CVE-2026-11525 undici vulnerable to Set-Cookie SameSite attribute downgrade via permissive substring matching
Impact: When undici parses a Set-Cookie header, it accepts any SameSite attribute value that contains Strict, Lax, or None as a substring, rather than the case-insensitive exact match specified by RFC 6265. Non-spec values are silently mapped to one of the three standard tokens. For example,...
PT-2026-50499
Name of the Vulnerable Software and Affected Versions: undici versions 5.15.0 through 6.25.x; undici versions 7.0.0 through 7.27.x; undici versions 8.0.0 through 8.4.x. Description: When parsing a Set-Cookie header, the software accepts any SameSite attribute value containing Strict, Lax, or None as a...
Astra Linux - Vulnerability in Chromium
Insufficient policy enforcement in cookies in Google Chrome prior to 104.0.5112.79 allowed a remote attacker to leak cross-origin data through a crafted HTML page...
Astra Linux – Vulnerability in Chromium
Insufficient policy enforcement regarding cookies in Google Chrome prior to version 91.0.4472.77 allowed a remote attacker to bypass cookie policies through a crafted HTML page...
WWBN AVideo has CORS Origin Reflection with Credentials on Sensitive API Endpoints Enables Cross-Origin Account Takeover
Summary The allowOrigin$allowAll=true function in objects/functions.php reflects any arbitrary Origin header back in Access-Control-Allow-Origin along with Access-Control-Allow-Credentials: true. This function is called by both plugin/API/get.json.php and plugin/API/set.json.php — the primary API...
GHSA-4WWR-7H7C-CHQR AVideo's CSRF on Admin Plugin Configuration Enables Payment Credential Hijacking
Summary AVideo's admin plugin configuration endpoint admin/save.json.php lacks any CSRF token validation. There is no call to isGlobalTokenValid or verifyToken before processing the request. Combined with the application's explicit SameSite=None cookie policy, an attacker can forge cross-origin...
EUVD-2026-17630
WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's admin plugin configuration endpoint admin/save.json.php lacks any CSRF token validation. There is no call to isGlobalTokenValid or verifyToken before processing the request. Combined with the application's explicit...
CVE-2026-34394 AVideo: CSRF on Admin Plugin Configuration Enables Payment Credential Hijacking
WWBN AVideo is an open source video platform. In versions 26.0 and prior, AVideo's admin plugin configuration endpoint admin/save.json.php lacks any CSRF token validation. There is no call to isGlobalTokenValid or verifyToken before processing the request. Combined with the application's explicit...
WordPress plugin WP Cookie Consent Security Vulnerability
WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a set of blogging platforms developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers. WordPress plugin is an application plugin. A security...
EUVD-2021-17458
Malware in sbrugna...
EUVD-2018-10082
Malware in sbrugna...
EUVD-2019-5161
Malware in sbrugna...
EUVD-2025-5941
Malicious code in bioql PyPI...
CVE-2025-24318
Cookie policy is observable via built-in browser tools. In the presence of XSS, this could lead to full session compromise...
CVE-2025-24318
CVE-2025-24318 affects the Dario Health USB-C Blood Glucose Monitoring System Starter Kit Android Application. Descriptions across sources state that a cookie policy is observable via built-in browser tools, and that in the presence of cross-site scripting (XSS) this could lead to full session co...
PT-2025-9118 · Dario Health · Dario Application Database/Internet-Based Server Infrastructure
Name of the Vulnerable Software and Affected Versions: The product name cannot be determined. Description: The issue allows observation of the cookie policy via built-in browser tools. In the presence of cross-site scripting XSS, this could potentially lead to full session compromise...
Dario Health USB-C Blood Glucose Monitoring System Security Vulnerability
Dario Health USB-C Blood Glucose Monitoring System is a portable blood glucose monitoring device from Dario Health, Israel. A security vulnerability exists in the Dario Health USB-C Blood Glucose Monitoring System that stems from a cookie policy observable through built-in browser tools, which in...
CVE-2024-36511
An improperly implemented security check for standard vulnerability CWE-358 in FortiADC Web Application Firewall WAF 7.4.0 through 7.4.4, 7.2 all versions, 7.1 all versions, 7.0 all versions, 6.2 all versions, 6.1 all versions, 6.0 all versions when cookie security policy is enabled may allow an...
PT-2024-7549 · Fortinet · Fortiadc Web Application Firewall
Name of the Vulnerable Software and Affected Versions: FortiADC Web Application Firewall WAF versions 6.0 through 7.4.4 FortiADC Web Application Firewall WAF version 7.4.5 and later are not affected, but the exact fixed version is not specified in the highest priority source, so we consider...