Prototype Pollution in CyberChef Web App by GCHQ
CVE-2026-57439

5MEDIUM

Key Information:

Vendor

Gchq

Status
Vendor
CVE Published:
8 July 2026

What is CVE-2026-57439?

The CyberChef web application, which specializes in encryption, encoding, compression, and data analysis, has a vulnerability that allows for prototype pollution. Prior to version 11.2.0, the Series Chart operation improperly handled user-supplied CSV input by accepting proto as a key. This flaw opens the door for attackers to manipulate the JavaScript prototype, potentially leading to harmful injections into HTML output. This vulnerability can be exploited in conjunction with other operations like Parse UDP to execute malicious scripts. The issue has been addressed and is resolved in version 11.2.0.

Affected Version(s)

CyberChef < 11.2.0

References

CVSS V3.1

Score:
5
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.