
The unfixed Chromium flaw keeps JavaScript running after the browser is closed, creating remote code execution risk across Chromium-based browsers. A malicious site can abuse a Service Worker that never terminates, potentially turning a single visit into persistent background execution. The issue was already acknowledged as valid in December 2022, yet it was still reproducible in Chrome Dev 150 and Edge 148 when retested on May 20. Because the leaked details describe a workable path to silent browser compromise, exposure could make abuse much easier.
Related Happenings
Google Dialogflow CX Code Blocks shared-runtime isolation security flaw
Vulnerability
H score32
First: 07.07.2026 19:37
Last: 07.07.2026 19:37
Sources 1
About this happening:
**Google Dialogflow CX Code Blocks** had a shared-runtime isolation flaw that could let one editable agent affect other **Code Block-enabled agents** in the same **Google Cloud pr...
Google Dialogflow CX Code Blocks shared-runtime isolation security flaw
VulnerabilityAbout this happening: **Google Dialogflow CX Code Blocks** had a shared-runtime isolation flaw that could let one editable agent affect other **Code Block-enabled agents** in the same **Google Cloud pr...
Opera GX browser GX Mods auto-install CSS injection patched security flaw
Vulnerability
H score21
First: 06.07.2026 17:15
Last: 06.07.2026 17:15
Sources 1
About this happening:
A **critical Opera GX browser** flaw in **GX Mods** let malicious websites auto-install a customization mod and inject CSS across every page, creating **zero-click cross-site data...
Opera GX browser GX Mods auto-install CSS injection patched security flaw
VulnerabilityAbout this happening: A **critical Opera GX browser** flaw in **GX Mods** let malicious websites auto-install a customization mod and inject CSS across every page, creating **zero-click cross-site data...
Opera GX silent mod-install XS-Leak security flaw
Vulnerability
H score19
First: 06.07.2026 10:27
Last: 06.07.2026 10:27
Sources 1
About this happening:
**Opera GX** had a flaw in its **GX Mods** install path that let a **malicious website** silently install a browser add-on and leak data from visited pages, creating **no-click ex...
Opera GX silent mod-install XS-Leak security flaw
VulnerabilityAbout this happening: **Opera GX** had a flaw in its **GX Mods** install path that let a **malicious website** silently install a browser add-on and leak data from visited pages, creating **no-click ex...
Chrome V8 JavaScript engine out-of-bounds read/write zero-day exploited in the wild (CVE-2026-11645)
Vulnerability
H score45
First: 09.06.2026 09:56
Last: 09.06.2026 09:56
Sources 1
About this happening:
**Google** has patched **CVE-2026-11645**, a **Chrome V8 JavaScript engine** zero-day that was **exploited in the wild** and could let remote attackers run code inside the browser...
Chrome V8 JavaScript engine out-of-bounds read/write zero-day exploited in the wild (CVE-2026-11645)
VulnerabilityAbout this happening: **Google** has patched **CVE-2026-11645**, a **Chrome V8 JavaScript engine** zero-day that was **exploited in the wild** and could let remote attackers run code inside the browser...
Browser-layer visibility guidance for browser-native threats
Defensive Guidance
H score22
First: 05.06.2026 17:00
Last: 05.06.2026 17:00
Sources 1
About this happening:
**Security teams** are being pushed to treat **browser sessions** as the primary detection surface for **phishing**, **credential theft**, and **ClickFix**. **Browser-native attac...
Browser-layer visibility guidance for browser-native threats
Defensive GuidanceAbout this happening: **Security teams** are being pushed to treat **browser sessions** as the primary detection surface for **phishing**, **credential theft**, and **ClickFix**. **Browser-native attac...
Timeline
-
21.05.2026 21:13 1 articles · 1mo ago
Initial report: Chromium JavaScript background RCE flaw
Initial DisclosureIn **December 2022**, Chromium maintainers validated a background-execution flaw that could keep a Service Worker alive after the browser was closed. By **May 20**, retesting showed the behavior still worked in **Chrome Dev 150** and **Edge 148**, indicating the weakness had not been fully fixed.
Show sources
- Google accidentally exposed details of unfixed Chromium flaw — www.bleepingcomputer.com — 21.05.2026 21:13