CVE-2026-35467

Published: Apr 2, 2026Modified: Jun 3, 2026

7.5

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Exploitability: 3.9 / Impact: 3.6

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

The stored API keys in temporary browser client is not marked as protected allowing for JavScript console or other errors to allow for extraction of the encryption credentials.

Affected (1)

Products: Cmu: Cveclient

Cmu

1 product

Cveclient

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Cmu Cveclient	Before 1.0.24

Related CWEs

CWE-522

Insufficiently Protected Credentials

The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.

References (2)

https://github.com/CERTCC/cveClient/

Source: cret@cert.org

Product

https://github.com/CERTCC/cveClient/pull/39

Source: cret@cert.org

Issue TrackingPatch

Timeline

No history available yet.