Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in toocheke Toocheke Companion toocheke-companion allows DOM-Based XSS.This issue affects Toocheke Companion: from n/a through <= 1.194.
AnalysisAI
A DOM-based Cross-Site Scripting (XSS) vulnerability exists in Toocheke Companion browser extension versions through 1.194, allowing authenticated attackers to inject malicious scripts that execute in the context of a user's web session. An attacker with login credentials can craft malicious input that bypasses input sanitization during web page generation, enabling session hijacking, credential theft, or malware distribution. While no active KEV exploitation or public proof-of-concept has been disclosed for this CVE, the CVSS 6.5 score reflects moderate severity due to the requirement for user interaction and authenticated access.
Technical ContextAI
Toocheke Companion is a browser extension designed to enhance web page functionality through DOM manipulation and dynamic content injection. The vulnerability stems from improper neutralization of user-supplied input during client-side rendering, classified under CWE-79 (Improper Neutralization of Input During Web Page Generation). Unlike server-side XSS, DOM-based XSS occurs when untrusted data is processed by client-side JavaScript without proper encoding or sanitization, allowing attackers to manipulate the Document Object Model directly. The affected component processes user input through web page generation routines without sufficient output encoding, enabling script execution within the browser's same-origin policy context. The vulnerability affects Toocheke Companion CPE identifier cpe:2.3:a:toocheke:toocheke-companion and persists through version 1.194.
RemediationAI
Users should upgrade Toocheke Companion to the latest available version beyond 1.194 as soon as a patch is released by the vendor. Monitor the official Toocheke project repository and security advisory channels for notification of patched versions. As an interim mitigation, restrict Toocheke Companion's permissions to only essential websites using the browser extension permission management interface, disable the extension on sensitive web applications until patched, and ensure your browser maintains an updated security policy. Additionally, enforce strong password management practices and enable multi-factor authentication on accounts accessed through the extension to limit credential theft impact if DOM-based XSS is exploited.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-11920