{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35466", "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "state": "PUBLISHED", "assignerShortName": "certcc", "dateReserved": "2026-04-02T20:09:50.057Z", "datePublished": "2026-04-02T20:20:35.304Z", "dateUpdated": "2026-04-03T13:55:40.446Z"}, "containers": {"cna": {"title": "Stored XSS via unsanitized input from remote service", "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "descriptions": [{"lang": "en", "value": "XSS vulnerability in cveInterface.js allows for inject HTML to be passed to display, as cveInterface trusts input from CVE API services"}], "affected": [{"vendor": "CERT/CC", "product": "cveClient/cveInterface.js", "defaultStatus": "unaffected", "versions": [{"version": "0", "status": "affected", "lessThan": "1.0.24", "versionType": "semver"}]}], "references": [{"url": "https://github.com/CERTCC/cveClient/pull/37", "name": "Patch PR"}, {"url": "https://github.com/CERTCC/cveClient", "name": "GitHub Repository"}], "credits": [{"lang": "en", "value": "Jerry Gamblin (https://github.com/jgamblin)", "type": "finder"}], "x_generator": {"engine": "cveClient/1.0.15"}, "providerMetadata": {"orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc", "dateUpdated": "2026-04-02T20:30:00.719Z"}}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T13:54:50.933767Z", "id": "CVE-2026-35466", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T13:55:40.446Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-35466", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-03T13:54:50.933767Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T13:53:25.522Z"}}], "cna": {"title": "Stored XSS via unsanitized input from remote service", "credits": [{"lang": "en", "type": "finder", "value": "Jerry Gamblin (https://github.com/jgamblin)"}], "affected": [{"vendor": "CERT/CC", "product": "cveClient/cveInterface.js", "versions": [{"status": "affected", "version": "0", "lessThan": "1.0.24", "versionType": "semver"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/CERTCC/cveClient/pull/37", "name": "Patch PR"}, {"url": "https://github.com/CERTCC/cveClient", "name": "GitHub Repository"}], "x_generator": {"engine": "cveClient/1.0.15"}, "descriptions": [{"lang": "en", "value": "XSS vulnerability in cveInterface.js allows for inject HTML to be passed to display, as cveInterface trusts input from CVE API services"}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "37e5125f-f79b-445b-8fad-9564f167944b", "shortName": "certcc", "dateUpdated": "2026-04-02T20:30:00.719Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35466", "state": "PUBLISHED", "dateUpdated": "2026-04-03T13:55:40.446Z", "dateReserved": "2026-04-02T20:09:50.057Z", "assignerOrgId": "37e5125f-f79b-445b-8fad-9564f167944b", "datePublished": "2026-04-02T20:20:35.304Z", "assignerShortName": "certcc"}, "dataVersion": "5.2"}

{"affected": [{"affectedData": [{"defaultStatus": "unaffected", "product": "cveClient/cveInterface.js", "vendor": "CERT/CC", "versions": [{"lessThan": "1.0.24", "status": "affected", "version": "0", "versionType": "semver"}]}], "source": "cret@cert.org"}], "configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cmu:cveclient:*:*:*:*:*:*:*:*", "matchCriteriaId": "AD2EB9C3-2F62-4A8E-BCE4-2DFF17EA50C1", "versionEndExcluding": "1.0.24", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "XSS vulnerability in cveInterface.js allows for inject HTML to be passed to display, as cveInterface trusts input from CVE API services"}], "id": "CVE-2026-35466", "lastModified": "2026-06-17T10:40:38.817", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}], "ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-35466", "options": [{"exploitation": "none"}, {"automatable": "no"}, {"technicalImpact": "partial"}], "role": "CISA Coordinator", "timestamp": "2026-04-03T13:54:50.933767Z", "version": "2.0.3"}}]}, "published": "2026-04-02T21:16:40.687", "references": [{"source": "cret@cert.org", "tags": ["Product"], "url": "https://github.com/CERTCC/cveClient"}, {"source": "cret@cert.org", "tags": ["Issue Tracking", "Patch"], "url": "https://github.com/CERTCC/cveClient/pull/37"}], "sourceIdentifier": "cret@cert.org", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "cret@cert.org", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.0.24)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "cveClient/cveInterface.js", "source": "cna", "vendor": "CERT/CC"}, "product": "cveclient/cveinterface.js", "vendor": "cert/cc"}], "analysis": {"en": {"generated_at": "2026-04-03T17:22:17.696312+00:00", "value": {"mitigation_remediation": ["Upgrade cveClient to the latest release that sanitizes input from CVE API services.", "If an upgrade is not yet available, modify cveInterface.js to escape or whitelist HTML before rendering.", "Restrict the source of CVE data or validate incoming payloads to ensure they contain only safe content.", "Regularly monitor the project\u2019s repository for patches and security advisories."], "summary": {"action": "Apply patch", "impact": "Client-side script execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects CERT/CC\u2019s cveClient, specifically the cveInterface.js component that processes CVE data from external APIs. No specific product or version numbers are listed, so any instance of this client that imports or executes the affected script may be impacted. It is advisable to review the source or deployment configuration to identify whether this code is in use.", "description_and_impact": "A stored XSS flaw in the script cveInterface.js allows injection of arbitrary HTML or JavaScript supplied by remote CVE API services. Because the interface trusts external data, an attacker can embed malicious code that will run in the context of users viewing CVE entries, potentially leading to malware execution, credential theft, or session hijacking. The flaw corresponds to CWE\u201179, which describes insufficient input sanitization before rendering.", "risk_and_exploitability": "The CVSS base score is 6.1, indicating moderate severity, while the EPSS score is below 1\u202f%, suggesting low probability of exploitation in the wild. The vulnerability is not currently documented in the CISA KEV catalog. Exploitation requires an attacker to supply malicious input through a CVE API service; the client then renders this data without filtering, allowing the attacker to deliver cross\u2011site scripting payloads to other users. Given the medium score and low exploitation likelihood, organizations should still treat it as a notable risk, especially if the client is exposed to external data sources."}}}}, "created": "2026-04-03T07:31:20.500452+00:00", "updated": "2026-04-03T21:17:12.243206+00:00", "vendors": ["cert/cc", "cert/cc$PRODUCT$cveclient/cveinterface.js"]}