- CVE-2026-6757: invalid pointer in wasm debug frames; add DebugEnvironments::onPopWasm to clean up the debug environment on pop - CVE-2026-6761: privilege escalation; enforce prefs for dom TCP and UDP sockets at the parent-process IPC entry points - CVE-2026-6764: out-of-bounds read; validate HID report length in Dualshock4Remapper::ProcessTouchData - CVE-2026-6771: CSP 'strict-dynamic' mitigation bypass; treat XSLT as parser-created so 'strict-dynamic' no longer auto-allows it - CVE-2026-8963: Web Speech spoofing; cancel SpeechSynthesis on navigation by overriding DisconnectFromOwner - CVE-2026-8965: information disclosure; pass the right sanitization kind through SanitizeInlineStyle (conditional CSS) - CVE-2026-8971: Networking JAR same-origin bypass; reject jar entry names containing an embedded NUL