CVE-2026-42615
Received Received - Intake
Cross-Site Scripting in GCHQ CyberChef Show Base64 Offsets

Publication date: 2026-04-29

Last updated on: 2026-04-29

Assigner: MITRE

Description
GCHQ CyberChef before 11.0.0 allows XSS via Show Base64 offsets, as demonstrated by the /#recipe=Show_Base64_offsets('%3Cscript substring.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-29
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2026-04-29
EPSS Evaluated
2026-06-15
NVD
CVE-2026-42615
EUVD
EUVD-2026-26191
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gchq cyberchef to 11.0.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-42615 is a Cross-Site Scripting (XSS) vulnerability in the CyberChef tool, specifically in the "Show Base64 offsets" feature. The issue arises because user-controlled Base64 input is not properly escaped before being rendered in the HTML output. This allows an attacker to inject malicious scripts via crafted Base64 data, which can then execute in the context of the victim's browser.

The vulnerability occurs when the `staticSection` parameter, which contains Base64 output, is inserted directly into the DOM without escaping. When the `showVariable` flag is false, this unescaped content can include malicious script tags, enabling arbitrary JavaScript execution.

The fix involved applying proper HTML escaping to all dynamic content in the Show Base64 offsets operation, preventing untrusted input from being interpreted as executable code.

Impact Analysis

This vulnerability can allow an attacker to execute arbitrary JavaScript code in the context of a user's browser when they view a maliciously crafted URL using the vulnerable CyberChef feature.

  • Execution of malicious scripts can lead to theft of sensitive information such as cookies, session tokens, or other credentials.
  • It can enable attackers to perform actions on behalf of the user, such as modifying the webpage content or redirecting the user to malicious sites.
  • The vulnerability can be exploited without any user interaction beyond visiting a crafted URL, increasing the risk of automated or targeted attacks.

Overall, the impact includes loss of confidentiality and integrity of user data and potential compromise of user sessions.

Detection Guidance

This vulnerability can be detected by attempting to reproduce the XSS issue using a crafted URL that injects a <script> tag into the Base64 alphabet parameter of the Show_Base64_offsets recipe in CyberChef.

Specifically, you can test if the application improperly renders unescaped Base64 offset data by accessing a URL similar to: /#recipe=Show_Base64_offsets('<script>alert(1)</script>') and observing if the script executes.

There are no explicit command-line commands provided in the resources, but manual testing via browser or automated web vulnerability scanners targeting the Show_Base64_offsets feature with malicious Base64 input can help detect the vulnerability.

Mitigation Strategies

The immediate mitigation is to update CyberChef to version 11.0.0 or later, where the vulnerability has been fixed by properly escaping all user-controllable output in the Show_Base64_offsets operation.

  • Ensure that the `staticSection` parameter is sanitized by escaping HTML entities before rendering.
  • Avoid using vulnerable versions of CyberChef (prior to 11.0.0) in environments where untrusted users can supply Base64 input.
  • If immediate update is not possible, restrict access to the affected feature or disable the Show_Base64_offsets recipe to prevent exploitation.
Compliance Impact

The CVE-2026-42615 vulnerability is a cross-site scripting (XSS) issue that allows execution of arbitrary JavaScript code via unescaped Base64 offset displays in CyberChef. Such vulnerabilities can lead to unauthorized access or manipulation of data in a web application context.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, XSS vulnerabilities generally pose risks to data confidentiality and integrity, which are critical aspects of these regulations.

If exploited, this vulnerability could potentially lead to unauthorized disclosure or alteration of sensitive information, thereby impacting compliance with data protection regulations that require safeguarding personal or sensitive data.

The fix implemented ensures proper escaping of user input to prevent script injection, which helps mitigate these risks and supports compliance efforts by reducing the attack surface for data breaches.

Executive Summary

CVE-2026-42615 is a Cross-Site Scripting (XSS) vulnerability in the CyberChef tool, specifically in the "Show Base64 offsets" feature. The issue arises because user-controlled Base64 input is not properly escaped before being rendered in the HTML output. This allows an attacker to inject malicious scripts via crafted Base64 data, which can then execute in the context of the victim's browser.

The vulnerability occurs when the `staticSection` parameter, which contains Base64 output, is inserted directly into the DOM without escaping. When the `showVariable` flag is false, this unescaped content can include malicious script tags, leading to XSS attacks.

The fix involved applying proper HTML escaping to all dynamic content in the Show Base64 offsets operation, preventing the injection of executable code.

Impact Analysis

This vulnerability can allow an attacker to execute arbitrary JavaScript code in the context of the user's browser when they interact with the vulnerable CyberChef feature. This can lead to several impacts including:

  • The attacker can steal sensitive information such as cookies, session tokens, or other data accessible via the browser.
  • It can enable unauthorized actions on behalf of the user, such as modifying displayed content or performing actions within the application.
  • It may lead to further attacks like phishing, malware distribution, or spreading the attack to other users.

Overall, the vulnerability compromises the security and trustworthiness of the CyberChef tool when processing Base64 data.

Detection Guidance

This vulnerability can be detected by attempting to reproduce the XSS attack vector using a crafted URL that injects a <script> tag into the Base64 alphabet parameter of the Show_Base64_offsets recipe in CyberChef.

Specifically, you can test if the application improperly renders unescaped Base64 offset data by accessing a URL similar to: /#recipe=Show_Base64_offsets('...<script>...') and observing if the script executes.

There are no explicit command-line tools or network scanning commands provided in the resources, but manual testing via browser or automated web vulnerability scanners targeting the Show_Base64_offsets feature with malicious Base64 input can help detect the issue.

Mitigation Strategies

The immediate mitigation is to update CyberChef to version 11.0.0 or later, where the vulnerability has been fixed by properly escaping all user-controllable output in the Show_Base64_offsets operation.

  • Ensure that the `staticSection` parameter is sanitized by escaping HTML entities before rendering.
  • Avoid using vulnerable versions of CyberChef (before 11.0.0) in untrusted environments or with untrusted input.
  • If immediate upgrade is not possible, restrict access to the affected feature or disable the Show_Base64_offsets recipe to prevent exploitation.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42615. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart