PT-2026-36689 · Eyeo · Adblock Plus

Drxyj · Published 2026-05-03 · Updated 2026-05-03 · CVE-2026-7686

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions

eyeo Adblock Plus versions prior to 4.36.3

Description

Improper access controls exist in the Legacy Premium Activation component within the postMessage() function of the premium.preload.js file. This allows remote exploitation through manipulation, though the affected code path is part of a deprecated activation flow. The licensing server issues short-lived trial licenses (approximately 24 hours) for any submitted userId, which expire upon the next validation if no valid subscription is found.

Recommendations

Upgrade the affected component to a version later than 4.36.2.

Weakness Enumeration

Incorrect Privilege Assignment

Improper Access Control

Related Identifiers

CVE-2026-7686

Affected Products

Adblock Plus