Based on the provided sources, the following table outlines the top 20 browser and web-centric vulnerabilities identified in late 2025 and early 2026. These vulnerabilities primarily affect Chromium (Chrome, Edge, Opera), WebKit (Safari), and Firefox, with a heavy emphasis on zero-day exploits used in the wild.
| Rank | CVE ID | Affected Browser / Component | Vulnerability Type | Critical Details & Status |
|---|---|---|---|---|
| 1 | CVE-2025-6554 | Chrome / Chromium (V8 Engine) | Type Confusion | Actively Exploited. Allows remote attackers to perform arbitrary read/write via crafted HTML. Rated CVSS 8.1,. |
| 2 | CVE-2025-14174 | Safari / WebKit (ANGLE/Metal) | Memory Corruption | Actively Exploited. Linked to highly targeted mercenary spyware attacks against iOS/macOS users. Also affected Chrome,,. |
| 3 | CVE-2025-43529 | Safari / WebKit | Use-After-Free | Actively Exploited. Allows arbitrary code execution via maliciously crafted web content. Discovered by Google TAG,,. |
| 4 | CVE-2026-1862 | Chrome / Chromium (V8/Wasm) | Type Confusion | High Severity. A memory corruption flaw in the V8 JavaScript/WebAssembly engine allowing out-of-bounds read/write,. |
| 5 | CVE-2026-1861 | Chrome / Chromium (libvpx) | Heap Buffer Overflow | High Severity. Found in the library used to decode VP8/VP9 video; exploitation can lead to browser crashes or code execution via malformed video streams,. |
| 6 | CVE-2025-12036 | Chrome / Chromium (V8 Engine) | Inappropriate Implementation | Critical. Enables remote code execution. Identified by Google’s AI-driven “Big Sleep” project just days before patching,. |
| 7 | CVE-2026-0891 | Firefox | Memory Safety Bug | Suspected Exploited. Patched in early 2026; enables attackers to escape browser isolation/sandboxing,. |
| 8 | CVE-2026-0892 | Firefox | Memory Safety Bug | Suspected Exploited. Addressed alongside 0891; involves memory management flaws allowing code execution on the host system,. |
| 9 | CVE-2025-12725 | Chrome / Chromium (WebGPU) | Out-of-Bounds Write | High Severity (CVSS 8.8). Exploits the graphics processing interface to overwrite critical system memory,. |
| 10 | CVE-2026-0628 | Chrome / Chromium (WebView) | Unknown | High Severity. Specific to WebView implementations; highlighted in January 2026 patch cycles. |
| 11 | CVE-2025-55182 | React / Next.js (Server Components) | Insecure Deserialization | Critical (CVSS 10.0). While a framework issue, it impacts web environments globally (39% of cloud envs), allowing unauthenticated RCE via malicious HTTP requests,. |
| 12 | CVE-2025-43536 | Safari / WebKit | Use-After-Free | High impact vulnerability allowing unexpected process crashes via malicious web content. |
| 13 | CVE-2025-43541 | Safari / WebKit | Type Confusion | Processing crafted web content may lead to unexpected browser crashes. |
| 14 | CVE-2025-43501 | Safari / WebKit | Buffer Overflow | Memory handling issue that can lead to process crashes when processing malicious content. |
| 15 | CVE-2025-43531 | Safari / WebKit | Race Condition | Addressed with improved state handling to prevent unexpected process crashes. |
| 16 | CVE-2025-43535 | Safari / WebKit | Use-After-Free | Discovered by Google’s Big Sleep AI; leads to process crashes via memory corruption. |
| 17 | CVE-2025-12727 | Chrome / Chromium (V8 Engine) | Inappropriate Implementation | High Severity (CVSS 8.8). Another critical V8 flaw patched in late 2025. |
| 18 | CVE-2025-46282 | Safari / WebKit | Permissions Check | Allowed web apps to access sensitive user data due to insufficient permission checks. |
| 19 | CVE-2025-43526 | Safari | URL Validation | On Macs with Lockdown Mode, file URLs could access restricted Web APIs. |
| 20 | CVE-2025-43511 | Safari / WebKit (Web Inspector) | Use-After-Free | Processing malicious content via Web Inspector could lead to unexpected process crashes. |
Key Trends in Browser Security (2026)
• V8 Engine as a Primary Target: The V8 JavaScript and WebAssembly engine in Chromium remains the most frequent target for high-severity exploits. Type confusion vulnerabilities (like CVE-2025-6554 and CVE-2026-1862) are particularly dangerous because they allow attackers to manipulate memory references in the Just-In-Time (JIT) compiler,.
• AI in Vulnerability Discovery: Several vulnerabilities in this list, including CVE-2025-12036 and CVE-2025-43535, were discovered by “Big Sleep,” Google’s AI-driven cybersecurity research initiative. This marks a shift where AI is proactively identifying flaws before they can be exploited in the wild,.
• Targeted Mercenary Spyware: The WebKit vulnerabilities (CVE-2025-43529 and CVE-2025-14174) were explicitly linked to sophisticated attacks against high-profile individuals (journalists, diplomats) using mercenary spyware. These exploits often serve as the entry point for broader device compromise on iOS and macOS,.
• WebAssembly (WASM) Obfuscation: Beyond specific CVEs, researchers have highlighted that defenses are struggling to detect fingerprinting and malicious logic when it is obfuscated via WASM (WebAssembly). Standard detection tools often fail against “greedy” WASM translation strategies, leaving a blind spot in browser security,.