logo

Opera GX Universal CSS Injection Flaw Enabled Zero-Click XSLeak Attacks

ID: 692bedeb-7ff3-546b-96f1-5dc8c3d5e726

STIX ID: report--692bedeb-7ff3-546b-96f1-5dc8c3d5e726

Feed Name: Cyber Press

Threat Score
75/100

Date Published: 2026-07-06

Date Updated: 2026-07-06

Author: Lucas Martin

...
...

A critical zero-click vulnerability in Opera GX’s GX Mods feature allowed attacker-controlled CSS from automatically installed .crx mods to be applied browser-wide and exfiltrate users' Gmail addresses via a trigram-based CSS exfiltration technique; the issue was reported through Bugcrowd in February 2026 and patched by Opera on May 8, 2026.

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.