GCHQ CyberChef XSS Vulnerability (CVE-2026-42615) Identified
The National Vulnerability Database has detailed CVE-2026-42615, a high-severity Cross-Site Scripting (XSS) vulnerability affecting GCHQ CyberChef versions prior to 11.0.0. This flaw, assigned a CVSS score of 7.2, allows for XSS via the ‘Show Base64 offsets’ function, specifically through a crafted URL containing a script substring.
Attackers can exploit this by enticing a user to click a malicious link, leading to the execution of arbitrary JavaScript within the user’s browser context. While the National Vulnerability Database does not specify affected products beyond the CyberChef application itself, the nature of XSS means any user interacting with a vulnerable instance could be compromised. This is a client-side vulnerability, but its impact can range from session hijacking to defacement or further client-side exploitation.
Defenders must prioritize patching CyberChef instances to version 11.0.0 or later immediately. Given CyberChef’s utility in incident response and malware analysis, this vulnerability presents a concerning attack vector for adversaries targeting security teams. Ensure all instances are updated, and consider implementing Content Security Policies (CSPs) as a secondary defense layer for web applications that interact with user-supplied input.
What This Means For You
- If your team uses GCHQ CyberChef, you need to verify your version immediately. An unpatched CyberChef instance running before version 11.0.0 is a direct XSS risk. Patch this vulnerability NOW to prevent attackers from leveraging crafted URLs to execute arbitrary code in your analysts' browsers.
🛡️ Detection Rules
CVE-2026-42615 - CyberChef XSS via Show Base64 Offsets
```yaml
title: CVE-2026-42615 - CyberChef XSS via Show Base64 Offsets
id: scw-2026-04-29-ai-1
status: experimental
level: high
description: |
  Detects the specific XSS payload used in CVE-2026-42615 targeting the Show Base64 offsets feature in CyberChef. This indicates an attempt to exploit a cross-site scripting vulnerability.
author: SCW Feed Engine (AI-generated)
date: 2026-04-29
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-42615/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    # The '#...' fragment is not sent in HTTP requests, so this only
    # matches log sources that record the full URL.
    cs-uri-query|contains:
      # A quote inside a single-quoted YAML scalar is escaped by doubling it.
      - '/#recipe=Show_Base64_offsets(''%3Cscript%20substring'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Source: Shimi's Cyber World
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-42615 | XSS | GCHQ CyberChef before 11.0.0 |
| CVE-2026-42615 | XSS | Vulnerable component: Show Base64 offsets |
| CVE-2026-42615 | XSS | Attack vector: /#recipe=Show_Base64_offsets('%3Cscript substring |
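
The attack vector in the table sits in the URL fragment, which browsers keep client-side, so the sketch below (an added example, not code from the original page or from CyberChef) triages full URLs gathered from sources such as mail or chat link logs and shows what a web server would actually have received. The host `cyberchef.example`, the function names and the sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit, unquote

# Indicator from the IoC table above, URL-decoded and lower-cased for matching.
OPERATION = "show_base64_offsets("
MARKUP = "<script"

# Constructed sample URLs; cyberchef.example is a placeholder host.
SAMPLES = [
    "https://cyberchef.example/#recipe=Show_Base64_offsets('%3Cscript%20substring",
    "https://cyberchef.example/#recipe=Show_Base64_offsets('%253Cscript%2520substring",
    "https://cyberchef.example/#recipe=Show_Base64_offsets('A-Za-z0-9%2B/%3D',true,'Raw')",
    "https://cyberchef.example/?theme=dark#recipe=To_Hex('Space',0)",
]

def request_target(url: str) -> str:
    """Path plus query: the only part of the URL a web server can log."""
    parts = urlsplit(url)
    target = parts.path or "/"
    return f"{target}?{parts.query}" if parts.query else target

def decoded_fragment(url: str, max_rounds: int = 3) -> str:
    """Percent-decode the fragment repeatedly so %253C is seen as '<'."""
    frag = urlsplit(url).fragment
    for _ in range(max_rounds):
        step = unquote(frag)
        if step == frag:
            break
        frag = step
    return frag.lower()

def fragment_is_suspicious(url: str) -> bool:
    """True if a Show_Base64_offsets recipe step is followed by script markup."""
    frag = decoded_fragment(url)
    start = frag.find(OPERATION)
    return start != -1 and MARKUP in frag[start:]

def triage(urls):
    """Return (url, flagged, seen_by_server) for each URL."""
    rows = []
    for url in urls:
        seen = OPERATION in unquote(request_target(url)).lower()
        rows.append((url, fragment_is_suspicious(url), seen))
    return rows

if __name__ == "__main__":
    for url, flagged, seen in triage(SAMPLES):
        print(f"flagged={flagged!s:5} seen_by_server={seen!s:5} {url}")
```

Every sample reports `seen_by_server=False`, so hunting for this indicator has to draw on telemetry that records the complete URL rather than on web server access logs alone.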
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 29, 2026 at 07:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.