CVE-2026-42615 is a cross-site scripting (CWE-79) vulnerability in GCHQ CyberChef before version 11.0.0. The vulnerability occurs due to improper input neutralization in the Show Base64 offsets feature, allowing injection of malicious scripts via crafted input in the URL fragment. This can lead to execution of arbitrary scripts in the context of the user's browser session. The CVSS 3.1 base score is 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N), reflecting network attack vector, low attack complexity, no privileges or user interaction required, and a scope change with partial confidentiality and integrity impact. No patch or official remediation level has been published yet.

Successful exploitation allows an attacker to execute arbitrary JavaScript in the victim's browser context, potentially leading to partial confidentiality and integrity loss such as theft of sensitive information or manipulation of displayed data. There is no impact on availability. The vulnerability can be triggered remotely without authentication or user interaction.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, avoid using affected versions of CyberChef with untrusted input, especially the Show Base64 offsets feature. Implement additional input validation or sanitization on the client side if possible. Monitor official GCHQ CyberChef communications for updates.