Description
Version 3.0.7 of the Securly Chrome Extension exposes multiple publicly accessible endpoints that allow unauthenticated access to sensitive data. The exposed information consists of SHA-1 hashes that are inadequately obfuscated using a simple Caesar cipher, which can be easily reversed to recover the original hash values and access the protected data.
Published: 2026-06-03
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows an attacker to use publicly accessible endpoints in the Securly Chrome Extension to retrieve SHA‑1 hash values that are only weakly obfuscated with a Caesar cipher. This obfuscation can be reversed with negligible effort, exposing original hash values and potentially revealing sensitive data such as password digests. The result is a loss of confidentiality and an increased risk of credential compromise.

Affected Systems

The Securly Chrome Extension, specifically version 3.0.7, is impacted. Users who have this version installed should review the extension’s presence in their browsers.

Risk and Exploitability

The exposed endpoints can be accessed without any authentication, so the attack vector requires only network connectivity to the extension’s enabled services. The EPSS score of < 1% indicates a very low exploitation probability, the CVSS score of 7.5 is rated High, and the vulnerability is not listed in the CISA KEV catalog. The nature of the flaw, unauthenticated access to weakly obfuscated SHA-1 hashes, indicates a high risk to data confidentiality; the CVSS vector (C:H/I:N/A:N) records no integrity or availability impact.

Generated by OpenCVE AI on June 4, 2026 at 21:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest update of the Securly Chrome Extension that removes or secures the vulnerable endpoints.
  • If no update is available, uninstall or disable the extension to eliminate the exposure.
  • Implement proper storage and handling of hash values, ensuring they are protected using standard cryptographic hashing mechanisms and accessed only through authenticated channels.

Generated by OpenCVE AI on June 4, 2026 at 21:23 UTC.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Securly securly Chrome Extension
Vendors & Products Securly securly Chrome Extension

Thu, 04 Jun 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
CWE-284

Thu, 04 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Securly
Securly securly
Weaknesses CWE-326
CPEs cpe:2.3:a:securly:securly:3.0.7:*:*:*:*:chrome:*:*
Vendors & Products Securly
Securly securly

Thu, 04 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 03 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-200
CWE-284

Wed, 03 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Description Version 3.0.7 of the Securly Chrome Extension exposes multiple publicly accessible endpoints that allow unauthenticated access to sensitive data. The exposed information consists of SHA-1 hashes that are inadequately obfuscated using a simple Caesar cipher, which can be easily reversed to recover the original hash values and access the protected data.
Title CVE-2026-8878
References

MITRE

Status: PUBLISHED

Assigner: certcc

Published:

Updated: 2026-06-04T14:18:55.977Z

Reserved: 2026-05-18T20:27:44.651Z

Link: CVE-2026-8878

Vulnrichment

Updated: 2026-06-04T14:18:52.823Z

NVD

Status: Analyzed

Published: 2026-06-03T19:16:39.387

Modified: 2026-06-04T18:42:06.257

Link: CVE-2026-8878

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T10:11:26Z

Weaknesses
  • CWE-326

    Inadequate Encryption Strength