391 matches found
Data URLs with executables and misleading download dialog – Opera Security Advisories
Data URLs with executables and misleading download dialog – Opera Security Advisories OPCOM Team | February 9, 2007 Severity: Moderate Summary A data URL RCF 2397 containing an executable file maycause Opera to mislead the user. Opera’s download dialogwill in some cases say “Open with NOTEPAD.EXE...
Update your browser: Security fix for Chrome zero-day CVE-2025-14174
News, Security Update your browser: Security fix for Chrome zero-day CVE-2025-14174 Share December 18th, 2025 Hi everyone! The latest patches to Opera, Opera GX, Opera Air, and Opera for Android address several recent vulnerabilities, including a zero-day exploit CVE-2025-14174. We recommend...
GameMaker security update: Patch now to prevent DoS attacks
Security GameMaker security update: Patch now to prevent DoS attacks Share October 30th, 2025 Today we’re looking at a vulnerability discovered in GameMaker, the game development tool that streamlines and simplifies game dev for all users, regardless of skill level. The vulnerability in question...
Prompt injection in Opera Neon: Rapid response through responsible disclosure
Security Prompt injection in Opera Neon: Rapid response through responsible disclosure Share October 23rd, 2025 Hi Opera users, This week, we were able to address a real-world security scenario on Opera Neon thanks to the work of a security researcher team. The researchers reached out to us throu...
Update your browser: Security fix for Chrome zero-day CVE-2025-6558
News, Security Update your browser: Security fix for Chrome zero-day CVE-2025-6558 Share July 17th, 2025 Hi everyone! The latest patches to the Opera, Opera GX, and Opera Air address several recent vulnerabilities, including a zero-day exploit CVE-2025-6558. We recommend updating your browsers to...
Update your browser: Security fix for Chrome zero-day CVE-2025-6554
News, Security Update your browser: Security fix for Chrome zero-day CVE-2025-6554 Share July 3rd, 2025 Hi everyone! The latest patches to the Opera, Opera GX, Opera Air, and Opera for Android address several recent vulnerabilities, including a zero-day exploit CVE-2025-6554. We recommend updatin...
Update your browser: Security fix for latest Chrome zero-day
News, Security Update your browser: Security fix for latest Chrome zero-day Share September 29th, 2023 Hi everyone! Opera browsers have received important updates addressing a number of vulnerabilities and bugs. Among those is the following zero-day vulnerability detected by security researchers,...
OpenSSL 3.0.7 security fix: Should Opera users be worried?
Security OpenSSL 3.0.7 security fix: Should Opera users be worried? Share November 3rd, 2022 Hi everyone! The OpenSSL 3.0.7 security-fix release fixes high-priority vulnerabilities in the OpenSSL open-source cryptography library, specifically CVE-2022-3602 and CVE-2022-3786. The vulnerabilities...
Bug Bounty Adventures: A NodeBB 0-day
Research Bug Bounty Adventures: A NodeBB 0-day Share March 25th, 2022 Opera maintains both apublic bug bounty program, and a private program, where security researchers can submit security issues they have found in Opera’s products for cash rewards. We like to highlight some of the issues that ha...
Bug Bounty Guest Post: Local File Read via Stored XSS in The Opera Browser
Research Bug Bounty Guest Post: Local File Read via Stored XSS in The Opera Browser Share September 8th, 2021 Opera manages aBug Bounty program where researchers can report vulnerabilities in Opera’s software and be rewarded for it. For high-quality reports, we like to invite researchers to write...
Earn up to $10K from the Opera Bug Bounty program
Security Earn up to $10K from the Opera Bug Bounty program Share April 30th, 2021 Join the Opera Bug Bounty program, find vulnerabilities in scope, tell us how you did it, and collect rewards. We pay up to $10K for confirmed high-value submissions. Opera has two bug bounty programs operated by...
Address bar spoofing in Opera Mini for Android – Opera Security Advisories
Opera Mini for Android before version 52.2 is vulnerable to an address bar spoofing attack. The vulnerability allows a malicious page to trick the browser into showing an address of a different page. This may allow the malicious page to impersonate another page and trick a user into providing...
To VPN or not to VPN?
Security To VPN or not to VPN? Share October 29th, 2020 Alice and Bob use VPN to fight Mallory, an inquisitive sysadmin. TL;DR: skip to the conclusions to see what Alice learned. The Privacy Problem Alice and Bob recently met Mallory, who works at the cable company providing internet access to th...
Opera mitigates critical CPU vulnerabilities
Security Opera mitigates critical CPU vulnerabilities Share January 4th, 2018 There is a lot of uncertainty right now about the impact of the hardware security issue named Meltdown. There will be a scheduled release of Opera which will contain a first set of workarounds as soon as the browser is...
Unjam the logjam
Security Unjam the logjam Share June 9th, 2015 When a browser and website communicate over a secure connection, they encrypt and decrypt the data using a shared symmetric encryption key; the same key is used for encryption and decryption. In order for the browser and server to make sure they use...
Breach incident
News Breach incident Share December 11th, 2013 At Opera, we strive to be open, and we want to continue this tradition, by sharing with you what happens here. High profile companies like Opera are under continuous attack by hackers trying to break into their systems, and we want to tell you about ...
Repeated attempts to access a target site can trigger address field spoofing – Opera Security Advisories
The browser address field should always show the correct address for the page that is currently being displayed. By making repeated requests to load a target site in rapid succession, an attacking web site can cause Opera to display the target sites address while the attacking page is still being...
Cross domain access to object constructors can be used to facilitate cross-site scripting – Opera Security Advisories
JavaScripts are able to redefine and override the methods of native objects. They may also do this with the native objects of any document that shares the same origin. By redefining the methods of another document through the constructor property of the document’s host objects, a malicious script...
CORS requests can incorrectly retrieve contents of cross origin pages – Opera Security Advisories
CORS Cross-Origin Resource Sharing allows web pages to retrieve the contents of pages from other sites, with their permission, as they would appear for the current user. When requests are made in this way, the browser should only allow the page content to be retrieved if the target site sends the...
Cross-domain JSON resources may be exposed as JavaScript variable data – Opera Security Advisories
JSON strings are sometimes exported by sites as a resource that cannot be read cross-domain, and may contain confidential data. The format of a JSON string ensures that it cannot be read as the contents of a variable, if it is included as a normal script. In some cases, Opera does not correctly...
Small windows can be used to trick users into executing downloads – Opera Security Advisories
When the download dialog is displayed, it should always be visible to the user, to ensure that the user realizes it is there. If the dialog is displayed in a small enough window, the user may not realize it is being displayed, and if the right keyboard sequence is carefully followed, they can end...
Opera may be used as a vector for a font issue in the underlying operating system – Opera Security Advisories
Opera may be used as a vector for a font issue in the underlying operating system – Opera Security Advisories OPCOM Team | June 19, 2010 Affected versions This vulnerability may be targeted through Opera for Windows. Severity Extremely Severe Description A flaw in the font handling on the Windows...
Feed links can link to local files
As a security precaution, Opera does not allow Web pages to link to files on the user's local disk. However, a flaw exists that allows Web pages to link to feed source files on the user's computer. Suitable detection of JavaScript events and appropriate manipulation can unreliably allow a script ...
Simulated text inputs can trick users into uploading arbitrary files
When a user types into a file input, scripts can cause some of the keystrokes to be ignored. If the script can convince the user that they are typing into a normal text input, and not let them see that their keystrokes are being ignored, it can cause the input to point to known file paths on the...
Java applets can be used to read sensitive information – Opera Security Advisories
Java applets can be used to read sensitive information – Opera Security Advisories OPCOM Team | December 16, 2008 Severity: Highly Severe Problem Description Once a Java applet has been cached, if a page can predict the cache path for that applet, it can load the applet from the cache, causing it...
