CVE-2026-21855

Critical · Public PoC

Published: 07 January 2026
Modified: 03 February 2026
KEV Added: not in CISA KEV
Patch: available (fix commits of 02 January 2025)
CVSS Score v3.1: 9.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N)
EPSS Score: 0.0020 (10.2 percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-21855 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in the Tarkov Data Manager (vendor: tarkov). Its CVSS v3.1 base score is 9.3 (Critical).

Operationally, exploitation maps to the MITRE ATT&CK techniques Command and Scripting Interpreter: JavaScript (T1059.007) and User Execution: Malicious Link (T1204.001). EPSS ranks it at the 10.2 percentile by exploit likelihood (well below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST SP 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2026-21855 is a reflected Cross-Site Scripting (XSS) vulnerability (CWE-79) in the Tarkov Data Manager, a tool for managing item data for the game Tarkov. The flaw is in the toast notification system: before the fix commits of 02 January 2025, a value taken from the request URL was rendered into the toast without adequate sanitization, so a crafted parameter injects script into the page. It carries a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N): network reachable, low attack complexity, no privileges required, and high confidentiality and integrity impact. Scope is Changed because the injected script runs in the victim's browser rather than inside the vulnerable component itself, which is what lifts the score into the Critical band despite the user-interaction requirement.

An unauthenticated attacker exploits this by crafting a malicious URL that the victim must open, so user interaction (UI:R) is needed, typically a click on a link delivered by chat, email or a forum post. When the toast renders, the payload executes as arbitrary JavaScript in the victim's browser session within the application's origin, enabling data exfiltration, session hijacking where the session token is readable from script (an HttpOnly cookie is not, though the script can still act through the victim's authenticated session), or further phishing inside the application's own UI.

The GitHub security advisory (GHSA-9c23-rrg9-jc89) documents the issue and notes that a series of fix commits on 02 January 2025 resolved this and other vulnerabilities in the Tarkov Data Manager. Mitigation is to update to a build that includes those commits; practitioners should confirm the deployed checkout actually contains them rather than trusting a version label, and warn users against opening untrusted links to the manager.

Vulnerability details

The Tarkov Data Manager is a tool to manage the Tarkov item data. Prior to 02 January 2025, a reflected Cross Site Scripting (XSS) vulnerability in the toast notification system allows any attacker to execute arbitrary JavaScript in the context of a victim's browser session by crafting a malicious URL. A series of fix commits on 02 January 2025 fixed this and other vulnerabilities.

CWE(s)

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1059.007 Command and Scripting Interpreter: JavaScript
Adversaries may abuse various implementations of JavaScript for execution.
T1204.001 User Execution: Malicious Link
An adversary may rely upon a user clicking a malicious link in order to gain execution.
Why these techniques?

Reflected XSS enables arbitrary JavaScript execution in browser (T1059.007) via malicious link requiring user interaction (T1204.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-21854 · same product: Tarkov Data Manager (tarkov)
CVE-2026-21856 · same product: Tarkov Data Manager (tarkov)
CVE-2024-56065 · shared CWE-79
CVE-2025-22564 · shared CWE-79
CVE-2026-27382 · shared CWE-79
CVE-2025-23736 · shared CWE-79
CVE-2025-68894 · shared CWE-79
CVE-2025-23636 · shared CWE-79
CVE-2025-23885 · shared CWE-79
CVE-2025-23697 · shared CWE-79

Affected Assets

Vendor: tarkov
Product: tarkov data manager
Versions: ≤ 2025-01-02 (any build without the 02 January 2025 fix commits)

Mitigating Controls

Mitigating Controls (NIST SP 800-53 r5, AI-assisted mapping)

SI-10 Information Input Validation (prevent)

Requires validation of the URL parameters consumed by the toast notification system, so that values which are not an expected message (or message key) are rejected instead of being reflected into the page.

SI-15 Information Output Filtering (prevent)

Mandates filtering and context-appropriate encoding of toast notification output, so that any value that does reach the DOM is rendered as text and cannot execute as script in the victim's browser.

SI-2 Flaw Remediation (prevent)

Ensures timely identification, testing, and remediation of flaws such as the insufficient input sanitization in the toast system, as demonstrated by the 02 January 2025 fix commits.
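The following JavaScript is an added example, not code from the Tarkov Data Manager project or from the advisory. It models the reflected-XSS pattern described in the deeper analysis above (a toast whose text comes straight from a URL parameter) beside the two controls just listed: SI-15 output encoding and SI-10 input validation. The parameter name msg, the message table, and both sample URLs are assumptions made for illustration; the payload URL is constructed here and is not taken from any public PoC.

```javascript
"use strict";

// Constructed sample URLs (assumed parameter name "msg"; not from the advisory).
const BENIGN_URL = "https://example.invalid/items?msg=Item%20saved";
const MALICIOUS_URL =
  "https://example.invalid/items?msg=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E";

function toastParam(url) {
  // URLSearchParams percent-decodes the value, so "%3C" arrives as "<".
  return new URL(url).searchParams.get("msg") ?? "";
}

// Vulnerable pattern: the decoded parameter is interpolated into markup that
// the page later assigns to innerHTML. An attacker-chosen <img onerror=...>
// becomes live DOM and its handler runs in the victim's session.
function renderToastUnsafe(url) {
  return `<div class="toast">${toastParam(url)}</div>`;
}

// Output filtering (SI-15): encode the five characters that can change
// context inside an HTML text node before the value reaches the DOM.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Hardened while still reflecting free text: same interpolation, but the
// value is encoded, so the browser shows the payload instead of running it.
function renderToastEncoded(url) {
  return `<div class="toast">${escapeHtml(toastParam(url))}</div>`;
}

// Input validation (SI-10): stronger still, the parameter may only select a
// key from a server-side message table; free text is never reflected at all.
// Encoding is kept as defence in depth. (Table is an assumption.)
const TOAST_MESSAGES = { saved: "Item saved", deleted: "Item deleted" };
function renderToastAllowlisted(url) {
  const key = toastParam(url);
  const msg = Object.prototype.hasOwnProperty.call(TOAST_MESSAGES, key)
    ? TOAST_MESSAGES[key]
    : "Unknown notification";
  return `<div class="toast">${escapeHtml(msg)}</div>`;
}

// Triage helper for web logs: does the decoded parameter carry characters
// that only make sense as markup or a script URL? Flags probing; it is not
// a sanitizer and must not replace the two controls above.
function looksLikeMarkupProbe(url) {
  return /[<>"']|javascript:/i.test(toastParam(url));
}

// Run one URL through every renderer so the difference is visible in one place.
function compare(url) {
  return {
    unsafe: renderToastUnsafe(url),
    encoded: renderToastEncoded(url),
    allowlisted: renderToastAllowlisted(url),
    probe: looksLikeMarkupProbe(url),
  };
}

const REPORT = [BENIGN_URL, MALICIOUS_URL].map(compare);
console.log(JSON.stringify(REPORT, null, 2));
```

Run it with node; for the malicious URL the unsafe renderer returns markup containing a live img tag, the encoded renderer returns the same text with the angle brackets turned into entities, and the allowlisted renderer returns the fallback message. In a real fix the allowlist is the change that removes the class of bug; the encoder is what protects any remaining place where free text is legitimately shown.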
