Some of the security vulnerabilities reported by Rob Wu:

• CVE-2014-3170 Google Chrome: Permission dialog spoof
• Chromium bug 424961 Google Chrome: Local file access via protocol handler
• CVE-2015-1226 Google Chrome: Bypass access checks in debugger
• CVE-2015-1298 Google Chrome: Insufficient validation in navigation
• Chromium bug 518749 Google Chrome: Use-after-free in USB API
• CVE-2015-1302 Google Chrome: Bypass of Same-Origin Policy of PDF files
• Freedesktop bug 94292 Xorg: Stack buffer overflow in XSecurityGenerateAuthorization
• CVE-2016-1635 Google Chrome: Use-after-free in app.window API
• CVE-2016-1638 Google Chrome: Bypass of app API restrictions
• CVE-2016-1655 Google Chrome: Use-after-free via content scripts
• CVE-2016-1662 Google Chrome: Use-after-free via GCCallback
• CVE-2016-1676 Google Chrome: UXSS via SchemaRegistry
• CVE-2016-1679 Google Chrome: Insecure value conversion and use-after-free
• CVE-2016-1687 Google Chrome: Leak of extension privates
• CVE-2016-1690 Google Chrome: Use-after-free in autofill agent
• CVE-2016-1698 Google Chrome: Web pages can load arbitrary extension modules
• CVE-2016-1700 Google Chrome: Use-after-free in extension views
• CVE-2016-1701 Google Chrome: Use-after-free in autofill components
• CVE-2016-5136 Google Chrome: Use-after-free in script deletion
• CVE-2016-5206 Google Chrome: Same-origin bypass in PDFium
• CVE-2016-5217 Google Chrome: Use of unvalidated data in PDFium
• CVE-2016-5219 Google Chrome: Use after free in V8
• CVE-2016-5220 Google Chrome: Local file access in PDFium
• CVE-2017-5018 Google Chrome: XSS in app launcher
• CVE-2017-5020 Google Chrome: Arbitrary code execution
• CVE-2017-5021 Google Chrome: Use-after-free in incognito icons
• CVE-2018-5105 Firefox: bypass prompts for program execution in extensions
• Firefox bug 1426363 Firefox: extension permission hiding (beta)
• CVE-2018-6035 Google Chrome: Insufficient isolation of DevTools from extensions
• CVE-2018-6045 Google Chrome: Insufficient isolation of DevTools from extensions
• CVE-2018-6046 Google Chrome: Insufficient validation of DevTools URLs
• CVE-2018-6054 Google Chrome: Use-after-free in WebUI
• CVE-2018-6070 Google Chrome: CSP bypass via extensions
• CVE-2018-6081 Google Chrome: XSS in interstitials
• CVE-2018-6089 Google Chrome: Same-origin bypass in Service Workers
• CVE-2018-6101 Google Chrome: Insufficient protection of remote debugging protocol
• CVE-2018-6112 Google Chrome: Incorrect URL handing in DevTools
• CVE-2018-6139 Google Chrome: Extension debugger restriction bypass
• CVE-2018-6140 Google Chrome: Debugger restriction bypass
• CVE-2018-6150 Google Chrome: Cross-origin information disclosure via SRI in Service Workers
• CVE-2018-6151 Google Chrome: Bad cast in DevTools
• CVE-2018-6152 Google Chrome: Local file write and dangerous check bypass in DevTools
• CVE-2018-16064 Google Chrome: Request privilege escalation in Extensions
• CVE-2018-12395 Firefox: Bypass extension permissions via domain fronting
• CVE-2018-12396 Firefox: Script execution in disallowed contexts
• CVE-2018-12397 Firefox: Missing warning for local file access
• CVE-2018-18497 Firefox: Bypass validation to load arbitrary URLs
• CVE-2019-5768 Google Chrome: Local file access via DevTools
• CVE-2020-15655 Firefox: Same-origin bypass via extension redirects
• CVE-2020-6561 Google Chrome: Cross-origin information disclosure via CSP
• CVE-2021-23953 Firefox: Cross-origin information leakage via redirected PDF requests
• CVE-2021-23984 Firefox: Popup title spoofing by extensions
• CVE-2021-21228 Google Chrome: Enterprise policy bypass by extensions
• CVE-2022-22754 Firefox: Extension permission confirmation bypass
• CVE-2022-34471 Firefox: Missing version verification in add-on update process
• CVE-2023-28160 Firefox: Local path disclosure through a redirect
• Chromium bug 1042963 Google Chrome: Extension CSP validator bypass
• CVE-2023-2314 Google Chrome: CSRF in DevTools server
• CVE-2024-0751 Firefox: Privilege escalation through devtools extension