Description
GCHQ CyberChef before 11.0.0 allows XSS via Show Base64 offsets, as demonstrated by the /#recipe=Show_Base64_offsets('%3Cscript substring.
Published: 2026-04-29
Score: 7.2 High
EPSS: n/a
KEV: No
Impact: Cross‑Site Scripting
Action: Patch Immediately
AI Analysis

Impact

The vulnerability is a reflected cross‑site scripting flaw triggered when a maliciously crafted recipe string is processed by CyberChef’s Show Base64 offsets function. An injected <script> element can be executed in the context of the victim’s browser, permitting the attacker to steal session cookies, deface the interface, or execute further malicious actions. The weakness is identified as CWE‑79, a classic example of improper handling of user‑supplied data.

Affected Systems

GCHQ CyberChef versions prior to 11.0.0, including the 10.x series (e.g., 10.24.0), are affected. The vulnerability manifests when the Show Base64 offsets recipe is invoked via a crafted URL such as /#recipe=Show_Base64_offsets('%3Cscript…).

Risk and Exploitability

The CVSS score of 7.2 reflects a high risk with medium to high potential impact for users who load untrusted recipe URLs. The EPSS score is not available, and the vulnerability is not currently listed in CISA's KEV catalog, indicating that no large‑scale exploitation campaigns have been reported. Attackers can feasibly abuse the flaw by embedding malicious recipe links in phishing messages or on compromised websites, relying on user interaction to trigger the script. If successful, the attack grants the attacker the same privileges as the end user within the affected browser session.

Generated by OpenCVE AI on April 29, 2026 at 04:21 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade to CyberChef 11.0.0 or a later release, which removes the vector.
  • If an upgrade is infeasible, enforce a Content Security Policy that blocks inline script execution originating from recipe inputs, or disable the Show Base64 offsets feature via configuration.
  • Monitor user activity for unusual recipe URLs and educate users about the risks of opening unknown recipe links.
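The monitoring item above asks defenders to spot unusual recipe links. One practical caveat: the recipe travels in the URL fragment (`/#recipe=...`), which browsers never send to the server, so ordinary web‑server access logs will not contain it; the check has to run wherever complete URLs are available (mail link scanning, endpoint or browser telemetry, analyst triage of user‑reported links). The Python below is an added example, not code from the OpenCVE page or the CyberChef project. It decodes the fragment, splits the recipe into operation calls, and flags a `Show_Base64_offsets` call whose argument contains HTML‑tag‑like text, which is the shape of the demonstration substring quoted in the description. The function names (`recipe_from_url`, `assess_url`), the `WATCHED_OPERATIONS` list and all sample links are constructed for this example; the argument lists in the samples are illustrative and make no claim about the operation's real parameters.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Operations whose arguments end up rendered into the page. The advisory names
# only Show_Base64_offsets, so that is the only entry (constructed list).
WATCHED_OPERATIONS = {"Show_Base64_offsets"}

# Heuristic for markup inside an argument: "<" optionally followed by "/"
# and then a letter, e.g. "<script" or "</script".
TAG_RE = re.compile(r"<\s*/?\s*[A-Za-z]")

# Recipe strings look like Op1('a',true)Op2('b'). Each call is a name, "(",
# then the shortest argument text ending in ")" that is followed either by the
# next call or by the end of the recipe. (A ")" directly followed by
# "name(" inside an argument would confuse this simple splitter.)
CALL_RE = re.compile(r"([A-Za-z0-9_]+)\((.*?)\)(?=[A-Za-z0-9_]+\(|$)", re.DOTALL)


def recipe_from_url(url):
    """Return the percent-decoded recipe carried in a CyberChef URL fragment, or None."""
    fragment = urlsplit(url).fragment
    if not fragment:
        return None
    # parse_qs splits "recipe=...&input=..." and percent-decodes each value once.
    params = parse_qs(fragment, keep_blank_values=True)
    recipes = params.get("recipe")
    return recipes[0] if recipes else None


def assess_url(url):
    """Classify a link; returns a dict with 'suspicious', 'operations' and 'reason'."""
    recipe = recipe_from_url(url)
    if recipe is None:
        return {"suspicious": False, "operations": [], "reason": "no recipe fragment"}
    calls = [(m.group(1), m.group(2)) for m in CALL_RE.finditer(recipe)]
    names = [name for name, _ in calls]
    for name, args in calls:
        if name in WATCHED_OPERATIONS and TAG_RE.search(args):
            return {
                "suspicious": True,
                "operations": names,
                "reason": f"{name} called with markup-like argument",
            }
    return {
        "suspicious": False,
        "operations": names,
        "reason": "no markup in watched operation arguments",
    }


# Constructed sample links (host and arguments are illustrative only).
BENIGN_URL = "https://cyberchef.example.invalid/#recipe=To_Base64('A-Za-z0-9%2B/%3D')"
CHAINED_URL = (
    "https://cyberchef.example.invalid/#recipe="
    "From_Base64('A-Za-z0-9%2B/%3D',true)Show_Base64_offsets('A-Za-z0-9%2B/%3D',true)"
)
# Mirrors the shape of the advisory's demonstration substring; the body is a
# placeholder, not a payload.
SUSPICIOUS_URL = (
    "https://cyberchef.example.invalid/#recipe="
    "Show_Base64_offsets('%3Cscript%3E%5BPLACEHOLDER%5D%3C/script%3E')&input=QUJD"
)

if __name__ == "__main__":
    for link in (BENIGN_URL, CHAINED_URL, SUSPICIOUS_URL):
        verdict = assess_url(link)
        print(("SUSPICIOUS " if verdict["suspicious"] else "ok         ")
              + ", ".join(verdict["operations"]) + " : " + verdict["reason"])
```

Because `parse_qs` decodes percent‑encoding only once, a double‑encoded recipe would slip past the tag check; if the telemetry source is known to re‑encode URLs, decode again before matching. The check is deliberately narrow (only the operation the advisory names, only tag‑like text); widen `WATCHED_OPERATIONS` only for operations you have confirmed render their arguments as HTML.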

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 04:30:00 +0000

Type                  Values removed   Values added
Title                                  Cross‑Site Scripting in CyberChef’s Base64 Offset Feature

Wed, 29 Apr 2026 03:45:00 +0000

Type                  Values removed   Values added
Description                            GCHQ CyberChef before 11.0.0 allows XSS via Show Base64 offsets, as demonstrated by the /#recipe=Show_Base64_offsets('%3Cscript substring.
First time appeared                    Gchq; Gchq cyberchef
Weaknesses                             CWE-79
CPEs                                   cpe:2.3:a:gchq:cyberchef:*:*:*:*:*:*:*:*
Vendors & Products                     Gchq; Gchq cyberchef
References
Metrics                                cvssV3_1 {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-29T02:56:14.260Z

Reserved: 2026-04-29T02:55:52.684Z

Link: CVE-2026-42615

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-04-29T04:16:41.750

Modified: 2026-04-29T04:16:41.750

Link: CVE-2026-42615

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T04:30:02Z

Weaknesses