#browser-security
10 articles
Technology and enterprise sectors were the primary targets in a recent wave of browser-security threats, with 14 articles published between April 11 and May 20, 2026. The threat actor Pushpaganda was observed exploiting vulnerabilities including CVE-2026-8954, CVE-2026-8959, CVE-2026-8573, CVE-2026-8577, and CVE-2026-7896. The severity mix across these incidents comprised five critical, four high, three medium, and one informational alert, with impacts reported globally and across Australia, Canada, New Zealand, and the United Kingdom.
CRITICALCVE-2026-8959: Firefox Sandbox Escape via Win32 Boundary Flaw
CVE-2026-8959 (CVSS 9.6) allows sandbox escape through incorrect boundary conditions in Firefox's Widget:Win32 component. Fixed in Firefox 151, ESR 140.11, and Thunderbird 151.
HIGHChrome 148.0.7778.168 Patches Integer Overflows, Sandbox Escape Risk
CVE-2026-8573 (CVSS 8.3) and CVE-2026-8577 (CVSS 8.8) in Chrome 148 on Windows allow sandbox escape and RCE via crafted video or HTML pages. Update now.
CRITICALChrome 148 Patches 79 Flaws, 14 Critical Including Heap Overflow
Google's Chrome 148 update fixes 79 vulnerabilities, 14 critical — including heap buffer overflow CVE-2026-8509 ($43K bounty) and integer overflow CVE-2026-8510 in Skia ($25K...
MEDIUMMalwarebytes Blocks Suspicious Yahoo Mail Redirects to Opaque Domains
Malwarebytes blocks background connections from Yahoo Mail to domains like cook.howduhtable.com — third-party infrastructure with poor reputation and opaque redirect chains.
CRITICALChrome 148 Patches 127 Flaws, Three Critical Use-After-Free Bugs
Google's Chrome 148 fixes 127 vulnerabilities including three critical-severity bugs (CVE-2026-7896, CVE-2026-7897, CVE-2026-7898) — integer overflow in Blink and use-after-free...
HIGHAI Browser Extensions Steal Emails, Passwords via Prompt Injection
Unit 42 finds 30+ malicious AI browser extensions exfiltrating email content, credentials, and API keys via prompt injection and DOM scraping. Affects Chrome, Edge users.
CRITICALChrome 147, Firefox 150 Patch Critical Code Execution Flaws
Google and Mozilla ship Chrome 147 and Firefox 150 to fix critical and high-severity vulnerabilities enabling arbitrary code execution. Users urged to update immediately.
HIGH108 Malicious Chrome Extensions Hijack Browsers, Steal Google and Telegram Data
Socket identified 108 malicious Chrome extensions that infected 20,000 users, stealing Google and Telegram session cookies and injecting ads via a shared command-and-control server.
MEDIUMPushpaganda Campaign Exploits Google Discover to Hijack Browser Notifications
A threat operation dubbed Pushpaganda is abusing Google Discover with AI-generated clickbait to trick users into enabling malicious browser notifications, which then deliver phishing and scam content.
MEDIUMPushpaganda Campaign Uses AI-Generated Clickbait to Hijack Browser Notifications
A campaign dubbed Pushpaganda uses AI-generated clickbait to trick users into enabling malicious browser notifications, delivering a persistent stream of scams and fake alerts directly to the desktop.
Stay Updated
Get the latest cybersecurity news delivered to your inbox.