Skip to main content

DeepL Chrome Extension CVE-2026-40451

| EUVDEUVD-2026-24605 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-22 jpcert
5.1
CVSS 4.0 · Vendor: jpcert
Share

Severity by source

Vendor (jpcert) PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (jpcert) · only source for this CVE.

CVSS VectorVendor: jpcert

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

5
Analysis Generated
Apr 22, 2026 - 05:25 vuln.today
CVSS changed
Apr 22, 2026 - 05:22 NVD
6.1 (MEDIUM) 5.1 (MEDIUM)
EUVD ID Assigned
Apr 22, 2026 - 05:00 euvd
EUVD-2026-24605
Analysis Generated
Apr 22, 2026 - 05:00 vuln.today
CVE Published
Apr 22, 2026 - 04:28 nvd
MEDIUM 5.1

DescriptionCVE.org

DeepL Chrome browser extension versions from v1.22.0 to v.1.23.0 contain a cross-site scripting vulnerability, which allows an attacker to execute arbitrary script in a user's browser, and inject malicious HTML into web pages viewed by the user.

AnalysisAI

Cross-site scripting (XSS) vulnerability in DeepL Chrome browser extension versions 1.22.0 through 1.23.0 allows remote attackers to execute arbitrary JavaScript and inject malicious HTML into web pages viewed by users. The vulnerability requires user interaction with a malicious web page but can compromise the security context of all visited websites.

Technical ContextAI

The vulnerability is a reflected or stored cross-site scripting (CWE-79) flaw in a browser extension, likely occurring in the extension's content script or popup handling where user-controlled input or web page content is not properly sanitized before being rendered as HTML or executed as JavaScript. Browser extensions run with elevated privileges and can access arbitrary web pages, making XSS in extensions particularly dangerous as it bypasses same-origin policy restrictions. The affected versions (1.22.0 to 1.23.0) suggest the flaw was introduced or exposed in a recent update to the extension's input handling or DOM manipulation logic.

RemediationAI

Update DeepL Chrome extension to the patched version immediately via the Chrome Web Store - vendor advisories should specify the minimum safe version (likely 1.23.1 or later). Users should verify the extension version in chrome://extensions/ and enable automatic updates for extensions if not already enabled. As an interim workaround, disable or remove the extension until patched if visiting untrusted or high-risk websites. Monitor the GitHub security advisory and JVN notice for confirmation of the patched version. No compensating controls are practical for XSS in a content-accessing extension; the core fix is to upgrade to a version with proper input sanitization.

Share

CVE-2026-40451 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy