Executive Summary

CVE-2026-21855 is a critical reflected Cross-Site Scripting (XSS) vulnerability in the Tarkov Data Manager's toast notification system. It occurs because the application decodes a hex-encoded string from a URL parameter and directly inserts it into a JavaScript context without sanitization. This allows an attacker to craft a malicious URL that executes arbitrary JavaScript in the victim's browser when visited, potentially hijacking sessions and stealing sensitive data. [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow attackers to execute arbitrary JavaScript in your browser session, leading to hijacking of administrator sessions and exfiltration of sensitive data displayed on authenticated pages. Although HttpOnly cookies prevent direct theft of session tokens, attackers can perform authenticated requests and scrape sensitive information such as plaintext credentials. The attack requires the victim to click a malicious link and can bypass typical Web Application Firewalls due to hex encoding. [1]

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by testing the toast notification system for reflected Cross-Site Scripting (XSS) via the `toast` query parameter. You can craft a URL with a hex-encoded payload that, when decoded and executed, triggers JavaScript execution. For example, use the proof-of-concept payload hex-encoded as `277d293b616c65727428646f63756d656e742e646f6d61696e293b2f2f` in the `toast` parameter. To detect it on your system, you can use curl or wget to request such a URL and observe if the response contains the injected script. Example command: `curl 'http://your-target-url/?toast=277d293b616c65727428646f63756d656e742e646f6d61696e293b2f2f' -i` and then check if the response includes the injected JavaScript alert code. Additionally, manual testing by visiting the crafted URL in a browser and observing if an alert box appears can confirm the vulnerability. [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include sanitizing user input before inserting it into JavaScript contexts in the toast notification system. Specifically, the `toast` query parameter input should be properly sanitized or escaped to prevent injection. Using libraries such as DOMPurify to sanitize the decoded input before interpolation is recommended. Additionally, reviewing and updating the code in the `getFooter` function to avoid unsafe interpolation of hex-decoded user input is critical. Since no patched versions are available yet, applying these code-level mitigations is necessary. Further guidance can be found in the OWASP Cross-Site Scripting Prevention Cheat Sheet. [1]

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows attackers to execute arbitrary JavaScript in the victim's browser, hijack administrator sessions, and exfiltrate sensitive data such as plaintext scanner credentials. Such unauthorized access and data exposure could lead to violations of data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches. Therefore, the presence of this vulnerability negatively impacts compliance with these common standards and regulations by exposing sensitive data to attackers. [1]

Useful 0 Not Useful 0