Severity by source
AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CyberChef is commonly accessed as a hosted web application with shareable recipes, making AV:N more representative of realistic delivery; all other metrics align with the XSS impact model and mandatory user interaction.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
CyberChef is a web app for encryption, encoding, compression, and data analysis. Prior to 11.2.0, the Series Chart operation accepts __proto__ as a key while parsing user-supplied CSV, allowing prototype pollution that can be chained with operations such as Parse UDP to inject malicious JavaScript into HTML output. This issue is fixed in version 11.2.0.
AnalysisAI
Prototype pollution in CyberChef prior to 11.2.0 enables cross-site scripting via a chained operation attack. The Series Chart operation accepts __proto__ as a valid CSV key without sanitization, corrupting the JavaScript Object prototype; when downstream operations such as Parse UDP generate HTML output, the polluted prototype injects attacker-controlled JavaScript that executes in the victim's browser. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires all of the following: (1) the victim must load an attacker-controlled CSV file containing `__proto__` as a field key through the Series Chart operation; (2) the victim's recipe must chain Series Chart with at least one HTML-generating operation such as Parse UDP in the same CyberChef session; and (3) the victim must have CyberChef open in an active browser tab. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The assigned CVSS score of 5.0 with vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N reflects a moderate, user-interaction-dependent risk. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a CSV file containing `__proto__` as a column header with a JavaScript payload as the cell value, then delivers it to a security analyst via phishing or a shared CyberChef recipe link. The analyst loads the CSV into the Series Chart operation as part of routine data triage, then adds Parse UDP or another HTML-output operation to the recipe. … |
| Remediation | Upgrade to CyberChef version 11.2.0 or later, which contains the fix committed in 85db3be5d0096859b810f0e8d3e151d5dc9b948f and merged via pull request #2569 (https://github.com/gchq/CyberChef/pull/2569). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
CyberChef before 8.31.2 allows XSS in core/operations/TextEncodingBruteForce.mjs. Rated medium severity (CVSS 6.1), this
GCHQ CyberChef before 11.0.0 allows XSS via Show Base64 offsets, as demonstrated by the /#recipe=Show_Base64_offsets('%3
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42294