Cloudflare added a two-stage GNN+LLM cascade to its client-side malicious script detection, reducing false positives per unique script from 1.39% to 0.007% and opening the formerly paid Advanced features to self-serve customers.
CVE-2026-22812 (CVSS 8.8) and CVE-2026-22813 (CVSS 9.4) were disclosed in the open-source AI coding agent "OpenCode". They allow shell command execution via an unauthenticated HTTP server and XSS in the Markdown renderer. A PoC has been published, and over 220,000 instances are exposed online.
Firefox 148 is the first browser to ship the Sanitizer API. With setHTML(), developers finally have a standard browser-level way to replace innerHTML safely and eliminate XSS with minimal code changes.