Skip to main content

Securly Chrome Extension CVE-2026-8889

| EUVDEUVD-2026-34167 HIGH
Inefficient Algorithmic Complexity (CWE-407)
2026-06-03 certcc GHSA-7qqf-r2pg-xhqj
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Analysis Generated
Jun 05, 2026 - 20:53 vuln.today
CVSS changed
Jun 05, 2026 - 20:52 NVD
7.5 (HIGH)
CVE Published
Jun 03, 2026 - 18:15 nvd
UNKNOWN (no severity yet)
CVE Published
Jun 03, 2026 - 18:15 nvd
HIGH 7.5

DescriptionNVD

Version 3.0.7 of the Securly Chrome Extension uses deprecated SHA-1 hashing for IWF CSAM URL matching (25,020 hashes) and CIPA blocklist matching (12,352 hashes).

AnalysisAI

Information disclosure weakness in Securly Chrome Extension version 3.0.7 stems from continued reliance on the deprecated SHA-1 algorithm to hash and match 25,020 IWF CSAM URLs and 12,352 CIPA blocklist URLs. Because SHA-1 is vulnerable to collision attacks, an adversary with knowledge of the hash list could derive or guess matching URLs, exposing sensitive blocklist contents and undermining the integrity of the content-filtering mechanism. There is no public exploit identified at time of analysis and EPSS is very low (0.01%), but the issue was reported through CERT/CC (VU#595768), giving it credible vendor-coordinated provenance.

Technical ContextAI

Securly is a cloud-based web-filtering and student-safety product whose Chrome Extension enforces policy on managed Google/ChromeOS devices in K-12 environments. The extension matches browsed URLs against two embedded hash lists: the Internet Watch Foundation (IWF) CSAM URL list and a CIPA-compliance blocklist. The root cause maps to CWE-407 (Inefficient Algorithmic Complexity, often used here to denote use of a cryptographically broken primitive in a security-relevant matching path). SHA-1 has been deprecated by NIST since 2011 and is considered collision-broken since the 2017 SHAttered work; using it for sensitive set-membership checks means an attacker can pre-compute or brute-force collisions to either learn the protected URLs or craft URLs that evade matching. CPE cpe:2.3:a:securly:securly_chrome_extension covers the affected build.

RemediationAI

No vendor-released patch identified at time of analysis; the CERT/CC advisory (https://kb.cert.org/vuls/id/595768) is the primary tracking source and should be monitored for a fixed Securly Chrome Extension build that replaces SHA-1 with a collision-resistant hash such as SHA-256 (with a per-list salt or HMAC to resist precomputation). Until a fixed extension is published, administrators using Google Admin console force-install of the Securly extension should subscribe to Securly's customer advisories, pin extension auto-update to receive the fix promptly, and consider augmenting client-side filtering with Securly's network/DNS-layer enforcement so CSAM/CIPA policy does not depend solely on the client-side hash list (trade-off: requires Securly's gateway/DNS service to be in scope, which not all deployments use). Avoid attempts to redistribute or reverse the embedded hash lists, as the CSAM list is legally sensitive.

Share

CVE-2026-8889 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy