Skip to main content

Cveclient Cveinterface Js CVE-2026-35466

| EUVDEUVD-2026-18552 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-04-02 certcc GHSA-c5mh-66wj-fpf7
6.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
1.0.24
EUVD ID Assigned
Apr 02, 2026 - 21:01 euvd
EUVD-2026-18552
Analysis Generated
Apr 02, 2026 - 21:01 vuln.today
CVE Published
Apr 02, 2026 - 20:20 nvd
MEDIUM 6.1

DescriptionCVE.org

XSS vulnerability in cveInterface.js allows for inject HTML to be passed to display, as cveInterface trusts input from CVE API services

AnalysisAI

Cross-site scripting (XSS) vulnerability in CERT/CC cveClient cveInterface.js prior to version 1.0.24 allows injection of arbitrary HTML through untrusted CVE API service input. The vulnerability stems from insufficient input validation, enabling attackers to inject malicious scripts that execute in the context of users viewing CVE data. No CVSS score or exploitation data is available, limiting quantitative risk assessment; however, the attack vector is network-based and requires no authentication.

Technical ContextAI

The vulnerability is a classic Stored or Reflected Cross-Site Scripting (CWE-79) flaw in the cveInterface.js component of the CERT/CC cveClient application. The root cause is improper neutralization of input during web page generation-specifically, the cveInterface component receives data from external CVE API services and renders it directly into the HTML display without sanitization or encoding. This trust boundary violation allows malicious HTML and JavaScript payloads embedded in CVE data responses to be executed client-side. The affected product is cveClient version 0 through 1.0.23 (CPE: cpe:2.3:a:cert/cc:cveclient/cveinterface.js:*:*:*:*:*:*:*:*).

RemediationAI

Vendor-released patch: upgrade cveClient cveInterface.js to version 1.0.24 or later. The upstream fix is documented in GitHub PR #37 (https://github.com/CERTCC/cveClient/pull/37). Users should update via the official CERT/CC cveClient repository (https://github.com/CERTCC/cveClient). No interim workarounds are documented; patching is the primary mitigation. Organizations unable to immediately patch should implement Content Security Policy (CSP) headers and input validation at the application level to restrict execution of injected scripts, though source code remediation is strongly recommended.

Share

CVE-2026-35466 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy