CVE-2026-2345

Insufficient Origin Validation in Proctorio Chrome Extension postMessage Handlers

CVSS 3.6 LOWEPSS 0.1%CWE-346

Vexday Risk Score

8Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 3.6EPSS 0.1%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

11 feb 2026Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

Proctorio Chrome Extension is a browser extension used for online proctoring. The extension contains multiple window.addEventListener('message', ...) handlers that do not properly validate the origin of incoming messages. Specifically, an internal messaging bridge processes messages based solely on the presence of a fromWebsite property without verifying the event.origin attribute.

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

Productos afectados

Proctorio · Secure Exam Proctor Extension

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://www.hckrt.com/hacktivity/46b61f36-b685-4667-aebf-82a67ad69ad6