[notpushkin]

Whoa!

Completely unrelated but somehow unsurprising:

Zero-day CSS: CVE-2026-2441 exists in the wild - https://news.ycombinator.com/item?id=47062748 - February 2026 (233 comments)

[rebane2001]

I do actually have a CSS CVE[0] in Chrome, but it was in the changelog as "in Animation" instead of "in CSS", so no fun stories/headlines for me :c

[0] https://chromereleases.googleblog.com/2025/06/stable-channel...

[notpushkin]

Wait, does it mean you can commit actual CSS crimes now?

[magicalist]

That was in the C++ implementation of the CSS interface that gets exposed to JS, though, there wasn't an exploit from CSS.

[carra]

I don't think it's that unrelated. If you make a system way more complex than it should be (clearly the case with CSS) it's obvious the risk of vulnerabilities increases exponentially.