CVE-2026-8874 in Chrome Extension
Summary
by MITRE • 06/03/2026
Version 3.0.7 of the Securly Chrome Extension downloads JSON files containing crisis alert keywords and filtering rules over unencrypted HTTP via the Fetch API. Other endpoints in the same extension correctly fetch IWF and CIPA data over HTTPS, demonstrating an inconsistent implementation of TLS.
Analysis
by VulDB Data Team • 06/03/2026
The Securly Chrome Extension version 3.0.7 presents a significant security vulnerability through its inconsistent use of secure communication protocols when handling critical filtering data. This flaw manifests in the extension's download mechanism for crisis alert keywords and filtering rules, which are transmitted over unencrypted HTTP connections rather than the secure HTTPS protocol that should be employed for all data transmission. The vulnerability represents a clear deviation from established security best practices and demonstrates poor implementation of secure coding principles. The extension's Fetch API calls to other endpoints, such as those retrieving IWF and CIPA data, correctly use HTTPS, a stark contrast that highlights the inconsistent security posture within the same software component. This inconsistency creates a potential attack surface where malicious actors could intercept and manipulate the crisis alert data during transmission, potentially leading to unauthorized content filtering modifications or the injection of malicious keywords that could bypass security measures.
The technical implementation of this vulnerability aligns with CWE-319, which addresses the exposure of sensitive information through improper use of network protocols. The extension's behavior demonstrates a failure to enforce mandatory encryption for all network communications, particularly when dealing with security-critical data that could impact content filtering policies. The use of unencrypted HTTP for downloading filtering rules creates a man-in-the-middle attack vector where attackers positioned between the user and the Securly servers could modify the downloaded JSON files containing crisis alert keywords. This represents a critical weakness in the extension's security architecture since the downloaded data directly influences how content is filtered and blocked on user devices. The vulnerability's impact is amplified by the fact that these crisis alert keywords likely contain sensitive information about security threats or content that requires immediate filtering action, making the data particularly valuable to adversaries seeking to disrupt security operations.
The operational impact of this vulnerability extends beyond simple data interception to potentially compromise the integrity of the entire filtering system. When crisis alert keywords are transmitted over unencrypted channels, there exists a risk that attackers could inject false alerts or modify existing rules to either block legitimate content or allow malicious content through security filters. This could result in significant security breaches where the extension's primary purpose of protecting users from inappropriate content becomes compromised. The inconsistent implementation also suggests broader security flaws in the extension's design philosophy, indicating that developers may not have consistently applied security measures across all network communication pathways. This pattern of behavior could lead to additional vulnerabilities in other components that might be similarly exposed due to the lack of comprehensive security testing and protocol enforcement throughout the codebase.
The security implications of this vulnerability align with several ATT&CK techniques including T1071.004 for application layer protocol usage and T1566 for credential access through social engineering. The inconsistent TLS implementation creates opportunities for attackers to exploit the weakest link in the security chain, potentially allowing them to manipulate filtering rules that could be used for further attacks or to gain unauthorized access to user data. Organizations relying on Securly for content filtering may experience compromised security postures, as the unencrypted transmission of crisis alert data creates a backdoor for malicious actors to influence filtering decisions. The vulnerability also violates fundamental security principles outlined in NIST SP 800-53 and ISO 27001 standards, which mandate the use of encrypted communications for sensitive data transmission. Mitigation strategies should include immediate implementation of HTTPS enforcement for all data downloads, comprehensive security testing to identify similar inconsistencies, and regular security audits to ensure consistent application of encryption protocols throughout the extension's functionality.
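One way to run the check for similar inconsistencies that the mitigation advice calls for, as an added example (not code from Securly or VulDB): a Node.js script that lists literal `fetch()` URLs in extension source and flags `http://` targets that sit alongside `https://` ones. The file name, hostnames and paths in the sample are constructed placeholders, not the extension's real endpoints.

```javascript
// Added example: audit extension source for cleartext fetch() targets.
// Matches fetch("..."), fetch('...') and fetch(`...`) with a literal URL argument.
const FETCH_CALL = /\bfetch\s*\(\s*(["'`])([^"'`]+)\1/g;

// files: { fileName: sourceText }. Returns one finding per absolute fetch URL.
function auditFetchCalls(files) {
  const findings = [];
  for (const [file, source] of Object.entries(files)) {
    source.split("\n").forEach((text, idx) => {
      for (const m of text.matchAll(FETCH_CALL)) {
        let url;
        try { url = new URL(m[2]); } catch { continue; } // relative URL: no scheme to check
        findings.push({ file, line: idx + 1, url: url.href, scheme: url.protocol });
      }
    });
  }
  return findings;
}

// Cleartext endpoints, plus whether the code base mixes HTTP and HTTPS
// (the inconsistency described in the advisory).
function summarise(findings) {
  const cleartext = findings.filter(f => f.scheme === "http:");
  const secure = findings.filter(f => f.scheme === "https:");
  return { cleartext, mixed: cleartext.length > 0 && secure.length > 0 };
}

// Constructed sample input: hypothetical background script with placeholder hosts.
const SAMPLE_FILES = {
  "background.js": [
    'const iwf = await fetch("https://cdn.filter.example/iwf.json");',
    'const cipa = await fetch("https://cdn.filter.example/cipa.json");',
    'const crisis = await fetch("http://cdn.filter.example/crisis_keywords.json");',
    "const local = await fetch('/rules/local.json');",
  ].join("\n"),
};

const report = summarise(auditFetchCalls(SAMPLE_FILES));
for (const f of report.cleartext) {
  console.log(`${f.file}:${f.line} cleartext fetch -> ${f.url}`);
}
console.log("mixed HTTP/HTTPS usage:", report.mixed);
```

The regex only sees URLs written as string literals; URLs assembled at runtime need a network capture or a proxy log to confirm the scheme actually used.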