Vulnerability research · 2026-06-03
Seven flaws in the Securly content-filtering extension.
Securly is a content filter that runs as a Chrome extension on school-managed Chromebooks. We reviewed version 3.0.7 and found seven issues in how it transports, stores, and protects its filtering data, and in how it injects code into pages. CERT/CC coordinated the disclosure as VU#595768. Securly did not respond to notification.
Summary
- Note: CERT/CC VU#595768, published 2026-06-03
- Product: Securly Chrome extension, version 3.0.7
- CVEs: CVE-2026-8874, -8876, -8878, -8879, -8881, -8888, -8889
- Reported by: Santh
- Vendor: notified 2026-03-30; no response; coordination unsuccessful
Background
The extension enforces web filtering and flags crisis keywords — terms associated with
self-harm and similar risks — on student devices. To do this it pulls configuration,
keyword lists, and URL blocklists from Securly's servers and applies them client-side in
JavaScript (securly.min.js and related scripts). Several of the issues follow
from trusting that client-side data, and the network path that delivers it, more than is
warranted.
Configuration delivered over plaintext HTTP
CVE-2026-8874, CVE-2026-8888.
The extension fetches some of its JSON configuration — including crisis-alert keywords and filtering rules — over unencrypted HTTP via the Fetch API, even though other endpoints use HTTPS (CVE-2026-8874). A network-adjacent attacker, on the same Wi-Fi or anywhere on the path, can read these requests and modify the responses, changing what the filter blocks or which keywords it watches for.
The same plaintext channel carries config.json, whose patterns the extension
compiles into JavaScript regular expressions with new RegExp() and no
complexity check (CVE-2026-8888). An attacker on the path can return a pattern that triggers
catastrophic backtracking and hangs the browser tab. The transport weakness turns a
server-trust assumption into a denial-of-service primitive available to anyone on the
network.
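The two issues above are both fixed on the client side by refusing to load configuration from a plaintext URL and by screening each pattern before it reaches new RegExp(). The following is an added example written for this write-up, not code from Securly's extension: a hardened config loader. The allowed origin, the config shape ({ patterns: [...] }) and the nested-quantifier heuristic are assumptions for illustration.

```javascript
// Added example (not Securly's code): a hardened loader for a remote filter
// configuration. It refuses non-HTTPS URLs and screens every regex pattern
// before compiling it, instead of calling new RegExp() on whatever arrives.
// The allowed origin and the config shape are placeholders for illustration.

const MAX_PATTERN_LENGTH = 256;

// Heuristic: a quantified group that itself contains an unbounded quantifier,
// e.g. (a+)+ or (\w*)*, is the classic catastrophic-backtracking shape.
// It does not catch every pathological pattern (overlapping alternations such
// as (a|aa)+ pass), so it is a screen, not a proof of linear-time matching.
const NESTED_QUANTIFIER = /\([^()]*[+*][^()]*\)\s*[+*{]/;

function isPatternSafe(pattern) {
  if (typeof pattern !== 'string' || pattern.length > MAX_PATTERN_LENGTH) return false;
  if (NESTED_QUANTIFIER.test(pattern)) return false;
  try { new RegExp(pattern); } catch { return false; }   // reject syntax errors too
  return true;
}

// Only https: URLs on an explicit origin allow-list are accepted.
const ALLOWED_ORIGINS = new Set(['https://config.example.invalid']); // placeholder origin

function isTrustedConfigUrl(url) {
  let u;
  try { u = new URL(url); } catch { return false; }
  return u.protocol === 'https:' && ALLOWED_ORIGINS.has(u.origin);
}

// Compile the patterns of a parsed config, dropping and reporting unsafe ones
// rather than hanging the tab on them.
function compilePatterns(config) {
  const compiled = [];
  const rejected = [];
  for (const p of config.patterns ?? []) {
    if (isPatternSafe(p)) compiled.push(new RegExp(p));
    else rejected.push(p);
  }
  return { compiled, rejected };
}

// fetchImpl is injectable so the loader can be exercised without a network.
async function loadConfig(url, fetchImpl = fetch) {
  if (!isTrustedConfigUrl(url)) throw new Error(`refusing untrusted config URL: ${url}`);
  const res = await fetchImpl(url);
  if (!res.ok) throw new Error(`config fetch failed: ${res.status}`);
  return compilePatterns(await res.json());
}

// Constructed sample config: two benign rules and one backtracking bomb.
const SAMPLE_CONFIG = { patterns: ['^https?://[^/]*\\.example\\.invalid/', 'self[- ]harm', '(a+)+$'] };
console.log(compilePatterns(SAMPLE_CONFIG).rejected); // the bomb is reported, not compiled
```

The rejected list is worth logging: a pattern that fails the screen after arriving from the server is exactly the "abnormal filtering behavior" a deployment should be watching for.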
Cryptography that protects nothing
CVE-2026-8876, CVE-2026-8881, CVE-2026-8889, CVE-2026-8878.
The data the extension does encrypt is not meaningfully protected.
- The AES passphrases that decrypt the crisis-keyword list and intervention-site data are hardcoded in plaintext in securly.min.js (CVE-2026-8876). Anyone who reads the shipped bundle holds the keys.
- Key derivation uses EVP_BytesToKey with MD5 and a single iteration (CVE-2026-8881). MD5 is unfit for the purpose, and one iteration provides no stretching, so the derived key is only as strong as a passphrase that is itself public.
- URL matching for the IWF CSAM list (25,020 hashes) and the CIPA blocklist (12,352 hashes) uses SHA-1 (CVE-2026-8889), which has been unsuitable for collision resistance for years.
- Several endpoints serve sensitive data without authentication, with SHA-1 values "obfuscated" by a Caesar cipher (CVE-2026-8878). A rotation cipher is not access control.
Taken together, the encryption and obfuscation provide no confidentiality. The internal keyword lists — which include the terms used to detect self-harm among minors — can be recovered by anyone who installs the extension.
An undeclared content script
CVE-2026-8879.
The extension dynamically registers content13.min.js as a content script that
is not declared in manifest.json. Because it is not in the manifest, it is not
visible to the Chrome Web Store review process. It runs on all URLs. If Securly's servers
become unreachable, the script hides all page content indefinitely, turning a backend
outage into a full-page denial of service in the student's browser.
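A reviewer or school administrator can check for this class of problem offline by diffing the content scripts a manifest declares against the script files the bundle registers at run time. The following is an added example written for this write-up, not Securly's code: the manifest and bundle text below are constructed, and the string-literal scan is a heuristic rather than a parser of the extension's code.

```javascript
// Added example (not Securly's code): an offline audit helper that compares the
// content scripts declared in manifest.json with the .js files a bundle passes
// to dynamic-injection APIs. Manifest and sources below are constructed.

// Script files declared under content_scripts in the manifest.
function declaredContentScripts(manifest) {
  const declared = new Set();
  for (const cs of manifest.content_scripts ?? []) {
    for (const f of cs.js ?? []) declared.add(f.replace(/^\.?\//, ''));
  }
  return declared;
}

// APIs through which an extension injects scripts that the manifest need not list.
const DYNAMIC_INJECTION_APIS = [
  'registerContentScripts', // chrome.scripting (MV3)
  'executeScript',          // chrome.scripting / chrome.tabs
];

// Any quoted string literal ending in .js; in a minified bundle this is the
// practical way to find file names without a full JavaScript parse.
const JS_LITERAL = /["']([^"']+?\.js)["']/g;

// For each source file that calls a dynamic-injection API, report the .js
// literals it references that no manifest entry declares, and whether the file
// also mentions <all_urls>. Heuristic: literals are attributed to the file,
// not to a particular call site, so a hit is a lead for manual review.
function findUndeclaredContentScripts(manifest, sources) {
  const declared = declaredContentScripts(manifest);
  const findings = [];
  for (const { name, text } of sources) {
    if (!DYNAMIC_INJECTION_APIS.some((api) => text.includes(api))) continue;
    const referenced = new Set();
    for (const m of text.matchAll(JS_LITERAL)) referenced.add(m[1].replace(/^\.?\//, ''));
    const undeclared = [...referenced].filter((f) => !declared.has(f));
    if (undeclared.length > 0) {
      findings.push({ file: name, undeclared, allUrls: text.includes('<all_urls>') });
    }
  }
  return findings;
}

// Constructed sample: the manifest declares one content script; the background
// bundle registers a second one at run time on every URL.
const SAMPLE_MANIFEST = {
  manifest_version: 3,
  content_scripts: [{ matches: ['<all_urls>'], js: ['securly.min.js'] }],
};
const SAMPLE_SOURCES = [
  {
    name: 'background.js',
    text: 'chrome.scripting.registerContentScripts([{id:"c13",js:["content13.min.js"],matches:["<all_urls>"],runAt:"document_start"}]);',
  },
  { name: 'securly.min.js', text: 'console.log("filter");' },
];

console.log(JSON.stringify(findUndeclaredContentScripts(SAMPLE_MANIFEST, SAMPLE_SOURCES), null, 2));
```

Run against an unpacked extension directory, the input would be the parsed manifest.json and one { name, text } entry per bundled script; a finding with allUrls set is the combination described above and deserves a close read of what that script does when its backend is unreachable.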
Impact
The extension is deployed on K-12 school-managed Chromebooks, so the affected population is students. The plaintext-HTTP issues let a network-adjacent attacker read and alter filtering behavior or hang the browser. The cryptographic and access-control issues expose the internal keyword and blocklist data, including the sensitive crisis-detection terms. The undeclared content script can blank out the browser on a backend failure. The net effect: an attacker on the same network can read, alter, or disable the filtering a deployment relies on, and the data the extension tries to keep confidential is not protected.
Disclosure
The issues were reported to CERT/CC, which notified Securly on 2026-03-30. Securly did not respond, and coordination was unsuccessful. CERT/CC published VU#595768 on 2026-06-03. Pending a fix, CERT/CC's guidance is to restrict the extension on untrusted networks, route managed devices through a school VPN, and watch for abnormal filtering behavior.
Closing
Filtering software on managed school devices sits in a position of high trust and handles sensitive data about minors. It should be held to the same standard as any other security product.