{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-21855", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-05T16:44:16.366Z", "datePublished": "2026-01-07T18:16:02.728Z", "dateUpdated": "2026-01-07T18:37:42.582Z"}, "containers": {"cna": {"title": "Tarkov Data Manager has Unauthenticated Reflected XSS", "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "lang": "en", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/the-hideout/tarkov-data-manager/security/advisories/GHSA-9c23-rrg9-jc89", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/the-hideout/tarkov-data-manager/security/advisories/GHSA-9c23-rrg9-jc89"}], "affected": [{"vendor": "the-hideout", "product": "tarkov-data-manager", "versions": [{"version": "<= 2.0.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-07T18:16:02.728Z"}, "descriptions": [{"lang": "en", "value": "The Tarkov Data Manager is a tool to manage the Tarkov item data. Prior to 02 January 2025, a reflected Cross Site Scripting (XSS) vulnerability in the toast notification system allows any attacker to execute arbitrary JavaScript in the context of a victim's browser session by crafting a malicious URL. A series of fix commits on 02 January 2025 fixed this and other vulnerabilities."}], "source": {"advisory": "GHSA-9c23-rrg9-jc89", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-07T18:37:18.701602Z", "id": "CVE-2026-21855", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-07T18:37:42.582Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-21855", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-07T18:37:18.701602Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-07T18:37:31.903Z"}}], "cna": {"title": "Tarkov Data Manager has Unauthenticated Reflected XSS", "source": {"advisory": "GHSA-9c23-rrg9-jc89", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "the-hideout", "product": "tarkov-data-manager", "versions": [{"status": "affected", "version": "<= 2.0.0"}]}], "references": [{"url": "https://github.com/the-hideout/tarkov-data-manager/security/advisories/GHSA-9c23-rrg9-jc89", "name": "https://github.com/the-hideout/tarkov-data-manager/security/advisories/GHSA-9c23-rrg9-jc89", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "The Tarkov Data Manager is a tool to manage the Tarkov item data. Prior to 02 January 2025, a reflected Cross Site Scripting (XSS) vulnerability in the toast notification system allows any attacker to execute arbitrary JavaScript in the context of a victim's browser session by crafting a malicious URL. A series of fix commits on 02 January 2025 fixed this and other vulnerabilities."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-01-07T18:16:02.728Z"}}}, "cveMetadata": {"cveId": "CVE-2026-21855", "state": "PUBLISHED", "dateUpdated": "2026-01-07T18:37:42.582Z", "dateReserved": "2026-01-05T16:44:16.366Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-01-07T18:16:02.728Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:tarkov:tarkov_data_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "1BED0E5B-BD43-4202-930F-9931EC05570C", "versionEndExcluding": "2025-01-02", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Tarkov Data Manager is a tool to manage the Tarkov item data. Prior to 02 January 2025, a reflected Cross Site Scripting (XSS) vulnerability in the toast notification system allows any attacker to execute arbitrary JavaScript in the context of a victim's browser session by crafting a malicious URL. A series of fix commits on 02 January 2025 fixed this and other vulnerabilities."}], "id": "CVE-2026-21855", "lastModified": "2026-02-03T16:20:50.047", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.8, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-01-07T19:15:57.970", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/the-hideout/tarkov-data-manager/security/advisories/GHSA-9c23-rrg9-jc89"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-18T16:50:00.428882+00:00", "value": {"mitigation_remediation": ["Apply the latest release of Tarkov Data Manager (2 January 2025 or later) to remove the vulnerable toast\u2011notification code.", "If an update is not immediately possible, avoid opening links from untrusted sources and disable or remove the toast\u2011notification feature in the application's settings to eliminate the reflected XSS vector.", "Enforce a robust Content Security Policy that restricts inline scripts and disallows execution of data\u2011scheme URLs to provide a secondary mitigation against script execution within the application."], "summary": {"action": "Patch", "impact": "Cross\u2011Site Scripting (Reflected XSS)"}, "threat_synthesis": {"affected_systems": "The issue affects the Tarkov Data Manager application provided by the-hideout, as identified by its CPE, for all releases prior to the comprehensive fixes committed on 2 January 2025. All users running those earlier versions are potentially exploitable.", "description_and_impact": "A reflected Cross\u2011Site Scripting flaw in the toast\u2011notification component of Tarkov Data Manager allows any attacker to embed malicious JavaScript that runs in the victim\u2019s browser context when a crafted URL is opened. The vulnerability is a classic input\u2011validation weakness (CWE\u201179) and satisfies the unauthenticated criterion, meaning the attacker does not need to authenticate or control the victim\u2019s system. With this capability an attacker could steal session cookies, hijack accounts, or perform further phishing attacks against users without requiring direct access to the device.", "risk_and_exploitability": "The CVSS score of 9.3 signals a high severity that grants attackers full control over the victim\u2019s browser session. However, the EPSS score of less than 1% indicates that, as of now, exploitation is rare. The vulnerability is not present in the CISA KEV catalog, suggesting no confirmed exploitation reports. An attacker can launch an attack by simply embedding the malicious URL, for example in an email or webpage, and inviting a user to click it. When a user opens the link, the malicious script executes with the same privileges as the user\u2019s browser context, enabling the attacker to compromise any data or credentials accessible to the victim\u2019s session."}}}}, "created": "2026-04-18T17:00:05.565492+00:00", "updated": "2026-04-18T17:00:05.565503+00:00", "vendors": []}