CVE-2026-21855
Published: 07 January 2026
Summary
CVE-2026-21855 is a critical-severity Cross-site Scripting (CWE-79) vulnerability in the Tarkov Data Manager. Its CVSS base score is 9.3 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007). The CVE is ranked at the 22.5th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Requires validation of the URL parameters consumed by the toast notification system, so that injected JavaScript cannot reach the reflected output.
- SI-15 (Information Output Filtering): Mandates filtering and encoding of toast notification output so that injected scripts are rendered as text rather than executed in the victim's browser.
- Flaw remediation: Ensures timely identification, testing, and remediation of flaws such as the insufficient input sanitization in the toast system, as demonstrated by the fix commits.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS enables arbitrary JavaScript execution in the victim's browser (T1059.007) via a malicious link that requires user interaction (T1204.001).
NVD Description
The Tarkov Data Manager is a tool to manage the Tarkov item data. Prior to 02 January 2025, a reflected Cross Site Scripting (XSS) vulnerability in the toast notification system allows any attacker to execute arbitrary JavaScript in the context of a victim's browser session by crafting a malicious URL. A series of fix commits on 02 January 2025 fixed this and other vulnerabilities.
Deeper analysis
CVE-2026-21855 is a reflected Cross-Site Scripting (XSS) vulnerability (CWE-79) in the Tarkov Data Manager, a tool for managing item data related to the game Tarkov. The flaw exists in the toast notification system prior to fixes applied on 02 January 2025, where insufficient input sanitization allows injected scripts via malicious parameters. It carries a CVSS v3.1 base score of 9.3 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N), indicating critical severity due to network accessibility, low attack complexity, and high potential impacts on confidentiality and integrity with changed scope.
An unauthenticated attacker can exploit this vulnerability by crafting a malicious URL that a victim must access, typically requiring user interaction such as clicking a link. Upon triggering the toast notification, the payload executes arbitrary JavaScript within the victim's browser session, enabling actions like data exfiltration, session hijacking, or further phishing within the application's context.
The GitHub security advisory (GHSA-9c23-rrg9-jc89) documents the issue and notes that a series of fix commits on 02 January 2025 resolved this and other vulnerabilities in the Tarkov Data Manager. Mitigation involves updating to patched versions incorporating these commits, with practitioners advised to verify repository changes and warn users against accessing untrusted URLs.
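The two controls named above, input validation of the URL parameter (SI-10) and output encoding of the toast text (SI-15), shown side by side with the unsafe interpolation pattern a reflected toast XSS relies on. This is an added illustration, not code from the Tarkov Data Manager; the parameter name `msg`, the length limit and the toast markup are assumptions.

```javascript
// Added example, not from the Tarkov Data Manager code base. The parameter
// name "msg", MAX_TOAST_LEN and the toast markup are assumptions for illustration.

// SI-10: accept only a short, printable message taken from the URL query string.
const MAX_TOAST_LEN = 200;
const PRINTABLE_ASCII = /^[\x20-\x7E]*$/; // no control characters or non-ASCII

function readToastParam(urlString) {
  const url = new URL(urlString);
  const raw = url.searchParams.get('msg');
  if (raw === null) return null;                  // no toast requested
  if (raw.length > MAX_TOAST_LEN) return null;    // reject oversized input
  if (!PRINTABLE_ASCII.test(raw)) return null;    // reject non-printable input
  return raw;
}

// SI-15: encode every character with meaning in HTML before the message is
// placed into markup, so the browser treats it as text rather than as tags.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the raw parameter is interpolated straight into markup,
// so any tags it contains are parsed and rendered by the victim's browser.
function buildToastUnsafe(message) {
  return `<div class="toast">${message}</div>`;
}

// Hardened pattern: the parameter is validated, then encoded, before use.
function buildToastSafe(urlString) {
  const message = readToastParam(urlString);
  if (message === null) return '';
  return `<div class="toast">${escapeHtml(message)}</div>`;
}

// In a real page, prefer DOM APIs that never parse HTML at all, e.g.
//   toastEl.textContent = message;
```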
Details
- CWE(s)