By vendor

Securly vulnerabilities

Known CVEs affecting Securly products, prioritized by severity, with SEC.co remediation and detection guidance.

7 published vulnerabilities

  • CVE-2026-8878HIGH 7.5

    The Securly Chrome Extension version 3.0.7 contains a serious security flaw where multiple web endpoints can be accessed by anyone on the internet without authentication. These endpoints expose sensitive data in the form of SHA-1 password hashes. The hashes are protected only by a Caesar cipher—an extremely weak encryption method dating back centuries—making them trivial to decrypt. An attacker can recover the original hash values, which could then be used in further attacks or to compromise user accounts.

  • CVE-2026-8879HIGH 7.5

    The Securly Chrome Extension version 3.0.7 contains a critical availability issue where a content script (content13.min.js) is loaded dynamically at runtime instead of being declared upfront in the extension's manifest file. This hidden script blanks out all web pages and displays a full-page overlay while it waits for Securly's servers to verify whether the page is safe. If Securly's servers cannot be reached or become unresponsive, affected users see nothing but a blank page with no way to access content—effectively breaking browsing until the service recovers or the extension is disabled.

  • CVE-2026-8881HIGH 7.5

    The Securly Chrome Extension version 3.0.7 uses weak cryptographic practices to encrypt data. Specifically, it relies on MD5—a hash algorithm broken for over two decades—combined with a single-iteration key derivation process to generate encryption keys. This means an attacker with network access could potentially recover encrypted data without needing valid credentials, as modern computing power can reverse the weak key derivation quickly.

  • CVE-2026-8888HIGH 7.5

    The Securly Chrome Extension version 3.0.7 has a vulnerability that allows attackers on the network path between a user and Securly's servers to inject malicious patterns into configuration files. When the extension processes these patterns as regular expressions, it can trigger a computational flaw that freezes the browser during all web activity. This requires the attacker to be positioned to intercept traffic (such as on a shared network or through DNS hijacking) but does not require user interaction or authentication.

  • CVE-2026-8889HIGH 7.5

    Securly's Chrome Extension version 3.0.7 relies on SHA-1 hashing—a cryptographically weak algorithm—to validate URLs against two critical blocklists: the Internet Watch Foundation (IWF) CSAM database and CIPA compliance rules. SHA-1's collision vulnerabilities mean an attacker could craft a malicious URL that hashes to the same value as a legitimate blocked URL, potentially bypassing content filtering controls that organizations depend on for legal compliance and child safety.

  • CVE-2026-8876HIGH 7.3

    Securly version 3.0.7 of their Chrome Extension contains hardcoded encryption keys embedded directly in the minified JavaScript file. These keys are meant to protect sensitive data like crisis alert keywords and intervention site configurations, but because they're hardcoded and visible in the browser extension code, anyone with access to the extension can decrypt that data. This is a classic case of storing secrets where they shouldn't be stored—effectively rendering the encryption useless.

  • CVE-2026-8874HIGH 7.1

    Securly Chrome Extension version 3.0.7 downloads security configuration files—specifically crisis alert keywords and filtering rules—over plain HTTP instead of the encrypted HTTPS protocol. While the same extension correctly uses HTTPS for other sensitive data (IWF and CIPA filtering data), this inconsistency leaves downloaded crisis alert configurations vulnerable to interception and modification by network-positioned attackers. An attacker on the same network could intercept these files and inject malicious keywords or rules, potentially disrupting the extension's security functionality or causing it to behave unexpectedly.