CVE-2026-8874
Received - Intake
Insecure HTTP Fetch in Securly Chrome Extension 3.0.7

Publication date: 2026-06-03

Last updated on: 2026-06-03

Assigner: CERT/CC

Description
Version 3.0.7 of the Securly Chrome Extension downloads JSON files containing crisis alert keywords and filtering rules over unencrypted HTTP via the Fetch API. Other endpoints in the same extension correctly fetch IWF and CIPA data over HTTPS, demonstrating an inconsistent implementation of TLS.
Meta Information
Published: 2026-06-03
Last Modified: 2026-06-03
Generated: 2026-06-04
AI Q&A: 2026-06-03
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: securly
Product: chrome_extension
Version / Range: to 3.0.7 (inc)
CWE ID: CWE-UNKNOWN
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in the Securly Chrome Extension involves downloading sensitive JSON files over unencrypted HTTP, exposing data to interception or manipulation. This exposure of potentially sensitive data during transmission could lead to non-compliance with data protection standards and regulations such as GDPR and HIPAA, which require secure handling and transmission of personal and sensitive information.

Specifically, the inconsistent use of TLS encryption means that sensitive monitoring details and filtering rules could be exposed to attackers, violating principles of data confidentiality and integrity mandated by these regulations.


Can you explain this vulnerability to me?

CVE-2026-8874 is a vulnerability in version 3.0.7 of the Securly Chrome Extension where it downloads JSON files containing crisis alert keywords and filtering rules over unencrypted HTTP using the Fetch API.

This means that sensitive data is transmitted without encryption, exposing it to interception or manipulation by attackers on the same network.

Other endpoints in the extension correctly use HTTPS, so this vulnerability is due to inconsistent implementation of TLS encryption.


How can this vulnerability impact me?

An attacker on the same network could intercept or manipulate the unencrypted JSON data being downloaded by the extension.

  • They could alter filtering rules, potentially bypassing or changing content filtering.
  • They could expose details related to student activity monitoring, compromising privacy.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring network traffic for unencrypted HTTP requests made by the Securly Chrome Extension version 3.0.7, specifically requests fetching JSON files containing crisis alert keywords and filtering rules.

You can use network traffic analysis tools such as Wireshark or tcpdump to capture and inspect HTTP traffic from the extension.

  • Use tcpdump to capture HTTP traffic on your network interface: tcpdump -i <interface> -A 'tcp port 80 and host <target-device-ip>'
  • Use Wireshark to filter HTTP requests and look for JSON file downloads from the Securly Chrome Extension.
  • Check browser developer tools (Network tab) for any HTTP (not HTTPS) requests fetching JSON files related to crisis alert keywords or filtering rules.
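A static check that complements the network-level steps above, added here as an example and not taken from the advisory or from Securly's code: it scans extension source text for cleartext http:// URL literals and notes whether each one is passed directly to fetch(). It assumes the endpoints appear as string literals in the source; auditSource is a hypothetical helper, and the file name, hosts and paths are constructed placeholders.

```javascript
// Added example: flag cleartext http:// URL literals in extension source text.
// Hosts, paths and file contents are constructed placeholders, not Securly's.

// Any quoted or template-literal string that begins with http:// or https://.
const URL_LITERAL = /(["'`])(https?:\/\/[^"'`\s]+)\1/gi;
// Loopback targets never leave the machine, so cleartext there is not reported.
const LOOPBACK = /^http:\/\/(localhost|127\.0\.0\.1|\[::1\])([:\/]|$)/i;

function auditSource(fileName, source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, index) => {
    for (const match of text.matchAll(URL_LITERAL)) {
      const url = match[2];
      if (!/^http:\/\//i.test(url) || LOOPBACK.test(url)) continue;
      // True when the literal is the first argument of a fetch() call on this line.
      const before = text.slice(0, match.index);
      findings.push({
        file: fileName,
        line: index + 1,
        url,
        directFetch: /\bfetch\s*\(\s*$/.test(before),
        suggested: url.replace(/^http:/i, "https:"),
      });
    }
  });
  return findings;
}

// Constructed sample resembling a background script with mixed schemes.
const SAMPLE_SOURCE = [
  'const IWF_URL = "https://lists.example.invalid/iwf.json";',
  'const KEYWORDS_URL = "http://lists.example.invalid/crisis-keywords.json";',
  'async function loadLists() {',
  '  const iwf = await fetch(IWF_URL).then((r) => r.json());',
  '  const words = await fetch(KEYWORDS_URL).then((r) => r.json());',
  '  const rules = await fetch("http://lists.example.invalid/filter-rules.json");',
  '  const dev = await fetch("http://localhost:8080/mock.json");',
  '  return { iwf, words, rules: await rules.json(), dev };',
  '}',
].join("\n");

function runSampleAudit() {
  return auditSource("background.js", SAMPLE_SOURCE);
}

for (const f of runSampleAudit()) {
  console.log(`${f.file}:${f.line} cleartext URL ${f.url} (direct fetch: ${f.directFetch})`);
}
```

URLs assembled at runtime from fragments will not match this pattern, so the network capture steps above remain necessary.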

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include preventing the Securly Chrome Extension version 3.0.7 from downloading JSON files over unencrypted HTTP to avoid interception or manipulation.

  • Update the Securly Chrome Extension to a version that enforces HTTPS for all data fetching endpoints.
  • If an update is not available, block HTTP traffic from the extension using network firewall rules or browser policies.
  • Monitor network traffic to detect any unencrypted HTTP requests and alert on such activity.
