Opera GX Universal CSS Injection Flaw Enabled Zero-Click XSLeak Attacks
ID: 692bedeb-7ff3-546b-96f1-5dc8c3d5e726
STIX ID: report--692bedeb-7ff3-546b-96f1-5dc8c3d5e726
Feed Name: Cyber Press
Threat Score
A critical zero-click vulnerability in Opera GX’s GX Mods feature allowed attacker-controlled CSS from automatically installed .crx mods to be applied browser-wide and exfiltrate users' Gmail addresses via a trigram-based CSS exfiltration technique; the issue was reported through Bugcrowd in February 2026 and patched by Opera on May 8, 2026.
Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.
