Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (jpcert) · only source for this CVE.
CVSS VectorVendor: jpcert
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
DeepL Chrome browser extension versions from v1.22.0 to v.1.23.0 contain a cross-site scripting vulnerability, which allows an attacker to execute arbitrary script in a user's browser, and inject malicious HTML into web pages viewed by the user.
AnalysisAI
Cross-site scripting (XSS) vulnerability in DeepL Chrome browser extension versions 1.22.0 through 1.23.0 allows remote attackers to execute arbitrary JavaScript and inject malicious HTML into web pages viewed by users. The vulnerability requires user interaction with a malicious web page but can compromise the security context of all visited websites.
Technical ContextAI
The vulnerability is a reflected or stored cross-site scripting (CWE-79) flaw in a browser extension, likely occurring in the extension's content script or popup handling where user-controlled input or web page content is not properly sanitized before being rendered as HTML or executed as JavaScript. Browser extensions run with elevated privileges and can access arbitrary web pages, making XSS in extensions particularly dangerous as it bypasses same-origin policy restrictions. The affected versions (1.22.0 to 1.23.0) suggest the flaw was introduced or exposed in a recent update to the extension's input handling or DOM manipulation logic.
RemediationAI
Update DeepL Chrome extension to the patched version immediately via the Chrome Web Store - vendor advisories should specify the minimum safe version (likely 1.23.1 or later). Users should verify the extension version in chrome://extensions/ and enable automatic updates for extensions if not already enabled. As an interim workaround, disable or remove the extension until patched if visiting untrusted or high-risk websites. Monitor the GitHub security advisory and JVN notice for confirmation of the patched version. No compensating controls are practical for XSS in a content-accessing extension; the core fix is to upgrade to a version with proper input sanitization.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24605