A stored XSS flaw in the script cveInterface.js allows injection of arbitrary HTML or JavaScript supplied by remote CVE API services. Because the interface trusts external data, an attacker can embed malicious code that will run in the context of users viewing CVE entries, potentially leading to malware execution, credential theft, or session hijacking. The flaw corresponds to CWE‑79, which describes insufficient input sanitization before rendering.

The vulnerability affects CERT/CC’s cveClient, specifically the cveInterface.js component that processes CVE data from external APIs. No specific product or version numbers are listed, so any instance of this client that imports or executes the affected script may be impacted. It is advisable to review the source or deployment configuration to identify whether this code is in use.

The CVSS base score is 6.1, indicating moderate severity, while the EPSS score is below 1 %, suggesting low probability of exploitation in the wild. The vulnerability is not currently documented in the CISA KEV catalog. Exploitation requires an attacker to supply malicious input through a CVE API service; the client then renders this data without filtering, allowing the attacker to deliver cross‑site scripting payloads to other users. Given the medium score and low exploitation likelihood, organizations should still treat it as a notable risk, especially if the client is exposed to external data sources.