CWE-1004
Sensitive Cookie Without 'HttpOnly' Flag
Description
The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.
Hierarchy (View 1000)
Parents
Children
none
CVEs mapped to this weakness (18)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2026-22081 | — | High | 0.57 | — | 0.00 | — | Jan 9, 2026 | This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the missing HTTPOnly flag for session cookies associated with the web-based administrative interface. A remote attacker could exploit this vulnerability by… |
| CVE-2025-53757 | — | High | 0.57 | — | 0.00 | — | Jul 16, 2025 | This vulnerability exists in Digisol DG-GR6821AC Router due to misconfiguration of both Secure and HttpOnly flags on session cookies associated with the router web interface. A remote attacker could exploit this vulnerability by capturing the session cookies transmitted over an… |
| CVE-2025-0479 | — | High | 0.56 | — | 0.00 | — | Jan 20, 2025 | This vulnerability exists in the CP Plus Router due to insecure handling of cookie flags used within its web interface. A remote attacker could exploit this vulnerability by intercepting data transmissions during an HTTP session on the vulnerable system. Successful… |
| CVE-2025-57424 | — | High | 0.47 | 7.3 | 0.00 | — | Sep 29, 2025 | A stored cross-site scripting (XSS) vulnerability exists in the MyCourts v3 application within the LTA number profile field. An attacker can insert arbitrary JavaScript into their profile, which executes in the browser of any user viewing it, including administrators. Due to the… |
| CVE-2026-42239 | — | High | 0.46 | 8.1 | 0.00 | — | May 7, 2026 | Budibase is an open-source low-code platform. Prior to version 3.35.10, the budibase:auth cookie containing the JWT session token is set with httpOnly: false at packages/backend-core/src/utils/utils.ts:218. JavaScript can read this cookie via document.cookie. This means every… |
| CVE-2026-35575 | — | High | 0.45 | 8.0 | 0.00 | — | Apr 7, 2026 | ChurchCRM is an open-source church management system. Prior to 6.5.3, a Stored Cross-Site Scripting (Stored XSS) vulnerability in the admin panel’s group-creation feature allows any user with group-creation privileges to inject malicious JavaScript that executes automatically… |
| CVE-2025-24318 | — | Medium | 0.44 | 6.8 | 0.00 | — | Feb 28, 2025 | Cookie policy is observable via built-in browser tools. In the presence of XSS, this could lead to full session compromise. |
| CVE-2026-39338 | — | Medium | 0.33 | 6.1 | 0.00 | — | Apr 7, 2026 | ChurchCRM is an open-source church management system. Prior to 7.1.0, a Blind Reflected Cross-Site Scripting vulnerability exists in the search parameter accepted by the ChurchCRM dashboard. The application fails to sanitize or encode user-supplied input prior to rendering it… |
| CVE-2026-11956 | — | Low | 0.24 | 3.7 | 0.00 | — | Jun 11, 2026 | A vulnerability was determined in TwiN gatus 5.36.0. Impacted is the function setSessionCookie of the file security/oidc.go of the component OIDC Session Cookie Handler. Executing a manipulation can lead to sensitive cookie without secure attribute. The attack can be launched… |
| CVE-2025-42909 | — | Low | 0.20 | 3.0 | 0.00 | — | Oct 14, 2025 | SAP Cloud Appliance Library Appliances allows an attacker with high privileges to leverage an insecure S/4HANA default profile setting in an existing SAP CAL appliances to gain access to other appliances. This has low impact on confidentiality of the application, integrity and… |
| CVE-2026-25736 | — | — | 0.00 | — | 0.00 | — | Feb 25, 2026 | Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Versions prior to 35.8.3, 38.5.4, and 39.3.1 have a stored Cross-Site Scripting (XSS) vulnerability in the Custom RSE Attribute… |
| CVE-2026-25735 | — | — | 0.00 | — | 0.00 | — | Feb 25, 2026 | Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Versions prior to 35.8.3, 38.5.4, and 39.3.1 have a stored Cross-Site Scripting (XSS) vulnerability in the Identity Name of the… |
| CVE-2026-25734 | — | — | 0.00 | — | 0.00 | — | Feb 25, 2026 | Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Versions prior to 35.8.3, 38.5.4, and 39.3.1 have a stored Cross-Site Scripting (XSS) vulnerability in the RSE metadata of the… |
| CVE-2026-25733 | — | — | 0.00 | — | 0.00 | — | Feb 25, 2026 | Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Versions prior to 35.8.3, 38.5.4, and 39.3.1 have a stored Cross-Site Scripting (XSS) vulnerability in the Custom Rules… |
| CVE-2026-25136 | — | — | 0.00 | — | 0.00 | — | Feb 25, 2026 | Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. A reflected Cross-site Scripting vulnerability was located in versions prior to 35.8.3, 38.5.4, and 39.3.1 in the rendering of… |
| CVE-2024-47833 | — | — | 0.00 | — | 0.00 | — | Oct 9, 2024 | Taipy is an open-source Python library for easy, end-to-end application development for data scientists and machine learning engineers. In affected versions session cookies are served without Secure and HTTPOnly flags. This issue has been addressed in release version 4.0.0 and… |
| CVE-2019-25091 | — | — | 0.00 | — | 0.01 | — | Dec 27, 2022 | A vulnerability classified as problematic has been found in nsupdate.info. This affects an unknown part of the file src/nsupdate/settings/base.py of the component CSRF Cookie Handler. The manipulation of the argument CSRF_COOKIE_HTTPONLY leads to cookie without 'httponly' flag.… |
| CVE-2010-4312 | — | — | 0.00 | — | 0.02 | — | Nov 26, 2010 | The default configuration of Apache Tomcat 6.x does not include the HTTPOnly flag in a Set-Cookie header, which makes it easier for remote attackers to hijack a session via script access to a cookie. |