CVE-2026-8878
Analyzed - Analysis Complete
Securly Chrome Extension Sensitive Data Exposure via Weakly Obfuscated Hashes

Publication date: 2026-06-03

Last updated on: 2026-06-04

Assigner: CERT/CC

Description
Version 3.0.7 of the Securly Chrome Extension exposes multiple publicly accessible endpoints that allow unauthenticated access to sensitive data. The exposed information consists of SHA-1 hashes that are inadequately obfuscated using a simple Caesar cipher, which can be easily reversed to recover the original hash values and access the protected data.
Meta Information
Published: 2026-06-03
Last Modified: 2026-06-04
Generated: 2026-06-24
AI Q&A: 2026-06-04
EPSS Evaluated: 2026-06-22
Affected Vendors & Products
Showing 1 associated CPE
Vendor    Product    Version / Range
securly   securly    3.0.7
CWE ID    Description
CWE-326   The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
Detection Guidance

This vulnerability involves publicly accessible endpoints in the Securly Chrome Extension version 3.0.7 that allow unauthenticated access to sensitive data, including SHA-1 hashes obfuscated with a simple Caesar cipher.

To detect this vulnerability on your network or system, you can scan for the presence of the Securly Chrome Extension version 3.0.7 and attempt to access its exposed endpoints without authentication.

Since the vulnerability involves HTTP endpoints exposing sensitive data, network traffic monitoring tools like Wireshark or tcpdump can be used to capture and analyze traffic to identify unencrypted requests to these endpoints.

Suggested commands include:

  • Using curl to test access to known endpoints: curl http://localhost:<port>/<endpoint>
  • Using nmap to scan for open HTTP ports on the system: nmap -p 80,8080 <target-ip>
  • Using tcpdump to capture HTTP traffic: sudo tcpdump -i <interface> tcp port 80 -w capture.pcap
  • Using Wireshark to analyze captured traffic for unencrypted sensitive data.
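
For the first detection step (finding installs of version 3.0.7), the following is an added example, not code from the vendor or the advisory. It sweeps a Chrome user data directory and reports affected installs. It assumes the extension's display name contains "Securly" (the page gives no extension ID) and that Chrome's usual on-disk layout applies; the IDs and names in the demo data are constructed.

```python
import json
import tempfile
from pathlib import Path

AFFECTED_NAME = "securly"   # assumption: the manifest's display name contains this
AFFECTED_VERSION = "3.0.7"  # version named in the advisory

def load_json(path):
    """Return the parsed JSON object, or {} when unreadable or malformed."""
    try:
        data = json.loads(path.read_text(encoding="utf-8-sig"))
    except (OSError, ValueError):
        return {}
    return data if isinstance(data, dict) else {}

def display_name(ext_dir, manifest):
    """Resolve the manifest name, following a __MSG_key__ locale placeholder."""
    name = str(manifest.get("name", ""))
    if name.startswith("__MSG_") and name.endswith("__"):
        locale = str(manifest.get("default_locale", "en"))
        messages = load_json(ext_dir / "_locales" / locale / "messages.json")
        for key, entry in messages.items():  # message keys are case-insensitive
            if key.lower() == name[6:-2].lower() and isinstance(entry, dict):
                return str(entry.get("message", name))
    return name

def find_affected(user_data_dir):
    """Return sorted (profile, extension_id, version) tuples for affected installs."""
    hits = []
    # Layout: <user data dir>/<profile>/Extensions/<id>/<version dir>/manifest.json
    for path in Path(user_data_dir).glob("*/Extensions/*/*/manifest.json"):
        manifest, ext_dir = load_json(path), path.parent
        name = display_name(ext_dir, manifest).lower()
        if AFFECTED_NAME in name and manifest.get("version") == AFFECTED_VERSION:
            hits.append((ext_dir.parents[2].name, ext_dir.parent.name, AFFECTED_VERSION))
    return sorted(hits)

def write_ext(root, profile, ext_id, manifest, messages=None):
    """Write one constructed extension install under root (demo data only)."""
    ext_dir = Path(root) / profile / "Extensions" / ext_id / (manifest["version"] + "_0")
    (ext_dir / "_locales" / "en").mkdir(parents=True)
    (ext_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")
    if messages:
        path = ext_dir / "_locales" / "en" / "messages.json"
        path.write_text(json.dumps(messages), encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:  # constructed sample, made-up id
        write_ext(tmp, "Default", "a" * 32, {"name": "Securly", "version": "3.0.7"})
        print(find_affected(tmp))
```

On a real host, pass the browser's user data directory to find_affected; a name match is only a lead, so confirm the extension ID against your managed-extension inventory before acting.
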
Compliance Impact

The vulnerability exposes sensitive data through publicly accessible endpoints without authentication, which could lead to unauthorized access to protected information.

Such exposure and inadequate protection of sensitive data may result in non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls to safeguard personal and sensitive information.

Executive Summary

Version 3.0.7 of the Securly Chrome Extension has multiple publicly accessible endpoints that allow anyone to access sensitive data without authentication.

The sensitive data exposed are SHA-1 hashes that are only lightly obfuscated using a simple Caesar cipher, which can be easily reversed to reveal the original hash values and thus the protected data.

Impact Analysis

This vulnerability can lead to unauthorized access to sensitive information because the exposed SHA-1 hashes can be easily decoded.

Attackers could recover protected data by reversing the weak obfuscation, potentially leading to data breaches or misuse of sensitive information.

Mitigation Strategies

Immediate mitigation steps include:

  • Disable or uninstall version 3.0.7 of the Securly Chrome Extension until a patched version is available.
  • Restrict network access to the exposed endpoints to prevent unauthenticated access.
  • Monitor network traffic for suspicious access to the vulnerable endpoints.
  • Apply any available updates or patches from the vendor addressing this vulnerability.