High severity · CVSS 7.2 · NVD Advisory · Published Apr 29, 2026 · Updated Apr 30, 2026
CVE-2026-42615
Description
GCHQ CyberChef before 11.0.0 allows XSS via the Show Base64 offsets operation, as demonstrated by a recipe URL containing the /#recipe=Show_Base64_offsets('%3Cscript substring.
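The mechanism behind this description, reproduced in isolation as an added example (this is not CyberChef's code): the Base64 alphabet is an operation argument, so the "encoded" text is chosen by whoever authors the recipe URL and can itself be an HTML tag. A renderer that interpolates that text into HTML has to escape every interpolation point, not only the tooltip title. The alphabet, the sample bytes and the function names (`toBase64`, `renderChunkUnsafe`, `renderChunkSafe`, `demo`) are constructed for this example.

```javascript
// Added example, not CyberChef's code. Shows why output built from a
// user-controlled Base64 alphabet must be HTML-escaped at every
// interpolation point, and how an unescaped text node becomes XSS.

// Constructed alphabet: 64 distinct symbols beginning with "<script>",
// followed by "=" as the padding character.
const SAMPLE_ALPHABET =
    "<script>" + "0123456789" + "ABCDEFGHIJKLMNOPQRSTUVWXYZ" +
    "abdefghjklmnoquvwxyz" + "=";

// Constructed input: the 6-bit groups of these six bytes are 0,1,...,7,
// i.e. the first eight alphabet symbols, so they encode to "<script>".
const SAMPLE_BYTES = [0x00, 0x10, 0x83, 0x10, 0x51, 0x87];

// Minimal Base64 encoder with a caller-supplied alphabet (64 symbols plus
// an optional 65th padding symbol, "=" if none is given).
function toBase64(bytes, alphabet) {
    if (alphabet.length < 64) throw new Error("alphabet needs at least 64 symbols");
    const pad = alphabet.length > 64 ? alphabet[64] : "=";
    let out = "";
    for (let i = 0; i < bytes.length; i += 3) {
        const b0 = bytes[i], b1 = bytes[i + 1], b2 = bytes[i + 2];
        const n = (b0 << 16) | ((b1 ?? 0) << 8) | (b2 ?? 0);
        out += alphabet[(n >>> 18) & 63] + alphabet[(n >>> 12) & 63];
        out += b1 === undefined ? pad : alphabet[(n >>> 6) & 63];
        out += b2 === undefined ? pad : alphabet[n & 63];
    }
    return out;
}

// Escape the five characters that matter in HTML text and attribute context.
function escapeHtml(str) {
    const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
    return String(str).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable pattern: the tooltip title is escaped, the visible Base64 text
// is not, so an alphabet containing "<script>" yields a live tag.
function renderChunkUnsafe(b64Chunk, decodedPreview) {
    return "<span data-toggle='tooltip' data-placement='top' title='" +
        escapeHtml(decodedPreview) + "'>" + b64Chunk + "</span>";
}

// Hardened pattern: every piece of untrusted data is escaped before it is
// concatenated into markup, including the Base64 text itself.
function renderChunkSafe(b64Chunk, decodedPreview) {
    return "<span data-toggle='tooltip' data-placement='top' title='" +
        escapeHtml(decodedPreview) + "'>" + escapeHtml(b64Chunk) + "</span>";
}

// Encode the sample bytes with the hostile alphabet and render both ways.
function demo() {
    const encoded = toBase64(SAMPLE_BYTES, SAMPLE_ALPHABET);
    const preview = String.fromCharCode(...SAMPLE_BYTES.slice(0, 3));
    return {
        encoded,
        unsafe: renderChunkUnsafe(encoded, preview),
        safe: renderChunkSafe(encoded, preview),
    };
}

console.log(demo());
```

The test added in the CyberChef patch exercises the raw output path; a regression test for the HTML path is the one that should assert `&lt;script&gt;` appears in the rendered spans and a raw `<script>` does not, which is what `demo().safe` demonstrates here.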
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| cyberchef (npm) | < 11.0.0 | 11.0.0 |
Affected products
Patches (1)
9641ae07f92e Fix XSS in Show Base64 offsets (#2346)
2 files changed · +39 −28
src/core/operations/ShowBase64Offsets.mjs+28 −28 modified@@ -77,84 +77,84 @@ class ShowBase64Offsets extends Operation { staticSection = offset0.slice(0, -3); offset0 = "<span data-toggle='tooltip' data-placement='top' title='" + Utils.escapeHtml(fromBase64(staticSection, alphabet).slice(0, -2)) + "'>" + - staticSection + "</span>" + - "<span class='hl5'>" + offset0.substr(offset0.length - 3, 1) + "</span>" + - "<span class='hl3'>" + offset0.substr(offset0.length - 2) + "</span>"; + Utils.escapeHtml(staticSection) + "</span>" + + "<span class='hl5'>" + Utils.escapeHtml(offset0.substr(offset0.length - 3, 1)) + "</span>" + + "<span class='hl3'>" + Utils.escapeHtml(offset0.substr(offset0.length - 2)) + "</span>"; } else if (len0 % 4 === 3) { staticSection = offset0.slice(0, -2); offset0 = "<span data-toggle='tooltip' data-placement='top' title='" + Utils.escapeHtml(fromBase64(staticSection, alphabet).slice(0, -1)) + "'>" + - staticSection + "</span>" + - "<span class='hl5'>" + offset0.substr(offset0.length - 2, 1) + "</span>" + - "<span class='hl3'>" + offset0.substr(offset0.length - 1) + "</span>"; + Utils.escapeHtml(staticSection) + "</span>" + + "<span class='hl5'>" + Utils.escapeHtml(offset0.substr(offset0.length - 2, 1)) + "</span>" + + "<span class='hl3'>" + Utils.escapeHtml(offset0.substr(offset0.length - 1)) + "</span>"; } else { staticSection = offset0; offset0 = "<span data-toggle='tooltip' data-placement='top' title='" + Utils.escapeHtml(fromBase64(staticSection, alphabet)) + "'>" + - staticSection + "</span>"; + Utils.escapeHtml(staticSection) + "</span>"; } if (!showVariable) { - offset0 = staticSection; + offset0 = Utils.escapeHtml(staticSection); } // Highlight offset 1 - padding = "<span class='hl3'>" + offset1.substr(0, 1) + "</span>" + - "<span class='hl5'>" + offset1.substr(1, 1) + "</span>"; + padding = "<span class='hl3'>" + Utils.escapeHtml(offset1.substr(0, 1)) + "</span>" + + "<span class='hl5'>" + Utils.escapeHtml(offset1.substr(1, 1)) + 
"</span>"; offset1 = offset1.substr(2); if (len1 % 4 === 2) { staticSection = offset1.slice(0, -3); offset1 = padding + "<span data-toggle='tooltip' data-placement='top' title='" + Utils.escapeHtml(fromBase64("AA" + staticSection, alphabet).slice(1, -2)) + "'>" + - staticSection + "</span>" + - "<span class='hl5'>" + offset1.substr(offset1.length - 3, 1) + "</span>" + - "<span class='hl3'>" + offset1.substr(offset1.length - 2) + "</span>"; + Utils.escapeHtml(staticSection) + "</span>" + + "<span class='hl5'>" + Utils.escapeHtml(offset1.substr(offset1.length - 3, 1)) + "</span>" + + "<span class='hl3'>" + Utils.escapeHtml(offset1.substr(offset1.length - 2)) + "</span>"; } else if (len1 % 4 === 3) { staticSection = offset1.slice(0, -2); offset1 = padding + "<span data-toggle='tooltip' data-placement='top' title='" + Utils.escapeHtml(fromBase64("AA" + staticSection, alphabet).slice(1, -1)) + "'>" + - staticSection + "</span>" + - "<span class='hl5'>" + offset1.substr(offset1.length - 2, 1) + "</span>" + - "<span class='hl3'>" + offset1.substr(offset1.length - 1) + "</span>"; + Utils.escapeHtml(staticSection) + "</span>" + + "<span class='hl5'>" + Utils.escapeHtml(offset1.substr(offset1.length - 2, 1)) + "</span>" + + "<span class='hl3'>" + Utils.escapeHtml(offset1.substr(offset1.length - 1)) + "</span>"; } else { staticSection = offset1; offset1 = padding + "<span data-toggle='tooltip' data-placement='top' title='" + Utils.escapeHtml(fromBase64("AA" + staticSection, alphabet).slice(1)) + "'>" + - staticSection + "</span>"; + Utils.escapeHtml(staticSection) + "</span>"; } if (!showVariable) { - offset1 = staticSection; + offset1 = Utils.escapeHtml(staticSection); } // Highlight offset 2 - padding = "<span class='hl3'>" + offset2.substr(0, 2) + "</span>" + - "<span class='hl5'>" + offset2.substr(2, 1) + "</span>"; + padding = "<span class='hl3'>" + Utils.escapeHtml(offset2.substr(0, 2)) + "</span>" + + "<span class='hl5'>" + Utils.escapeHtml(offset2.substr(2, 1)) + 
"</span>"; offset2 = offset2.substr(3); if (len2 % 4 === 2) { staticSection = offset2.slice(0, -3); offset2 = padding + "<span data-toggle='tooltip' data-placement='top' title='" + Utils.escapeHtml(fromBase64("AAA" + staticSection, alphabet).slice(2, -2)) + "'>" + - staticSection + "</span>" + - "<span class='hl5'>" + offset2.substr(offset2.length - 3, 1) + "</span>" + - "<span class='hl3'>" + offset2.substr(offset2.length - 2) + "</span>"; + Utils.escapeHtml(staticSection) + "</span>" + + "<span class='hl5'>" + Utils.escapeHtml(offset2.substr(offset2.length - 3, 1)) + "</span>" + + "<span class='hl3'>" + Utils.escapeHtml(offset2.substr(offset2.length - 2)) + "</span>"; } else if (len2 % 4 === 3) { staticSection = offset2.slice(0, -2); offset2 = padding + "<span data-toggle='tooltip' data-placement='top' title='" + Utils.escapeHtml(fromBase64("AAA" + staticSection, alphabet).slice(2, -2)) + "'>" + - staticSection + "</span>" + - "<span class='hl5'>" + offset2.substr(offset2.length - 2, 1) + "</span>" + - "<span class='hl3'>" + offset2.substr(offset2.length - 1) + "</span>"; + Utils.escapeHtml(staticSection) + "</span>" + + "<span class='hl5'>" + Utils.escapeHtml(offset2.substr(offset2.length - 2, 1)) + "</span>" + + "<span class='hl3'>" + Utils.escapeHtml(offset2.substr(offset2.length - 1)) + "</span>"; } else { staticSection = offset2; offset2 = padding + "<span data-toggle='tooltip' data-placement='top' title='" + Utils.escapeHtml(fromBase64("AAA" + staticSection, alphabet).slice(2)) + "'>" + - staticSection + "</span>"; + Utils.escapeHtml(staticSection) + "</span>"; } if (!showVariable) { - offset2 = staticSection; + offset2 = Utils.escapeHtml(staticSection); } return (showVariable ? "Characters highlighted in <span class='hl5'>green</span> could change if the input is surrounded by more data." +
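Review bot: The escaping is applied correctly at each of the visible interpolation points, but the same sequence (title-escaped span, `hl5` span, `hl3` span, then the `showVariable` fallback) is now copied three times for offset0, offset1 and offset2, which is exactly how the original missed the text nodes while escaping the title; factoring the span construction into one helper that takes the Base64 slice and the decoded preview would leave a single place to keep safe. Also visible in context, though not changed by this patch: the `len2 % 4 === 3` branch builds its tooltip preview with `.slice(2, -2)` where the corresponding `len0`/`len1` branches use `-1`, so it is worth checking whether that preview drops one byte. Finally, the hunk ends at the `return`, so the review cannot confirm from these lines that the `Raw` output format bypasses the escaped strings; the new test expects an unescaped `<script>` for `Raw`, which implies it does, but a comment at the `showVariable` fallbacks noting that they feed only the HTML formats would make that explicit.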
tests/operations/tests/Base64.mjs+11 −0 modified@@ -116,4 +116,15 @@ TestRegister.addTests([ }, ], }, + { + name: "Show Base64 offsets: escapes static output", + input: "\x00\x10\x83\x10\x51\x87", + expectedOutput: "<script>\n<AQmsBRk66\n<ia1AEIM6", + recipeConfig: [ + { + op: "Show Base64 offsets", + args: ["<script>ale(1)/.ABCDEFGHIJKLMNOPQRSTUVWXYZbdfghjkmnoquvwxyz023456", false, "Raw"], + }, + ], + }, ]);
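Review bot: The added case runs with `args: [..., false, "Raw"]` and an `expectedOutput` that still contains a literal `<script>`, so it covers the raw output path rather than the HTML rendering that the fix changes; a second case using the HTML format (and one with `showVariable` set to true, to cover the highlighted `hl5`/`hl3` spans) asserting that `&lt;script&gt;` is present and `<script>` is absent would actually fail against the pre-fix code. A one-line comment explaining that the alphabet deliberately starts with `<script>` so that the encoded output is itself an HTML tag would also help future readers understand why the input bytes and alphabet look the way they do.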
References
- github.com/advisories/GHSA-h4hv-92pp-pcjg (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-42615 (GHSA advisory)
- github.com/gchq/CyberChef/commit/9641ae07f92e9af50f10e978385465b2f4a36c4d (NVD, web)
- github.com/gchq/CyberChef/compare/v10.24.0...v11.0.0 (NVD, web)
- github.com/gchq/CyberChef/issues/2344 (NVD, web)
- github.com/gchq/CyberChef/pull/2346 (NVD, web)