HarborGuard Database

CVE-2026-8888 | Severity: HIGH | CNA: certcc

CVE-2026-8888

Version 3.0.7 of the Securly Chrome Extension downloads config.json over HTTP and compiles server-provided patterns as JavaScript regular expressions via new RegExp() without complexity validation. An on-path attacker can inject specific patterns to cause catastrophic backtracking, resulting in denial of service on all browsing.

Metrics

  • CVSS v3.1: 7.5
  • Severity: HIGH
  • Fixed in: no fix version published upstream yet
  • Affected products: 1


HarborGuard Analysis

Synopsis

A denial-of-service vulnerability exists in version 3.0.7 of the Securly Chrome Extension. The extension fetches its configuration file over unencrypted HTTP and compiles server-provided strings as JavaScript regular expressions without any complexity check, allowing an on-path attacker (anyone who can intercept the HTTP connection) to inject a pattern that causes catastrophic backtracking and freezes all browser activity. No authentication is needed, and no action is required from the end user beyond normal browsing. HarborGuard is tracking the advisory and will make a patched-image rebuild available as soon as an upstream fix is published.
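The two defects the synopsis names, a configuration fetched over plain HTTP and server-supplied strings handed straight to new RegExp(), shown next to a hardened loader. This is an added example and not code from the Securly extension or from HarborGuard; the config shape ({ patterns: [...] }), the endpoint URLs, the size limits and the nested-quantifier heuristic are assumptions made for illustration.

```javascript
'use strict';

// Added example, not code from the Securly extension or from HarborGuard.
// The config shape, endpoint URLs and limits below are assumptions.

// --- The defect class described in the advisory ------------------------------
// Every server-supplied string becomes a live RegExp with no validation, so a
// single tampered entry in a config delivered over plain HTTP is enough to make
// every later match call stall. Only syntax errors are caught, and only by crashing.
function compilePatternsUnvalidated(config) {
  return config.patterns.map((p) => new RegExp(p));
}

// --- Hardened loader -----------------------------------------------------------
const MAX_PATTERN_LENGTH = 200; // assumed budget per pattern
const MAX_PATTERNS = 500;       // assumed budget per config

// Heuristic for the most common catastrophic-backtracking shape: a group that
// ends in a quantifier and is itself quantified, e.g. "(x+)+" or "(x*){2,}".
// The group body may not contain nested parentheses; escaped characters are skipped.
const NESTED_QUANTIFIER = /\((?:[^()\\]|\\.)*[+*}]\??\)[+*{]/;

// Refuse any config endpoint that is not served over TLS.
function requireHttps(url) {
  const u = new URL(url);
  if (u.protocol !== 'https:') {
    throw new Error(`config endpoint must use https, got ${u.protocol}`);
  }
  return u;
}

// Returns null when the pattern is acceptable, otherwise a reason string.
function rejectReason(pattern) {
  if (typeof pattern !== 'string') return 'not a string';
  if (pattern.length > MAX_PATTERN_LENGTH) return 'pattern too long';
  if (NESTED_QUANTIFIER.test(pattern)) return 'nested quantifier';
  try {
    new RegExp(pattern); // syntax check only; never matched against input here
  } catch (e) {
    return `invalid syntax: ${e.message}`;
  }
  return null;
}

// Validates the transport and every pattern. Returns the compiled regexes plus
// the rejected entries so that a rejection can be logged and alerted on: a bad
// pattern arriving from the config endpoint is itself a signal worth investigating.
function compilePatternsValidated(configUrl, config) {
  requireHttps(configUrl);
  if (!Array.isArray(config.patterns) || config.patterns.length > MAX_PATTERNS) {
    throw new Error('config.patterns missing or too large');
  }
  const accepted = [];
  const rejected = [];
  for (const p of config.patterns) {
    const reason = rejectReason(p);
    if (reason === null) accepted.push(new RegExp(p));
    else rejected.push({ pattern: p, reason });
  }
  return { accepted, rejected };
}

// Constructed sample config standing in for a fetched config.json: two benign
// filter patterns, one nested-quantifier pattern and one syntactically broken entry.
const SAMPLE_CONFIG = {
  patterns: ['^https?://[^/]+/blocked/', 'example\\.test$', '(a+)+$', '(unbalanced'],
};

const result = compilePatternsValidated('https://config.example.test/config.json', SAMPLE_CONFIG);
console.log(`accepted ${result.accepted.length}, rejected ${result.rejected.length}`);
for (const r of result.rejected) console.log(`rejected ${JSON.stringify(r.pattern)}: ${r.reason}`);
```

The syntactic heuristic catches only the nested-quantifier shape; overlapping alternations and other backtracking-heavy constructs pass it, so it is a guard rail rather than a proof of linear-time behaviour. The controls that actually close the issue are integrity of the transport (TLS, or a signed config) and refusing to treat remote strings as executable patterns at all, for instance by restricting them to literal prefixes or running them through a linear-time engine.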

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle the Securly Chrome Extension at the affected version. No manual feed configuration is required to gain coverage.

Triage: Available

HarborGuard scores this CVE at CVSS 7.5 (HIGH) and weights it against each environment's compliance policy to determine urgency. Triage routing sends findings to the appropriate team inbox within each customer organization based on policy rules.

Patch: Pending upstream

No fix version has been published upstream for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically as soon as the upstream maintainer ships a remediated release.

Exploit Conditions

  • Network reachability: Required

    The attacker must be positioned on the network path between the extension and its HTTP config endpoint in order to inject a malicious response.

  • Authentication: Not required

    No credentials or account of any kind are needed; the injected response requires only network interception.

  • Victim interaction: Not required

    The extension fetches config.json automatically during normal browser operation, so no user action beyond ordinary browsing is needed.

  • Attack complexity: Low (AC:L)

    The exploit is reliable and condition-free once on-path access is established, requiring no race conditions or special memory layout.

Blast Radius

  • Freezes or completely halts all browser activity on the affected device for as long as the malicious regex pattern is compiled and evaluated.
  • Denies the end user access to all web browsing, effectively rendering the browser unusable until the tab or process is forcibly terminated.
  • Repeated or persistent injection can cause a sustained denial-of-service condition across every browsing session that triggers a config refresh.

How HarborGuard Handles This

Available on HarborGuard: this CVE is matched against images in customer registries and CI pipelines as part of continuous scanning. Because no upstream fix version has been published, HarborGuard monitors the advisory on every ingest cycle and will make a patched-image rebuild available the moment a remediated version of the Securly Chrome Extension is released. In the interim, compensating controls available within customer environments include network-policy rules that block or proxy the HTTP config endpoint to prevent plain-text interception, egress filtering to enforce TLS for all extension fetches where infrastructure permits, and feature-flag or policy gating to disable the extension in high-risk network segments. Where compliance policy permits, auto-remediation will trigger a rebuild, regression run, and PR against affected workloads automatically once a fix version is published upstream.

Affected packages

  • Securly / Securly Chrome Extension, versions ≤ 3.0.7

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H