Lucene search
K

178 matches found

Cvelist
Cvelist
added 3 days ago30 views

CVE-2026-38057 ST Engineering iDirect iQ-Series Terminals Cross-Site request forgery

The iDirect iQ200 does not validate CSRF tokens on state-changing API endpoints after authentication. The /api/reboot endpoint accepts POST requests authenticated solely by a session cookie that lacks the SameSite attribute. A remote attacker can host a malicious web page that, when visited by an...

8.1CVSS0.00308EPSS
Exploits0References3
RedHat Linux
RedHat Linux
added last week4 views

undici: undici: Weakening of cookie SameSite policy due to incorrect parsing of Set-Cookie header

A flaw was found in undici. When undici processes Set-Cookie headers, it incorrectly interprets the SameSite attribute, accepting partial matches instead of exact ones. This allows a malicious server to downgrade a cookie's SameSite policy to a less secure setting, potentially leading to unintend...

3.7CVSS7AI score0.00248EPSS
Exploits0References6
Snyk
Snyk
added 2026/06/17 6:22 p.m.9 views

Permissive List of Allowed Inputs

Overview undici is an An HTTP/1.1 client, written from scratch for Node.js Affected versions of this package are vulnerable to Permissive List of Allowed Inputs via permissive substring matching in the Set-Cookie attribute parsing. An attacker can weaken cookie SameSite enforcement by crafting a...

8.3CVSS5.9AI score0.00248EPSS
Exploits0References2
NVD
NVD
added 2026/06/17 6:17 p.m.13 views

CVE-2026-11525

Impact: When undici parses a Set-Cookie header, it accepts any SameSite attribute value that contains Strict, Lax, or None as a substring, rather than the case-insensitive exact match specified by RFC 6265. Non-spec values are silently mapped to one of the three standard tokens. For example,...

3.7CVSS0.00248EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/06/05 7:51 p.m.10 views

CVE-2025-52608

HCL iControl was affected by Missing Cookie Attributes vulnerability. It was observed that the application is missing several critical cookie attributes, including Secure and SameSite. And also path is set to root...

4.3CVSS5.5AI score0.00098EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/04 5:59 p.m.15 views

EUVD-2026-32925

Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection...

5.3CVSS5.8AI score0.00216EPSS
Exploits0References4
NVD
NVD
added 2026/06/04 12:16 p.m.12 views

CVE-2025-52608

HCL iControl was affected by Missing Cookie Attributes vulnerability. It was observed that the application is missing several critical cookie attributes, including Secure and SameSite. And also path is set to root...

4.3CVSS0.00098EPSS
Exploits0References1
EUVD
EUVD
added 2026/06/04 11:49 a.m.10 views

EUVD-2025-210061

HCL iControl was affected by Missing Cookie Attributes vulnerability. It was observed that the application is missing several critical cookie attributes, including Secure and SameSite. And also path is set to root...

4.3CVSS5.8AI score0.00098EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/06/04 11:49 a.m.9 views

CVE-2025-52608 HCL iControl was affected by Missing Cookie Attributes vulnerability.

HCL iControl was affected by Missing Cookie Attributes vulnerability. It was observed that the application is missing several critical cookie attributes, including Secure and SameSite. And also path is set to root...

3.1CVSS5.8AI score0.00098EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/06/04 12:0 a.m.9 views

HCL iControl 安全漏洞

HCL iControl is an IT infrastructure monitoring and automation platform developed by the Indian company HCL. HCL iControl has a security vulnerability, which stems from the lack of Cookie attributes, including Secure and SameSite, and the path is set to the root directory...

4.3CVSS5.3AI score0.00098EPSS
Exploits0References1
Github Security Blog
Github Security Blog
added 2026/05/21 8:35 p.m.13 views

NocoDB: Refresh Token Cookie Set Without `secure` and `sameSite` Flags

Summary The refresh-token cookie was set with httpOnly: true but missing both the secure flag and the sameSite attribute. Over plain HTTP the cookie could be intercepted on the network; without sameSite, browsers attached it to cross-site POSTs, enabling CSRF against the token-refresh endpoint...

5.4CVSS5.7AI score0.00099EPSS
Exploits0References2Affected Software1
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.8 views

Astra Linux – Vulnerability in python-tornado

In Tornado before version 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments of .RequestHandler.setcookie were not checked for crafted characters...

7.2CVSS5.2AI score0.00237EPSS
Exploits0References1
RedHat Linux
RedHat Linux
added 2026/05/19 6:24 p.m.22 views

tornado: Tornado: Cookie attribute injection due to improper handling of cookie arguments

A flaw was found in Tornado. A remote attacker could exploit this vulnerability by injecting specially crafted characters into the domain, path, and samesite arguments when setting cookies. This could lead to cookie attribute injection, potentially allowing for information disclosure or...

7.2CVSS5.7AI score0.00237EPSS
Exploits0References6
CNNVD
CNNVD
added 2026/05/11 12:0 a.m.9 views

HireFlow 安全漏洞

HireFlow is an online interview management platform developed by StratonWebDesigners as a personal developer project. Version 1.2 of HireFlow contains a security vulnerability. This vulnerability stems from the fact that all POST endpoints for state changes do not implement CSRF token verificatio...

8.1CVSS5.9AI score0.00168EPSS
Exploits1References2
CVE
CVE
added 2026/05/07 6:49 p.m.26 views

CVE-2026-42239

Budibase (backend-core, budibase:auth cookie) is affected prior to version 3.35.10. The issue is that the budibase:auth cookie is set HTTPOnly: false, lacks secure: true and sameSite, allowing access to the JWT session token via document.cookie. This enables any XSS to escalate to full account ta...

8.1CVSS5.8AI score0.00283EPSS
Exploits1References2Affected Software1
RedHat Linux
RedHat Linux
added 2026/05/05 9:22 a.m.14 views

tornado: Tornado: Cookie attribute injection due to improper handling of cookie arguments

A flaw was found in Tornado. A remote attacker could exploit this vulnerability by injecting specially crafted characters into the domain, path, and samesite arguments when setting cookies. This could lead to cookie attribute injection, potentially allowing for information disclosure or...

7.2CVSS5.6AI score0.00237EPSS
Exploits0References6
Tenable Nessus
Tenable Nessus
added 2026/04/17 12:0 a.m.15 views

Python Library Tornado < 6.5.5 Multiple Vulnerabilities

The version of the Tornado Python library installed on the remote host is prior to 6.5.5. It is, therefore, affected by multiple vulnerabilities: - Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts i...

8.7CVSS7.3AI score0.00375EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/04/03 2:25 a.m.22 views

CVE-2026-35536

In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.setcookie were not checked for crafted characters...

7.2CVSS0.00237EPSS
Exploits0References2
CVE
CVE
added 2026/04/03 2:25 a.m.35 views

CVE-2026-35536

Tornado

7.2CVSS5.9AI score0.00237EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/03/11 10:17 p.m.4 views

GHSA-78CV-MQJ4-43F7 Tornado has incomplete validation of cookie attributes

Values passed to the domain, path, and samesite arguments of RequestHandler.setcookie were not completely validated in versions of Tornado prior to 6.5.5. In particular, semicolons would be allowed, which could be used to inject attacker-controlled values for other cookie attributes...

5.4CVSS5.9AI score0.00237EPSS
Exploits0References4
Rows per page
Query Builder