Vulnerability Details CVE-2026-35467
The stored API keys in temporary browser client is not marked as protected allowing for JavScript console or other errors to allow for extraction of the encryption credentials.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 13.8%
CVSS Severity
CVSS v3 Score 7.5
Products affected by CVE-2026-35467
-
cpe:2.3:a:cmu:cveclient:1.0.17
-
cpe:2.3:a:cmu:cveclient:1.0.18
-
cpe:2.3:a:cmu:cveclient:1.0.19
-
cpe:2.3:a:cmu:cveclient:1.0.20
-
cpe:2.3:a:cmu:cveclient:1.0.21
-
cpe:2.3:a:cmu:cveclient:1.0.22
-
cpe:2.3:a:cmu:cveclient:1.0.23