CVE-2026-42615
Published: 29 April 2026
Summary
CVE-2026-42615 is a high-severity Cross-site Scripting (CWE-79) vulnerability. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). Its exploit-likelihood ranking is at the 2.7th percentile (well below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2026-42615 is a cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting GCHQ CyberChef versions prior to 11.0.0. The flaw is in the "Show Base64 offsets" operation: a crafted recipe URL such as /#recipe=Show_Base64_offsets('%3Cscript (the substring cited in the advisory; %3C is the URL encoding of "<") carries attacker-controlled text into the operation's rendered output, where the browser interprets it as HTML and executes arbitrary JavaScript. The vulnerability carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N): network-reachable, low attack complexity, no privileges required, no user interaction required by the vector, a scope change because the script runs in the user's browser rather than inside the vulnerable component, and low impact on confidentiality and integrity.
A remote attacker exploits this vulnerability by distributing a malicious URL containing the crafted recipe payload to target users. When a victim loads the URL in a vulnerable CyberChef instance, the XSS payload executes in the browser context of that origin, potentially enabling theft of session cookies, local storage data, or other information accessible to the application. The attack requires no authentication or additional user actions beyond visiting the link, and impacts are confined to low-level data exposure or modification within the changed scope. Because the recipe sits in the URL fragment (everything after #), browsers do not send it to the server: the access logs of a hosted instance and any WAF in front of it never see the payload, so evidence of exploitation has to come from the delivered link itself (mail, chat, ticket) or from client-side telemetry.
Mitigation is available via the official patch in CyberChef version 11.0.0, as detailed in GitHub commit 9641ae07f92e9af50f10e978385465b2f4a36c4d, the release comparison between v10.24.0 and v11.0.0, issue tracker entry #2344, and pull request #2346. Security practitioners should upgrade to version 11.0.0 or later. Because CyberChef runs entirely client-side, this applies equally to self-hosted copies and to builds derived from the source, which stay vulnerable until rebuilt from a patched release. Input validation at a reverse proxy cannot substitute for the upgrade, since the fragment never reaches the proxy; a restrictive Content Security Policy on self-hosted instances is a defense-in-depth measure that limits what an injected script can do, not a fix.
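The sink pattern behind CWE-79 here, as an added example that is not CyberChef's code: a recipe argument is read from the URL fragment and rendered into HTML, first unescaped (the vulnerable shape) and then with contextual output encoding (the SI-15 shape). The fragment grammar, all function names, the choice of the operation's string argument as the value that reaches the sink, and the simplified three-alignment view are assumptions; the payload is constructed here as one possible completion of the advisory's truncated '%3Cscript substring and is not taken from the advisory or the project.

```javascript
// Added example (not CyberChef's code): the CWE-79 sink pattern behind the advisory.
// Assumptions: the recipe grammar below, all function names, the operation's string
// argument as the value that reaches the sink, and the simplified offsets view.

const ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Contextual output encoding for HTML text and quoted attribute values (SI-15 shape).
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ESCAPES[c]);
}

// Pull the first string argument of `opName` out of a CyberChef-style fragment such as
// "#recipe=Show_Base64_offsets('...')". The browser never sends the fragment to the
// server, so only client-side code ever sees this value.
function recipeArgFromFragment(hash, opName) {
  const m = /^#?recipe=([^&]*)/.exec(hash);
  if (!m) return null;
  const recipe = decodeURIComponent(m[1]);
  const arg = new RegExp("^" + opName + "\\('([^']*)'").exec(recipe);
  return arg ? arg[1] : null;
}

// Base64 for Latin-1 strings in either a browser or Node.
function toBase64(s) {
  return typeof btoa === "function" ? btoa(s) : Buffer.from(s, "latin1").toString("base64");
}

// Simplified offsets view: encode the data at each of the three byte alignments by
// prepending 0..2 NUL bytes. A stand-in for the real operation, not its algorithm.
function base64Offsets(data) {
  return [0, 1, 2].map((k) => ({ offset: k, b64: toBase64("\0".repeat(k) + data) }));
}

// Vulnerable shape: the attacker-controlled argument is concatenated into markup that
// the app would later assign to innerHTML, so "<script>" inside it becomes live HTML.
function renderOffsetsUnsafe(alphabet, data) {
  const rows = base64Offsets(data).map(({ offset, b64 }) => `<p>Offset ${offset}: ${b64}</p>`);
  return `<p class="legend">Alphabet: ${alphabet}</p>` + rows.join("");
}

// Fixed shape: every untrusted value is HTML-encoded at the point it enters markup.
function renderOffsetsSafe(alphabet, data) {
  const rows = base64Offsets(data).map(({ offset, b64 }) => `<p>Offset ${offset}: ${escapeHtml(b64)}</p>`);
  return `<p class="legend">Alphabet: ${escapeHtml(alphabet)}</p>` + rows.join("");
}

// Constructed payload: one completion of the advisory's truncated "'%3Cscript" substring.
const CONSTRUCTED_HASH = "#recipe=Show_Base64_offsets('%3Cscript%3Ealert(1)%3C%2Fscript%3E')";

// Runs the constructed link through both renderers so the difference can be inspected.
function demo() {
  const alphabet = recipeArgFromFragment(CONSTRUCTED_HASH, "Show_Base64_offsets");
  return {
    argument: alphabet,
    unsafeHtml: renderOffsetsUnsafe(alphabet, "hi"),
    safeHtml: renderOffsetsSafe(alphabet, "hi"),
  };
}
```

The unsafe renderer emits the decoded argument verbatim, so the script tag in `demo().unsafeHtml` would execute once assigned to innerHTML; the safe renderer emits `&lt;script&gt;...`, which the browser displays as text. Encoding at the sink, rather than trying to recognise bad arguments up front, is what closes the whole class, not only the '%3Cscript variant.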
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-26191
Vulnerability details
GCHQ CyberChef before 11.0.0 allows XSS via Show Base64 offsets, as demonstrated by the /#recipe=Show_Base64_offsets('%3Cscript substring.
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
XSS in a public-facing web application (CyberChef) allows arbitrary JavaScript execution via a crafted URL. This maps directly to Exploit Public-Facing Application (T1190) for the initial access and to Command and Scripting Interpreter: JavaScript (T1059.007) for the payload that runs in the victim's browser.
Affected Assets
- GCHQ CyberChef, versions before 11.0.0 (including self-hosted copies and builds derived from the source)
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): Directly addresses the CVE by requiring identification, reporting, and correction of the XSS flaw in CyberChef's Show Base64 offsets operation, which here means patching to version 11.0.0 or later.
- SI-15 (Information Output Filtering): Prevents XSS execution by HTML-encoding the values the vulnerable operation emits before they are rendered in the browser, so attacker-controlled text is displayed rather than interpreted as markup.
- SI-10 (Information Input Validation): Blocks exploitation by validating recipe arguments such as the crafted Show_Base64_offsets('%3Cscript substring against defined validity criteria before the operation runs. Because the recipe is carried in the URL fragment, this validation can only happen client-side, in the application itself; a server-side filter or WAF never sees it.