A cross-site scripting (XSS) vulnerability has been officially disclosed in the DeepL Chrome browser extension, tracked as CVE-2026-40451 (JVN#37524771), affecting all users running versions v1.22.0 through v1.23.0.
The flaw allows remote attackers to inject and execute arbitrary JavaScript within a victim’s browser, potentially enabling malicious HTML injection across every web page a user visits. The complete fix is available only in version v1.24.0, and all users are urged to install it immediately.
DeepL Chrome Extension XSS Flaw
DeepL is one of the world’s most widely used AI-powered translation platforms, with its Chrome browser extension boasting millions of active installs globally.
The extension enables users to seamlessly translate web page content, selected text, and input fields directly within the browser, making it a staple productivity tool for multilingual professionals, students, and developers.
Its deep integration with the browser’s DOM, however, means that any security flaw at the extension layer carries significant consequences for end-user safety.
The root cause lies in the extension’s failure to properly sanitize user-controlled input such as search queries or translated page content before rendering it into the browser’s Document Object Model (DOM).
This unsanitized data pathway allows an attacker to craft malicious input that is treated as an executable script rather than inert text, triggering unintended JavaScript execution in the user’s browser session.
The vulnerability was introduced with version v1.22.0 and persisted through incomplete patch attempts in v1.22.1, v1.22.2, and v1.23.0, meaning users who believed they were already protected after earlier updates remain exposed. Only v1.24.0 delivers a complete remediation.
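The unsafe DOM-rendering pattern described above, beside a hardened version, as an added illustration in JavaScript; this is not DeepL's code, and the function names, markup layout and hostile sample text are constructed for the example.

```javascript
// Added example (not DeepL's code): the unsafe rendering pattern behind a
// CWE-79 bug in a translation extension, beside a hardened version.
// Function names, markup layout and the hostile sample text are constructed.

// Escape the characters that change meaning in HTML text and quoted
// attribute contexts. '&' is handled first so it is not double-escaped.
function escapeHtml(untrusted) {
  return String(untrusted)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// UNSAFE: text scraped from the page and the service's translation of it
// are concatenated straight into markup. Anything that looks like a tag or
// an attribute delimiter is parsed as HTML once this string hits innerHTML.
function buildPopupMarkupUnsafe(sourceText, translatedText) {
  return `<div class="popup" title="${sourceText}">${translatedText}</div>`;
}

// SAFE: each untrusted value is escaped for the context it lands in. The
// title attribute needs quote escaping as much as the text body needs '<'.
// Inside a real extension, assigning element.textContent = translatedText
// avoids string-built markup entirely and is the preferred fix.
function buildPopupMarkupSafe(sourceText, translatedText) {
  return `<div class="popup" title="${escapeHtml(sourceText)}">${escapeHtml(translatedText)}</div>`;
}

// Review-time invariant: an escaped fragment must carry no raw delimiters.
function isInert(fragment) {
  return !/[<>"']/.test(fragment);
}

// Constructed sample: a page whose own text contains markup, the case the
// sanitizer has to survive.
const hostileText = 'Bonjour <script>alert(1)</script>';

console.log(buildPopupMarkupUnsafe('Hello', hostileText));
// -> the <script> tag survives intact and would execute after insertion
console.log(buildPopupMarkupSafe('Hello', hostileText));
// -> the tag becomes &lt;script&gt;...&lt;/script&gt; and renders as text
```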
| Metric | CVSS v4.0 | CVSS v3.0 |
|---|---|---|
| Base Score | 5.1 (Medium) | 6.1 (Medium) |
| Attack Vector | Network | Network |
| Attack Complexity | Low | Low |
| Privileges Required | None | None |
| User Interaction | Active | Required |
| Scope / Subsequent Impact | Confidentiality: Low, Integrity: Low | Changed (Confidentiality: Low, Integrity: Low) |
The CVSS v4.0 score of 5.1 indicates moderate severity. While the direct impact on the vulnerable system's confidentiality, integrity, and availability is rated None, the subsequent system impact is rated Low for both Confidentiality and Integrity, reflecting a real risk to downstream browsing sessions and the page contexts the extension interacts with.
How Exploitation Works
Under the CVSS metrics, the attack requires no privileges or authentication. It only requires active user interaction, meaning a victim simply needs to browse a web page while the vulnerable extension is active.
An attacker can craft a malicious web page or translation payload that, when processed by the extension, causes unsanitized input to be injected directly into the DOM. Once executed, the injected JavaScript can:
- Steal session cookies or authentication tokens from the active browser session
- Inject malicious HTML into trusted pages that the user is currently viewing
- Redirect users to phishing sites or serve drive-by malware downloads
- Perform unauthorized actions on behalf of the user within authenticated web applications
Because the extension operates across all tabs and domains, the blast radius of a successful exploit extends beyond a single web page; any site loaded while the vulnerable extension is active could theoretically be manipulated.
Affected Versions and Patch Timeline
Published on April 22, 2026, on DeepL.com GitHub, the vulnerability is classified under CWE-79: Improper Neutralization of Input During Web Page Generation, the formal category for cross-site scripting flaws.
The vulnerability was silently introduced in v1.22.0 and saw two failed partial fixes before a complete resolution was delivered:
- v1.22.0 – Vulnerability introduced
- v1.22.1, v1.22.2 – Incomplete fixes released; vulnerability persists
- v1.23.0 – Incomplete fix; still vulnerable
- v1.24.0 – Complete fix; all users must upgrade to this version
Notably, the DeepL web application itself is not affected; the vulnerability is isolated entirely to the Chrome browser extension.
Remediation
The fix is straightforward: update the DeepL Chrome extension to v1.24.0 or later. Users can do this by:
- Opening Chrome and navigating to chrome://extensions/
- Enabling Developer Mode (top-right toggle)
- Clicking “Update” to force-refresh all extensions
- Verifying the DeepL extension version reads v1.24.0 or above
Enterprise administrators managing Chrome deployments via policy should push the updated extension version through their management consoles without delay.
Users who have auto-updates enabled may already be on v1.24.0, but manual verification is strongly recommended given the failed intermediate patches.
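For administrators checking a fleet against the version timeline above, an added triage helper in JavaScript (not DeepL's tooling): the inventory records are constructed, the version boundaries are the page's, and versions between v1.23.0 and v1.24.0 that the page does not name are assumed to still need the upgrade, since the advice is v1.24.0 or later.

```javascript
// Added example (not DeepL's tooling): classify installed DeepL extension
// versions against this page's timeline. Inventory records are constructed;
// boundaries (v1.22.0 introduced, v1.22.1/v1.22.2/v1.23.0 incomplete fixes,
// v1.24.0 complete fix) are the page's. Unnamed versions below v1.24.0 are
// assumed to still need the upgrade.

function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// Comparator over major.minor.patch: negative, zero or positive.
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

const INCOMPLETE_FIXES = ['1.22.1', '1.22.2', '1.23.0'];

function classifyVersion(v) {
  if (compareVersions(v, '1.24.0') >= 0) return 'patched';
  if (compareVersions(v, '1.22.0') < 0) return 'not-affected';
  if (INCOMPLETE_FIXES.some((f) => compareVersions(v, f) === 0)) return 'incomplete-fix';
  return 'vulnerable';
}

// Constructed fleet inventory, as exported from a browser-management console.
const inventory = [
  { host: 'ws-01', version: 'v1.21.3' },
  { host: 'ws-02', version: 'v1.22.0' },
  { host: 'ws-03', version: 'v1.22.2' },
  { host: 'ws-04', version: 'v1.23.0' },
  { host: 'ws-05', version: 'v1.24.0' },
];

// Hosts whose extension is anywhere in the affected range, including the
// "already updated" machines sitting on an incomplete fix.
function hostsNeedingUpgrade(records) {
  return records
    .filter((r) => ['vulnerable', 'incomplete-fix'].includes(classifyVersion(r.version)))
    .map((r) => `${r.host} (${r.version}: ${classifyVersion(r.version)})`);
}

console.log(hostsNeedingUpgrade(inventory).join('\n'));
```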
FAQ
Q1: Which versions of the DeepL Chrome extension are vulnerable to CVE-2026-40451?
All versions from v1.22.0 through v1.23.0 are affected, including the incomplete fixes in v1.22.1 and v1.22.2; only v1.24.0 fully resolves the issue.
Q2: Is the DeepL web application or desktop app affected by this XSS vulnerability?
No, the DeepL web application is explicitly confirmed as unaffected; only the Chrome browser extension is vulnerable.
Q3: Can this XSS vulnerability be exploited without any special attacker privileges or user account access?
Yes, the attack requires no privileges or authentication and only requires basic user interaction (browsing a crafted page) to trigger malicious script execution.
Q4: Who reported the DeepL Chrome extension XSS flaw, and how was it disclosed?
Junki Yuasa of Cybozu, Inc. reported it to JPCERT/CC, and Keitaro Yamazaki of GMO Cybersecurity by Ierae reported it to IPA, with both organizations coordinating a responsible disclosure with DeepL.
Site: https://thecybrdef.com