Your EDR is tuned properly. The firewall config is locked down...
The browser still remains a prime target for the "wind" of exploits.

The Unpeeling - CVE-2026-2441:

The was an actively exploited Chrome Zero-Day RCE vulnerability in the wild.

  • Exploit: This vulnerability allowed the remote execution of arbitrary code via a crafted HTML page within the browser process.
  • Results: This allowed attackers to bypass auth and render malicious content.

The Wind Damage:

  • Browsers: Google Chrome/Chromium-based browsers, including Microsoft Edge, Brave, Opera, and embedded Chromium runtimes.
  • Tools: This effects headless tools like selenium, puppeteer, containers that run automated actions and any chromium based web scrapers.

The Patchwork:

Google has patched the vulnerability and fixed it with the lateast update to 145.0.7632.75/.76 (Windows/Mac) or 145.0.7632.75 (Linux) immediately to secure your browser.

Wind Resistance:

  • Sanitize User Input: Don't trust raw user input by default, this can be like a filter preventing dangerous payloads from entering the browser.
  • Consider Using textContent or innerText Instead: This will render potentially malicious code as text. Making it harmless.
  • Content Security Policy (CSP): Can help prevent unauthorized scripts from executing via policy, 'anchoring' the browser from attacks.

Closing Thoughts:

innerHTML is a powerful tool for working with the DOM. It is helpful to developers.It comes with a trade off, an attacker can inject harmful content using this functionality.

It remains high security risk to the browser and extensions.

This shows just how insecure what we imagine is locked down can become, a zero day or CVE could only be a "gust" away.

Source: https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_13.html