HIGH | CVE-2026-8879 | Published | Modified | CNA: certcc

CVE-2026-8879

Version 3.0.7 of the Securly Chrome Extension dynamically registers content13.min.js as a content script via chrome.scripting.registerContentScripts() at runtime. This script is NOT declared in manifest.json and bypasses Chrome Web Store static security review. It runs on all URLs and immediately hides all page content, creates a full-page overlay, pauses all videos, and only restores content when the service worker confirms the page passes filtering. If Securly's servers are unreachable, pages remain indefinitely hidden.
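
One way to check an unpacked Manifest V3 extension for the pattern described above: compare the scripts passed to `chrome.scripting.registerContentScripts()` with those declared under `content_scripts` in manifest.json. This is an added example, not HarborGuard's or Securly's code; the function names are hypothetical, the sample manifest and service-worker source are constructed, and the scan is a regex heuristic that does not skip parentheses inside string literals.

```javascript
// Files listed under manifest.json "content_scripts" (what static review sees).
function declaredScripts(manifest) {
  const out = new Set();
  for (const entry of manifest.content_scripts || []) {
    for (const f of entry.js || []) out.add(f.replace(/^\//, ''));
  }
  return out;
}

// Argument text of each registerContentScripts(...) call, found by
// paren matching so it also works on minified single-line code.
function registerCallArgs(source) {
  const calls = [];
  const re = /scripting\s*\.\s*registerContentScripts\s*\(/g;
  let m;
  while ((m = re.exec(source)) !== null) {
    let depth = 1, i = re.lastIndex;
    while (i < source.length && depth > 0) {
      if (source[i] === '(') depth++;
      else if (source[i] === ')') depth--;
      i++;
    }
    calls.push(source.slice(re.lastIndex, i - 1));
  }
  return calls;
}

// Report .js files registered at runtime that the manifest never declares.
function findUndeclaredContentScripts(manifest, sources) {
  const declared = declaredScripts(manifest);
  const findings = [];
  for (const [file, text] of Object.entries(sources)) {
    for (const args of registerCallArgs(text)) {
      const scripts = [...args.matchAll(/["'`]([^"'`]+\.js)["'`]/g)]
        .map((x) => x[1].replace(/^\//, ''));
      const allUrls = /<all_urls>|\*:\/\/\*\/\*/.test(args);
      for (const s of scripts) {
        if (!declared.has(s)) findings.push({ registeredIn: file, script: s, allUrls });
      }
    }
  }
  return findings;
}

// Constructed sample input (not taken from the real extension).
const sampleManifest = { manifest_version: 3, background: { service_worker: 'sw.js' },
  content_scripts: [{ matches: ['https://example.test/*'], js: ['declared.js'] }] };
const sampleSources = { 'sw.js':
  'chrome.scripting.registerContentScripts([{id:"f",js:["content13.min.js"],matches:["<all_urls>"],runAt:"document_start"}]);' };
```

A finding with `allUrls: true` marks a runtime-registered script that applies to every page, which is the combination the advisory describes.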

Metrics

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: (none listed)
Affected Products: 1


HarborGuard Analysis

Synopsis

This is a denial-of-service vulnerability in the Securly Chrome Extension version 3.0.7 and earlier. The extension dynamically registers a content script (content13.min.js) at runtime without declaring it in the extension manifest, bypassing Chrome Web Store static review; the script hides all page content and blocks rendering until Securly's filtering servers respond. An attacker or network condition that makes those servers unreachable causes pages to remain permanently hidden, denying users access to all web content in the affected browser. No fix version is currently published; HarborGuard is tracking the advisory for patch availability.

HarborGuard Coverage

Detection

Detection of CVE-2026-8879 is available across every HarborGuard environment; the CVE is matched against customer images and extension-bundling pipelines within minutes of ingestion from upstream feeds, including custom-built container images that bundle or distribute the Securly Chrome Extension. Coverage applies to any image layer where the affected extension artifact is present.

Status: Available

Triage

Findings are triaged using the CVSS v3.1 score of 7.5 (HIGH), weighted against each customer organization's compliance policy to determine urgency and escalation path. Routing to the appropriate team inbox within each customer org is available automatically based on configured policy.

Status: Available

Patch

Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered automatically at that point.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerability is reachable over the network; any browser running the affected extension that loses connectivity to Securly's filtering servers triggers the denial-of-service condition.

  • Authentication: Not required

    No authentication is required; the denial-of-service condition is triggered without any credentials or account access.

  • Victim interaction: Not required

    No victim interaction is required; the content script runs automatically on every page load without any user action.

  • Attack complexity

    Attack complexity is low; exploiting the condition requires no special timing, race conditions, or environmental setup beyond making Securly's servers unreachable.

Blast Radius

  • All web page content in the affected browser is hidden and rendered inaccessible for the duration of the outage or server-unreachability condition.
  • Videos and interactive content are paused and cannot be resumed until the filtering server responds.
  • Users lose access to every URL visited in the browser, not just specific sites, because the script runs on all URLs.
  • Persistent or repeated server unavailability causes a sustained, browser-wide denial of web access with no user-side recovery option.

How HarborGuard Handles This

Available on HarborGuard: scanning for CVE-2026-8879 is active across customer pipelines, matching any image or artifact that bundles the Securly Chrome Extension at version 3.0.7 or earlier. Because no upstream fix exists at this time, HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild automatically the moment a fix is published. In the interim, compensating controls available for consideration include network-policy isolation to prevent distribution of the affected extension version, egress filtering to flag or block images containing the artifact, and feature-flag gating to exclude the extension from managed browser deployments until a patched version is available. For customers with auto-remediation enabled, the full rebuild, regression-test run, and PR-open workflow will activate without manual intervention once an upstream fix lands.

Affected packages
  • Securly / Securly Chrome Extension
    ≤ 3.0.7
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H