Impact
A reflected Cross-Site Scripting flaw in the toast-notification component of Tarkov Data Manager allows any attacker to embed malicious JavaScript that runs in the victim’s browser context when a crafted URL is opened. The vulnerability is a classic input-validation weakness (CWE-79) and is exploitable without authentication: the attacker does not need to authenticate or control the victim’s system. With this capability an attacker could steal session cookies, hijack accounts, or carry out further phishing attacks against users, without direct access to their devices.
Affected Systems
The issue affects the Tarkov Data Manager application provided by the-hideout, as identified by its CPE, in all releases prior to the comprehensive fixes committed on 2 January 2025. All users running those earlier versions are potentially exposed.
Risk and Exploitability
The CVSS score of 9.3 signals high severity: successful exploitation gives the attacker full control over the victim’s browser session. However, the EPSS score of less than 1% indicates that, as of now, exploitation is rare. The vulnerability is not listed in the CISA KEV catalog, suggesting there are no confirmed exploitation reports. An attacker only needs to place the crafted URL where a user will encounter it, for example in an email or webpage, and invite the user to click it. When the user opens the link, the malicious script executes with the same privileges as the user’s browser context, enabling the attacker to compromise any data or credentials accessible to the victim’s session.