Platform
other
Component
tarkov-data-manager
Fixed in
2.0.1
CVE-2026-21855 describes a reflected Cross-Site Scripting (XSS) vulnerability affecting Tarkov Data Manager versions up to 2.0.0. This flaw allows attackers to inject and execute arbitrary JavaScript code within a victim's browser session. The vulnerability resides within the toast notification system and can be exploited by crafting a malicious URL. A fix was released on January 2, 2025, in version 2.0.1.
Successful exploitation of CVE-2026-21855 allows an attacker to execute arbitrary JavaScript code in the context of a victim's browser session. This can lead to a wide range of malicious activities, including session hijacking, credential theft, and redirection to phishing sites. An attacker could potentially steal sensitive data stored within the user's browser, such as login credentials or personal information. The impact is significant as it can compromise the entire user account and potentially lead to further attacks against the user's system or network.
CVE-2026-21855 was publicly disclosed on January 7, 2026. No public proof-of-concept (PoC) code had been identified at the time of writing. The severity is rated high because a crafted URL is enough to get arbitrary script executed in the victim's browser. It is not currently listed in the CISA KEV catalog, and there are no confirmed reports of active exploitation.
Users of Tarkov Data Manager, particularly those running versions prior to 2.0.1, are at risk. This includes anyone who relies on the tool to manage Tarkov item data and can be induced to open a malicious URL.
• windows / supply-chain: Monitor for suspicious PowerShell commands related to Tarkov Data Manager. Check Autoruns for unusual entries.
Get-Process -Name TarkovDataManager | Select-Object -ExpandProperty Path
• generic web: Examine access and error logs for requests containing suspicious URL parameters that might be attempting to inject JavaScript code.
grep -i 'script' /var/log/apache2/access.log
EPSS
0.06% (percentile 17%)
The primary mitigation for CVE-2026-21855 is to immediately upgrade Tarkov Data Manager to version 2.0.1 or later. If upgrading is not immediately feasible, consider implementing strict input validation and output encoding on all user-supplied data within the toast notification system. While a direct workaround is limited, carefully reviewing and sanitizing any URLs passed to the notification system can reduce the attack surface. After upgrading, confirm the fix by attempting to trigger the vulnerable toast notification with a crafted XSS payload; it should no longer execute.
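The reflected pattern and the output-encoding fix described above, as an added illustration that is not Tarkov Data Manager's own code: the parameter name `msg`, the sample URL and the markup inside it are constructed for the example.

```javascript
// Added example, not Tarkov Data Manager's code: a toast that reflects a
// URL parameter. The parameter name "msg" and the sample URL are assumptions.

// Encodes the characters that can break out of an HTML text node or
// attribute value, so the browser treats the message as text, not markup.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Reads the toast message from the query string. searchParams.get() decodes
// percent-encoding, so "%3Cb%3E" in the URL comes back as "<b>"; any check
// or encoding has to happen on the decoded value, not on the raw URL.
function messageFromUrl(url) {
  return new URL(url).searchParams.get("msg") ?? "";
}

// Vulnerable pattern: the decoded parameter is spliced into markup that the
// page would assign to innerHTML. Any tags in the parameter are rendered.
function buildToastUnsafe(url) {
  return `<div class="toast">${messageFromUrl(url)}</div>`;
}

// Hardened pattern: encode on output. The same input now renders literally.
function buildToastSafe(url) {
  return `<div class="toast">${escapeHtml(messageFromUrl(url))}</div>`;
}

// Constructed sample: harmless markup in the parameter, no real payload.
const sampleUrl = "https://example.invalid/?msg=%3Cb%3Ehi%3C%2Fb%3E";

console.log("unsafe:", buildToastUnsafe(sampleUrl)); // tags survive
console.log("safe:  ", buildToastSafe(sampleUrl));   // tags encoded
```

In a real page the hardened form is equivalent to assigning the decoded message to `textContent` instead of `innerHTML`; the string-building version is used here so it runs outside a browser.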
Upgrade to a version later than 2.0.0. The vulnerability was fixed in commits dated January 2, 2025. See the security advisory on GitHub for more details.
CVE-2026-21855 is a critical XSS vulnerability in Tarkov Data Manager versions up to 2.0.0, allowing attackers to execute JavaScript via malicious URLs.
Yes, if you are using Tarkov Data Manager version 2.0.0 or earlier, you are vulnerable to this XSS attack.
Upgrade to Tarkov Data Manager version 2.0.1 or later to resolve this vulnerability. Consider input validation as a temporary measure.
There are currently no confirmed reports of active exploitation, but the vulnerability's severity warrants immediate attention and patching.
Refer to the official Tarkov Data Manager release notes and documentation for details regarding this vulnerability and the fix.