Skip to main content

Dsa Study Hub CVE-2026-28678

HIGH
Missing Encryption of Sensitive Data (CWE-311)
2026-03-07 security-advisories@github.com
8.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Analysis Generated
Mar 12, 2026 - 21:55 vuln.today
Patch released
Mar 11, 2026 - 17:35 nvd
Patch available
CVE Published
Mar 07, 2026 - 16:15 nvd
HIGH 8.1

DescriptionGitHub Advisory

DSA Study Hub is an interactive educational web application. Prior to commit d527fba, the user authentication system in server/routes/auth.js was found to be vulnerable to Insufficiently Protected Credentials. Authentication tokens (JWTs) were stored in HTTP cookies without cryptographic protection of the payload. This issue has been patched via commit d527fba.

AnalysisAI

DSA Study Hub stores JWT authentication tokens in unencrypted HTTP cookies, allowing attackers to extract and replay user credentials to gain unauthorized access to accounts. An unauthenticated remote attacker can intercept these tokens through network traffic analysis or client-side inspection to impersonate legitimate users. A patch is available in commit d527fba and should be applied immediately.

Technical ContextAI

Classified as CWE-311 (Missing Encryption of Sensitive Data). Affects Dsa Study Hub. DSA Study Hub is an interactive educational web application. Prior to commit d527fba, the user authentication system in server/routes/auth.js was found to be vulnerable to Insufficiently Protected Credentials. Authentication tokens (JWTs) were stored in HTTP cookies without cryptographic protection of the payload. This issue has been patched via commit d527fba.

RemediationAI

A vendor patch is available — apply it immediately. Restrict network access to the affected service where possible.

Share

CVE-2026-28678 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy