VYPR
Medium severity · 6.1 · NVD Advisory · Published Apr 2, 2026 · Updated Apr 3, 2026

CVE-2026-35466


Description

XSS vulnerability in cveInterface.js allows injected HTML to be passed to the display, as cveInterface trusts input from CVE API services

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2026-35466 is a stored XSS in cveClient's cveInterface.js that trusts unsanitized HTML from CVE API services, enabling injection of arbitrary scripts.

Vulnerability

Overview

CVE-2026-35466 is a cross-site scripting (XSS) vulnerability in the cveInterface.js component of the CERTCC cveClient, a browser-based CVE management tool for CVE Numbering Authorities (CNAs) and Roots [2]. The root cause is that the client trusts HTML received from CVE API services and passes it directly to the display layer without sanitization or escaping, so an attacker who controls that content can inject arbitrary HTML or JavaScript [1].

Attack

Vector and Prerequisites

An attacker can exploit this vulnerability by crafting a malicious CVE record or API response containing embedded HTML/script payloads. When a victim user (e.g., a CNA analyst) views the affected record through the cveClient interface, the injected script executes in the context of the user's browser session. No authentication is required beyond normal API access, and the attack can be delivered remotely via the CVE Services API [1][2].

Impact

Successful exploitation allows the attacker to execute arbitrary JavaScript in the victim's browser, potentially leading to data exfiltration, session hijacking, or unauthorized actions performed on behalf of the authenticated user. Since the client stores API keys encrypted locally using RSA-OAEP 4096-bit encryption, the XSS could be used to steal these credentials or perform actions within the CVE management workflow [2].

Mitigation

Status

The vulnerability has been addressed in a pull request that updates the client to properly sanitize or escape HTML before rendering [1]. Users are advised to update to the latest version of cveClient. As a workaround, avoid using the client with untrusted CVE API endpoints until the patch is applied.
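The bug class the Overview paragraph describes (API text concatenated straight into markup) and the escape-before-render fix this Status paragraph refers to, as an added example that is not code from cveClient or the CERTCC project. The record shape, the field names, the template, and the functions `renderUnsafe`, `renderSafe`, `escapeHtml` and `containsForeignTags` are all assumptions constructed here for illustration; the CVE id in the sample record is a placeholder.

```javascript
// Added example, not cveClient's own code. It shows the vulnerable pattern
// behind an XSS like CVE-2026-35466 (untrusted API text placed into markup),
// the hardened pattern (escape every untrusted field first), and a check that
// a test suite can run over rendered output. All data below is constructed.

// Constructed sample of a CVE API response whose text field carries markup.
const SAMPLE_RECORD = {
  cveId: "CVE-0000-00000", // placeholder id, not a real CVE
  description: "Buffer overflow in foo <script>/* constructed payload */</script> allows ...",
};

// Vulnerable pattern (assumed): fields are interpolated into an HTML string
// that is later assigned to innerHTML, so any tag in the field becomes live.
function renderUnsafe(record) {
  return `<h2>${record.cveId}</h2><p>${record.description}</p>`;
}

// Escape the five characters that can change the meaning of HTML text or
// attribute values. After escaping, the field can only be displayed as text.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened pattern: every untrusted field is escaped before it enters markup.
function renderSafe(record) {
  return `<h2>${escapeHtml(record.cveId)}</h2><p>${escapeHtml(record.description)}</p>`;
}

// Defensive check for tests or a CI gate: does the rendered markup contain any
// tag other than the ones the template itself emits? A tag from a data field
// means untrusted content reached the HTML parser unescaped.
const TEMPLATE_TAGS = ["h2", "/h2", "p", "/p"];
function containsForeignTags(html) {
  const tags = [...html.matchAll(/<\s*(\/?[a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
  return tags.some((tag) => !TEMPLATE_TAGS.includes(tag));
}

// Browser-only helper: when a DOM is available, textContent is the simplest
// safe sink because it never parses markup. Wrapped in a function so this
// module also loads under Node, which has no DOM.
function setTextSafely(element, value) {
  element.textContent = String(value);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe render leaks tags:", containsForeignTags(renderUnsafe(SAMPLE_RECORD))); // true
  console.log("safe render leaks tags:  ", containsForeignTags(renderSafe(SAMPLE_RECORD)));   // false
}

module.exports = { SAMPLE_RECORD, renderUnsafe, renderSafe, escapeHtml, containsForeignTags, setTextSafely };
```

Run it with `node` to see the two outcomes side by side. Escaping is the right fix when a field should only ever be shown as text; if the client genuinely needs to keep some rich HTML from the API, the alternative is an allow-list sanitizer applied before the innerHTML sink, not string escaping alone.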

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0. No patches discovered yet.

Vulnerability mechanics: AI mechanics synthesis has not run for this CVE yet.

References: 1

News mentions: 0. No linked articles in our index yet.