Crafted recipe URL triggers XSS in CyberChef before 11.0.0
TL;DR - CyberChef < 11.0.0: a crafted /#recipe=Show_Base64_offsets(...,false) URL injects and executes arbitrary HTML/JS in the output pane, inside the viewer's browser session.
What happened
CyberChef is a browser-based "recipe" tool for data transformation and analysis - encodings, crypto primitives, format parsing. Security teams deploy it as an internal web app for incident response and malware triage.
CVE-2026-42615 is a high-severity XSS in the Show Base64 offsets operation that needs no stored payload. The root cause is in ShowBase64Offsets.mjs: when showVariable is false, a user-controlled Base64 static segment (staticSection) is returned directly as HTML without escaping. Send a victim a link like /#recipe=Show_Base64_offsets('%3Cscript ... and their browser executes your payload the moment they open it.
That last point is the operational problem. CyberChef's shareable recipe URLs are a core feature - analysts routinely paste them into tickets, chats, and runbooks. That makes this class of bug trivially weaponisable inside internal workflows. One link in a Slack thread is all it takes.
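As an added illustration (not code from the CyberChef project or from the upstream fix), here is the bug class the root cause describes, a user-controlled string interpolated into the HTML output pane, next to its hardened form, plus a conservative triage check for recipe links found in tickets or chat. The render helpers, the fragment shape and the sample segment are assumptions constructed for the demo.

```javascript
// Added illustration, not CyberChef's own code. Hypothetical stand-ins for the
// vulnerable and hardened rendering paths, plus a triage helper for shared links.

// Minimal HTML escaper for element content.
function escapeHtml(str) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(str).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: with showVariable === false the static segment goes
// straight into the markup, so any tags in it are rendered, not displayed.
function renderOffsetsVulnerable(staticSection, showVariable) {
  const stat = `<span class="hl1">${staticSection}</span>`;
  return showVariable ? `${stat}<span class="hl2">[variable]</span>` : stat;
}

// Hardened pattern: escape the untrusted string before it enters the markup.
function renderOffsetsFixed(staticSection, showVariable) {
  const stat = `<span class="hl1">${escapeHtml(staticSection)}</span>`;
  return showVariable ? `${stat}<span class="hl2">[variable]</span>` : stat;
}

// Triage helper for links circulating internally. Assumption: the fragment has
// the shape "#recipe=Show_Base64_offsets(...)" quoted in the advisory. A real
// Base64 segment never contains '<' or '>', so their presence after
// URL-decoding deserves a manual look. Other operations legitimately take such
// characters, so the check is scoped to Show_Base64_offsets and may over-flag.
function recipeLinkNeedsReview(url) {
  const hashIdx = url.indexOf("#");
  if (hashIdx < 0) return false;
  let fragment;
  try {
    fragment = decodeURIComponent(url.slice(hashIdx + 1));
  } catch (e) {
    return true; // malformed percent-encoding: treat as worth reviewing
  }
  const start = fragment.indexOf("Show_Base64_offsets(");
  if (start < 0) return false;
  return /[<>]/.test(fragment.slice(start));
}

// Constructed sample segment (not a payload from the upstream report).
const CRAFTED_SEGMENT = "<b>injected</b>";
console.log(renderOffsetsVulnerable(CRAFTED_SEGMENT, false)); // tags survive
console.log(renderOffsetsFixed(CRAFTED_SEGMENT, false));      // tags escaped
```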
Who is impacted
- Any deployment running CyberChef versions < 11.0.0.
- Highest risk: shared or multi-user instances where the browser session has access to sensitive material - saved recipes, inputs, internal bookmarks, or active SSO sessions.
| Item | Detail |
|---|---|
| Affected component | CyberChef Show Base64 offsets (ShowBase64Offsets.mjs) |
| Affected versions | < 11.0.0 |
| Severity | CVSS 3.1 7.2 (High) |
| CVSS vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N |
What to do now
- Update to CyberChef 11.0.0 or later. The CVE record marks all versions < 11.0.0 as affected.
- Review how your instance is accessed:
  - check whether it sits behind SSO and what session context a victim's browser would carry
  - assess whether the instance is reachable from untrusted networks
- Audit how recipe URLs circulate in your organisation - internal chats, incident tickets, documentation wikis. If analysts routinely share /#recipe=... links, that's the delivery vector.
- If you suspect exploitation, rotate credentials accessible to the affected browser session. Check for anomalous recipe URLs in access logs - but note the payload lives in the URL fragment, which most servers never log.
Additional information
- Upstream bug report: gchq/CyberChef issue #2344 (includes reproduction URL).
- Fix: pull request gchq/CyberChef#2346, commit 9641ae07f92e9af50f10e978385465b2f4a36c4d.
- Release range referenced by the CVE: v10.24.0...v11.0.0.
Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly; send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
