Lucene search

424 matches found

CVE
added 2026/05/07 6:49 p.m., 4 views

CVE-2026-42239

Budibase (backend-core, budibase:auth cookie) is affected prior to version 3.35.10. The issue is that the budibase:auth cookie is set HTTPOnly: false, lacks secure: true and sameSite, allowing access to the JWT session token via document.cookie. This enables any XSS to escalate to full account ta...

CVSS 8.1, AI score 5.8, EPSS 0.00028
Exploits: 0, References: 2

Snyk
added 2026/04/24 4:18 p.m., 2 views

Sensitive Cookie Without "HttpOnly" Flag

Overview: @budibase/backend-core is a Budibase backend core library used in server and worker. Affected versions of this package are vulnerable to Sensitive Cookie Without "HttpOnly" Flag via the set function in the cookie handling process. An attacker can gain unauthorized access to user account...

CVSS 8.4, AI score 5.5, EPSS 0.00028
Exploits: 0, References: 2

OSV
added 2026/01/16 2:15 p.m., 2 views

CVE-2026-0696

In ConnectWise PSA versions older than 2026.1, certain session cookies were not set with the HttpOnly attribute. In some scenarios, this could allow client-side scripts access to session cookie values...

CVSS 6.5, AI score 5.8, EPSS 0.0002
Exploits: 0, References: 2

ATTACKERKB
added 2026/01/16 1:34 p.m., 0 views

CVE-2026-0696

In ConnectWise PSA versions older than 2026.1, certain session cookies were not set with the HttpOnly attribute. In some scenarios, this could allow client-side scripts access to session cookie values...

CVSS 6.5, AI score 5.3, EPSS 0.0002
Exploits: 0, References: 3

RedhatCVE
added 2026/01/13 10:52 p.m., 2 views

CVE-2026-22081

This vulnerability exists in Tenda wireless routers 300Mbps Wireless Router F3 and N300 Easy Setup Router due to the missing HTTPOnly flag for session cookies associated with the web-based administrative interface. A remote attacker could exploit this vulnerability by capturing session cookies...

CVSS 8.8, AI score 6.8, EPSS 0.00023
Exploits: 0, References: 1

RedhatCVE
added 2026/01/09 12:28 p.m., 4 views

CVE-2018-12302

Missing HTTPOnly flag on session cookies in the Seagate NAS OS version 4.3.15.1 web application allows attackers to steal session tokens via cross-site scripting...

CVSS 6.1, AI score 6.8, EPSS 0.0024
Exploits: 0, References: 1

NVD
added 2026/01/09 12:15 p.m., 1 view

CVE-2026-22081

This vulnerability exists in Tenda wireless routers 300Mbps Wireless Router F3 and N300 Easy Setup Router due to the missing HTTPOnly flag for session cookies associated with the web-based administrative interface. A remote attacker could exploit this vulnerability by capturing session cookies...

CVSS 8.8, EPSS 0.00023
Exploits: 0, References: 1

CVE
added 2026/01/09 11:16 a.m., 4 views

CVE-2026-22081

The CVE-2026-22081 issue affects Tenda 300Mbps Wireless Router F3 and N300 Easy Setup Router, arising from the absence of the HTTPOnly flag on cookies used by the web-based administrative interface. This enables a remote attacker to potentially capture session cookies transmitted over unencrypted...

CVSS 8.8, AI score 6.4, EPSS 0.00023
Exploits: 0, References: 1

RedhatCVE
added 2026/01/09 9:59 a.m., 5 views

CVE-2020-7051

Codologic Codoforum through 4.8.4 allows stored XSS in the login area. This is relevant in conjunction with CVE-2020-5842 because session cookies lack the HttpOnly flag. The impact is account takeover...

CVSS 6.1, AI score 5.6, EPSS 0.01819
Exploits: 1, References: 1

RedhatCVE
added 2026/01/07 9:33 a.m., 4 views

CVE-2019-16187

Limesurvey before 3.17.14 uses an anti-CSRF cookie without the HttpOnly flag, which allows attackers to access a cookie value via a client-side script...

CVSS 7.5, AI score 6.8, EPSS 0.00276
Exploits: 0, References: 1

CNNVD
added 2025/10/21 12:0 a.m., 1 view

Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 Security Vulnerability

The Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4 are both networked access controllers from Azure Access Technology, USA. A security vulnerability exists in Azure Access Technology BLU-IC2 and Azure Access Technology BLU-IC4, which stems from the lack of Secure and HTTPOnly...

CVSS 5.3, AI score 6.6, EPSS 0.00041
Exploits: 0, References: 2

RedhatCVE
added 2025/10/13 8:27 a.m., 0 views

CVE-2025-52614

HCL Unica Platform is affected by a Cookie without HTTPOnly Flag Set vulnerability. A malicious agent may be able to induce this event by feeding a user suitable links, either directly or via another web site...

CVSS 4.3, AI score 6.8, EPSS 0.00016
Exploits: 0, References: 1

OSV
added 2025/10/12 8:15 a.m., 0 views

CVE-2025-52614

HCL Unica Platform is affected by a Cookie without HTTPOnly Flag Set vulnerability. A malicious agent may be able to induce this event by feeding a user suitable links, either directly or via another web site...

CVSS 4.3, AI score 5.7
Exploits: 0, References: 1

Vulnrichment
added 2025/10/12 7:52 a.m., 1 view

CVE-2025-52614 HCL Unica Platform is affected by a Cookie without HTTPOnly Flag Set vulnerability

HCL Unica Platform is affected by a Cookie without HTTPOnly Flag Set vulnerability. A malicious agent may be able to induce this event by feeding a user suitable links, either directly or via another web site...

CVSS 3.5, AI score 6.4, EPSS 0.00016
Exploits: 0, References: 1

Cvelist
added 2025/10/12 7:52 a.m., 3 views

CVE-2025-52614 HCL Unica Platform is affected by a Cookie without HTTPOnly Flag Set vulnerability

HCL Unica Platform is affected by a Cookie without HTTPOnly Flag Set vulnerability. A malicious agent may be able to induce this event by feeding a user suitable links, either directly or via another web site...

CVSS 3.5, EPSS 0.00016
Exploits: 0, References: 1

EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2020-25536

Malware in sbrugna...

CVSS 5.3, AI score 5.5, EPSS 0.00138
Exploits: 0, References: 3

EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2019-7004

Malware in sbrugna...

CVSS 7.5, AI score 7.5, EPSS 0.00276
Exploits: 0, References: 3

EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2020-27417

Malware in sbrugna...

CVSS 6.3, AI score 6.1, EPSS 0.00171
Exploits: 0, References: 3

EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2014-9075

Malware in sbrugna...

CVSS 5, AI score 6.4, EPSS 0.00539
Exploits: 0, References: 3

EUVD
added 2025/10/07 12:30 a.m., 2 views

EUVD-2012-0750

Malware in sbrugna...

CVSS 5.8, AI score 5.6, EPSS 0.00192
Exploits: 0, References: 2