Cross-Site Scripting Vulnerability in GCHQ CyberChef Software
CVE-2026-42615

7.2HIGH

Key Information:

Vendor: Gchq
Status: Cyberchef
Vendor: CVE Published:; 29 April 2026

What is CVE-2026-42615?

A Cross-Site Scripting (XSS) vulnerability exists in GCHQ CyberChef versions before 11.0.0, which occurs via the Show Base64 Offsets feature. This allows attackers to inject malicious scripts through a crafted payload. Successful exploitation may result in the execution of arbitrary JavaScript in the context of the user's browser session, which could lead to data theft, session hijacking, or other malicious activities. Users are advised to upgrade to the latest version to mitigate this risk.

Affected Version(s)

CyberChef 0 < 11.0.0

References

https://github.com/gchq/CyberChef/issues/2344

https://github.com/gchq/CyberChef/commit/9641ae07f92e9af5...

https://github.com/gchq/CyberChef/compare/v10.24.0...v11.0.0

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 29, 2026
Vulnerability Reserved
Apr 29, 2026

CVE-2026-42615 Data

JSON

Gchq

What is CVE-2026-42615?

Affected Version(s)

References

CVSS V3.1

Timeline