Skip to main content

Cyberchef

3 CVEs product

Monthly

CVE-2026-57439 MEDIUM PATCH This Month

Prototype pollution in CyberChef prior to 11.2.0 enables cross-site scripting via a chained operation attack. The Series Chart operation accepts `__proto__` as a valid CSV key without sanitization, corrupting the JavaScript Object prototype; when downstream operations such as Parse UDP generate HTML output, the polluted prototype injects attacker-controlled JavaScript that executes in the victim's browser. The vendor has released a fix in version 11.2.0; no public exploit and no CISA KEV listing have been identified at time of analysis.

XSS Cyberchef
NVD GitHub VulDB
CVSS 3.1
5.0
EPSS
0.1%
CVE-2026-42615 npm HIGH PATCH GHSA This Week

GCHQ CyberChef before 11.0.0 allows XSS via Show Base64 offsets, as demonstrated by the /#recipe=Show_Base64_offsets('%3Cscript substring.

XSS Cyberchef
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.0%
CVE-2019-15532 npm MEDIUM POC PATCH This Month

CyberChef before 8.31.2 allows XSS in core/operations/TextEncodingBruteForce.mjs. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Cyberchef
NVD GitHub
CVSS 3.0
6.1
EPSS
1.3%
EPSS 0% CVSS 5.0
MEDIUM PATCH This Month

Prototype pollution in CyberChef prior to 11.2.0 enables cross-site scripting via a chained operation attack. The Series Chart operation accepts `__proto__` as a valid CSV key without sanitization, corrupting the JavaScript Object prototype; when downstream operations such as Parse UDP generate HTML output, the polluted prototype injects attacker-controlled JavaScript that executes in the victim's browser. The vendor has released a fix in version 11.2.0; no public exploit and no CISA KEV listing have been identified at time of analysis.

XSS Cyberchef
NVD GitHub VulDB
EPSS 0% CVSS 7.2
HIGH PATCH This Week

GCHQ CyberChef before 11.0.0 allows XSS via Show Base64 offsets, as demonstrated by the /#recipe=Show_Base64_offsets('%3Cscript substring.

XSS Cyberchef
NVD GitHub VulDB
EPSS 1% CVSS 6.1
MEDIUM POC PATCH This Month

CyberChef before 8.31.2 allows XSS in core/operations/TextEncodingBruteForce.mjs. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

XSS Cyberchef
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy