HIGHCVE-2026-35467Published 2026-04-02Modified 2026-04-03CNA certcc

CVE-2026-35467: Private Key stored as extractable in browser IndexeDB

The stored API keys in temporary browser client is not marked as protected allowing for JavScript console or other errors to allow for extraction of the encryption credentials.

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: 1.1.15
Affected Products: 1

Fix available

1.1.15

Affected packages

CERT/CC / cveClient/encrypt-storage.js
< 1.1.15 (from 0)

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

References

Github PR to fix the issue
Github Repository of the project.

Metrics

Fix available