CVE-2026-21855

The Tarkov Data Manager is a tool to manage the Tarkov item data. Prior to 02 January 2025, a reflected Cross Site Scripting (XSS) vulnerability in the toast notification system allows any attacker to execute arbitrary JavaScript in the context of a victim's browser session by crafting a malicious URL. A series of fix commits on 02 January 2025 fixed this and other vulnerabilities.

CVSS v3 9.3 CRITICAL

9.3^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 2.8 / Impact : 5.8

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/the-hideout/tarkov-data-manager/security/advisories/GHSA-9c23-rrg9-jc89	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:tarkov:tarkov_data_manager:*:*:*:*:*:*:*:*

History

17 Jun 2026, 10:19

Type	Values Removed	Values Added
Summary		(es) El Tarkov Data Manager es una herramienta para gestionar los datos de ítems de Tarkov. Antes del 02 de enero de 2025, una vulnerabilidad de Cross Site Scripting (XSS) reflejado en el sistema de notificaciones 'toast' permite a cualquier atacante ejecutar JavaScript arbitrario en el contexto de la sesión del navegador de una víctima al crear una URL maliciosa. Una serie de 'commits' de corrección el 02 de enero de 2025 corrigió esta y otras vulnerabilidades.

03 Feb 2026, 16:20

Type	Values Removed	Values Added
References	~~() https://github.com/the-hideout/tarkov-data-manager/security/advisories/GHSA-9c23-rrg9-jc89 -~~	() https://github.com/the-hideout/tarkov-data-manager/security/advisories/GHSA-9c23-rrg9-jc89 - Exploit, Vendor Advisory
First Time		Tarkov Tarkov tarkov Data Manager
CPE		cpe:2.3:a:tarkov:tarkov_data_manager::::::::

07 Jan 2026, 19:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-01-07 19:15

Updated : 2026-06-17 10:19

NVD link : CVE-2026-21855

Mitre link : CVE-2026-21855

CVE.ORG link : CVE-2026-21855

JSON object : View

Products Affected

tarkov

tarkov_data_manager

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2026-21855", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-21855", "role": "CISA Coordinator", "options": [{"exploitation": "poc"}, {"automatable": "no"}, {"technicalImpact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-07T18:37:18.701602Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.8, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}]}, "affected": [{"source": "security-advisories@github.com", "affectedData": [{"vendor": "the-hideout", "product": "tarkov-data-manager", "versions": [{"status": "affected", "version": "<= 2.0.0"}]}]}], "published": "2026-01-07T19:15:57.970", "references": [{"url": "https://github.com/the-hideout/tarkov-data-manager/security/advisories/GHSA-9c23-rrg9-jc89", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "The Tarkov Data Manager is a tool to manage the Tarkov item data. Prior to 02 January 2025, a reflected Cross Site Scripting (XSS) vulnerability in the toast notification system allows any attacker to execute arbitrary JavaScript in the context of a victim's browser session by crafting a malicious URL. A series of fix commits on 02 January 2025 fixed this and other vulnerabilities."}, {"lang": "es", "value": "El Tarkov Data Manager es una herramienta para gestionar los datos de \u00edtems de Tarkov. Antes del 02 de enero de 2025, una vulnerabilidad de Cross Site Scripting (XSS) reflejado en el sistema de notificaciones 'toast' permite a cualquier atacante ejecutar JavaScript arbitrario en el contexto de la sesi\u00f3n del navegador de una v\u00edctima al crear una URL maliciosa. Una serie de 'commits' de correcci\u00f3n el 02 de enero de 2025 corrigi\u00f3 esta y otras vulnerabilidades."}], "lastModified": "2026-06-17T10:19:02.170", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:tarkov:tarkov_data_manager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1BED0E5B-BD43-4202-930F-9931EC05570C", "versionEndExcluding": "2025-01-02"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}