Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-jup4-p1cm-2qdf
Vulnerability ID VCID-jup4-p1cm-2qdf
Aliases CVE-2026-42615
GHSA-h4hv-92pp-pcjg
Summary GCHQ CyberChef before 11.0.0 allows XSS via Show Base64 offsets, as demonstrated by the /#recipe=Show_Base64_offsets('%3Cscript substring.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
Affected and Fixed Packages Package Details
Weaknesses (3)
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
epss 0.00014 https://api.first.org/data/v1/epss?cve=CVE-2026-42615
epss 0.00014 https://api.first.org/data/v1/epss?cve=CVE-2026-42615
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-h4hv-92pp-pcjg
cvssv3.1 7.2 https://github.com/gchq/CyberChef
generic_textual HIGH https://github.com/gchq/CyberChef
cvssv3.1 7.2 https://github.com/gchq/CyberChef/commit/9641ae07f92e9af50f10e978385465b2f4a36c4d
generic_textual HIGH https://github.com/gchq/CyberChef/commit/9641ae07f92e9af50f10e978385465b2f4a36c4d
ssvc Track https://github.com/gchq/CyberChef/commit/9641ae07f92e9af50f10e978385465b2f4a36c4d
cvssv3.1 7.2 https://github.com/gchq/CyberChef/compare/v10.24.0...v11.0.0
generic_textual HIGH https://github.com/gchq/CyberChef/compare/v10.24.0...v11.0.0
ssvc Track https://github.com/gchq/CyberChef/compare/v10.24.0...v11.0.0
cvssv3.1 7.2 https://github.com/gchq/CyberChef/issues/2344
generic_textual HIGH https://github.com/gchq/CyberChef/issues/2344
ssvc Track https://github.com/gchq/CyberChef/issues/2344
cvssv3.1 7.2 https://github.com/gchq/CyberChef/pull/2346
generic_textual HIGH https://github.com/gchq/CyberChef/pull/2346
ssvc Track https://github.com/gchq/CyberChef/pull/2346
cvssv3.1 7.2 https://nvd.nist.gov/vuln/detail/CVE-2026-42615
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2026-42615
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2026-42615
https://github.com/gchq/CyberChef
https://nvd.nist.gov/vuln/detail/CVE-2026-42615
2344 https://github.com/gchq/CyberChef/issues/2344
2346 https://github.com/gchq/CyberChef/pull/2346
9641ae07f92e9af50f10e978385465b2f4a36c4d https://github.com/gchq/CyberChef/commit/9641ae07f92e9af50f10e978385465b2f4a36c4d
GHSA-h4hv-92pp-pcjg https://github.com/advisories/GHSA-h4hv-92pp-pcjg
v10.24.0...v11.0.0 https://github.com/gchq/CyberChef/compare/v10.24.0...v11.0.0
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N Found at https://github.com/gchq/CyberChef
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N Found at https://github.com/gchq/CyberChef/commit/9641ae07f92e9af50f10e978385465b2f4a36c4d
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:13:50Z/ Found at https://github.com/gchq/CyberChef/commit/9641ae07f92e9af50f10e978385465b2f4a36c4d
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N Found at https://github.com/gchq/CyberChef/compare/v10.24.0...v11.0.0
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:13:50Z/ Found at https://github.com/gchq/CyberChef/compare/v10.24.0...v11.0.0
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N Found at https://github.com/gchq/CyberChef/issues/2344
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:13:50Z/ Found at https://github.com/gchq/CyberChef/issues/2344
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N Found at https://github.com/gchq/CyberChef/pull/2346
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-29T13:13:50Z/ Found at https://github.com/gchq/CyberChef/pull/2346
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-42615
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.02734
EPSS Score 0.00014
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T16:44:18.317566+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2026/42xxx/CVE-2026-42615.json 38.6.0