{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-42615", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "state": "PUBLISHED", "assignerShortName": "mitre", "dateReserved": "2026-04-29T02:55:52.684Z", "datePublished": "2026-04-29T02:55:53.171Z", "dateUpdated": "2026-04-29T02:56:14.260Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "CyberChef", "vendor": "GCHQ", "versions": [{"lessThan": "11.0.0", "status": "affected", "version": "0", "versionType": "semver"}]}], "descriptions": [{"lang": "en", "value": "GCHQ CyberChef before 11.0.0 allows XSS via Show Base64 offsets, as demonstrated by the /#recipe=Show_Base64_offsets('%3Cscript substring."}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2026-04-29T02:56:14.260Z"}, "references": [{"url": "https://github.com/gchq/CyberChef/issues/2344"}, {"url": "https://github.com/gchq/CyberChef/commit/9641ae07f92e9af50f10e978385465b2f4a36c4d"}, {"url": "https://github.com/gchq/CyberChef/compare/v10.24.0...v11.0.0"}, {"url": "https://github.com/gchq/CyberChef/pull/2346"}], "x_generator": {"engine": "CVE-Request-form 0.0.1"}, "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gchq:cyberchef:*:*:*:*:*:*:*:*", "versionEndExcluding": "11.0.0"}]}]}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "GCHQ CyberChef before 11.0.0 allows XSS via Show Base64 offsets, as demonstrated by the /#recipe=Show_Base64_offsets('%3Cscript substring."}], "id": "CVE-2026-42615", "lastModified": "2026-04-29T04:16:41.750", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "cve@mitre.org", "type": "Secondary"}]}, "published": "2026-04-29T04:16:41.750", "references": [{"source": "cve@mitre.org", "url": "https://github.com/gchq/CyberChef/commit/9641ae07f92e9af50f10e978385465b2f4a36c4d"}, {"source": "cve@mitre.org", "url": "https://github.com/gchq/CyberChef/compare/v10.24.0...v11.0.0"}, {"source": "cve@mitre.org", "url": "https://github.com/gchq/CyberChef/issues/2344"}, {"source": "cve@mitre.org", "url": "https://github.com/gchq/CyberChef/pull/2346"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "cve@mitre.org", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,11.0.0)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "CyberChef", "source": "cna", "vendor": "GCHQ"}, "product": "cyberchef", "vendor": "gchq"}], "analysis": {"en": {"generated_at": "2026-04-29T04:21:00.037998+00:00", "value": {"mitigation_remediation": ["Upgrade to CyberChef 11.0.0 or a later release that removes the vector.", "If an upgrade is infeasible, enforce a content\u2011security\u2011policy that blocks inline script execution from recipe inputs, or disable the Show Base64 offsets feature via configuration.", "Monitor user activity for unusual recipe URLs and educate users about the risks of opening unknown recipe links."], "summary": {"action": "Patch Immediately", "impact": "Cross\u2011Site Scripting"}, "threat_synthesis": {"affected_systems": "GCHQ CyberChef versions prior to 11.0.0, including the 10.x series (e.g., 10.24.0), are affected. The vulnerability manifests when the Show Base64 offsets recipe is invoked via a crafted URL such as /#recipe=Show_Base64_offsets('%3Cscript\u2026).", "description_and_impact": "The vulnerability is a reflected cross\u2011site scripting flaw triggered when a maliciously crafted recipe string is processed by CyberChef\u2019s Show Base64 offsets function. An injected <script> element can be executed in the context of the victim\u2019s browser, permitting the attacker to steal session cookies, deface the interface, or execute further malicious actions. The weakness is identified as CWE\u201179, a classic example of improper handling of user\u2011supplied data.", "risk_and_exploitability": "The CVSS score of 7.2 reflects a high risk with medium to high potential impact for users who load untrusted recipe URLs. The EPSS score is not available, but the vulnerability is not currently listed in CISA's KEV catalog, indicating it has no known large\u2011scale exploitation campaigns reported. Attackers can feasibly abuse the flaw by embedding malicious recipe links into phishing messages or compromised websites, relying on user interaction to trigger the script. If successful, the attack grants the attacker the same privileges as the end user within the affected browser session."}}}}, "created": "2026-04-29T04:30:02.193799+00:00", "title": "Cross\u2011Site Scripting in CyberChef\u2019s Base64 Offset Feature", "updated": "2026-04-29T04:30:02.485145+00:00", "vendors": ["gchq", "gchq$PRODUCT$cyberchef"]}