Skip to main content

CyberChef CVE-2026-57439

| EUVDEUVD-2026-42294 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-08 GitHub_M
5.0
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
5.0 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
6.1 MEDIUM

CyberChef is commonly accessed as a hosted web application with shareable recipes, making AV:N more representative of realistic delivery; all other metrics align with the XSS impact model and mandatory user interaction.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Patch available
Jul 08, 2026 - 17:01 EUVD
Analysis Generated
Jul 08, 2026 - 16:37 vuln.today

DescriptionCVE.org

CyberChef is a web app for encryption, encoding, compression, and data analysis. Prior to 11.2.0, the Series Chart operation accepts __proto__ as a key while parsing user-supplied CSV, allowing prototype pollution that can be chained with operations such as Parse UDP to inject malicious JavaScript into HTML output. This issue is fixed in version 11.2.0.

AnalysisAI

Prototype pollution in CyberChef prior to 11.2.0 enables cross-site scripting via a chained operation attack. The Series Chart operation accepts __proto__ as a valid CSV key without sanitization, corrupting the JavaScript Object prototype; when downstream operations such as Parse UDP generate HTML output, the polluted prototype injects attacker-controlled JavaScript that executes in the victim's browser. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Craft CSV with __proto__ XSS payload
Delivery
Deliver file to CyberChef user via phishing or shared recipe
Exploit
Victim loads CSV through Series Chart operation
Install
Object prototype polluted with attacker value
C2
Victim chains HTML-generating operation (e.g., Parse UDP)
Execute
Malicious JS injected into rendered HTML output
Impact
XSS executes in victim browser session

Vulnerability AssessmentAI

Exploitation Exploitation requires all of the following: (1) the victim must load an attacker-controlled CSV file containing `__proto__` as a field key through the Series Chart operation; (2) the victim's recipe must chain Series Chart with at least one HTML-generating operation such as Parse UDP in the same CyberChef session; and (3) the victim must have CyberChef open in an active browser tab. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The assigned CVSS score of 5.0 with vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N reflects a moderate, user-interaction-dependent risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a CSV file containing `__proto__` as a column header with a JavaScript payload as the cell value, then delivers it to a security analyst via phishing or a shared CyberChef recipe link. The analyst loads the CSV into the Series Chart operation as part of routine data triage, then adds Parse UDP or another HTML-output operation to the recipe. …
Remediation Upgrade to CyberChef version 11.2.0 or later, which contains the fix committed in 85db3be5d0096859b810f0e8d3e151d5dc9b948f and merged via pull request #2569 (https://github.com/gchq/CyberChef/pull/2569). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-57439 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy