CVE-2026-8874
Description
Securly Chrome Extension v3.0.7 downloads sensitive filtering rules over unencrypted HTTP, allowing attackers to intercept and modify them.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Version 3.0.7 of the Securly Chrome Extension uses the Fetch API to download JSON files containing crisis alert keywords and filtering rules over unencrypted HTTP. TLS is applied inconsistently: other endpoints correctly use HTTPS, but these downloads do not, which allows interception of sensitive data [1].
Exploitation
An attacker with network visibility can intercept the unencrypted HTTP traffic that carries the JSON files containing crisis alert keywords and filtering rules. This allows the rules to be modified before the extension processes them [1].
Impact
Successful exploitation allows an attacker to modify content blocking rules for student users, potentially leading to the bypass of safety policies or the introduction of malicious content. It can also lead to the theft of configuration information or a Denial of Service (DoS) [1].
Mitigation
No patched version has been disclosed in the available references. Users are advised to monitor for updates from the vendor. The extension is used in K-12 school-managed Chromebooks, highlighting the potential impact on student safety [1].
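A static check for the pattern described under Vulnerability, written as an added example and not code from the extension or the vendor: it scans extension source for fetch() calls with literal URLs and flags those that use http://. The file names and example.test URLs are constructed sample input.

```javascript
// Added example: audit extension source for fetch() calls over plaintext HTTP.
// File names and URLs are constructed; none are taken from the Securly extension.

// Matches fetch("..."), fetch('...') and fetch(`...`) with a literal absolute URL.
const FETCH_URL = /\bfetch\s*\(\s*(["'`])(https?:\/\/[^"'`\s]+)\1/g;

function auditFetchTargets(files) {
  const findings = [];
  for (const [name, source] of Object.entries(files)) {
    source.split("\n").forEach((text, i) => {
      for (const m of text.matchAll(FETCH_URL)) {
        let url;
        try {
          url = new URL(m[2]);
        } catch (e) {
          continue; // not a parseable URL, nothing to classify
        }
        findings.push({
          file: name,
          line: i + 1,
          url: url.href,
          plaintext: url.protocol === "http:",
        });
      }
    });
  }
  const insecure = findings.filter((f) => f.plaintext);
  return {
    findings,
    insecure,
    // Mixed use is the pattern in this CVE: some endpoints on HTTPS, others not.
    mixed: insecure.length > 0 && insecure.length < findings.length,
  };
}

// Constructed sample input standing in for unpacked extension scripts.
const SAMPLE_FILES = {
  "background.js": [
    'fetch("https://api.example.test/v1/policy").then(r => r.json());',
    'fetch("http://cdn.example.test/rules/keywords.json").then(r => r.json());',
  ].join("\n"),
  "content.js": "fetch('http://cdn.example.test/rules/filters.json');",
};

function runSampleAudit() {
  return auditFetchTargets(SAMPLE_FILES);
}

for (const f of runSampleAudit().insecure) {
  console.log(`${f.file}:${f.line} plaintext fetch -> ${f.url}`);
}
```

The check only sees URLs written as string literals; a URL assembled from variables at run time needs a network capture or proxy log to confirm its scheme.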
AI Insight generated on Jun 3, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: <=3.0.7
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (1)
News mentions (0)
No linked articles in our index yet.