What is the CVSS score of CVE-2026-4820?

CVE-2026-4820 has a CVSS 3.1 base score of 4.3 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N. EPSS exploitation probability: 0.0%.

Is there a patch available for CVE-2026-4820?

Yes, a patch is available for CVE-2026-4820. Update the affected software to the latest version immediately.

IBM CVE-2026-4820

EUVD-2026-18068 MEDIUM

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute (CWE-614)

2026-04-01 ibm

GHSA-7cvp-jxjh-qvvf

Information Disclosure IBM

4.3

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

None

Lifecycle Timeline

EUVD ID Assigned

Apr 01, 2026 - 21:15 euvd

EUVD-2026-18068

Analysis Generated

Apr 01, 2026 - 21:15 vuln.today

Patch released

Apr 01, 2026 - 21:15 nvd

Patch available

CVE Published

Apr 01, 2026 - 20:54 nvd

MEDIUM 4.3

DescriptionNVD

IBM Maximo Application Suite 9.1, 9.0, 8.11, and 8.10 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.

AnalysisAI

IBM Maximo Application Suite 9.1, 9.0, 8.11, and 8.10 fail to set the secure attribute on authorization tokens and session cookies, allowing unauthenticated remote attackers to obtain sensitive cookie values through man-in-the-middle interception via unencrypted HTTP connections. An attacker can trick a user into clicking an HTTP link or embed such a link on a visited website, causing the browser to transmit cookies over unencrypted channels where they can be captured. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

More from same product – last 7 days

CVE-2026-7524 CRITICAL Act Now

9.8 May 27

Remote code execution in IBM Langflow OSS versions 1.0.0 through 1.9.1 lets unauthenticated network attackers run arbitr

CVE-2026-8175 CRITICAL Act Now

9.8 May 27

Remote code execution and authentication bypass are possible in IBM Aspera High-Speed Transfer Server and High-Speed Tra

CVE-2026-7876 CRITICAL Act Now

9.1 May 27

Authentication bypass in IBM Aspera High-Speed Transfer Server for Cloud Pak for Integration (CP4I) versions 1.5.1 throu

CVE-2026-5065 HIGH This Week

8.8 May 27

Hard-coded credentials in IBM Controller (versions 11.0.1, 11.1.0, 11.1.1, and 11.1.2) give attackers a static, embedded

CVE-2026-8179 HIGH This Week

8.8 May 27

Arbitrary code execution in IBM Aspera High-Speed Transfer Server and Endpoint (versions 3.7.4 through 4.4.7 Fix Pack 1)

CVE-2026-4820 vulnerability details – vuln.today

Back

IBM CVE-2026-4820

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Full analysis requires sign-in

More from same product – last 7 days

Share

External POC / Exploit Code