CVE-2026-8879
Securly Chrome Extension Content Script Bypass
Publication date: 2026-06-03
Last updated on: 2026-06-03
Assigner: CERT/CC
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| securly | chrome_extension | 3.0.7 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in version 3.0.7 of the Securly Chrome Extension. The extension dynamically registers a script named content13.min.js at runtime using chrome.scripting.registerContentScripts(), instead of declaring it in the manifest.json file. Because the script is not declared statically, it bypasses the Chrome Web Store's static security review process.
The dynamically registered script runs on all URLs and immediately hides all page content, creates a full-page overlay, and pauses all videos. The content is only restored when the service worker confirms that the page passes filtering. If Securly's servers are unreachable, the pages remain hidden indefinitely.
How can this vulnerability impact me? :
This vulnerability can impact users by causing all web page content to be hidden indefinitely if the Securly service worker cannot confirm that the page passes filtering or if Securly's servers are unreachable. This means users may be unable to view or interact with web pages, as the extension creates a full-page overlay and pauses all videos.