COOEY // HUBcompliance · community · intelligence

Exposures › CVE-2026-11645

CVE-2026-11645

Severity
high · on CISA KEV actively exploited
Source
CISA-KEV · kev
Published
2026-06-09
Reference
https://nvd.nist.gov/vuln/detail/CVE-2026-11645
⚡ RCE ⌖ exploited in the wild shame 65/100 rceexploited-in-wildransomwaresupply-chain

Google Chromium V8 allows remote code execution via crafted HTML pages, enabling sandbox escape and arbitrary code execution.

This vulnerability allows remote attackers to execute arbitrary code inside the browser sandbox via crafted HTML pages, posing a significant risk to DIB organizations relying on Chromium-based browsers for sensitive data handling. The active exploitation status and potential for sandbox escape mean vendors must prioritize patching and users should verify browser integrity to prevent unauthorized access to classified or sensitive information.

Shame score — Active exploitation of a remote code execution vulnerability in a widely used browser engine indicates a critical security oversight.

Players implicated

Google · vendorChromium V8 · product

Description

Google Chromium V8 out-of-bounds read and write vulnerability that could allow a remote attacker to execute arbitrary code inside a sandbox via a crafted HTML page. This vulnerability could affect multiple web browsers that utilize Chromium, including, but not limited to, Google Chrome, Microsoft Edge, and Opera.

Affected FedRAMP products 2 in the catalog

ProductProviderStatusMatch
Google Services (Google Cloud Platform Products and underlying Infrastructure) Google Authorized vendor-exact · 0.90
Google Workspace Google Authorized vendor-exact · 0.90