A serious vulnerability in the Opera GX browser allows malicious websites to automatically install customization mods, which can then steal data from other sites without user interaction. The mod's CSS can inject across all tabs, enabling zero-click data leaks such as retrieving a user's Gmail address and launching denial-of-service attacks by crashing the browser in incognito mode.
This flaw was reported by a researcher in February, initially deemed low priority but later recognized as critical, leading to a patch release in May and a $5000 bounty payment.