127 matches found
CVE-2026-57948 Pinpoint - Insecure Session Cookie Attributes in pinpointJwt
Pinpoint through version 3.1.0 contains an insecure session management vulnerability that allows attackers to access the pinpointJwt session cookie due to missing HttpOnly and Secure attributes, enabling JavaScript access via document.cookie and cleartext transmission over HTTP. Attackers can...
CVE-2026-44727 Jupyter Server: Stored XSS in `NbconvertFileHandler` / `NbconvertPostHandler` via missing `sandbox` CSP
Jupyter Server is the backend for Jupyter web applications. Prior to 2.20, the nbconvert HTTP handlers in jupyterserver render user-authored notebook HTML under the Jupyter origin without a sandbox directive in their Content-Security-Policy. Combined with nbconvert.HTMLExporter's default...
CVE-2026-44727
Jupyter Server is the backend for Jupyter web applications. Prior to 2.20, the nbconvert HTTP handlers in jupyterserver render user-authored notebook HTML under the Jupyter origin without a sandbox directive in their Content-Security-Policy. Combined with nbconvert.HTMLExporter's default...
CVE-2026-54290
Hono (web framework) prior to 4.12.25 is vulnerable to a CORS misconfiguration: with credentials: true and no explicit origin (default wildcard), the CORS middleware reflects the request Origin and sets Access-Control-Allow-Credentials: true, allowing credentialed cross‑origin reads of cookie‑pro...
PT-2026-50175
Name of the Vulnerable Software and Affected Versions n8n versions prior to 2.25.7 n8n versions prior to 2.26.2 Description When @n8n/mcp-browser is operated in HTTP transport mode using the --transport http flag, the MCP endpoint allows session initialization and tool invocation requests without...
Budibase auth session cookies are set with httpOnly:false — any XSS can lead to full account takeover
Summary The budibase:auth cookie containing the JWT session token is set with httpOnly: false at packages/backend-core/src/utils/utils.ts:218. JavaScript can read this cookie via document.cookie. Given that Budibase has had XSS vulnerabilities GHSA-gp5x-2v54-v2q5 — stored XSS via unsanitized enti...
CVE-2026-34828
listmonk is a standalone, self-hosted, newsletter and mailing list manager. From version 4.1.0 to before version 6.1.0, a session management vulnerability allows previously issued authenticated sessions to remain valid after sensitive account security changes, specifically password reset and...
OpenClaw's Browser Relay /cdp websocket is missing auth which could allow cross-tab cookie access
Summary In affected versions, the Browser Relay /cdp WebSocket endpoint did not require an authentication token. As a result, a website running in the browser could potentially connect to the local relay via loopback WebSocket and use CDP to access cookies from other open tabs and run JavaScript ...
CVE-2021-41101
wire-server is an open-source back end for Wire, a secure collaboration platform. Before version 2.106.0, the CORS Access-Control-Allow-Origin header set by nginz is set for all subdomains of .wire.com including wire.com. This means that if somebody were to find an XSS vector in any of the...
PT-2025-51941
Name of the Vulnerable Software and Affected Versions ChurchCRM versions prior to 6.0.0 Description The application inadequately sanitizes or encodes user-supplied HTML/JS, leading to stored cross-site scripting XSS. This allows an attacker to execute JavaScript in the browsers of other users...
CVE-2025-12031
HTTP Security Misconfiguration - Lacking Secure and HTTPOnly Attribute may allow reading the sensitive cookies from the javascript contextThis issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5...
CVE-2025-12031 HTTP Security Misconfiguration - Lacking Secure and HTTPOnly Attribute
HTTP Security Misconfiguration - Lacking Secure and HTTPOnly Attribute may allow reading the sensitive cookies from the javascript contextThis issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5...
EUVD-2003-0587
Malware in sbrugna...
EUVD-2016-2825
Malware in sbrugna...
EUVD-2009-2625
Malware in sbrugna...
EUVD-2003-0507
Malware in sbrugna...
EUVD-2019-7004
Malware in sbrugna...
EUVD-2003-0588
Malware in sbrugna...
EUVD-2003-0586
Malware in sbrugna...
EUVD-2003-0508
Malware in sbrugna...