Skip to main content

CWE-1004

Sensitive Cookie Without 'HttpOnly' Flag

22 CVEs Avg CVSS 6.3 MITRE
2
CRITICAL
2
HIGH
16
MEDIUM
1
LOW
5
POC
0
KEV

Monthly

CVE-2026-42239 npm HIGH PATCH GHSA This Week

Session hijacking via JavaScript-readable authentication cookies in Budibase versions prior to 3.35.10 allows any Cross-Site Scripting (XSS) vulnerability to escalate into full account takeover. The budibase:auth cookie containing the JWT session token is set with httpOnly: false, enabling JavaScript to read it via document.cookie. Combined with confirmed prior XSS vulnerabilities in Budibase (GHSA-gp5x-2v54-v2q5), attackers can exfiltrate session tokens and gain persistent access to victim accounts. The cookie also lacks secure and sameSite flags, exposing tokens over plaintext HTTP. No public exploit identified at time of analysis. EPSS data not available. Patch available in version 3.35.10.

XSS Budibase
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2026-0696 MEDIUM This Month

Professional Service Automation contains a vulnerability that allows attackers to client-side scripts access to session cookie values (CVSS 6.5).

Information Disclosure Professional Service Automation
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-22081 Monitor

This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the missing HTTPOnly flag for session cookies associated with the web-based administrative interface.

Information Disclosure
NVD
EPSS
0.0%
CVE-2025-27453 MEDIUM This Month

A remote code execution vulnerability in HttpOnly flag (CVSS 5.3). Remediation should follow standard vulnerability management procedures.

Information Disclosure Meac300 Fnade4 Firmware
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-49189 MEDIUM PATCH This Month

CVE-2025-49189 is a security vulnerability (CVSS 5.3). Remediation should follow standard vulnerability management procedures.

Information Disclosure Media Server
NVD
CVSS 3.1
5.3
EPSS
0.1%
CVE-2025-47289 MEDIUM PATCH This Month

CE Phoenix is a free, open-source eCommerce platform. A stored cross-site scripting (XSS) vulnerability was discovered in CE Phoenix versions 1.0.9.9 through 1.1.0.2 where an attacker can inject malicious JavaScript into the testimonial description field. Once submitted, if the shop owner (admin) approves the testimonial, the script executes in the context of any user visiting the testimonial page. Because the session cookies are not marked with the `HttpOnly` flag, they can be exfiltrated by the attacker - potentially leading to account takeover. Version 1.1.0.3 fixes the issue.

XSS Ce Phoenix Cart
NVD GitHub
CVSS 3.1
6.3
EPSS
0.0%
CVE-2025-26844 CRITICAL Act Now

An issue was discovered in Znuny through 7.1.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Znuny
NVD
CVSS 3.1
9.8
EPSS
0.4%
CVE-2025-24318 MEDIUM This Month

Cookie policy is observable via built-in browser tools. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

XSS
NVD
CVSS 4.0
5.9
EPSS
0.1%
CVE-2024-41685 MEDIUM This Month

This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due to missing HTTPOnly flag for the session cookies associated with the router's web management interface. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Sy Gpon 1110 Wdont Firmware
NVD
CVSS 4.0
6.9
EPSS
0.5%
CVE-2024-6739 MEDIUM POC This Month

The session cookie in MailGates and MailAudit from Openfind does not have the HttpOnly flag enabled, allowing remote attackers to potentially steal the session cookie via XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Mailaudit Mailgates
NVD
CVSS 3.1
6.1
EPSS
0.4%
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Session hijacking via JavaScript-readable authentication cookies in Budibase versions prior to 3.35.10 allows any Cross-Site Scripting (XSS) vulnerability to escalate into full account takeover. The budibase:auth cookie containing the JWT session token is set with httpOnly: false, enabling JavaScript to read it via document.cookie. Combined with confirmed prior XSS vulnerabilities in Budibase (GHSA-gp5x-2v54-v2q5), attackers can exfiltrate session tokens and gain persistent access to victim accounts. The cookie also lacks secure and sameSite flags, exposing tokens over plaintext HTTP. No public exploit identified at time of analysis. EPSS data not available. Patch available in version 3.35.10.

XSS Budibase
NVD GitHub VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Professional Service Automation contains a vulnerability that allows attackers to client-side scripts access to session cookie values (CVSS 6.5).

Information Disclosure Professional Service Automation
NVD
EPSS 0%
Monitor

This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the missing HTTPOnly flag for session cookies associated with the web-based administrative interface.

Information Disclosure
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

A remote code execution vulnerability in HttpOnly flag (CVSS 5.3). Remediation should follow standard vulnerability management procedures.

Information Disclosure Meac300 Fnade4 Firmware
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

CVE-2025-49189 is a security vulnerability (CVSS 5.3). Remediation should follow standard vulnerability management procedures.

Information Disclosure Media Server
NVD
EPSS 0% CVSS 6.3
MEDIUM PATCH This Month

CE Phoenix is a free, open-source eCommerce platform. A stored cross-site scripting (XSS) vulnerability was discovered in CE Phoenix versions 1.0.9.9 through 1.1.0.2 where an attacker can inject malicious JavaScript into the testimonial description field. Once submitted, if the shop owner (admin) approves the testimonial, the script executes in the context of any user visiting the testimonial page. Because the session cookies are not marked with the `HttpOnly` flag, they can be exfiltrated by the attacker - potentially leading to account takeover. Version 1.1.0.3 fixes the issue.

XSS Ce Phoenix Cart
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

An issue was discovered in Znuny through 7.1.3. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Znuny
NVD
EPSS 0% CVSS 5.9
MEDIUM This Month

Cookie policy is observable via built-in browser tools. Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

XSS
NVD
EPSS 0% CVSS 6.9
MEDIUM This Month

This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due to missing HTTPOnly flag for the session cookies associated with the router's web management interface. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Sy Gpon 1110 Wdont Firmware
NVD
EPSS 0% CVSS 6.1
MEDIUM POC This Month

The session cookie in MailGates and MailAudit from Openfind does not have the HttpOnly flag enabled, allowing remote attackers to potentially steal the session cookie via XSS. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Mailaudit Mailgates
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy