CVE-2019-15532
Description
CyberChef before 8.31.2 is vulnerable to cross-site scripting (XSS) in the Text Encoding Brute Force operation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Description
CyberChef versions prior to 8.31.2 contain a cross-site scripting (XSS) vulnerability in the TextEncodingBruteForce.mjs file [1][2]. The operation generates an HTML table of encoded values but fails to sanitize the output before inserting it into the DOM. Specifically, the Utils.printable function is called without escaping HTML entities, allowing attacker-controlled data to be interpreted as markup [4].
Exploitation
An attacker can exploit this vulnerability by crafting input that, when processed by the Text Encoding Brute Force operation, results in malicious HTML or JavaScript being injected into the page. The attack requires the victim to use the vulnerable operation on the crafted input. No authentication is needed if the attacker can trick a user into using the operation through social engineering or by persisting malicious content in a shared CyberChef instance [2].
Impact
Successful exploitation leads to arbitrary script execution in the context of the victim's browser. This could enable data theft, session hijacking, or further attacks within the CyberChef application [2]. Since CyberChef is often used in security contexts, an XSS attack could compromise sensitive data processed by the tool.
Mitigation
The vulnerability is fixed in CyberChef version 8.31.2 and later [4]. The fix ensures that values are HTML-escaped using Utils.escapeHtml before being inserted into the table [4]. Users should upgrade to the latest version. No workarounds are documented [2].
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
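To make the fix concrete, here is an added example (not CyberChef's own code) that rebuilds the table loop from the patch in its vulnerable and fixed forms. `escapeHtml` and `printable` are simplified stand-ins for CyberChef's `Utils` helpers, and `hasInjectedTag` is an assumed defender-side check, not part of the project.

```javascript
// Simplified stand-in for Utils.escapeHtml: neutralise the five HTML-significant characters.
function escapeHtml(str) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(str).replace(/[&<>"']/g, (c) => map[c]);
}

// Simplified stand-in for Utils.printable(str, true): replace control characters with ".".
function printable(str) {
  return String(str).replace(/[\x00-\x1f\x7f]/g, ".");
}

// Table builder as in the pre-fix code: the decoded value lands in the cell unescaped.
function buildTableVulnerable(encodings) {
  let table = "<table><tr><th>Encoding</th><th>Value</th></tr>";
  for (const enc in encodings) {
    const value = printable(encodings[enc]);
    table += `<tr><td>${enc}</td><td>${value}</td></tr>`;
  }
  return table + "</table>";
}

// Fixed builder: escape AFTER printable(), so nothing printable() emits can open a tag.
function buildTableFixed(encodings) {
  let table = "<table><tr><th>Encoding</th><th>Value</th></tr>";
  for (const enc in encodings) {
    const value = escapeHtml(printable(encodings[enc]));
    table += `<tr><td>${enc}</td><td>${value}</td></tr>`;
  }
  return table + "</table>";
}

// Constructed sample: one input decoded under two encodings, with markup in the decoded text.
const sample = { "UTF-8": "<b>hello</b>", "Windows-1252": "\x01<i>x</i>" };

// Defender's check (assumed helper): after removing the builder's own template tags,
// any remaining '<' followed by a tag character came from the data, i.e. was injected.
function hasInjectedTag(html) {
  const stripped = html.replace(/<\/?(table|tr|th|td)>/g, "");
  return /<[a-zA-Z/]/.test(stripped);
}

console.log(hasInjectedTag(buildTableVulnerable(sample))); // true
console.log(hasInjectedTag(buildTableFixed(sample)));      // false
```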
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| cyberchef (npm) | < 8.31.3 | 8.31.3 |
Affected products
- CyberChef/CyberChef
Patches
- 01f0625d6a17 Fixed XSS in 'Text Encoding Brute Force. Closes #539
1 file changed · +1 −1
src/core/operations/TextEncodingBruteForce.mjs+1 −1 modified@@ -79,7 +79,7 @@ class TextEncodingBruteForce extends Operation { let table = "<table class='table table-hover table-sm table-bordered table-nonfluid'><tr><th>Encoding</th><th>Value</th></tr>"; for (const enc in encodings) { - const value = Utils.printable(encodings[enc], true); + const value = Utils.escapeHtml(Utils.printable(encodings[enc], true)); table += `<tr><td>${enc}</td><td>${value}</td></tr>`; }
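Review bot: only the value cell is escaped; the encoding name is still interpolated raw in `<td>${enc}</td>`. That is fine as long as the keys of `encodings` are the operation's own static encoding names and never derived from user input, but a short comment stating that invariant, or escaping `enc` the same way, would make the hunk self-evidently complete. The ordering `Utils.escapeHtml(Utils.printable(...))` is the right one, since escaping last also covers any characters `printable` itself emits.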
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-jp6r-xcjj-5h7r (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2019-15532 (NVD advisory)
- github.com/gchq/CyberChef/commit/01f0625d6a177f9c5df9281f12a27c814c2d8bcf (fix commit)
- github.com/gchq/CyberChef/compare/v8.31.1...v8.31.2 (release comparison)
- github.com/gchq/CyberChef/issues/539 (issue)
- github.com/gchq/CyberChef/issues/544 (issue)
- snyk.io/vuln/SNYK-JS-CYBERCHEF-460296 (Snyk advisory)
- www.npmjs.com/advisories/1149 (npm advisory)