DeepL Chrome Extension Patched After Cross-Site Scripting Vulnerability Found
AI-generated from multiple sources. Verify before acting on this reporting.
FRANKFURT (AP) — DeepL, the German machine translation service, has patched a security vulnerability in its Chrome browser extension that could have allowed attackers to execute malicious scripts on users' machines.
The flaw, designated CVE-2026-40451, affects versions 1.22.0 through 1.23.0 of the extension. It is classified as a cross-site scripting vulnerability, catalogued under the weakness category CWE-79 (improper neutralization of input during web page generation). The vulnerability was identified and reported by security researchers Junki Yuasa of Cybozu, Inc. and Keitaro Yamazaki of GMO Cybersecurity by Ierae.
Cross-site scripting vulnerabilities occur when an application includes untrusted data in a web page without proper validation or output encoding. In this instance, the flaw could have permitted an attacker to inject client-side scripts into web pages viewed by other users. If exploited, such scripts could potentially steal session cookies, redirect users to malicious websites, or deface the application interface.
The vulnerability was disclosed on April 22, 2026. DeepL has since released an updated version of the extension that resolves the issue. Users are advised to update their installations immediately to ensure protection against potential exploitation.
The Japanese Computer Emergency Response Team Coordination Center (JPCERT/CC) and the Information-technology Promotion Agency (IPA) of Japan were involved in the coordination of the disclosure. The researchers followed responsible disclosure practices, notifying the vendor before making the vulnerability public to allow time for a fix.
DeepL's extension is widely used globally by professionals and students who require real-time translation services while browsing the web. The company, based in Frankfurt, Germany, provides translation services in over 30 languages. The widespread adoption of the tool means the vulnerability potentially exposed a large user base to risk prior to the patch.
Security experts note that while the vulnerability has been patched, users who had not updated their extensions prior to the disclosure date may have been vulnerable during the window between discovery and the release of the fix. There is currently no evidence that the vulnerability was exploited in the wild before the patch was released.
The incident highlights the ongoing challenges in maintaining the security of browser extensions, which often have significant permissions to read and modify web content. As the ecosystem of browser add-ons grows, the potential attack surface for malicious actors expands accordingly.
DeepL has not commented on whether any users were affected by the vulnerability prior to the patch. The company has stated that it is working with security researchers to ensure similar issues are addressed proactively in the future. The updated extension is now available through the Chrome Web Store.