Cyber Resilience

CVE-2026-42615

Severity: High
Published: 29 April 2026
Modified: 30 April 2026
KEV Added: not listed
Patch: available (CyberChef 11.0.0)
CVSS v3.1 score: 7.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N)
EPSS score: 0.0001 (2.7th percentile)
Risk Priority: 14 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-42615 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 2.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2026-42615 is a cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting GCHQ CyberChef versions prior to 11.0.0. The flaw lies in the "Show Base64 offsets" recipe function and can be triggered through a crafted URL containing the substring /#recipe=Show_Base64_offsets('%3Cscript, allowing arbitrary JavaScript execution when the recipe is processed in the browser. The vulnerability carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N), indicating high severity due to its network accessibility, low attack complexity, lack of required privileges or user interaction, and a scope change, with low impacts on confidentiality and integrity.

A remote attacker can exploit this vulnerability by distributing a malicious URL containing the crafted recipe payload to target users. When a victim loads the URL in a vulnerable CyberChef instance, the XSS payload executes in the browser context, potentially enabling theft of session cookies, local storage data, or other sensitive information accessible to the application. The attack requires no authentication or additional user actions beyond visiting the link, and impacts are confined to low-level data exposure or modification within the changed scope.

Mitigation is available via the official patch in CyberChef version 11.0.0, as detailed in the GitHub commit 9641ae07f92e9af50f10e978385465b2f4a36c4d, the release comparison between v10.24.0 and v11.0.0, issue tracker entry #2344, and pull request #2346. Security practitioners should upgrade to version 11.0.0 or later and validate inputs in custom deployments of CyberChef.
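To make the defensive point concrete, the following is an added example (not CyberChef's own code) that parses a simplified `#recipe=Op('arg')` fragment, shows the unencoded interpolation behind this bug class beside its encoded counterpart, and provides a check a defender could run over request logs or at a proxy; the fragment grammar, the cell markup and all function names are assumptions made for the demonstration.

```javascript
// Added example, not CyberChef's own code. It models the advisory's bug class:
// a recipe argument taken from the URL fragment and placed into HTML without
// encoding. The "#recipe=Op('arg')" grammar below is a simplified assumption;
// real CyberChef recipes carry several arguments per operation.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// SI-15 style output filtering: encode every HTML metacharacter before rendering.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Parse "#recipe=Show_Base64_offsets('...')" into { op, arg }.
// Tolerates a truncated fragment with no closing "')", as in the advisory's
// "%3Cscript substring", and returns null for malformed percent-encoding or
// a fragment that does not match the expected shape.
function parseRecipeFragment(fragment) {
  let hash = fragment.startsWith("#") ? fragment.slice(1) : fragment;
  try {
    hash = decodeURIComponent(hash);
  } catch (e) {
    return null; // bad %-sequence: treat as invalid input rather than guessing
  }
  const m = /^recipe=([A-Za-z0-9_]+)\('([\s\S]*?)(?:'\))?$/.exec(hash);
  return m ? { op: m[1], arg: m[2] } : null;
}

// Vulnerable pattern (CWE-79): the argument is interpolated straight into markup,
// so "<script" from the fragment becomes live HTML in the page.
function renderUnsafe(arg) {
  return `<td class="offset">${arg}</td>`;
}

// Hardened pattern: the same cell, with the argument encoded first.
function renderEscaped(arg) {
  return `<td class="offset">${escapeHtml(arg)}</td>`;
}

// SI-10 style input validation / detection heuristic: flag a recipe fragment
// whose decoded argument carries HTML metacharacters. Base64 alphabets and
// offsets never need them, so a hit is worth logging or rejecting.
function recipeArgHasMarkup(fragment) {
  const parsed = parseRecipeFragment(fragment);
  return parsed !== null && /[<>"'&]/.test(parsed.arg);
}
```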


Vulnerability details

GCHQ CyberChef before 11.0.0 allows XSS via Show Base64 offsets, as demonstrated by the /#recipe=Show_Base64_offsets('%3Cscript substring.

CWE(s)

CWE-79 Cross-site Scripting

Related Threats

MITRE ATT&CK Enterprise Techniques (AI mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.007 JavaScript (Execution): Adversaries may abuse various implementations of JavaScript for execution.

Why these techniques?

XSS in a public-facing web application (CyberChef) allows arbitrary JavaScript execution via a crafted URL, which maps directly to exploitation of a public-facing application (T1190) and to execution through the browser's JavaScript interpreter (T1059.007).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-3231 (shared CWE-79)
CVE-2025-23481 (shared CWE-79)
CVE-2025-69302 (shared CWE-79)
CVE-2025-23734 (shared CWE-79)
CVE-2025-23571 (shared CWE-79)
CVE-2025-65110 (shared CWE-79)
CVE-2026-24948 (shared CWE-79)
CVE-2025-27352 (shared CWE-79)
CVE-2025-30349 (shared CWE-79)
CVE-2026-3876 (shared CWE-79)


Mitigating Controls (NIST 800-53 r5) (AI mapping)

Prevent (flaw remediation by patching): Directly addresses the CVE by requiring identification, reporting, and correction of the specific XSS flaw in CyberChef's Show Base64 offsets function via patching to version 11.0.0 or later.

Prevent (SI-15 Information Output Filtering): Prevents XSS execution by filtering and encoding information outputs from the vulnerable recipe function before rendering in the browser context.

Prevent (SI-10 Information Input Validation): Blocks exploitation by validating recipe URL inputs, such as the crafted Show_Base64_offsets('%3Cscript substring payload, against defined validity criteria.
