CVE-2026-2345 LOW

CVE-2026-2345: Insufficient Origin Validation in Proctorio Chrome Extension postMessage Handlers

Vendor: Proctorio
Product: Secure Exam Proctor Extension
Weakness: CWE-346 · Origin validation
Published: February 11, 2026
Last update: February 11, 2026

CVSS base score

3.6/10
Attack vector: Local
Attack complexity: High
Privileges required: None
User interaction: Required
Confidentiality: Low
Integrity: Low

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:N

What the vulnerability does

01 Description

Proctorio Chrome Extension is a browser extension used for online proctoring. The extension contains multiple window.addEventListener('message', ...) handlers that do not properly validate the origin of incoming messages. Specifically, an internal messaging bridge processes messages based solely on the presence of a fromWebsite property without verifying the event.origin attribute.
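The pattern described above, next to a handler that validates event.origin, as an added example that is not Proctorio's code. Only the fromWebsite property comes from the advisory; the allowed origin, the action names, the function names and the sample events are constructed assumptions.

```javascript
// Added example. Hypothetical names throughout, except `fromWebsite` and `event.origin`.
const ALLOWED_ORIGINS = new Set(["https://lms.example"]); // assumption: origins the bridge should serve
const ALLOWED_ACTIONS = new Set(["status"]);              // assumption: hypothetical action names

// Pattern from the description: trust is decided by a property the sender sets itself.
function weakAccepts(event) {
  return Boolean(event.data && event.data.fromWebsite);
}

// Hardened check: origin allowlist, sender window identity, then payload shape.
function strictAccepts(event, selfWindow) {
  if (!ALLOWED_ORIGINS.has(event.origin)) return false; // exact match, never substring or prefix
  if (event.source !== selfWindow) return false;        // reject frames and other windows
  const d = event.data;
  if (d === null || typeof d !== "object") return false;
  if (d.fromWebsite !== true) return false;
  return typeof d.action === "string" && ALLOWED_ACTIONS.has(d.action);
}

// Constructed sample events (not captured traffic).
const selfWin = { name: "top" };
const frameWin = { name: "embedded-frame" };
const SAMPLES = [
  { label: "expected page", origin: "https://lms.example", source: selfWin,
    data: { fromWebsite: true, action: "status" } },
  { label: "other origin, same shape", origin: "https://other.example", source: frameWin,
    data: { fromWebsite: true, action: "status" } },
  { label: "lookalike origin", origin: "https://lms.example.other.example", source: frameWin,
    data: { fromWebsite: true, action: "status" } },
  { label: "allowed origin, unknown action", origin: "https://lms.example", source: selfWin,
    data: { fromWebsite: true, action: "reset" } },
];

// Run both checks over the samples so the difference is visible side by side.
function evaluateSamples() {
  return SAMPLES.map((e) => ({
    label: e.label, weak: weakAccepts(e), strict: strictAccepts(e, selfWin),
  }));
}

if (typeof window !== "undefined") {
  // Browser wiring: drop anything that fails validation before dispatching.
  window.addEventListener("message", (event) => {
    if (!strictAccepts(event, window)) return;
    // dispatch on event.data.action here
  });
} else {
  console.table(evaluateSamples());
}
```

The weak check accepts all four sample events; the strict check accepts only the first.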

Key dates

02 Disclosure timeline

February 11, 2026: CVE published
February 11, 2026: Record updated