CVE-2026-40451
Description
DeepL Chrome browser extension versions from v1.22.0 to v1.23.0 contain a cross-site scripting vulnerability, which allows an attacker to execute arbitrary script in a user's browser and inject malicious HTML into web pages viewed by the user.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
DeepL Chrome extension versions 1.22.0–1.23.0 contain a cross-site scripting flaw allowing arbitrary script execution via unsanitized input.
Vulnerability overview
CVE-2026-40451 is a cross-site scripting (XSS) vulnerability in the DeepL Chrome browser extension, affecting versions from v1.22.0 to v1.23.0 [1][2]. The root cause is improper neutralization of user-controlled input, such as search queries or page content, during web page generation, allowing injection of malicious code into the DOM [2].
Exploitation requirements
An attacker can exploit this flaw by convincing a user to interact with a crafted web page or link that triggers the vulnerable extension processing [1]. No authentication or special network access is needed; the attack only requires user interaction (UI:R) and has low attack complexity (AC:L) per the CVSS vector [1].
Impact
Successful exploitation enables arbitrary script execution in the user's browser and injection of malicious HTML into web pages viewed by the victim [1]. The scope is changed (S:C) as the injected script can affect other resources beyond the vulnerable extension [1].
Mitigation
The vendor released a complete fix in version 1.24.0; users should update the extension immediately [1][2]. Partial patches in versions v1.22.2 and v1.23.0 were incomplete and did not fully resolve the vulnerability [2]. The DeepL web application is not affected [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >=1.22.0, <1.23.0
- Range: >=v1.22.0, <=v1.23.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.