CyberChef is a web app for encryption, encoding, compression, and data analysis. Prior to 11.2.0, the Series Chart operation accepts __proto__ as a key while parsing user-supplied CSV, allowing prototype pollution that can be chained with operations such as Parse UDP to inject malicious JavaScript into HTML output. This issue is fixed in version 11.2.0.

Project Subscriptions

Vendors Products
Cyberchef Subscribe
Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Wed, 08 Jul 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Jul 2026 17:00:00 +0000

Type Values Removed Values Added
First Time appeared Gchq
Gchq cyberchef
Vendors & Products Gchq
Gchq cyberchef

Wed, 08 Jul 2026 15:45:00 +0000

Type Values Removed Values Added
Description CyberChef is a web app for encryption, encoding, compression, and data analysis. Prior to 11.2.0, the Series Chart operation accepts __proto__ as a key while parsing user-supplied CSV, allowing prototype pollution that can be chained with operations such as Parse UDP to inject malicious JavaScript into HTML output. This issue is fixed in version 11.2.0.
Title CyberChef: Prototype pollution in Series Chart operation
Weaknesses CWE-1321
CWE-79
References
Metrics cvssV3_1

{'score': 5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Projects

Sign in to view the affected projects.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-08T16:12:28.118Z

Reserved: 2026-06-24T13:21:20.729Z

Link: CVE-2026-57439

cve-icon Vulnrichment

Updated: 2026-07-08T16:12:25.219Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-08T16:45:03Z

Weaknesses