What the vulnerability does
01Description
GCHQ CyberChef before 11.0.0 allows XSS via Show Base64 offsets, as demonstrated by the /#recipe=Show_Base64_offsets('%3Cscript substring.
CVSS base score
7.2/10
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Key dates
02Disclosure timeline
April 29, 2026
CVE published
April 29, 2026
Record updated
External resources
03References
Related vulnerabilities
04Related CVE
CVE-2026-40171 Jupyter Notebook and JupyterLab token theft via stored XSS in help command linker
CVE-2026-24752 Kiteworks Secure Data Forms Vulnerable to Cross-site Scripting
CVE-2021-24671 MX Time Zone Clocks < 3.4.1 - Contributor+ Cross-Site Scripting
CVE-2022-47171 WordPress IP Vault – WP Firewall Plugin <= 1.1 is vulnerable to Cross Site Scripting (XSS)
CVE-2024-3576 NPort 5100A Series Store XSS Vulnerability
