Skip to main content

Toocheke Companion CVE-2026-32403

| EUVDEUVD-2026-11920 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-03-13 Patchstack
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

3
EUVD ID Assigned
Mar 13, 2026 - 16:57 euvd
EUVD-2026-11920
Analysis Generated
Mar 13, 2026 - 16:57 vuln.today
CVE Published
Mar 13, 2026 - 11:42 nvd
MEDIUM 6.5

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in toocheke Toocheke Companion toocheke-companion allows DOM-Based XSS.This issue affects Toocheke Companion: from n/a through <= 1.194.

AnalysisAI

A DOM-based Cross-Site Scripting (XSS) vulnerability exists in Toocheke Companion browser extension versions through 1.194, allowing authenticated attackers to inject malicious scripts that execute in the context of a user's web session. An attacker with login credentials can craft malicious input that bypasses input sanitization during web page generation, enabling session hijacking, credential theft, or malware distribution. While no active KEV exploitation or public proof-of-concept has been disclosed for this CVE, the CVSS 6.5 score reflects moderate severity due to the requirement for user interaction and authenticated access.

Technical ContextAI

Toocheke Companion is a browser extension designed to enhance web page functionality through DOM manipulation and dynamic content injection. The vulnerability stems from improper neutralization of user-supplied input during client-side rendering, classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). Unlike server-side XSS, DOM-based XSS occurs when untrusted data is processed by client-side JavaScript without proper encoding or sanitization, allowing attackers to manipulate the Document Object Model directly. The affected component processes user input through web page generation routines without sufficient output encoding, enabling script execution within the browser's same-origin policy context. The vulnerability affects Toocheke Companion CPE identifier cpe:2.3:a:toocheke:toocheke-companion and persists through version 1.194.

RemediationAI

Users should upgrade Toocheke Companion to the latest available version beyond 1.194 as soon as a patch is released by the vendor. Monitor the official Toocheke project repository and security advisory channels for notification of patched versions. As an interim mitigation, restrict Toocheke Companion's permissions to only essential websites using the browser extension permission management interface, disable the extension on sensitive web applications until patched, and ensure your browser maintains an updated security policy. Additionally, enforce strong password management practices and enable multi-factor authentication on accounts accessed through the extension to limit credential theft impact if DOM-based XSS is exploited.

Share

CVE-2026-32403 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy