CVE-2026-35467
7.5 HIGH
The stored API keys in the temporary browser client are not marked as protected, allowing for JavaScript console or other errors to allow for ex...
Published: 2026-04-02 · Last updated: 2026-06-03
Severity and scoring
- CVSS: 7.5 HIGH
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- CWE: CWE-522
Affected products
| Vendor | Product |
|---|---|
| cmu | cveclient |
Description
The stored API keys in the temporary browser client are not marked as protected, allowing for JavaScript console or other errors to allow for extraction of the encryption credentials.
Source: NVD
References
Related CVEs
Same vendor
- CVE-2026-35466 — XSS vulnerability in cveInterface.js allows for injected HTML to be passed to display, as cveInterface trusts input from CVE API services (6.1 MEDIUM)
- CVE-2026-22190 — The egg-mkfont utility in Panda3D versions up to and including 1.10.16 contains an uncontrolled format string vulnerability (7.5 HIGH)
- CVE-2026-22189 — The egg-mkfont utility in Panda3D versions up to and including 1.10.16 contains a stack-based buffer overflow vulnerability due to use of... (9.8 CRITICAL)
- CVE-2026-22188 — The deploy-stub component in Panda3D versions up to and including 1.10.16 contains a denial of service vulnerability due to unbounded sta... (5.5 MEDIUM)
Same CWE
- CVE-2026-49949 — CodexBar before 0.33.0 contains a credential forwarding vulnerability that allows network-adjacent attackers to intercept sensitive crede... (5.3 MEDIUM)
- CVE-2026-41715 — In specific scenarios involving HTTP redirects from a secure to an insecure endpoint, the Reactor Netty HTTP client may leak credentials (6.1 MEDIUM)
- CVE-2026-39908 — OpenBullet2 through version 0.3.2 on Windows contains a credential disclosure vulnerability that allows remote attackers to capture the N... (6.5 MEDIUM)
- CVE-2026-46440 — Flowise is a drag & drop user interface to build a customized large language model flow (9.1 CRITICAL)
- CVE-2026-46511 — HAX CMS helps manage microsite universe with PHP or NodeJs backends