CVE-2026-41017

CVE-2026-41017 affects Apache Airflow where JWTRefreshMiddleware sets the JWT cookie without the Secure flag. This impacts deployments exposing the Airflow API server behind TLS-terminating proxies (e.g., nginx, Envoy, or managed load balancers) and may allow a network-positioned attacker to capt...

CVE-2026-43828

CVE-2026-43828 affects Apache Shiro. The issue: Shiro-native session manager and Remember-Me manager set cookies (JSESSIONID and rememberMe) without the Secure attribute by default, leaking sensitive cookies over non-HTTPS channels. Affected versions: 1.0 to 2.1.0, and 3.0.0-alpha-1. Remediation:...

PT-2026-43119

Name of the Vulnerable Software and Affected Versions Apache Shiro versions 1.0 through 2.1.0 Apache Shiro version 3.0.0-alpha-1 Description Default configurations cause the Shiro-native session manager and the Remember-Me manager to send JSESSIONID and rememberMe cookies without the 'Secure'...

Apache Shiro 安全漏洞

Apache Shiro is a set of Java security frameworks for performing authentication, authorization, encryption, and session management from the Apache Foundation USA. A security vulnerability exists in Apache Shiro versions 1.0 through 2.1.0 and 3.0.0-alpha-1, which stems from a default configuration...

pyLoad has a Session Cookie Security Downgrade via Untrusted X-Forwarded-Proto Header Spoofing (Global State Race Condition)

Summary The setsessioncookiesecure beforerequest handler in src/pyload/webui/app/init.py reads the X-Forwarded-Proto header from any HTTP request without validating that the request originates from a trusted proxy, then mutates the global Flask configuration SESSIONCOOKIESECURE on every request...

CVE-2026-4820

IBM Maximo Application Suite is affected by CVE-2026-4820 due to the session cookie ltpatoken2_ not being marked Secure, enabling potential cookie theft over insecure links. Affected versions: 8.10, 8.11, 9.0, 9.1. Remediations: 8.10.33, 8.11.30, 9.0.19, 9.1.8. CVSS Base score: 4.3 (CWE-614: Sens...

Security Bulletin: IBM Maximo Application Suite was vulnerable to CVE-2026-4820 because Cookie ltpatoken2_<workspace_name> was not set with secure flag

Summary IBM Maximo Application Suite was vulnerable to CVE-2026-4820 because Cookie ltpatoken2 was not set with secure flag Vulnerability Details CVEID:CVE-2026-4820 DESCRIPTION: IBM Maximo Application Suite does not set the secure attribute on authorization tokens or session cookies. Attackers m...

EUVD-2025-203381

The Convercent Whistleblowing Platform operated by EQS Group contains a protection mechanism failure in its browser and session handling. By default, affected deployments omit HTTP security headers such as Content-Security-Policy, Referrer-Policy, Permissions-Policy, Cross-Origin-Embedder-Policy,...

EUVD-2008-6268

Malware in sbrugna...

EUVD-2015-1959

Malware in sbrugna...

CVE-2021-29248

BTCPay Server through 1.0.7.0 could allow a remote attacker to obtain sensitive information, caused by failure to set the Secure flag for a cookie...

CVE-2024-30142

HCL BigFix Compliance is affected by a missing secure flag on a cookie. If a secure flag is not set, cookies may be stolen by an attacker using XSS, resulting in unauthorized access or session cookies could be transferred over an unencrypted channel...

CVE-2020-4780

OOTB build scripts does not set the secure attribute on session cookie which may impact IBM Curam Social Program Management 7.0.9 and 7.0,10. The purpose of the 'secure' attribute is to prevent cookies from being observed by unauthorized parties. IBM X-Force ID: 189158...

CVE-2011-4849

The Control Panel in Parallels Plesk Panel 10.4.4build20111103.18 does not set the secure flag for a cookie in an https session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an http session, as demonstrated by cookies used by help.php a...

Heap overflow

Unspecified vulnerability in sISAPILocation before 1.0.2.2 allows remote attackers to bypass intended access restrictions for character encoding and the cookie secure flag via unknown vectors related to the "HTTP header rewrite function."...

CVE-2008-6298

Unspecified vulnerability in sISAPILocation before 1.0.2.2 allows remote attackers to bypass intended access restrictions for character encoding and the cookie secure flag via unknown vectors related to the "HTTP header rewrite function."...

sISAPILocation vulnerability bypasses HTTP header rewrite function

Overview sISAPILocation, an ISAPI Internet Server Application Program Interface filter, contains a vulnerability that allows the HTTP header rewrite function to be bypassed. sISAPILocation, developed by an individual developer, is an ISAPI filter for IIS Internet Information Services...