Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
XSS vulnerability in cveInterface.js allows for inject HTML to be passed to display, as cveInterface trusts input from CVE API services
AnalysisAI
Cross-site scripting (XSS) vulnerability in CERT/CC cveClient cveInterface.js prior to version 1.0.24 allows injection of arbitrary HTML through untrusted CVE API service input. The vulnerability stems from insufficient input validation, enabling attackers to inject malicious scripts that execute in the context of users viewing CVE data. No CVSS score or exploitation data is available, limiting quantitative risk assessment; however, the attack vector is network-based and requires no authentication.
Technical ContextAI
The vulnerability is a classic Stored or Reflected Cross-Site Scripting (CWE-79) flaw in the cveInterface.js component of the CERT/CC cveClient application. The root cause is improper neutralization of input during web page generation-specifically, the cveInterface component receives data from external CVE API services and renders it directly into the HTML display without sanitization or encoding. This trust boundary violation allows malicious HTML and JavaScript payloads embedded in CVE data responses to be executed client-side. The affected product is cveClient version 0 through 1.0.23 (CPE: cpe:2.3:a:cert/cc:cveclient/cveinterface.js:*:*:*:*:*:*:*:*).
RemediationAI
Vendor-released patch: upgrade cveClient cveInterface.js to version 1.0.24 or later. The upstream fix is documented in GitHub PR #37 (https://github.com/CERTCC/cveClient/pull/37). Users should update via the official CERT/CC cveClient repository (https://github.com/CERTCC/cveClient). No interim workarounds are documented; patching is the primary mitigation. Organizations unable to immediately patch should implement Content Security Policy (CSP) headers and input validation at the application level to restrict execution of injected scripts, though source code remediation is strongly recommended.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18552
GHSA-c5mh-66wj-fpf7