CVE-2026-57439
Received Received - Intake

Prototype Pollution in CyberChef via Series Chart CSV Parsing

Vulnerability report for CVE-2026-57439, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: GitHub, Inc.

Description

CyberChef is a web app for encryption, encoding, compression, and data analysis. Prior to 11.2.0, the Series Chart operation accepts __proto__ as a key while parsing user-supplied CSV, allowing prototype pollution that can be chained with operations such as Parse UDP to inject malicious JavaScript into HTML output. This issue is fixed in version 11.2.0.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
gchq cyberchef to 11.2.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1321 The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The provided information does not explicitly address how CVE-2026-57439 affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-57439 is a prototype pollution vulnerability in CyberChef, a web application used for encryption, encoding, compression, and data analysis. The vulnerability exists in the Series Chart operation, which accepts __proto__ as a key when parsing user-supplied CSV data. This allows attackers to manipulate the prototype of objects, a technique known as prototype pollution.

By exploiting this, attackers can chain the pollution with other operations such as Parse UDP to inject malicious JavaScript into the HTML output, leading to cross-site scripting (XSS) attacks. The vulnerability was fixed in CyberChef version 11.2.0.

Impact Analysis

This vulnerability can allow an attacker to inject malicious JavaScript into the HTML output of CyberChef by exploiting prototype pollution in the Series Chart operation. This can lead to cross-site scripting (XSS) attacks, which may result in unauthorized script execution in the context of the affected application.

The impact includes potential manipulation of data processing within CyberChef, low confidentiality and integrity impacts, and the possibility of executing arbitrary scripts that could compromise user data or session information. The CVSS score for this vulnerability is 5.0, indicating a moderate severity.

Detection Guidance

This vulnerability involves prototype pollution in the Series Chart operation of CyberChef when parsing user-supplied CSV data containing the __proto__ key. Detection would involve identifying if vulnerable versions of CyberChef (prior to 11.2.0) are in use and if malicious CSV inputs containing __proto__ keys are being processed.

There are no explicit detection commands or network signatures provided in the available resources. However, monitoring for usage of CyberChef versions before 11.2.0 and inspecting CSV inputs for the presence of __proto__ keys could help identify potential exploitation attempts.

Since the vulnerability can lead to injection of malicious JavaScript via chained operations, reviewing logs or outputs for unexpected script tags or unusual HTML content in chart outputs might also indicate exploitation.

Mitigation Strategies

The primary and recommended mitigation step is to upgrade CyberChef to version 11.2.0 or later, where this prototype pollution vulnerability has been fixed.

No workarounds are available according to the security advisory, so upgrading is essential to prevent exploitation.

Additionally, avoid processing untrusted CSV inputs containing __proto__ keys or chaining the Series Chart operation with other operations like Parse UDP until the upgrade is applied.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-57439. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart