Permalink
CVE-2026-57439
5.0 MEDIUM
- CVSS version (CVSS): 3.1
- Attack Vector (AV): Local (L)
- Attack Complexity (AC): Low (L)
- Privileges Required (PR): None (N)
- User Interaction (UI): Required (R)
- Scope (S): Changed (C)
- Confidentiality (C): Low (L)
- Integrity (I): Low (L)
- Availability (A): None (N)
- Modified Attack Vector (MAV): Local (L)
- Modified Attack Complexity (MAC): Low (L)
- Modified Privileges Required (MPR): None (N)
- Modified User Interaction (MUI): Required (R)
- Modified Confidentiality (MC): Low (L)
- Modified Scope (MS): Changed (C)
- Modified Integrity (MI): Low (L)
- Modified Availability (MA): None (N)
Activity log
- Created suggestion
CyberChef: Prototype pollution in Series Chart operation
CyberChef is a web app for encryption, encoding, compression, and data analysis. Prior to 11.2.0, the Series Chart operation accepts __proto__ as a key while parsing user-supplied CSV, allowing prototype pollution that can be chained with operations such as Parse UDP to inject malicious JavaScript into HTML output. This issue is fixed in version 11.2.0.
References
-
https://github.com/gchq/CyberChef/security/advisories/GHSA-fx6f-382r-j72c exploitx_refsource_CONFIRM
-
https://github.com/gchq/CyberChef/issues/2568 x_refsource_MISC
-
https://github.com/gchq/CyberChef/pull/2569 x_refsource_MISC
-
https://github.com/gchq/CyberChef/releases/tag/v11.2.0 x_refsource_MISC
Affected products
CyberChef
- ==< 11.2.0
Package maintainers
-
@sebastianblunt Sebastian Blunt <nix@sebastianblunt.com>
-
@aldenparker Alden Parker