{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-40451", "assignerOrgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "state": "PUBLISHED", "assignerShortName": "jpcert", "dateReserved": "2026-04-13T06:27:03.647Z", "datePublished": "2026-04-22T04:28:49.657Z", "dateUpdated": "2026-04-22T04:28:49.657Z"}, "containers": {"cna": {"affected": [{"vendor": "DeepL", "product": "Chrome browser extension", "versions": [{"version": "from v1.22.0 to v.1.23.0", "status": "affected"}]}], "descriptions": [{"lang": "en", "value": "DeepL Chrome browser extension versions from v1.22.0 to v.1.23.0 contain a cross-site scripting vulnerability, which allows an attacker to execute arbitrary script in a user's browser, and inject malicious HTML into web pages viewed by the user."}], "problemTypes": [{"descriptions": [{"description": "Cross-site scripting (XSS)", "lang": "en-US", "cweId": "CWE-79", "type": "CWE"}]}], "references": [{"url": "https://github.com/DeepLcom/deepl-chrome-extension/security/advisories/GHSA-4x2r-q3p9-xhx4"}, {"url": "https://jvn.jp/en/jp/JVN37524771/"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_0": {"version": "3.0", "baseSeverity": "MEDIUM", "baseScore": 6.1, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV4_0": {"version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 5.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"}}], "providerMetadata": {"orgId": "ede6fdc4-6654-4307-a26d-3331c018e2ce", "shortName": "jpcert", "dateUpdated": "2026-04-22T04:28:49.657Z"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "DeepL Chrome browser extension versions from v1.22.0 to v.1.23.0 contain a cross-site scripting vulnerability, which allows an attacker to execute arbitrary script in a user's browser, and inject malicious HTML into web pages viewed by the user."}], "id": "CVE-2026-40451", "lastModified": "2026-04-22T05:16:23.253", "metrics": {"cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "vultures@jpcert.or.jp", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.1, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "LOW", "subIntegrityImpact": "LOW", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "vultures@jpcert.or.jp", "type": "Secondary"}]}, "published": "2026-04-22T05:16:23.253", "references": [{"source": "vultures@jpcert.or.jp", "url": "https://github.com/DeepLcom/deepl-chrome-extension/security/advisories/GHSA-4x2r-q3p9-xhx4"}, {"source": "vultures@jpcert.or.jp", "url": "https://jvn.jp/en/jp/JVN37524771/"}], "sourceIdentifier": "vultures@jpcert.or.jp", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "vultures@jpcert.or.jp", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T07:06:14.996138+00:00", "value": {"mitigation_remediation": ["Upgrade the DeepL Chrome extension to the latest available version, which removes the XSS vulnerability.", "If an upgrade is not immediately feasible, disable or uninstall the extension to prevent script execution until a fix is applied.", "Implement a site\u2011wide Content Security Policy that restricts inline script execution, thereby mitigating the impact of any residual injection vectors."], "summary": {"action": "Immediate Patch", "impact": "Remote code execution via injected scripts"}, "threat_synthesis": {"affected_systems": "This flaw affects the DeepL Chrome browser extension for all users who have versions 1.22.0 up to and including 1.23.0 installed. The extension is distributed via the Chrome Web Store, and users of any operating system running Chrome or Chromium\u2011based browsers that support extensions are at risk. Specific product names are DeepL Chrome extension.", "description_and_impact": "The vulnerability is a client\u2011side cross\u2011site scripting flaw in the DeepL Chrome browser extension. Versions 1.22.0 through 1.23.0 allow an attacker to inject malicious JavaScript and arbitrary HTML into web pages viewed by the user. This enables execution of attacker\u2011controlled code in the context of the user\u2019s browsing session, potentially leading to data theft, credential compromise, or other malicious activity, because the script runs with the permissions granted to the extension.", "risk_and_exploitability": "The CVSS base score of 5.1 indicates a moderate severity. The EPSS score is not available, so current exploitation probability is unknown. The vulnerability is not listed in the CISA KEV catalog, suggesting no publicly known exploitation at the time of this assessment. The likely attack vector is a malicious web page that the user visits or a compromised site that loads the extension\u2019s content scripts, which can inject the malicious payload. Once activated, the script runs with the privileges granted to the extension, providing the attacker with a high level of influence over the user\u2019s browsing environment."}}}}, "created": "2026-04-22T07:15:11.666895+00:00", "title": "Cross\u2011Site Scripting in DeepL Chrome Extension Enables Arbitrary Script Execution", "updated": "2026-04-22T07:15:11.666906+00:00", "vendors": []}