Security & Trust

Chrome V8 Has an Actively Exploited RCE. Your Framework Decides How Much V8 Your Users Run.

CVE-2026-11645 is an out-of-bounds read/write in Chrome's JavaScript engine. Astro ships 9KB of JS. Next.js ships 463KB. The attack surface isn't equal.


The Engine Under Every Website

CISA added CVE-2026-11645 to the Known Exploited Vulnerabilities catalog this week. It's an out-of-bounds read and write vulnerability in Chrome's V8 JavaScript engine — CVSS 8.8, actively exploited in the wild. A malicious HTML page can achieve remote code execution inside Chrome's sandbox. Federal agencies must patch by June 23, 2026.

V8 is the JavaScript engine in Chrome, Edge, Brave, Opera, and every other Chromium-based browser. It parses, compiles, and executes every byte of JavaScript a website sends to the browser. The more JavaScript a framework ships to the client, the more of V8's parser, compiler tiers, and runtime a page visit exercises, and the larger the engine's active attack surface for that visit.

8.8 (High): CVE-2026-11645 CVSS score. Source: CISA Known Exploited Vulnerabilities catalog. Out-of-bounds read and write in V8. Active exploitation confirmed.

June 23, 2026: patch deadline. Source: CISA. Federal Civilian Executive Branch agencies must apply fixes by this date.

9KB vs. 463KB: The Framework Delta

Astro's default client bundle is about 9KB, and most Astro pages ship none at all, because JavaScript is opt-in per component. Next.js ships 463KB of JavaScript as its baseline runtime: the React runtime, hydration code, and client-side router execute on every page load whether or not the page needs interactivity.

This isn't only a performance argument. It's a security argument. Every kilobyte of JavaScript passes through V8's parser, compiler, and execution paths, the same paths in which bugs like CVE-2026-11645 live. The caveat a practitioner should keep in mind: an exploit for a bug like this is triggered by attacker-crafted script, not by benign framework code, so what matters is how much script a page must run and how many places (third-party bundles, injection points) an attacker could slip a payload into. A page that must execute nothing hands V8 nothing to parse for that page's own code, and can be served with a Content Security Policy of script-src 'none' so that injected script is refused before V8 ever sees it. The attack surface is measurably smaller.

9 KB: Astro default JS. Source: tech-insider.org Astro vs Next.js comparison (2026). Most Astro pages ship 0KB; JavaScript is added per component via client: directives.

463 KB: Next.js baseline JS. Source: tech-insider.org Astro vs Next.js comparison (2026). Includes React runtime, hydration framework, and client-side router.

Static HTML Gives a JavaScript Engine Bug Nothing to Run

Hugo, Eleventy, and Astro in static mode generate pure HTML pages. When a user visits one, the browser renders HTML and CSS and parses or executes no script. A V8 RCE exploit requires the engine to run attacker-controlled JavaScript. A page with no JavaScript supplies none of its own, so the only remaining way in is script injected from outside (an XSS flaw or a compromised third-party script), which is why a zero-script page should also ship a Content Security Policy that forbids scripts outright rather than relying on the absence of a bundle.

This is the security dimension that traditional vulnerability counting misses. WordPress has 11,334 CVEs to its name. But a WordPress page also ships jQuery on the front end, React for the Gutenberg editor in the admin, and dozens of plugin scripts, each giving V8 more to parse and run. The browser-side attack surface compounds the server-side attack surface. Framework choice determines both.

3.5B+ users: V8 engine coverage. Source: StatCounter browser market share. Chromium-based browsers (Chrome, Edge, Brave, Opera) account for approximately 80% of global browser usage, and every one of them runs V8 on desktop and Android. The exception is iOS, where Apple requires every browser, Chrome included, to use WebKit and its JavaScriptCore engine rather than V8.