CVE-2026-8879

Vulnerability

Version 3.0.7 of the Securly Chrome Extension dynamically registers content13.min.js as a content script using chrome.scripting.registerContentScripts() at runtime. This script is not declared in manifest.json, allowing it to bypass Chrome Web Store static security reviews. It is designed to run on all URLs [1].

Exploitation

An attacker with the ability to make Securly's servers unreachable could exploit this vulnerability. When the extension cannot confirm the page passes filtering with its service worker, the page content remains hidden indefinitely, effectively causing a denial of service [1].

Impact

Successful exploitation can lead to a denial of service (DoS) by indefinitely hiding all page content for users of the Securly Chrome Extension. This impacts the usability of web pages for students in managed environments [1].

Mitigation

No specific patch version or release date is mentioned in the available references. Users are advised to monitor Securly for updates. As of the publication of this advisory, there are no known workarounds or indicators of compromise. The extension is widely used in K-12 school-managed Chromebooks [1].