CVE-2026-8874
Analyzed - Analysis Complete
Insecure HTTP Fetch in Securly Chrome Extension 3.0.7

Publication date: 2026-06-03

Last updated on: 2026-06-05

Assigner: CERT/CC

Description
Version 3.0.7 of the Securly Chrome Extension downloads JSON files containing crisis alert keywords and filtering rules over unencrypted HTTP via the Fetch API. Other endpoints in the same extension correctly fetch IWF and CIPA data over HTTPS, demonstrating an inconsistent implementation of TLS.
Meta Information
Published: 2026-06-03
Last Modified: 2026-06-05
Generated: 2026-06-24
AI Q&A: 2026-06-03
EPSS Evaluated: 2026-06-22
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
securly securly 3.0.7
CWE ID Description
CWE-319 The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
Executive Summary

CVE-2026-8874 is a vulnerability in version 3.0.7 of the Securly Chrome Extension where it downloads JSON files containing crisis alert keywords and filtering rules over unencrypted HTTP using the Fetch API.

This means that sensitive data is transmitted without encryption, exposing it to interception or manipulation by attackers on the same network.

Other endpoints in the extension correctly use HTTPS, so this vulnerability is due to inconsistent implementation of TLS encryption.

Impact Analysis

An attacker on the same network could intercept or manipulate the unencrypted JSON data being downloaded by the extension.

  • They could alter filtering rules, potentially bypassing or changing content filtering.
  • They could expose details related to student activity monitoring, compromising privacy.

Detection Guidance

This vulnerability can be detected by monitoring network traffic for unencrypted HTTP requests made by the Securly Chrome Extension version 3.0.7, specifically requests fetching JSON files containing crisis alert keywords and filtering rules.

You can use network traffic analysis tools such as Wireshark or tcpdump to capture and inspect HTTP traffic from the extension.

  • Use tcpdump to capture HTTP traffic on your network interface: tcpdump -i <interface> -A 'tcp port 80 and host <target-device-ip>'
  • Use Wireshark to filter HTTP requests and look for JSON file downloads from the Securly Chrome Extension.
  • Check browser developer tools (Network tab) for any HTTP (not HTTPS) requests fetching JSON files related to crisis alert keywords or filtering rules.
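
Alongside the network checks above, the same inconsistency can be found statically by auditing an unpacked copy of the extension for cleartext URL literals and cleartext-capable host permissions. The script below is an added example, not code from Securly or from this advisory; the hosts, file names and function names are constructed placeholders, and it assumes a Manifest V3 layout.

```javascript
// Constructed sample of an unpacked extension: file name -> contents.
// Hosts and file names are placeholders, not Securly's real endpoints.
const SAMPLE_FILES = {
  "manifest.json": JSON.stringify({
    manifest_version: 3,
    host_permissions: ["http://rules.example.invalid/*", "https://lists.example.invalid/*"],
  }),
  "background.js": [
    'const RULES_URL = "http://rules.example.invalid/crisis_keywords.json";',
    "fetch(RULES_URL).then((r) => r.json());",
    'fetch("https://lists.example.invalid/iwf.json").then((r) => r.json());',
  ].join("\n"),
};

// Quoted http(s) URL literals; catches URLs stored in constants, not only inline fetch() arguments.
const URL_LITERAL = /(["'`])(https?:\/\/[^"'`\s]+)\1/g;
const LOOPBACK = new Set(["localhost", "127.0.0.1"]);

// Match patterns that grant cleartext access: http://, the * scheme wildcard, or <all_urls>.
function allowsCleartext(pattern) {
  return pattern === "<all_urls>" || /^(http|\*):\/\//.test(pattern);
}

function auditExtension(files) {
  const cleartext = [];
  const encrypted = [];
  for (const [file, text] of Object.entries(files)) {
    if (file === "manifest.json") {
      // Assumes Manifest V3, where network grants live in host_permissions.
      for (const pattern of JSON.parse(text).host_permissions || []) {
        if (allowsCleartext(pattern)) cleartext.push({ file, line: null, url: pattern });
      }
      continue;
    }
    text.split("\n").forEach((source, index) => {
      for (const match of source.matchAll(URL_LITERAL)) {
        const url = new URL(match[2]);
        if (LOOPBACK.has(url.hostname)) continue; // loopback never crosses the network
        const hit = { file, line: index + 1, url: url.href };
        (url.protocol === "http:" ? cleartext : encrypted).push(hit);
      }
    });
  }
  // mixedTransport mirrors the CVE description: some endpoints on HTTPS, others on HTTP.
  return { cleartext, encrypted, mixedTransport: cleartext.length > 0 && encrypted.length > 0 };
}

const report = auditExtension(SAMPLE_FILES);
console.log(JSON.stringify(report, null, 2));
```

Any entry in `cleartext` is a candidate for the CWE-319 condition described here and should be confirmed against live traffic with the tcpdump or developer-tools checks.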

Mitigation Strategies

Immediate mitigation steps include preventing the Securly Chrome Extension version 3.0.7 from downloading JSON files over unencrypted HTTP to avoid interception or manipulation.

  • Update the Securly Chrome Extension to a version that enforces HTTPS for all data fetching endpoints.
  • If an update is not available, block HTTP traffic from the extension using network firewall rules or browser policies.
  • Monitor network traffic to detect any unencrypted HTTP requests and alert on such activity.

Compliance Impact

The vulnerability in the Securly Chrome Extension involves downloading sensitive JSON files over unencrypted HTTP, exposing data to interception or manipulation. This exposure of potentially sensitive data during transmission could lead to non-compliance with data protection standards and regulations such as GDPR and HIPAA, which require secure handling and transmission of personal and sensitive information.

Specifically, the inconsistent use of TLS encryption means that sensitive monitoring details and filtering rules could be exposed to attackers, violating principles of data confidentiality and integrity mandated by these regulations.
