CVE-2026-8881

Vulnerability

Version 3.0.7 of the Securly Chrome Extension utilizes EVP_BytesToKey with MD5 and a single iteration for AES encryption. MD5 has been known to be broken since 2004, and a single iteration offers no key stretching, rendering the encryption weak [1].

Exploitation

An attacker could exploit this weakness by leveraging the known vulnerabilities in MD5 and the lack of key stretching to derive the encryption key used by the extension. This would likely involve analyzing network traffic or the extension's code to understand the encryption process and then applying cryptanalytic techniques to recover the plaintext data [1].

Impact

Successful exploitation could lead to the compromise of sensitive data, such as crisis alert keywords and intervention site data, which are encrypted using the weak cryptographic method. This could potentially allow an attacker to steal configuration information or modify content blocking rules [1].

Mitigation

Version 3.0.7 is affected. Information regarding a fixed version or a release date for a patch is not yet available in the provided references. Users are advised to monitor for updates from the vendor. The extension is part of the Securly classroom management platform [1].