Opera: Critical Opera GX Vulnerability Lets Attackers Inject CSS Across Every Webpage

Opera: Critical Opera GX Vulnerability Lets Attackers Inject CSS Across Every Webpage

Critical Zero-Click Vulnerability in Opera GX Exposes Users to Data Exfiltration

A severe security flaw in Opera GX has been uncovered, allowing attackers to exploit the browser’s GX Mods feature for universal CSS injection, enabling cross-site data exfiltration without user interaction. Researcher zhero_web_security disclosed the vulnerability in 2026, demonstrating a zero-click attack chain that leverages automatic mod installation to compromise victims.

How the Attack Works

GX Mods Opera GX’s customization tool for themes, sounds, and CSS do not require explicit permissions or JavaScript execution, unlike traditional browser extensions. However, researchers found that mods packaged as .crx files are automatically installed when downloaded, even via silent methods like embedded iframes. Attackers can trigger this by luring victims to a malicious webpage, with no further interaction needed beyond visiting the site.

Once installed, the malicious mod’s CSS is applied globally across all browser tabs, creating a universal injection vector. Using CSS-based data exfiltration (XS-Leaks), attackers can infer sensitive information such as email addresses by crafting selectors that trigger external requests when matched against DOM attributes.

Exploitation in Practice

The researchers demonstrated a real-world attack on Gmail addresses, using trigram-based reconstruction to extract email fragments. By generating 151,000 CSS rules targeting three-character sequences, the attack identifies substrings in HTML attributes (e.g., user@example.com). Matches trigger requests to attacker-controlled servers, which then reassemble the data using an overlap-based algorithm, reliably reconstructing the original string in a single page load.

The attack is fully automated: after mod installation, the victim is redirected to a target page (e.g., a Google account endpoint), where the injected CSS exfiltrates data before the user can react.

Additional Impact: Denial-of-Service

Beyond data theft, the researchers identified a DoS vulnerability affecting both Opera GX and standard Opera browsers. Triggering a .crx download in Incognito mode causes the browser to crash and restart, resulting in complete session loss due to flawed extension installation handling in private browsing.

Response and Implications

Opera addressed the vulnerabilities following responsible disclosure through its bug bounty program. The findings underscore the risks of non-traditional extension mechanisms, particularly those allowing automatic installations and global styling, which can be weaponized for large-scale attacks. The incident highlights the need for stricter controls over browser customization features to prevent similar exploits.

Source: https://gbhackers.com/critical-opera-gx-vulnerability/

Opera Colorado cybersecurity rating report: https://www.rankiteo.com/company/opera-colorado

"id": "OPE1783340899",
"linkid": "opera-colorado",
"type": "Vulnerability",
"date": "1/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'All Opera GX users (potential)',
                        'industry': 'Technology/Software',
                        'name': 'Opera GX',
                        'type': 'Browser'}],
 'attack_vector': 'Zero-click exploit via malicious GX Mods (CRX files)',
 'data_breach': {'data_exfiltration': 'Yes (via CSS-based XS-Leaks)',
                 'personally_identifiable_information': 'Email addresses',
                 'sensitivity_of_data': 'High (email addresses, potential PII)',
                 'type_of_data_compromised': 'Email addresses, personally '
                                             'identifiable information (PII)'},
 'date_detected': '2026',
 'date_publicly_disclosed': '2026',
 'description': 'A severe security flaw in Opera GX allows attackers to '
                'exploit the browser’s GX Mods feature for universal CSS '
                'injection, enabling cross-site data exfiltration without user '
                'interaction. The vulnerability leverages automatic mod '
                'installation to compromise victims via a zero-click attack '
                'chain.',
 'impact': {'brand_reputation_impact': 'Risk of reputational damage due to '
                                       'zero-click exploit',
            'data_compromised': 'Email addresses, sensitive user data (via '
                                'CSS-based exfiltration)',
            'downtime': 'Browser crashes and session loss (DoS)',
            'identity_theft_risk': 'High (email addresses and PII '
                                   'exfiltration)',
            'operational_impact': 'Potential large-scale data theft, session '
                                  'disruption',
            'systems_affected': 'Opera GX browser, standard Opera browser (DoS '
                                'impact)'},
 'investigation_status': 'Resolved (patched by Opera)',
 'lessons_learned': 'Risks of non-traditional extension mechanisms (e.g., '
                    'automatic installations, global styling) in browsers. '
                    'Need for stricter controls over browser customization '
                    'features.',
 'motivation': 'Demonstration of vulnerability (research)',
 'post_incident_analysis': {'corrective_actions': 'Patches to mod installation '
                                                  'process and CSS injection '
                                                  'protections',
                            'root_causes': 'Flaws in GX Mods installation '
                                           '(automatic CRX file handling) and '
                                           'global CSS injection capabilities'},
 'recommendations': 'Implement stricter permissions for browser mods, disable '
                    'automatic installations, and enhance CSS injection '
                    'protections.',
 'references': [{'source': 'Researcher disclosure (zhero_web_security)'}],
 'response': {'containment_measures': 'Vulnerability patched by Opera '
                                      'following responsible disclosure',
              'remediation_measures': 'Fixes to GX Mods installation and CSS '
                                      'injection handling'},
 'threat_actor': 'zhero_web_security (researcher)',
 'title': 'Critical Zero-Click Vulnerability in Opera GX Exposes Users to Data '
          'Exfiltration',
 'type': 'Data Exfiltration',
 'vulnerability_exploited': "Universal CSS injection in Opera GX's GX Mods "
                            'feature'}
Great! Next, complete checkout for full access to Rankiteo Blog.
Welcome back! You've successfully signed in.
You've successfully subscribed to Rankiteo Blog.
Success! Your account is fully activated, you now have access to all content.
Success! Your billing info has been updated.
Your billing was not updated.