CVE-2026-1862

HIGH

Google Chrome <144.0.7559.132 - Heap Corruption

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-1862. PoCs published by XiaomingX, b1gchoi.

AI-analyzed exploit summary The repository contains a functional SQL injection exploit for WordPress Quiz Maker (CVE-2025-10042), demonstrating time-based blind SQLi via crafted HTTP headers. The PoC includes data extraction logic for admin credentials and hashes.

Description

Type Confusion in V8 in Google Chrome prior to 144.0.7559.132 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)

Exploits (2)

github WORKING POC 10 stars

by XiaomingX · pythonpoc

https://github.com/XiaomingX/data-cve-poc-py-v1/tree/main/2026/CVE-2026-1862

View Code ZIP pw:eip

The repository contains a functional SQL injection exploit for WordPress Quiz Maker (CVE-2025-10042), demonstrating time-based blind SQLi via crafted HTTP headers. The PoC includes data extraction logic for admin credentials and hashes.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: WordPress Quiz Maker <= 6.7.0.56

No auth needed

Prerequisites: target WordPress URL · path to quiz page · vulnerable header (default: X-Forwarded-For)

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 27, 2026 Full analysis →

nomisec WORKING POC 1 stars

by b1gchoi · poc

https://github.com/b1gchoi/CVE-2026-1862-exp

View Code ZIP pw:eip

This is a working PoC for CVE-2026-1862, targeting a V8 type confusion vulnerability in Google Chrome. It achieves arbitrary read/write via heap grooming and OOB access, bypassing ASLR/CFG, and is triggered via a crafted HTML/JS payload.

Classification

Working Poc 90%

Attack Type

Rce

Complexity

Complex

Reliability

Reliable

Target: Google Chrome <= 144.0.7559.110

No auth needed

Prerequisites: Victim must load crafted HTML/JS payload · Attacker-controlled server to host payload

MITRE ATT&CK

T1189 - Drive-by Compromise T1068 - Exploitation for Privilege Escalation

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (3)

Core 3

Core References

Release Notes, Vendor Advisory

https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop.html

Permissions Required

https://issues.chromium.org/issues/479726070

Third Party Advisory

https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-1862

Scores

CVSS v3 8.8

EPSS 0.0058

EPSS Percentile 42.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-843

Status published

Products (1)

google/chrome < 144.0.7559.132

Published Feb 03, 2026

Tracked Since Feb 18, 2026