CyberChef has a Cross-site Scripting issue
GCHQ CyberChef before 11.0.0 allows XSS via Show Base64 offsets, as demonstrated by the /#recipe=Show_Base64_offsets('%3Cscript substring.
Advisories for Npm/Cyberchef package
2026
2019
Cross-site Scripting
CyberChef before allows XSS in core/operations/TextEncodingBruteForce.mjs.