CVE-2026-8879
Analyzed Analyzed - Analysis Complete
Securly Chrome Extension Content Script Bypass

Publication date: 2026-06-03

Last updated on: 2026-06-04

Assigner: CERT/CC

Description
Version 3.0.7 of the Securly Chrome Extension dynamically registers content13.min.js as a content script via chrome.scripting.registerContentScripts() at runtime. This script is NOT declared in manifest.json and bypasses Chrome Web Store static security review. It runs on all URLs and immediately hides all page content, creates a full-page overlay, pauses all videos, and only restores content when the service worker confirms the page passes filtering. If Securly's servers are unreachable, pages remain indefinitely hidden.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-03
Last Modified
2026-06-04
Generated
2026-06-24
AI Q&A
2026-06-04
EPSS Evaluated
2026-06-22
NVD
CVE-2026-8879
EUVD
EUVD-2026-34165
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
securly securly 3.0.7
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-829 The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The provided information does not specify any direct impact of CVE-2026-8879 on compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability exists in version 3.0.7 of the Securly Chrome Extension. The extension dynamically registers a script named content13.min.js at runtime using chrome.scripting.registerContentScripts(), instead of declaring it in the manifest.json file. Because the script is not declared statically, it bypasses the Chrome Web Store's static security review process.

The dynamically registered script runs on all URLs and immediately hides all page content, creates a full-page overlay, and pauses all videos. The content is only restored when the service worker confirms that the page passes filtering. If Securly's servers are unreachable, the pages remain hidden indefinitely.

Impact Analysis

This vulnerability can impact users by causing all web page content to be hidden indefinitely if the Securly service worker cannot confirm that the page passes filtering or if Securly's servers are unreachable. This means users may be unable to view or interact with web pages, as the extension creates a full-page overlay and pauses all videos.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8879. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart