CVE-2025-67446

Improper Authentication Authentication Bypass exists in Neterbit NW-431F Router 20241014-IR03 and before. The router uses a weak/predictable cookie value for authentication. By modifying the cookie value e.g., setting it to "admin", an attacker can bypass the authentication schema and gain...

CVE-2026-31387 Apache OFBiz: Cookie Manipulation Allows Authenticated JWT Forgery and Account Impersonation

Improper Authentication vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue...

CVE-2026-31387

CVE-2026-31387 concerns Apache OFBiz with an Improper Authentication issue affecting versions prior to 24.09.06. The CVE list entry emphasizes a cookie manipulation flaw that enables authenticated JWT forgery and account impersonation. The recommended remediation is upgrading to OFBiz 24.09.06. T...

CVE-2026-31387 Apache OFBiz: Cookie Manipulation Allows Authenticated JWT Forgery and Account Impersonation

Improper Authentication vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 24.09.06. Users are recommended to upgrade to version 24.09.06, which fixes the issue...

CVE-2026-27964 FacturaScripts: Reflected Cross-Site Scripting (XSS) via Cookie Manipulation

FacturaScripts is an open source accounting and invoicing software. Versions 2025.7 and prior contain a Reflected Cross-Site Scripting XSS vulnerability through the fsNick cookie parameter. The application reflects the cookie's value directly into the HTML without sanitization. The fsNick cookie ...

CVE-2026-27964 FacturaScripts: Reflected Cross-Site Scripting (XSS) via Cookie Manipulation

FacturaScripts is an open source accounting and invoicing software. Versions 2025.7 and prior contain a Reflected Cross-Site Scripting XSS vulnerability through the fsNick cookie parameter. The application reflects the cookie's value directly into the HTML without sanitization. The fsNick cookie ...

CVE-2026-27964

FacturaScripts versions 2025.7 and earlier contain a Reflected Cross-Site Scripting (XSS) vulnerability via the fsNick cookie parameter. The application reflects the cookie value directly into the HTML without sanitization, rendering the DOM without encoding. Although the server logs out the sess...

GHSA-GQ5C-RW37-G46C FacturaScripts vulnerable to Reflected Cross-Site Scripting (XSS) via Cookie Manipulation

Summary A Reflected Cross-Site Scripting XSS vulnerability exists in the fsNick cookie parameter. The application reflects the cookie's value directly into the HTML without sanitization. Details The fsNick cookie is rendered into the DOM without encoding. While the server does reject the modified...

FacturaScripts vulnerable to Reflected Cross-Site Scripting (XSS) via Cookie Manipulation

Summary A Reflected Cross-Site Scripting XSS vulnerability exists in the fsNick cookie parameter. The application reflects the cookie's value directly into the HTML without sanitization. Details The fsNick cookie is rendered into the DOM without encoding. While the server does reject the modified...

USN-8190-2: Rack::Session vulnerability

USN-8190-1 fixed a vulnerability in Rack::Session. This update provides the corresponding update for Ubuntu 26.04 LTS. Original advisory details: SeungMyung Lee discovered that Rack::Session did not properly reject cookies upon decryption failure. A remote attacker could use this issue to...

Ubuntu 25.10 : Rack::Session vulnerability (USN-8190-1)

The remote Ubuntu 25.10 host has a package installed that is affected by a vulnerability as referenced in the USN-8190-1 advisory. SeungMyung Lee discovered that Rack::Session did not properly reject cookies upon decryption failure. A remote attacker could use this issue to manipulate session...

CVE-2026-40043

Pachno 1.0.6 contains an authentication bypass vulnerability in the runSwitchUser action that allows authenticated low-privilege users to escalate privileges by manipulating the originalusername cookie. Attackers can set the client-controlled originalusername cookie to any value and request a...

CVE-2026-40043 Pachno 1.0.6 Authentication Bypass via runSwitchUser()

Pachno 1.0.6 contains an authentication bypass vulnerability in the runSwitchUser action that allows authenticated low-privilege users to escalate privileges by manipulating the originalusername cookie. Attackers can set the client-controlled originalusername cookie to any value and request a...

CVE-2026-40043

Pachno 1.0.6 contains an authentication bypass vulnerability in the runSwitchUser action that allows authenticated low-privilege users to escalate privileges by manipulating the originalusername cookie. Attackers can set the client-controlled originalusername cookie to any value and request a...

CVE-2026-5130 Debugger & Troubleshooter <= 1.3.2 - Unauthenticated Privilege Escalation to Administrator via Cookie Manipulation

The Debugger & Troubleshooter plugin for WordPress was vulnerable to Unauthenticated Privilege Escalation in versions up to and including 1.3.2. This was due to the plugin accepting the wpdebugtroubleshootsimulateuser cookie value directly as a user ID without any cryptographic validation or...

CVE-2026-5130 Debugger & Troubleshooter <= 1.3.2 - Unauthenticated Privilege Escalation to Administrator via Cookie Manipulation

The Debugger & Troubleshooter plugin for WordPress was vulnerable to Unauthenticated Privilege Escalation in versions up to and including 1.3.2. This was due to the plugin accepting the wpdebugtroubleshootsimulateuser cookie value directly as a user ID without any cryptographic validation or...

CVE-2026-5130

The PatchStack entry details an unauthenticated privilege escalation in the WordPress plugin Debugger & Troubleshooter (versions

WordPress Debugger & Troubleshooter plugin <= 1.3.2 - Unauthenticated Privilege Escalation to Administrator via Cookie Manipulation vulnerability

Unauthenticated Privilege Escalation to Administrator via Cookie Manipulation vulnerability discovered by Nabil Irawan - Heroes Cyber Security in WordPress Plugin Debugger & Troubleshooter versions = 1.3.2...

CVE-2026-22204

wpDiscuz before 7.6.47 contains an email header injection vulnerability that allows attackers to manipulate mail recipients by injecting malicious data into the commentauthoremail cookie. Attackers can craft a malicious cookie value that, when processed through urldecode and passed to wpmail...

CRLF Injection

Overview hono is an Ultrafast web framework for the Edges Affected versions of this package are vulnerable to CRLF Injection via the setCookie utility. An attacker can inject unauthorized cookie attributes by supplying specially crafted input containing semicolons, carriage returns, or newline...