CVE-2026-42615
Cross-Site Scripting in GCHQ CyberChef Show Base64 Offsets
Publication date: 2026-04-29
Last updated on: 2026-04-29
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gchq | cyberchef | to 11.0.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-42615 is a Cross-Site Scripting (XSS) vulnerability in the CyberChef tool, specifically in the "Show Base64 offsets" feature. The issue arises because user-controlled Base64 input is not properly escaped before being rendered in the HTML output. This allows an attacker to inject malicious scripts via crafted Base64 data, which can then execute in the context of the victim's browser.
The vulnerability occurs when the `staticSection` parameter, which contains Base64 output, is inserted directly into the DOM without escaping. When the `showVariable` flag is false, this unescaped content can include malicious script tags, enabling arbitrary JavaScript execution.
The fix involved applying proper HTML escaping to all dynamic content in the Show Base64 offsets operation, preventing untrusted input from being interpreted as executable code.
How can this vulnerability impact me? :
This vulnerability can allow an attacker to execute arbitrary JavaScript code in the context of a user's browser when they view a maliciously crafted URL using the vulnerable CyberChef feature.
- Execution of malicious scripts can lead to theft of sensitive information such as cookies, session tokens, or other credentials.
- It can enable attackers to perform actions on behalf of the user, such as modifying the webpage content or redirecting the user to malicious sites.
- The vulnerability can be exploited without any user interaction beyond visiting a crafted URL, increasing the risk of automated or targeted attacks.
Overall, the impact includes loss of confidentiality and integrity of user data and potential compromise of user sessions.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to reproduce the XSS issue using a crafted URL that injects a <script> tag into the Base64 alphabet parameter of the Show_Base64_offsets recipe in CyberChef.
Specifically, you can test if the application improperly renders unescaped Base64 offset data by accessing a URL similar to: /#recipe=Show_Base64_offsets('<script>alert(1)</script>') and observing if the script executes.
There are no explicit command-line commands provided in the resources, but manual testing via browser or automated web vulnerability scanners targeting the Show_Base64_offsets feature with malicious Base64 input can help detect the vulnerability.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to update CyberChef to version 11.0.0 or later, where the vulnerability has been fixed by properly escaping all user-controllable output in the Show_Base64_offsets operation.
- Ensure that the `staticSection` parameter is sanitized by escaping HTML entities before rendering.
- Avoid using vulnerable versions of CyberChef (prior to 11.0.0) in environments where untrusted users can supply Base64 input.
- If immediate update is not possible, restrict access to the affected feature or disable the Show_Base64_offsets recipe to prevent exploitation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The CVE-2026-42615 vulnerability is a cross-site scripting (XSS) issue that allows execution of arbitrary JavaScript code via unescaped Base64 offset displays in CyberChef. Such vulnerabilities can lead to unauthorized access or manipulation of data in a web application context.
While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, XSS vulnerabilities generally pose risks to data confidentiality and integrity, which are critical aspects of these regulations.
If exploited, this vulnerability could potentially lead to unauthorized disclosure or alteration of sensitive information, thereby impacting compliance with data protection regulations that require safeguarding personal or sensitive data.
The fix implemented ensures proper escaping of user input to prevent script injection, which helps mitigate these risks and supports compliance efforts by reducing the attack surface for data breaches.
Can you explain this vulnerability to me?
CVE-2026-42615 is a Cross-Site Scripting (XSS) vulnerability in the CyberChef tool, specifically in the "Show Base64 offsets" feature. The issue arises because user-controlled Base64 input is not properly escaped before being rendered in the HTML output. This allows an attacker to inject malicious scripts via crafted Base64 data, which can then execute in the context of the victim's browser.
The vulnerability occurs when the `staticSection` parameter, which contains Base64 output, is inserted directly into the DOM without escaping. When the `showVariable` flag is false, this unescaped content can include malicious script tags, leading to XSS attacks.
The fix involved applying proper HTML escaping to all dynamic content in the Show Base64 offsets operation, preventing the injection of executable code.
How can this vulnerability impact me? :
This vulnerability can allow an attacker to execute arbitrary JavaScript code in the context of the user's browser when they interact with the vulnerable CyberChef feature. This can lead to several impacts including:
- The attacker can steal sensitive information such as cookies, session tokens, or other data accessible via the browser.
- It can enable unauthorized actions on behalf of the user, such as modifying displayed content or performing actions within the application.
- It may lead to further attacks like phishing, malware distribution, or spreading the attack to other users.
Overall, the vulnerability compromises the security and trustworthiness of the CyberChef tool when processing Base64 data.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by attempting to reproduce the XSS attack vector using a crafted URL that injects a <script> tag into the Base64 alphabet parameter of the Show_Base64_offsets recipe in CyberChef.
Specifically, you can test if the application improperly renders unescaped Base64 offset data by accessing a URL similar to: /#recipe=Show_Base64_offsets('...<script>...') and observing if the script executes.
There are no explicit command-line tools or network scanning commands provided in the resources, but manual testing via browser or automated web vulnerability scanners targeting the Show_Base64_offsets feature with malicious Base64 input can help detect the issue.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to update CyberChef to version 11.0.0 or later, where the vulnerability has been fixed by properly escaping all user-controllable output in the Show_Base64_offsets operation.
- Ensure that the `staticSection` parameter is sanitized by escaping HTML entities before rendering.
- Avoid using vulnerable versions of CyberChef (before 11.0.0) in untrusted environments or with untrusted input.
- If immediate upgrade is not possible, restrict access to the affected feature or disable the Show_Base64_offsets recipe to prevent exploitation.