Search criteria
7 vulnerabilities by Securly
CVE-2026-8888 (GCVE-0-2026-8888)
Vulnerability from cvelistv5 – Published: 2026-06-03 18:16 – Updated: 2026-06-03 18:18
VLAI
Title
CVE-2026-8888
Summary
Version 3.0.7 of the Securly Chrome Extension downloads config.json over HTTP and compiles server-provided patterns as JavaScript regular expressions via new RegExp() without complexity validation. An on-path attacker can inject specific patterns to cause catastrophic backtracking, resulting in denial of service on all browsing.
Severity
No CVSS data available.
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.cert.org/vuls/id/595768 |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Securly | Securly Chrome Extension |
Affected:
0 , ≤ 3.0.7
(custom)
|
{
"containers": {
"cna": {
"affected": [
{
"product": "Securly Chrome Extension",
"vendor": "Securly",
"versions": [
{
"lessThanOrEqual": "3.0.7",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Version 3.0.7 of the Securly Chrome Extension downloads config.json over HTTP and compiles server-provided patterns as JavaScript regular expressions via new RegExp() without complexity validation. An on-path attacker can inject specific patterns to cause catastrophic backtracking, resulting in denial of service on all browsing."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-1333",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T18:18:13.249Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://kb.cert.org/vuls/id/595768"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-8888",
"x_generator": {
"engine": "VINCE 3.0.42",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-8888"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-8888",
"datePublished": "2026-06-03T18:16:25.264Z",
"dateReserved": "2026-05-18T20:40:05.298Z",
"dateUpdated": "2026-06-03T18:18:13.249Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8889 (GCVE-0-2026-8889)
Vulnerability from cvelistv5 – Published: 2026-06-03 18:15 – Updated: 2026-06-03 18:15
VLAI
Title
CVE-2026-8889
Summary
Version 3.0.7 of the Securly Chrome Extension uses deprecated SHA-1 hashing for IWF CSAM URL matching (25,020 hashes) and CIPA blocklist matching (12,352 hashes).
Severity
No CVSS data available.
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.cert.org/vuls/id/595768 |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Securly | Securly Chrome Extension |
Affected:
0 , ≤ 3.0.7
(custom)
|
{
"containers": {
"cna": {
"affected": [
{
"product": "Securly Chrome Extension",
"vendor": "Securly",
"versions": [
{
"lessThanOrEqual": "3.0.7",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Version 3.0.7 of the Securly Chrome Extension uses deprecated SHA-1 hashing for IWF CSAM URL matching (25,020 hashes) and CIPA blocklist matching (12,352 hashes)."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-328",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T18:15:15.450Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://kb.cert.org/vuls/id/595768"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-8889",
"x_generator": {
"engine": "VINCE 3.0.42",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-8889"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-8889",
"datePublished": "2026-06-03T18:15:15.450Z",
"dateReserved": "2026-05-18T20:43:53.154Z",
"dateUpdated": "2026-06-03T18:15:15.450Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8881 (GCVE-0-2026-8881)
Vulnerability from cvelistv5 – Published: 2026-06-03 18:13 – Updated: 2026-06-03 18:13
VLAI
Title
CVE-2026-8881
Summary
Version 3.0.7 of the Securly Chrome Extension uses EVP_BytesToKey key derivation with MD5 and a single iteration for AES encryption. MD5 has been broken since 2004 and a single iteration provides no key stretching.
Severity
No CVSS data available.
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.cert.org/vuls/id/595768 |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Securly | Securly Chrome Extension |
Affected:
0 , ≤ 3.0.7
(custom)
|
{
"containers": {
"cna": {
"affected": [
{
"product": "Securly Chrome Extension",
"vendor": "Securly",
"versions": [
{
"lessThanOrEqual": "3.0.7",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Version 3.0.7 of the Securly Chrome Extension uses EVP_BytesToKey key derivation with MD5 and a single iteration for AES encryption. MD5 has been broken since 2004 and a single iteration provides no key stretching."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-916 Use of Password Hash With Insufficient Computational Effort",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T18:13:14.217Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://kb.cert.org/vuls/id/595768"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-8881",
"x_generator": {
"engine": "VINCE 3.0.42",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-8881"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-8881",
"datePublished": "2026-06-03T18:13:14.217Z",
"dateReserved": "2026-05-18T20:32:53.054Z",
"dateUpdated": "2026-06-03T18:13:14.217Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8879 (GCVE-0-2026-8879)
Vulnerability from cvelistv5 – Published: 2026-06-03 18:11 – Updated: 2026-06-03 18:11
VLAI
Title
CVE-2026-8879
Summary
Version 3.0.7 of the Securly Chrome Extension dynamically registers content13.min.js as a content script via chrome.scripting.registerContentScripts() at runtime. This script is NOT declared in manifest.json and bypasses Chrome Web Store static security review. It runs on all URLs and immediately hides all page content, creates a full-page overlay, pauses all videos, and only restores content when the service worker confirms the page passes filtering. If Securly's servers are unreachable, pages remain indefinitely hidden.
Severity
No CVSS data available.
