Primary

Context

GCHQ CyberChef Cross-Site Scripting Vulnerability in Base64 Offset Operation

Vulnerability

Patched

A cross-site scripting (XSS) vulnerability has been identified in GCHQ CyberChef versions prior to 11.0.0. The issue arises in the 'Show Base64 offsets' operation, where unescaped Base64 data can be injected and executed as JavaScript. This vulnerability is made possible by the 'eval()' function in 'OutputWaiter.mjs', which executes script tags in the output.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can execute arbitrary JavaScript in the context of the user's browser.

Reproduction

To reproduce this vulnerability, use the 'Show Base64 offsets' operation with a crafted Base64 string that includes a script tag. The unescaped output will execute the injected script, demonstrating the XSS vulnerability.

Remediation

Users can update to GCHQ CyberChef version 11.0.0 or later, where this vulnerability has been fixed.

Added: Apr 29, 2026, 4:20 AM

Updated: Apr 29, 2026, 4:20 AM

Vulnerability Rating

Custom Algorithm

spread

4.2

impact

1.7

exploitability

5.6

remediation

7.7

relevance

7.0

threat

6.4

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

4.2

impact

1.7

exploitability

5.6

remediation

7.7

relevance

7.0

threat

6.4

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

GCHQ CyberChef Cross-Site Scripting Vulnerability in Base64 Offset Operation

Vulnerability

Impact

Reproduction

Remediation

Affected Products

GCHQ CyberChef

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating