CVE-2026-8889 - Vulnerability Details

Description

Version 3.0.7 of the Securly Chrome Extension uses deprecated SHA-1 hashing for IWF CSAM URL matching (25,020 hashes) and CIPA blocklist matching (12,352 hashes).

Published: 2026-06-03

Score: 7.5 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

Version 3.0.7 of the Securly Chrome Extension relies on SHA-1 hashing to match IWF CSAM URLs and CIPA blocklist entries. This weakness corresponds to CWE‑407, Weak Hash Function. SHA-1 is considered weak because collisions can be produced in reasonable time, which could allow an attacker to craft a hash that mimics a disallowed or blocked URL. The result would be the extension treating inappropriate content as allowed or wrongly blocking legitimate content, undermining its purpose of protecting children and other users. Based on the description, it is inferred that an attacker could potentially generate a collision that would bypass the extension’s filtering logic.

Affected Systems

The Securly Chrome Extension, version 3.0.7, is affected. No other versions or related products were mentioned in the advisory.

Risk and Exploitability

The CVSS score is 7.5 and the EPSS score is < 1%, indicating that no publicly documented exploitation has yet been reported. The likely attack requires an attacker to produce a SHA-1 collision, a computationally intensive task that may not be practical in the short term. Nonetheless, the use of a broken hash algorithm compromises policy enforcement, and the absence of a KEV listing does not negate the potential impact.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Securly

Securly Chrome Extension

affected

Version	Status	Constraints
`0`	affected	≤ 3.0.7

Configuration 1 [-]

cpe:2.3:a:securly:securly:3.0.7:*:*:*:*:chrome:*:*

No data.

Vendor Product Confidence Versions

Securly

Securly Chrome Extension

100%

Version	Status	Scheme	Platform
`[0,3.0.7]`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Securly Chrome Extension to a version that replaces SHA‑1 with a modern hash algorithm such as SHA‑256.
If no updated version is available, uninstall or disable the extension to prevent the possibility of content filtering bypass.
Replace the SHA‑1 implementation in the extension’s hash verification logic with a secure hash algorithm, if custom development is possible.
Monitor Securly’s security advisories and support channels for new releases that address the hashing issue.
Consider deploying an alternative content‑filtering solution that employs secure cryptographic primitives.

Generated by OpenCVE AI on June 6, 2026 at 00:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00249.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://kb.cert.org/vuls/id/595768

History

Wed, 10 Jun 2026 19:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 05 Jun 2026 23:45:00 +0000

Type	Values Removed	Values Added
Weaknesses	CWE-327

Fri, 05 Jun 2026 21:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Securly securly
Weaknesses		CWE-407
CPEs		cpe:2.3:a:securly:securly:3.0.7:::::chrome::
Vendors & Products		Securly securly
Metrics		cvssV3_1 `{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}`

Fri, 05 Jun 2026 10:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Securly Securly securly Chrome Extension
Vendors & Products		Securly Securly securly Chrome Extension

Wed, 03 Jun 2026 20:45:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-327

Wed, 03 Jun 2026 19:00:00 +0000

Type	Values Removed	Values Added
Description		Version 3.0.7 of the Securly Chrome Extension uses deprecated SHA-1 hashing for IWF CSAM URL matching (25,020 hashes) and CIPA blocklist matching (12,352 hashes).
Title		CVE-2026-8889
References		https://kb.cert.org/vuls/id/595768

Subscriptions

Securly Securly Securly Chrome Extension

MITRE

Status: PUBLISHED

Assigner: certcc

Published: 2026-06-03T18:15:15.450Z

Updated: 2026-06-10T19:00:10.351Z

Reserved: 2026-05-18T20:43:53.154Z

Link: CVE-2026-8889

Vulnrichment

Updated: 2026-06-04T19:49:17.519Z

NVD

Status : Modified

Published: 2026-06-03T19:16:39.950

Modified: 2026-06-10T19:16:38.537

Link: CVE-2026-8889

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-06T01:00:11Z

Weaknesses

CWE-407
Inefficient Algorithmic Complexity

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact None

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object