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.cert.org/vuls/id/595768 |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Securly | Securly Chrome Extension |
Affected:
0 , ≤ 3.0.7
(custom)
|
{
"containers": {
"cna": {
"affected": [
{
"product": "Securly Chrome Extension",
"vendor": "Securly",
"versions": [
{
"lessThanOrEqual": "3.0.7",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Version 3.0.7 of the Securly Chrome Extension dynamically registers content13.min.js as a content script via chrome.scripting.registerContentScripts() at runtime. This script is NOT declared in manifest.json and bypasses Chrome Web Store static security review. It runs on all URLs and immediately hides all page content, creates a full-page overlay, pauses all videos, and only restores content when the service worker confirms the page passes filtering. If Securly\u0027s servers are unreachable, pages remain indefinitely hidden."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-829 Inclusion of Functionality from Untrusted Control Sphere",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T18:11:04.269Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://kb.cert.org/vuls/id/595768"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-8879",
"x_generator": {
"engine": "VINCE 3.0.42",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-8879"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-8879",
"datePublished": "2026-06-03T18:11:04.269Z",
"dateReserved": "2026-05-18T20:29:18.234Z",
"dateUpdated": "2026-06-03T18:11:04.269Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8878 (GCVE-0-2026-8878)
Vulnerability from cvelistv5 – Published: 2026-06-03 18:09 – Updated: 2026-06-03 18:09
VLAI
Title
CVE-2026-8878
Summary
Version 3.0.7 of the Securly Chrome Extension exposes multiple publicly accessible endpoints that allow unauthenticated access to sensitive data. The exposed information consists of SHA-1 hashes that are inadequately obfuscated using a simple Caesar cipher, which can be easily reversed to recover the original hash values and access the protected data.
Severity
No CVSS data available.
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.cert.org/vuls/id/595768 |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Securly | Securly Chrome Extension |
Affected:
0 , ≤ 3.0.7
(custom)
|
{
"containers": {
"cna": {
"affected": [
{
"product": "Securly Chrome Extension",
"vendor": "Securly",
"versions": [
{
"lessThanOrEqual": "3.0.7",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Version 3.0.7 of the Securly Chrome Extension exposes multiple publicly accessible endpoints that allow unauthenticated access to sensitive data. The exposed information consists of SHA-1 hashes that are inadequately obfuscated using a simple Caesar cipher, which can be easily reversed to recover the original hash values and access the protected data."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-922 Insecure Storage of Sensitive Information",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T18:09:04.115Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://kb.cert.org/vuls/id/595768"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-8878",
"x_generator": {
"engine": "VINCE 3.0.42",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-8878"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-8878",
"datePublished": "2026-06-03T18:09:04.115Z",
"dateReserved": "2026-05-18T20:27:44.651Z",
"dateUpdated": "2026-06-03T18:09:04.115Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8876 (GCVE-0-2026-8876)
Vulnerability from cvelistv5 – Published: 2026-06-03 18:07 – Updated: 2026-06-03 18:07
VLAI
Title
CVE-2026-8876
Summary
Version 3.0.7 of the Securly Chrome Extension contains hardcoded, plaintext AES passphrases in securly.min.js. These keys decrypt crisis alert keyword data and intervention site data.
Severity
No CVSS data available.
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.cert.org/vuls/id/595768 |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Securly | Securly Chrome Extension |
Affected:
0 , ≤ 3.0.7
(custom)
|
{
"containers": {
"cna": {
"affected": [
{
"product": "Securly Chrome Extension",
"vendor": "Securly",
"versions": [
{
"lessThanOrEqual": "3.0.7",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Version 3.0.7 of the Securly Chrome Extension contains hardcoded, plaintext AES passphrases in securly.min.js. These keys decrypt crisis alert keyword data and intervention site data."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-321",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T18:07:13.200Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://kb.cert.org/vuls/id/595768"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-8876",
"x_generator": {
"engine": "VINCE 3.0.42",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-8876"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-8876",
"datePublished": "2026-06-03T18:07:13.200Z",
"dateReserved": "2026-05-18T20:27:18.596Z",
"dateUpdated": "2026-06-03T18:07:13.200Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-8874 (GCVE-0-2026-8874)
Vulnerability from cvelistv5 – Published: 2026-06-03 18:03 – Updated: 2026-06-03 18:03
VLAI
Title
CVE-2026-8874
Summary
Version 3.0.7 of the Securly Chrome Extension downloads JSON files containing crisis alert keywords and filtering rules over unencrypted HTTP via the Fetch API. Other endpoints in the same extension correctly fetch IWF and CIPA data over HTTPS, demonstrating an inconsistent implementation of TLS.
Severity
No CVSS data available.
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://kb.cert.org/vuls/id/595768 |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Securly | Securly Chrome Extension |
Affected:
0 , < 3.0.7
(custom)
|
{
"containers": {
"cna": {
"affected": [
{
"product": "Securly Chrome Extension",
"vendor": "Securly",
"versions": [
{
"lessThan": "3.0.7",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Version 3.0.7 of the Securly Chrome Extension downloads JSON files containing crisis alert keywords and filtering rules over unencrypted HTTP via the Fetch API. Other endpoints in the same extension correctly fetch IWF and CIPA data over HTTPS, demonstrating an inconsistent implementation of TLS."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-319 Cleartext Transmission of Sensitive Information",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-03T18:03:04.592Z",
"orgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"shortName": "certcc"
},
"references": [
{
"url": "https://kb.cert.org/vuls/id/595768"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "CVE-2026-8874",
"x_generator": {
"engine": "VINCE 3.0.42",
"env": "prod",
"origin": "https://cveawg.mitre.org/api/cve/CVE-2026-8874"
}
}
},
"cveMetadata": {
"assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b",
"assignerShortName": "certcc",
"cveId": "CVE-2026-8874",
"datePublished": "2026-06-03T18:03:04.592Z",
"dateReserved": "2026-05-18T20:26:19.787Z",
"dateUpdated": "2026-06-03T18:03:04.592Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}