Find notable cyber news and cases, enriched with sources, timelines, and signals.

Chromium JavaScript background RCE flaw

Vulnerability
First reported
Last updated
Happening score
H score 16
1 unique sources, 1 articles

Summary

Hide ▲

The unfixed Chromium flaw keeps JavaScript running after the browser is closed, creating remote code execution risk across Chromium-based browsers. A malicious site can abuse a Service Worker that never terminates, potentially turning a single visit into persistent background execution. The issue was already acknowledged as valid in December 2022, yet it was still reproducible in Chrome Dev 150 and Edge 148 when retested on May 20. Because the leaked details describe a workable path to silent browser compromise, exposure could make abuse much easier.

Related Happenings

Google Dialogflow CX Code Blocks shared-runtime isolation security flaw

Vulnerability
H score32 First: 07.07.2026 19:37 Last: 07.07.2026 19:37 Sources 1

About this happening: **Google Dialogflow CX Code Blocks** had a shared-runtime isolation flaw that could let one editable agent affect other **Code Block-enabled agents** in the same **Google Cloud pr...

Opera GX browser GX Mods auto-install CSS injection patched security flaw

Vulnerability
H score21 First: 06.07.2026 17:15 Last: 06.07.2026 17:15 Sources 1

About this happening: A **critical Opera GX browser** flaw in **GX Mods** let malicious websites auto-install a customization mod and inject CSS across every page, creating **zero-click cross-site data...

Opera GX silent mod-install XS-Leak security flaw

Vulnerability
H score19 First: 06.07.2026 10:27 Last: 06.07.2026 10:27 Sources 1

About this happening: **Opera GX** had a flaw in its **GX Mods** install path that let a **malicious website** silently install a browser add-on and leak data from visited pages, creating **no-click ex...

Chrome V8 JavaScript engine out-of-bounds read/write zero-day exploited in the wild (CVE-2026-11645)

Vulnerability
H score45 First: 09.06.2026 09:56 Last: 09.06.2026 09:56 Sources 1

About this happening: **Google** has patched **CVE-2026-11645**, a **Chrome V8 JavaScript engine** zero-day that was **exploited in the wild** and could let remote attackers run code inside the browser...

Browser-layer visibility guidance for browser-native threats

Defensive Guidance
H score22 First: 05.06.2026 17:00 Last: 05.06.2026 17:00 Sources 1

About this happening: **Security teams** are being pushed to treat **browser sessions** as the primary detection surface for **phishing**, **credential theft**, and **ClickFix**. **Browser-native attac...

Timeline

  1. 21.05.2026 21:13 1 articles · 1mo ago

    Initial report: Chromium JavaScript background RCE flaw

    Initial Disclosure

    In **December 2022**, Chromium maintainers validated a background-execution flaw that could keep a Service Worker alive after the browser was closed. By **May 20**, retesting showed the behavior still worked in **Chrome Dev 150** and **Edge 148**, indicating the weakness had not been fully fixed.

    Show sources