Claude Extension Flaw Enabled Zero-Click XSS Prompt Injection via Any Website
Claude extension flaw enabled silent prompt injection via XSS and weak allowlist, risking data theft and impersonation until Feb 19, 2026 fix.
More info