CVE Alert

CVE-2026-35467

HIGH 7.5

Private Key stored as extractable in browser IndexedDB

CVSS Score
7.5
EPSS Score
0.0%
EPSS Percentile
1st

The API keys stored in the temporary browser client are not marked as protected, so the JavaScript console or other errors can allow extraction of the encryption credentials.

CWE CWE-522
Vendor cert/cc
Product cveclient/encrypt-storage.js
Published Apr 2, 2026
Last Updated Apr 3, 2026

Affected Versions

CERT/CC / cveClient/encrypt-storage.js
0 < 1.1.15

References

github.com: https://github.com/CERTCC/cveClient/pull/39
github.com: https://github.com/CERTCC/cveClient/

Credits

Jerry Gamblin (https://github.com/jgamblin)