CVE-2026-8874
Summary
| CVE | CVE-2026-8874 |
|---|---|
| State | PUBLISHED |
| Assigner | certcc |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-03 19:16:39 UTC |
| Updated | 2026-06-05 20:47:12 UTC |
| Description | Version 3.0.7 of the Securly Chrome Extension downloads JSON files containing crisis alert keywords and filtering rules over unencrypted HTTP via the Fetch API. Other endpoints in the same extension correctly fetch IWF and CIPA data over HTTPS, demonstrating an inconsistent implementation of TLS. |
Risk And Classification
Primary CVSS: v3.1 7.1 HIGH from ADP
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
EPSS: 0.000060000 probability, percentile 0.004650000 (date 2026-06-11)
Problem Types: CWE-319 | CWE-319 Cleartext Transmission of Sensitive Information | CWE-319 CWE-319 Cleartext Transmission of Sensitive Information
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | DECLARED | 7.1 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N |
| 3.1 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | Secondary | 7.1 | HIGH | CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N |
CVSS v3.1 Breakdown
Attack Vector
AdjacentAttack Complexity
LowPrivileges Required
NoneUser Interaction
NoneScope
UnchangedConfidentiality
LowIntegrity
HighAvailability
NoneCVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Securly | Securly Chrome Extension | affected 3.0.7 custom | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| kb.cert.org/vuls/id/595768 | [email protected] | kb.cert.org | Third Party Advisory |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.