logo

Opera GX Flaw Let Sites Auto-Install Mods to Steal Data

ID: b0d437df-5a75-5dd6-bd43-a101e2f8c31e

STIX ID: report--b0d437df-5a75-5dd6-bd43-a101e2f8c31e

Feed Name: Infosecurity Magazine (News)

Threat Score
65/100

Date Published: 2026-07-06

Date Updated: 2026-07-06

...
...

A critical flaw in Opera GX allowed GX Mods to auto-install without permission when a .crx file was downloaded, enabling an attacker-controlled CSS mod to inject styling across all pages and perform a zero-click XS-Leak that recovered a user's full Gmail address; the auto-install behavior also enabled a DoS that crashed the browser in Incognito. The issue was reported via Bugcrowd, patched on May 8, a $5,000 bounty was paid, and a proof-of-concept was published on July 3 (tested against Opera GX 127.0.5778.41 after the fix).

Your team is not currently subscribed to this feed. You must subscribe to it in order to see this post.