JVNDB-2026-000060
|
DeepL Chrome browser extension vulnerable to cross-site scripting
|
The DeepL Chrome browser extension contains the following vulnerability.
- Cross-site scripting (CWE-79) - CVE-2026-40451
This vulnerability was reported by the researchers below and JPCERT/CC coordinated with the developer.
Junki Yuasa of Cybozu, Inc. reported this vulnerability to JPCERT/CC.
Keitaro Yamazaki of GMO Cybersecurity by Ierae reported this vulnerability to IPA under Information Security Early Warning Partnership.
|
CVSS v3 Severity
Base Metrics: 6.1 (Medium) [IPA Score]
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
|
CVSS v4 Severity
Base Metrics: 5.1 (Medium) [IPA Score]
- Access Vector (AV): Network
- Attack Complexity (AC): Low
- Attack Requirements (AT): None
- Privileges Required (PR): None
- User Interaction (UI): Active
Vulnerable System Impact
- Confidentiality Impact (VC): None
- Integrity Impact (VI): None
- Availability Impact (VA): None
Subsequent System Impact
- Confidentiality Impact (SC): Low
- Integrity Impact (SI): Low
- Availability Impact (SA): None
|
|
DeepL
- DeepL Chrome browser extension from v1.22.0 to v1.23.0
|
The DeepL web application is not affected by the vulnerability.
|
- An arbitrary script may be executed on a user's browser, and malicious HTML may be injected into web pages viewed by the user.
|
[Update the Software]
Update the software to the latest version according to the information provided by the developer.
|
DeepL
|
- Cross-site Scripting (CWE-79) [IPA Evaluation]
|
- CVE-2026-40451
|
- JVN : JVN#37524771
|
- [2026/04/22]
Web page was published
|