CVE-2026-8876
Status: Analyzed - Analysis Complete
Hardcoded AES Passphrases in Securly Chrome Extension

Publication date: 2026-06-03

Last updated on: 2026-06-04

Assigner: CERT/CC

Description
Version 3.0.7 of the Securly Chrome Extension contains hardcoded, plaintext AES passphrases in securly.min.js. These keys decrypt crisis alert keyword data and intervention site data.
Meta Information
Published: 2026-06-03
Last Modified: 2026-06-04
Generated: 2026-06-24
AI Q&A: 2026-06-03
EPSS Evaluated: 2026-06-22
References: NVD, EUVD
Affected Vendors & Products
Vendor Product Version / Range
securly securly 3.0.7
Weakness (CWE)
CWE-798: The product contains hard-coded credentials, such as a password or cryptographic key.
AI-Generated Analysis
Executive Summary

Version 3.0.7 of the Securly Chrome Extension contains hardcoded, plaintext AES passphrases in the securly.min.js file.

These passphrases are used to decrypt sensitive data such as crisis alert keyword data and intervention site data.

Impact Analysis

Because the passphrases are embedded in plaintext in the extension bundle that is shipped to every client, anyone who can read the installed extension files (the local user, an attacker with access to the endpoint, or anyone holding a copy of the published package) can extract them and decrypt the protected payloads. Encryption whose key lives in client-side code gives no confidentiality against the client, so the protected data has to be treated as readable by every user of the extension.

The decrypted payloads are the crisis alert keyword lists and the intervention site data. Their disclosure reveals the monitoring and filtering logic, which a monitored user could study to anticipate and evade it, and exposes any further content those payloads carry.

Compliance Impact

The material protected by the hardcoded passphrases is described as crisis alert keyword data and intervention site data, that is, the configuration that drives the monitoring, rather than records about individuals. Its disclosure primarily reveals how the monitoring works, which a monitored user could use to evade it; whether the payloads also contain regulated personal data is not stated in the advisory.

If they do, the exposure would bear on obligations under data protection regimes such as GDPR or HIPAA, which require appropriate safeguards against unauthorized access. Embedding the decryption key in client code is unlikely to qualify as such a safeguard.

The advisory and linked resources do not explicitly address compliance impact, so any such assessment has to be made by the deploying organization against its own data inventory.

Detection Guidance

The vulnerable component is the extension bundle itself: the AES passphrases sit in plaintext inside securly.min.js in version 3.0.7 of the Securly Chrome Extension. Detection is therefore an inventory and file-inspection task: find installs of that version and look for the embedded passphrases in the bundled script.

Network monitoring is of limited use here. The advisory description does not state how the encrypted payloads are fetched; if the extension retrieves them over plain HTTP the downloads can be observed, but decryption happens locally with the extracted passphrase, so there is no network signature for exploitation.

  • Verify the installed version through chrome://extensions (with Developer mode enabled it shows the version and extension ID) or, on managed fleets, through the browser management console's extension inventory.
  • Locate the installed copy under the profile's Extensions/<id>/<version>/ directory and search securly.min.js for string literals passed directly as the key argument of AES decrypt calls, and for high-entropy string constants next to crypto identifiers. Minified code carries no helpful variable names, so search for the library call shapes rather than for words like "key" or "passphrase".
  • If the payload fetches are known to use plain HTTP, a capture filtered on TCP port 80 to the host serving them will show the downloads, e.g. tcpdump -i <interface> -A 'tcp port 80 and host <target-host>'. This confirms the extension is active, not that anyone has decrypted the data.
Mitigation Strategies

Removing or disabling version 3.0.7 of the Securly Chrome Extension on managed endpoints stops those endpoints from relying on the broken scheme, but it does not un-publish the passphrases: any copy of the 3.0.7 bundle already in circulation can still decrypt every payload encrypted under them. The vendor-side fix has to rotate the keys and stop depending on client-side decryption with an embedded secret (for example, by serving the sensitive data only to authenticated clients), and the current keyword and site lists should be treated as disclosed.

Apply the vendor's fixed release as soon as it is available, and pin the minimum acceptable version in enterprise policy so that 3.0.7 cannot remain installed.

Enforcing HTTPS for the payload downloads protects the data in transit but does not address this vulnerability, since the decryption key is on the client regardless of transport; blocking the downloads outright would simply disable the extension's filtering rather than mitigate the flaw.

Restrict installation of unapproved or outdated browser extensions through enterprise policy. Chrome's ExtensionSettings policy supports a per-extension minimum_version_required, which keeps an installed copy below that version disabled until it updates.
