VDB

GCVE-110-OSM-2026-5926

GCVE-110-OSM-2026-5926
Advisory PublishedCVSS 9.6/10
Vulnetix · Advisory published June 14, 2026
This package is a phishing kit masquerading as an IXL/Google Classroom embed. The entrypoint `logo.svg` contains a full-screen SVG foreignObject that decodes a base64-obfuscated URL (`aHR0cHM6Ly9kMmV4cHY3cGZmd3pqNC5jbG91ZGZyb250Lm5ldA==` → `https://d2expv7pffwzj4.cloudfront.net`) and loads it in a hidden iframe with an `about:blank` initial src to evade load-event detection, using a closed Shadow DOM to obstruct inspection. The iframe requests `clipboard-read; clipboard-write; microphone; camera` permissions — a credential-harvesting surface — while displaying a fake 'Google Classroom' title and Google favicon to complete the social engineering illusion. The publisher account `ixl-math-learning` with email `owner@vng.lol` was created the same day as first publish, impersonates a known edtech brand, published 25 versions in under 4 hours, and has no source repository — all consistent with a single-day attack campaign. ENTRY logo.svg (main: logo.svg) OBFUSCATION - Decoded Base64 Content in logo.svg - recovered 1 urls, 1 domains from decoded/deobfuscated content ADDITIONAL FINDINGS - Rapid Version Publishing PAYLOAD FILES logo.svg INDICATORS (IOCs) - urls: https://d2expv7pffwzj4.cloudfront.net - domains: d2expv7pffwzj4.cloudfront.net - payloadFileHash: 6d6701fb08086510e56f8b353ce880af1036c6004e9c570123ad72dae8315106

Weaknesses (CWE)

CWE-506Embedded Malicious Code

Risk Scores

CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Affected Products

VendorProductVersionsPlatforms
unknownclassroom-portal-embed4.0.2 (affected)

Browse GCVE Records

73,738 records in the GCVE database · Updated July 19, 2026

No matching records found.

Explore Further

Investigate this vulnerability in the interactive console or download the raw GCVE record.

$ Console Community · 100/wk Open console ›