Impact
The vulnerability is a client‑side cross‑site scripting flaw in the DeepL Chrome browser extension. Versions 1.22.0 through 1.23.0 allow an attacker to inject malicious JavaScript and arbitrary HTML into web pages viewed by the user. This enables execution of attacker‑controlled code in the context of the user’s browsing session, potentially leading to data theft, credential compromise, or other malicious activity, because the script runs with the permissions granted to the extension.
Affected Systems
This flaw affects the DeepL Chrome browser extension for all users who have versions 1.22.0 up to and including 1.23.0 installed. The extension is distributed via the Chrome Web Store, and users on any operating system running Chrome or a Chromium‑based browser that supports extensions are at risk. The specific affected product is the DeepL Chrome extension.
Risk and Exploitability
The CVSS base score of 5.1 indicates moderate (Medium) severity. The EPSS score is not available, so the current probability of exploitation is unknown. The vulnerability is not listed in the CISA KEV catalog, suggesting no publicly known exploitation at the time of this assessment. The likely attack vector is a malicious web page that the user visits, or a compromised site on which the extension's content scripts run, that delivers the malicious payload. Once activated, the injected script runs with the privileges granted to the extension, giving the attacker a high level of influence over the user's browsing environment.
OpenCVE Enrichment