PatchSiren cyber security CVE debrief
CVE-2026-57439 gchq CVE debrief
CVE-2026-57439 is a medium-severity vulnerability in CyberChef, a web app for encryption, encoding, compression, and data analysis. The Series Chart operation's acceptance of __proto__ as a key while parsing user-supplied CSV allows for prototype pollution. This issue can be chained with operations such as Parse UDP to inject malicious JavaScript into HTML output. The vulnerability is fixed in version 11.2.0. Users of CyberChef, especially those who utilize the Series Chart operation or Parse UDP operations, should be aware of this vulnerability and ensure they are using version 11.2.0 or later to prevent potential prototype pollution attacks.
- Vendor
- gchq
- Product
- CyberChef
- CVSS
- MEDIUM 5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-08
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-08
- Advisory updated
- 2026-07-10
Who should care
Users of CyberChef, especially those who utilize the Series Chart operation or Parse UDP operations, should be aware of this vulnerability and ensure they are using version 11.2.0 or later to prevent potential prototype pollution attacks. This includes operators, platform administrators, vulnerability management teams, and security teams who need to review and mitigate this vulnerability.
Technical summary
The Series Chart operation in CyberChef, prior to version 11.2.0, accepts __proto__ as a key while parsing user-supplied CSV. This allows for prototype pollution, which can be chained with operations such as Parse UDP to inject malicious JavaScript into HTML output. The vulnerability has a CVSS score of 5 and a severity of MEDIUM. Users of CyberChef should be aware of this vulnerability and ensure they are using version 11.2.0 or later to prevent potential prototype pollution attacks. The vulnerability is fixed in version 11.2.0.
Defensive priority
Medium priority should be given to updating CyberChef to version 11.2.0 or later, as the vulnerability can be exploited to inject malicious JavaScript into HTML output.
Recommended defensive actions
- Update CyberChef to version 11.2.0 or later
- Review and monitor Series Chart operation usage
- Implement compensating controls to detect potential prototype pollution attacks
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review the supplied official advisory or CVE record to validate affected scope, severity, and vendor guidance
- Plan vendor-supported updates or mitigations through normal change control where exposure is confirmed
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
Evidence notes
The CVE record was published on 2026-07-08T16:16:31.280Z and was last modified on 2026-07-10T17:56:00.910Z. The NVD entry is currently Deferred. The vulnerability affects CyberChef, a web app for encryption, encoding, compression, and data analysis. The Series Chart operation's acceptance of __proto__ as a key while parsing user-supplied CSV allows for prototype pollution. This issue can be chained with operations such as Parse UDP to inject malicious JavaScript into HTML output. The vulnerability has a CVSS score of 5 and a severity of MEDIUM. Users should verify their deployments and review official advisories for affected scope and vendor guidance.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T16:16:31.280Z and has not been modified since then. The NVD entry is currently Deferred.