CVE · Published 2026-06-03 · Modified 2026-06-05 · 0 articles on news · 6 live references · NVD data

CVE-2026-8888
Securly · Securly

Vulnerability data via NVD (ingested)

CVSS v3.1: 7.5 HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS percentile: 5
Exploit Prediction Scoring System · top 95% of all CVEs

Description

Version 3.0.7 of the Securly Chrome Extension downloads config.json over HTTP and compiles server-provided patterns as JavaScript regular expressions via new RegExp() without complexity validation. An on-path attacker can inject specific patterns to cause catastrophic backtracking, resulting in denial of service on all browsing.

Timeline
Published 2026-06-03
Modified 2026-06-05

External references


Known PoCs on GitHub (8)

beenuar/AiSOC · Python
Open-source AI-powered Security Operations Center — alert fusion, purple-team drills, agent-assisted triage, MITRE ATT&CK investigation. MIT-licensed, self-hostable.
★ 1,353 · updated today
0xSteph/pentest-ai · Python
Offensive-security MCP server with 205 wrapped tools, 17 specialist agents, and 60 SPA-aware probes for OWASP Top 10. CLI + MCP, BYO LLM. No API key needed on MCP path.
★ 661 · updated today
OpenOSINT/OpenOSINT · Python
AI-powered OSINT agent with interactive REPL, MCP server, and CLI. 16 tools. Works with Claude, GPT-4, or local models. For authorized security research only.
★ 576 · updated 1d ago
grisuno/LazyOwn · Python
LazyOwn RedTeam/APT Framework is the first RedTeam Framework with an AI-powered C&C, featuring rootkits to conceal campaigns, undetectable malleable implants compatible with Window…
★ 199 · updated 1d ago
7WaySecurity/ai_osint · unknown
🤖 Curated AI OSINT resources — Google dorks, Shodan queries, GitHub dorks, and techniques to discover exposed LLM endpoints, leaked AI API keys, misconfigured vector databases, an…
★ 89 · updated 1mo ago
3sk1nt4n/arguswatch-ai · Python
AI-Agentic Threat Intelligence - 39 collectors, 7 AI agents, 3-link proof chain, D1-D5 exposure scoring
★ 47 · updated 2mo ago
culpur/cstrike · TypeScript
CStrike v2.6 — Offensive Security Platform. 35+ tools, 9-container Docker stack, self-update system, parallel port scanning, VPN kill-switch. Dual-arch (amd64/aarch64) VM distribut…
★ 47 · updated 2mo ago
LuemmelSec/ToolShell · Python
★ 29 · updated 4mo ago

We haven't classified any articles referencing CVE-2026-8888 yet. The external references above still apply.