CVE-2026-42615 Overview
A Cross-Site Scripting (XSS) vulnerability exists in GCHQ CyberChef versions prior to 11.0.0. The vulnerability occurs in the "Show Base64 offsets" operation, which fails to properly sanitize user-supplied input before rendering it in the browser context. An attacker can craft a malicious URL containing JavaScript code that will execute when a victim visits the specially crafted link, potentially leading to session hijacking, credential theft, or other client-side attacks.
Critical Impact
Attackers can execute arbitrary JavaScript in the context of CyberChef users by crafting malicious URLs with embedded scripts in the recipe parameter, potentially compromising sensitive data processed through the tool.
Affected Products
- GCHQ CyberChef versions before 11.0.0
- CyberChef version 10.24.0 and earlier releases
Discovery Timeline
- April 29, 2026 - CVE-2026-42615 published to NVD
- April 29, 2026 - Last updated in NVD database
Technical Details for CVE-2026-42615
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting. The flaw exists within the "Show Base64 offsets" operation in CyberChef, a web-based data analysis tool developed by GCHQ. When processing recipes containing the Show_Base64_offsets function, the application fails to properly escape or sanitize the parameter values before inserting them into the rendered HTML output.
The attack is network-accessible and requires no authentication or special privileges to exploit. The impact extends beyond the vulnerable application's origin (changed scope), affecting both confidentiality and integrity of data processed by users who click on malicious links. The attack does not require user interaction beyond clicking the malicious link, as the recipe is automatically loaded and executed from the URL fragment.
Root Cause
The root cause stems from insufficient input validation and output encoding in the Show Base64 offsets operation. The recipe parameter passed via the URL fragment identifier (#recipe=) is processed and rendered without proper HTML entity encoding or JavaScript escaping. This allows an attacker to inject arbitrary HTML and JavaScript content by including script tags or event handlers within the operation parameters.
Attack Vector
The vulnerability can be exploited remotely via a network attack vector. An attacker constructs a malicious CyberChef URL containing a recipe with the Show_Base64_offsets operation. The operation parameter includes HTML/JavaScript payload such as <script> tags. When a victim clicks the link, the CyberChef application processes the URL fragment, parses the recipe, and renders the attacker-controlled content directly into the DOM without proper sanitization, causing the malicious script to execute in the victim's browser context.
The attack is demonstrated through URLs following this pattern: /#recipe=Show_Base64_offsets('%3Cscript... where %3C decodes to <, allowing script injection. Since CyberChef is commonly used for analyzing potentially sensitive data including encoded credentials, API keys, and other security-relevant information, successful exploitation could expose this sensitive data to attackers.
Detection Methods for CVE-2026-42615
Indicators of Compromise
- Monitor web server and proxy logs for CyberChef URLs containing Show_Base64_offsets with encoded script tags (%3Cscript, %3Csvg, %3Ciframe)
- Look for suspicious referrer URLs pointing to external domains that redirect to CyberChef instances with malicious recipes
- Check browser console logs or content security policy violation reports indicating inline script execution attempts
Detection Strategies
- Implement Content Security Policy (CSP) headers on CyberChef deployments to detect and block inline script execution attempts
- Deploy web application firewalls (WAF) with rules to detect XSS patterns in URL fragments and query parameters
- Monitor network traffic for requests to internal CyberChef instances originating from external phishing links
- Enable browser-based XSS auditing and monitoring for organizations using CyberChef
Monitoring Recommendations
- Configure centralized logging for all CyberChef access with full URL capture including fragments where possible
- Set up alerts for unusual access patterns to CyberChef instances, particularly from external referrers
- Monitor for CSP violation reports that may indicate attempted XSS exploitation
How to Mitigate CVE-2026-42615
Immediate Actions Required
- Upgrade GCHQ CyberChef to version 11.0.0 or later immediately
- If immediate upgrade is not possible, restrict access to CyberChef instances to trusted networks only
- Implement Content Security Policy headers to mitigate potential XSS impact
- Warn users not to click on CyberChef links from untrusted sources
Patch Information
The vulnerability has been addressed in CyberChef version 11.0.0. The fix involves proper sanitization and encoding of user-supplied input in the Show Base64 offsets operation before rendering. Technical details of the fix can be found in the GitHub commit. The complete changes between the vulnerable version 10.24.0 and the patched version 11.0.0 are available in the GitHub version comparison. Additional context is available in the related GitHub issue and pull request.
Workarounds
- Deploy CyberChef behind a reverse proxy with strict Content Security Policy headers that block inline script execution
- Restrict access to CyberChef deployments using network-level access controls to limit exposure to trusted users only
- Educate users about the risks of clicking on CyberChef URLs from untrusted sources, particularly those containing complex recipe parameters
- Consider using a local/offline version of CyberChef for processing sensitive data until the patch can be applied
# Example CSP header configuration for Apache
# Add to virtual host or .htaccess file
Header set Content-Security-Policy "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self';"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
