██████╗██╗   ██╗██████╗ ██████╗     ██████╗██╗  ██╗
 ██╔════╝╚██╗ ██╔╝██╔══██╗██╔══██╗   ██╔════╝╚██╗██╔╝
 ██║      ╚████╔╝ ██████╔╝██████╔╝ ● ██║      ╚███╔╝ 
 ██║       ╚██╔╝  ██╔══██╗██╔══██╗   ██║      ██╔██╗ 
 ╚██████╗   ██║   ██████╔╝██║  ██║   ╚██████╗██╔╝ ██╗
  ╚═════╝   ╚═╝   ╚═════╝ ╚═╝  ╚═╝    ╚═════╝╚═╝  ╚═╝
────────────────────────────────── STAY SHARP ───

Chrome Flaw Lets Hackers Execute Code via PAC Scripts

Today's cybersecurity digest — CVEs, headline news, quantum computing, and something weird. May 30, 2026

Share

cybr.cx Daily Digest — May 30, 2026


Critical Vulnerabilities

CVE-2026-9887 — Google Chrome < 148.0.7778.216 (CVSS 8.8 | HIGH)
The most serious of today's Chrome trio: a use-after-free in Chrome's Proxy component allows a remote attacker to execute arbitrary code via a malicious PAC (Proxy Auto-Configuration) script. Given how many enterprise environments auto-deploy PAC scripts through network policy, the lateral-movement potential here is significant. Update to 148.0.7778.216 immediately.

CVE-2026-10002 — Google Chrome < 148.0.7778.216 (CVSS 8.8 | HIGH)
A use-after-free in PDFium — Chrome's built-in PDF renderer — enables heap corruption via a crafted PDF. Drive-by delivery via email attachment or browser redirect is trivially achievable. Another strong reason to prioritise today's Chrome patch cycle.

CVE-2026-10019 — Google Chrome < 148.0.7778.216 (CVSS 8.8 | HIGH)
An integer overflow in ANGLE (Chrome's graphics abstraction layer) leaks cross-origin data through a crafted HTML page. Cross-origin data leakage can feed session hijacking or credential theft chains. Same fix: ship 148.0.7778.216.

CVE-2025-11993 — WooCommerce Infinite Scroll and Ajax Pagination ≤ 1.8 (CVSS 8.8 | HIGH)
PHP Object Injection via the import_settings function, reachable by any authenticated user with Subscriber-level access or above — no capability checks enforced. A successful exploit can chain to Remote Code Execution depending on available gadget classes in the environment. WooCommerce store operators should update or remove the plugin now.

CVE-2026-10062 / CVE-2026-10063 — TRENDnet TEW-432BRP 3.10B20 (CVSS 8.8 | HIGH)
Two remotely exploitable stack-based buffer overflows in this consumer router — one in the routing configuration handler (formSetRoute) and one in the WPS handler (formWPS). Public exploits exist. The vendor's response is essentially "it's been EOL since 2009" — which is accurate, but doesn't help the long tail of devices still running on home and small-business networks. If you're doing asset discovery for remote workers, flag this one.

CVE-2026-10066 — Shibby Tomato ≤ 1.28 (CVSS 8.8 | HIGH)
Stack-based buffer overflow in the UPS service handler (tomatoups.cgi) of the abandoned Shibby Tomato router firmware, exploitable remotely. Like the TRENDnet issues above, no patch is coming — the project is dead. Migrate to an actively maintained firmware fork or replace the hardware.


Headline News

Google's DBSC Rollout Closes a Long-Running Cookie Theft Window
Google has begun broadly rolling out Device Bound Session Credentials (DBSC) in Chrome for Windows, a mechanism that cryptographically ties session cookies to the specific device that created them. This directly targets the infostealer-to-session-hijack pipeline that has become one of the most reliable initial access techniques in use today — particularly relevant given the volume of credential-harvesting malware targeting browser session stores. Because DBSC binds authentication tokens to hardware-backed keys, stolen cookies lose their replay value the moment they leave the originating machine. The catch: rollout is currently Windows-only, leaving macOS, Linux, and mobile users outside the protection envelope for now. Practitioners managing hybrid fleets should treat this as a partial control, not a complete mitigation, and continue monitoring for infostealer activity on non-Windows endpoints.

California Pursues 23andMe Over 2023 Genetic Data Breach
California has filed suit against 23andMe over the 2023 breach that exposed sensitive genetic and personal information belonging to millions of users — a case that carries particular weight given the nature of the data involved. Unlike leaked passwords or card numbers, genetic data cannot be rotated or revoked; exposure is permanent and the downstream risks — insurance discrimination, familial re-identification, targeted social engineering — compound over time. The lawsuit arrives as 23andMe navigates an already precarious corporate situation, raising serious questions about long-term custodianship of some of the most sensitive personal data in existence. For practitioners advising on third-party risk and data retention policies, this case reinforces why genetic and biometric data categories warrant their own threat modelling tracks, not just a row in the standard data classification matrix.


Schrödinger's Feed

MIT has announced plans for a new Quantum Systems Laboratory, framed as a regional hub open to government, academic, and industry researchers — and positioned explicitly to accelerate next-generation quantum technology development. It's a strategic signal: the race to build fault-tolerant quantum systems is now being treated as infrastructure-level national priority, not just academic curiosity. From a security standpoint, the acceleration of quantum hardware capability continues to compress the timeline that practitioners and standards bodies are working against for post-quantum cryptography migration. If you haven't inventoried your organisation's cryptographic dependencies and mapped them against NIST's finalised PQC standards, a federally-backed quantum lab opening its doors is a reasonable prompt to start.


/dev/random

Notes from the Mistral AI Now Summit in Paris made the rounds this week, offering a ground-level view of how Europe's most prominent AI lab presents itself on home turf — part technical showcase, part cultural statement, with a distinctly Gallic confidence that the future of AI need not be entirely Californian. What's notable from a security perspective is how rapidly these events have shifted from "look at what we can generate" to "here's how enterprises are deploying this in production," which is a polite way of saying the attack surface is expanding faster than most blue teams are tracking. Whether Mistral's sovereign-AI pitch translates into genuinely more auditable, more controllable systems remains an open question. For now: croissants, large language models, and the eternal optimism of a product launch.