9 matches found
CVE-2026-46550
NocoDB’s CVE-2026-46550 concerns the refresh-token cookie being set with httpOnly but without Secure and SameSite attributes prior to 2026.04.1. The root cause is in setTokenCookie(), which emitted a cookie with only httpOnly (and possibly domain), leaving it vulnerable to interception over HTTP ...
CVE-2026-46550 NocoDB: Refresh Token Cookie Set Without `Secure` and `SameSite` Flags
NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the refresh-token cookie was set with httpOnly: true but missing both the secure flag and the sameSite attribute. Over plain HTTP the cookie could be intercepted on the network; without sameSite, browsers attached it t...
NPM: NocoDB: Refresh Token Cookie Set Without `secure` and `sameSite` Flags
NPM: NocoDB: Refresh Token Cookie Set Without secure and sameSite Flags vulnerability discovered by ? in WordPress Npm nocodb versions = 0.301.3...
SUSE CVE-2026-35536
In Tornado before 6.5.5, cookie attribute injection could occur because the domain, path, and samesite arguments to RequestHandler.set_cookie were not checked for crafted characters...
The vulnerability of the software for monitoring and analyzing network traffic in industrial networks, SINEC Traffic Analyzer, allows an intruder to gain unauthorized access to protected information.
The vulnerability of the SINEC Traffic Analyzer software for monitoring and analyzing network traffic in industrial networks stems from the absence of the "Secure", "HttpOnly", or "SameSite" flags in session cookie files. Exploiting this vulnerability can allow an unauthorized attacker to gain...
Cookies generated by VPN Vserver lack Secure/SameSite/HttpOnly flags
Cookies generated by VPN Vserver lack Secure/SameSite/HttpOnly flags...
Cross-site request forgery (CSRF)
MFScripts YetiShare 3.5.2 through 4.5.3 does not set the SameSite flag on session cookies, allowing the cookie to be sent in cross-site requests and potentially be used in cross-site request forgery attacks...
CVE-2019-19737
MFScripts YetiShare 3.5.2 through 4.5.3 does not set the SameSite flag on session cookies, allowing the cookie to be sent in cross-site requests and potentially be used in cross-site request forgery attacks...
CVE-2019-19737
CVE-2019-19737 affects MFScripts YetiShare in versions 3.5.2 through 4.5.3. The root cause is that session cookies do not have the SameSite flag set, allowing cookies to be sent with cross-site requests and potentially enabling cross-site request forgery attacks. Multiple connected sources confir...