VDB
GCVE-110-OSM-2026-5926
GCVE-110-OSM-2026-5926
Advisory PublishedCVSS 9.6/10
This package is a phishing kit masquerading as an IXL/Google Classroom embed. The entrypoint `logo.svg` contains a full-screen SVG foreignObject that decodes a base64-obfuscated URL (`aHR0cHM6Ly9kMmV4cHY3cGZmd3pqNC5jbG91ZGZyb250Lm5ldA==` → `https://d2expv7pffwzj4.cloudfront.net`) and loads it in a hidden iframe with an `about:blank` initial src to evade load-event detection, using a closed Shadow DOM to obstruct inspection. The iframe requests `clipboard-read; clipboard-write; microphone; camera` permissions — a credential-harvesting surface — while displaying a fake 'Google Classroom' title and Google favicon to complete the social engineering illusion. The publisher account `ixl-math-learning` with email `owner@vng.lol` was created the same day as first publish, impersonates a known edtech brand, published 25 versions in under 4 hours, and has no source repository — all consistent with a single-day attack campaign.
ENTRY
logo.svg (main: logo.svg)
OBFUSCATION
- Decoded Base64 Content in logo.svg
- recovered 1 urls, 1 domains from decoded/deobfuscated content
ADDITIONAL FINDINGS
- Rapid Version Publishing
PAYLOAD FILES
logo.svg
INDICATORS (IOCs)
- urls: https://d2expv7pffwzj4.cloudfront.net
- domains: d2expv7pffwzj4.cloudfront.net
- payloadFileHash: 6d6701fb08086510e56f8b353ce880af1036c6004e9c570123ad72dae8315106
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | classroom-portal-embed | 4.0.2 (affected) | — |
Browse GCVE Records
73,738 records in the GCVE database · Updated July 19, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.