CyberChef has a Cross-site Scripting issue

Description

GCHQ CyberChef before 11.0.0 allows XSS via Show Base64 offsets, as demonstrated by the /#recipe=Show_Base64_offsets(‘%3Cscript substring.

Recommendation

Update the cyberchef package to the latest compatible version. Followings are version details:

• Affected version(s): < 11.0.0
• Patched version(s): 11.0.0

References

• GHSA-h4hv-92pp-pcjg
• CVE-2026-42615
• CWE-79
• CAPEC-310
• OWASP 2021-A3
• OWASP 2021-A6

Related Issues

• LobeHub has a Cross-Site Scripting issue that escalates to Remote Code Execution - CVE-2026-42045
• Slim Select has potential Cross-site Scripting issue - CVE-2024-9440
• DbGate has cross site scripting via the SVG Icon String Handler component - CVE-2026-6216
• beautiful-mermaid contains an SVG attribute injection issue that can lead to cross-site scripting (XSS) - CVE-2026-26226

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

cyberchef