Opera patched a critical vulnerability in Opera GX that allowed a malicious website to silently force-install a GX Mod and then abuse universal CSS injection to extract data from pages the victim later visited. Researchers zhero_ and inzo_ demonstrated that the attack could redirect a logged-in user to a Google account page and reconstruct the user’s full Gmail address, sending the data to an attacker-controlled server without requiring explicit approval from the victim.
The fix was released in Opera GX version 130.0.5847.89, which changed the mod installation pipeline so mods cannot be downloaded and enabled without clear user interaction and confirmation. Opera assigned the bug a top-severity P1 rating in its bounty program and said its review of systems and traffic found no evidence of exploitation in the wild; researchers also noted a separate issue where loading a .crx file in private mode could crash the browser and dump open tabs, affecting both Opera GX and the regular Opera browser.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
6 events from the most recent confirmed update back to the earliest known activity.
SC Media reported that Opera awarded a $5,000 bug bounty for the Opera GX GX Mods vulnerability finding. This bounty was associated with the researchers' disclosure of the forced-install, data exfiltration, and DoS issues.
The researchers also found a denial-of-service issue in Opera GX where mod installation in private browsing mode could crash the browser and terminate sessions. This was described alongside the forced-install and data exfiltration vulnerability.
Researchers zhero_ and inzo_ found that a third-party website could force-install an Opera GX mod under specific conditions, then abuse CSS injection to read and exfiltrate certain page data. Their proof of concept redirected a logged-in user to a Google account page and extracted the user's Gmail address.
After investigating its systems and traffic, Opera said it is confident the vulnerability was not exploited in the wild. This statement accompanied the company's disclosure of the fix.
Opera fixed the vulnerability by changing the mod installation pipeline so mods cannot be downloaded and enabled without explicit user interaction and clear confirmation. The patch was included in Opera GX version 130.0.5847.89 and later.
The researchers said Opera patched the GX Mods vulnerability on 2026-05-08 after responsible disclosure through Opera's Bugcrowd program. According to the disclosure, Opera ultimately classified the issue as a P1 severity vulnerability.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
5 references tracked. Mallory keeps watching after this page renders.
scworld.com
Open sourcecybersecuritynews.com
Open sourcethehackernews.com
Open sourceblogs.opera.com
Open sourcezhero-web-sec.github.io
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.