Cyberchef
Monthly
Prototype pollution in CyberChef prior to 11.2.0 enables cross-site scripting via a chained operation attack. The Series Chart operation accepts `__proto__` as a valid CSV key without sanitization, corrupting the JavaScript Object prototype; when downstream operations such as Parse UDP generate HTML output, the polluted prototype injects attacker-controlled JavaScript that executes in the victim's browser. The vendor has released a fix in version 11.2.0; no public exploit and no CISA KEV listing have been identified at time of analysis.
GCHQ CyberChef before 11.0.0 allows XSS via Show Base64 offsets, as demonstrated by the /#recipe=Show_Base64_offsets('%3Cscript substring.
CyberChef before 8.31.2 allows XSS in core/operations/TextEncodingBruteForce.mjs. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Prototype pollution in CyberChef prior to 11.2.0 enables cross-site scripting via a chained operation attack. The Series Chart operation accepts `__proto__` as a valid CSV key without sanitization, corrupting the JavaScript Object prototype; when downstream operations such as Parse UDP generate HTML output, the polluted prototype injects attacker-controlled JavaScript that executes in the victim's browser. The vendor has released a fix in version 11.2.0; no public exploit and no CISA KEV listing have been identified at time of analysis.
GCHQ CyberChef before 11.0.0 allows XSS via Show Base64 offsets, as demonstrated by the /#recipe=Show_Base64_offsets('%3Cscript substring.
CyberChef before 8.31.2 allows XSS in core/operations/TextEncodingBruteForce.mjs. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.