Malformed JPEG headers can be used to execute arbitrary code – Opera Security Advisories
Malformed JPEG headers can be used to execute arbitrary code – Opera Security Advisories OPCOM Team | December 16, 2008 Severity Extremely Severe Problem Description A specially crafted JPEG header can cause Opera to crash, allowing execution of arbitrary code. Opera’s Response Opera Software has...
Images can be read cross-domain with canvas
HTML CANVAS elements can use images as patterns, and that image data is made available to scripts. When the images are retrieved from other Web sites, the image data should no longer be available to scripts. A flaw exists in the way that Opera checks for the source of these images. Suitable...
Images can be read cross-domain with canvas – Opera Security Advisories
Images can be read cross-domain with canvas – Opera Security Advisories OPCOM Team | June 9, 2008 Severity: Less Severe Problem Description HTML CANVAS elements can use images as patterns, and that image data is made available to scripts. When the images are retrieved from other Web sites, the...
External news readers and e-mail clients can be used to execute arbitrary code – Opera Security Advisories
External news readers and e-mail clients can be used to execute arbitrary code – Opera Security Advisories OPCOM Team | October 16, 2007 External news readers and e-mail clients can be used to execute arbitrary code. Severity: Highly Severe Affected Versions All versions of Opera for Desktop prio...
data: URLs can spoof trusted trusted sites – Opera Security Advisories
data: URLs can spoof trusted trusted sites – Opera Security Advisories OPCOM Team | July 19, 2007 Summary Opera displays certain data: URLs wrongly, enabling URL spoofing. Severity: Moderately severe Problem description data: URLs embed data inside them, instead of linking to an externalresource...
Information displayed in the security field should be approached with caution. – Opera Security Advisories
Information displayed in the security field should be approached with caution. – Opera Security Advisories OPCOM Team | February 9, 2007 Summary Even though a Certificate Authority has verified and signed it, a usershould not trust the Organization name without checking the domain name.A fraudule...
A very large href attribute value in HTML can crash Opera – Opera Security Advisories
A very large href attribute value in HTML can crash Opera – Opera Security Advisories OPCOM Team | September 5, 2006 Summary A very large href attribute value in a Web page can crash Opera. Severity: Not a security issue Problem description A Web page containing a very large href attribute value...
(Updated) Specially crafted JPEG images enables the execution of arbitrary code.
A specially crafted JPEG image header can trick Opera into allocatingthe wrong amount of memory for the image. This can make Opera crash,or worse, execute code that has been placed into memory in advance...
Data Privacy Day: Inside the role of Data Protection Officer at Opera
Privacy Data Privacy Day: Inside the role of Data Protection Officer at Opera Share January 28th, 2026 Privacy matters all year round. But every January, Data Privacy Day is a great opportunity to learn more about data privacy and protection, and to highlight their importance for everyone in the...
Does the TunnelVision vulnerability affect Opera’s free VPN?
Privacy Does the TunnelVision vulnerability affect Opera’s free VPN? Share June 12th, 2024 Hello! You may have heard recently about a new type of vulnerability called TunnelVision that makes it possible for a malicious actor to bypass VPN protection. So you will be happy to know that Opera’s free...
Update your browser: Security fixes for latest Chrome bugs
News, Security Update your browser: Security fixes for latest Chrome bugs Share December 1st, 2023 Hi everyone! The latest patches to the Opera, Opera GX, and Opera Crypto browsers address several recent vulnerabilities, including a zero-day exploit CVE-2023-6345. We recommend updating your...
Opera Privacy Statement Update 2022
Privacy Opera Privacy Statement Update 2022 Share August 29th, 2022 Opera, a browser company based out of Oslo, Norway, cares deeply about user security and data protection. With that in mind, we actively work on improving our internal practices and communications with you, our users. We are maki...
$8,000 Bug Bounty Highlight: XSS to RCE in the Opera Browser
Research $8,000 Bug Bounty Highlight: XSS to RCE in the Opera Browser Share September 24th, 2021 Continuing from hisprevious post, Bug Bounty Hunter Renwa writes about the second vulnerability he submitted to Opera’s Private Bug Bounty Programme: a Remote Code Execution in Opera’s My Flow Feature...
Opera Receives DevSecOps All-Star Award at SnykCon 2020
News Opera Receives DevSecOps All-Star Award at SnykCon 2020 Share October 28th, 2020 AtSnykCon 2020, Opera received the DevSecOps All-Star Award for leveraging Snyk to bring a complete and fully automated DevSecOps process into a secure software development lifecycle. Opera was represented by...
Security changes in Opera 21
News Security changes in Opera 21 Share May 6th, 2014 Opera 21 for Windows and Mac is now out on the Stable channel. As with most major releases, the main focus is on the new features, which are discussed over on the Desktop Team blog. In addition, we have included a reworking of the Address fiel...
Heartbleed and other heartaches
Security Heartbleed and other heartaches Share April 11th, 2014 As has been reported extensively already, OpenSSL just fixed a serious vulnerability, dubbed Heartbleed. OpenSSL is used in a variety of products used on the internet, including Opera products and servers. We want to share with you h...
Certificate update
Security Certificate update Share December 9th, 2013 Last week we became aware of the existence of several unauthorized security certificates, issued in violation of rules for creation of such certificates. The certificates chained back to a French certificate authority, ANSSI, and had been signe...
RC4 encryption protocol is vulnerable to certain brute force attacks – Opera Security Advisories
Weaknesses in the RC4 encryption protocol have been found, allowing an attacker to deduce the plaintext. If the same message is encrypted many millions of times, statistical methods can be used to extract valuable information, such as cookies. Due to the time this amount of requests takes, this i...
Use of SVG clipPaths can allow execution of arbitrary code – Opera Security Advisories
When SVG documents with specifically prepared clipPaths are used in Opera, Opera may allow other content to overwrite the memory, before referencing the memory, which will lead to a crash. If an attacker can control the contents being written into memory, execution of arbitrary code may occur...
Specially crafted WebP images can be used to disclose random chunks of memory – Opera Security Advisories
WebP images may be used as fill patterns in a HTML5 Canvas, and the values of each pixel in the image can then be intentionally read using scripts. Specially crafted WebP images may specify the wrong size for certain parts of their data, which causes Opera to read data from the wrong positions in...
Internet shortcuts used for phishing in elements – Opera Security Advisories
Websites may occasionally want to display image content from untrusted sources. A phishing attack may be carried out by the untrusted source, by displaying malicious instructions on the image, or by navigating the containing page to a similar looking document on another server. Since some image...
Carefully timed reloads, redirects, and navigation can spoof the address field – Opera Security Advisories
The address field should always show the address of the page that is being displayed. Certain types of navigation, combined with reloads and redirects to a slowly-responding target site can cause the address field to show the target site’s address, while the attacking site is still being displaye...
History.state can leak the state data from cross domain pages – Opera Security Advisories
When a site uses history.pushState and history.replaceState to add or replace history entries, it can also provide optional data, which may typically be used to restore the given state when the user navigates through their browser history. When pages with cross-domain frames use this functionalit...
Overlapping content can trick users into executing downloads – Opera Security Advisories
Dialogs such as the download dialog are usually displayed on top of page content, to ensure that the user knows that the dialog is requesting attention. In some cases, this policy was not implemented correctly in Opera, allowing certain page content to overlay the dialog. In these cases, clicking...
Frameset issue allows execution of arbitrary code – Opera Security Advisories
Framesets allow web pages to hold other pages inside them. Certain frameset constructs are not handled correctly when the page is unloaded, causing a memory corruption. To inject code, additional techniques will have to be employed...