Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in
🔥 Daily Hot!
💪🏽 CPE Enhanced Advisories
🕶 Shadow Exploits
🕵🏼 Vulners CPE
🔐 Security news
💻 Exploit updates
📑 Blogs review
🐧 Linux vulnerabilities
🐞 Bugbounty
🤖 AI High Score
📰 CVE Feed
show all

8 matches found

NVD
NVDadded yesterday5 views

CVE-2026-46398

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 25.0.0 and prior to version 26.0.0, the haxcmsrefreshtoken cookie is set without the Secure flag. This allows it to be transmitted over unencrypted HTTP, making it vulnerable to theft via packet sniffing on t...

8.8CVSS
Exploits0References1
EUVD
EUVDadded yesterday4 views

EUVD-2026-34893

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 25.0.0 and prior to version 26.0.0, the haxcmsrefreshtoken cookie is set without the Secure flag. This allows it to be transmitted over unencrypted HTTP, making it vulnerable to theft via packet sniffing on t...

8.8CVSS5.4AI score
Exploits0References1
CVE
CVEadded yesterday7 views

CVE-2026-46398

HAX CMS vulnerability: the haxcms_refresh_token cookie is set without the Secure flag in versions 25.0.0 through

8.8CVSS5.4AI score
Exploits0References1
Cvelist
Cvelistadded yesterday7 views

CVE-2026-46398 HAX CMS Missing Secure Flag on Cookie

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 25.0.0 and prior to version 26.0.0, the haxcmsrefreshtoken cookie is set without the Secure flag. This allows it to be transmitted over unencrypted HTTP, making it vulnerable to theft via packet sniffing on t...

8.8CVSS
Exploits0References1
Github Security Blog
Github Security Blogadded 2026/05/21 8:35 p.m.8 views

NocoDB: Refresh Token Cookie Set Without `secure` and `sameSite` Flags

Summary The refresh-token cookie was set with httpOnly: true but missing both the secure flag and the sameSite attribute. Over plain HTTP the cookie could be intercepted on the network; without sameSite, browsers attached it to cross-site POSTs, enabling CSRF against the token-refresh endpoint...

5.7AI score
Exploits0References2Affected Software1
Positive Technologies
Positive Technologiesadded 2026/05/21 12:0 a.m.7 views

PT-2026-42676

Name of the Vulnerable Software and Affected Versions NocoDB affected versions not specified Description The refresh-token cookie is configured with httpOnly: true but lacks the secure flag and the sameSite attribute. The absence of the secure flag allows the cookie to be intercepted over plain...

5.4CVSS5.5AI score
Exploits0References4
OSV
OSVadded 2025/12/05 11:15 p.m.2 views

CVE-2025-34291

Langflow versions up to and including 1.6.9 contain a chained vulnerability that enables account takeover and remote code execution. An overly permissive CORS configuration alloworigins='' with allowcredentials=True combined with a refresh token cookie configured as SameSite=None allows a malicio...

8.8CVSS8.3AI score0.32746EPSS
Exploits3References3
CVE
CVEadded 2025/12/05 10:27 p.m.28 views

CVE-2025-34291

Summary: Langflow AI

9.4CVSS8.1AI score0.32746EPSS
In wildExploits3References5Affected Software1
Rows per page
Query Builder