Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in
🔥 Daily Hot!
💪🏽 CPE Enhanced Advisories
🕶 Shadow Exploits
🕵🏼 Vulners CPE
🔐 Security news
💻 Exploit updates
📑 Blogs review
🐧 Linux vulnerabilities
🐞 Bugbounty
🤖 AI High Score
📰 CVE Feed
show all

276 matches found

Snyk
Snykadded 2026/05/25 11:19 p.m.1 views

Sensitive Cookie in HTTPS Session Without "Secure" Attribute

Overview org.apache.shiro:shiro-web is a powerful and easy-to-use Java security framework that performs authentication, authorization, cryptography, and session management. Affected versions of this package are vulnerable to Sensitive Cookie in HTTPS Session Without "Secure" Attribute in the form...

6.5CVSS5.8AI score0.00024EPSS
Exploits0References2
NVD
NVDadded 2026/05/25 9:16 p.m.9 views

CVE-2026-43828

Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected...

6.5CVSS0.00024EPSS
Exploits0References2
OSV
OSVadded 2026/05/25 9:16 p.m.3 views

UBUNTU-CVE-2026-43828

Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected...

6.5CVSS5.8AI score0.00024EPSS
Exploits0References5
UbuntuCve
UbuntuCveadded 2026/05/25 9:16 p.m.6 views

CVE-2026-43828

Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected...

6.5CVSS5.8AI score0.00024EPSS
Exploits0References4
EUVD
EUVDadded 2026/05/25 8:19 p.m.5 views

EUVD-2026-31734

Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected...

5.9CVSS5.8AI score0.00024EPSS
Exploits0References1
CVE
CVEadded 2026/05/25 8:19 p.m.16 views

CVE-2026-43828

CVE-2026-43828 affects Apache Shiro. The issue: Shiro-native session manager and Remember-Me manager set cookies (JSESSIONID and rememberMe) without the Secure attribute by default, leaking sensitive cookies over non-HTTPS channels. Affected versions: 1.0 to 2.1.0, and 3.0.0-alpha-1. Remediation:...

6.5CVSS5.8AI score0.00024EPSS
Exploits0References2Affected Software1
ATTACKERKB
ATTACKERKBadded 2026/05/25 8:19 p.m.7 views

CVE-2026-43828

Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected...

5.9CVSS5.8AI score0.00024EPSS
Exploits0References2Affected Software1
Vulnrichment
Vulnrichmentadded 2026/05/25 8:19 p.m.7 views

CVE-2026-43828 Apache Shiro: Shiro's native session and rememberMe cookies do not have secure flag set by default

Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected...

5.9CVSS5.8AI score0.00024EPSS
Exploits0References1
Cvelist
Cvelistadded 2026/05/25 8:19 p.m.17 views

CVE-2026-43828 Apache Shiro: Shiro's native session and rememberMe cookies do not have secure flag set by default

Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected...

5.9CVSS0.00024EPSS
Exploits0References1
Positive Technologies
Positive Technologiesadded 2026/05/25 12:0 a.m.9 views

PT-2026-43119

Name of the Vulnerable Software and Affected Versions Apache Shiro versions 1.0 through 2.1.0 Apache Shiro version 3.0.0-alpha-1 Description Default configurations cause the Shiro-native session manager and the Remember-Me manager to send JSESSIONID and rememberMe cookies without the 'Secure'...

6.5CVSS5.8AI score0.00024EPSS
Exploits0References4
CVE
CVEadded 2026/05/20 1:25 a.m.8 views

CVE-2026-6456

The CVE-2026-6456 entry documents a Privilege Escalation in the WordPress Account Switcher plugin up to version 1.0.2. The root cause is the rememberLogin REST API endpoint using a loose comparison (!=) instead of strict (!==) for secret validation at app/RestAPI.php:111, plus validation that the...

8.8CVSS5.8AI score0.00045EPSS
Exploits0References4
GithubExploit
GithubExploitadded 2026/05/14 8:31 p.m.51 views

Apache-Shiro-RememberMe-RCE

No d...

5.8AI score
Exploits0
Cvelist
Cvelistadded 2026/04/21 5:12 p.m.26 views

CVE-2026-40588 blueprintUE: Authenticated Password Change Does Not Verify Current Password

blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, the password change form at /profile/slug/edit/ does not include a currentpassword field and does not verify the user's existing password before accepting a new one. Any attacker who obtains a valid authenticated session —...

8.1CVSS0.00036EPSS
Exploits0References1
RedhatCVE
RedhatCVEadded 2026/04/10 7:23 p.m.1 views

CVE-2026-33266

Use of Hard-coded Cryptographic Key vulnerability in Apache OpenMeetings. The remember-me cookie encryption key is set to default value in openmeetings.properties and not being auto-rotated. In case OM admin hasn't changed the default encryption key, an attacker who has stolen a cookie from a...

7.5CVSS5.8AI score0.00055EPSS
Exploits0References1
Github Security Blog
Github Security Blogadded 2026/04/09 6:31 p.m.2 views

Apache OpenMeetings Uses Hard-coded Cryptographic Key

Use of Hard-coded Cryptographic Key vulnerability in Apache OpenMeetings. The remember-me cookie encryption key is set to default value in openmeetings.properties and not being auto-rotated. In case OM admin hasn't changed the default encryption key, an attacker who has stolen a cookie from a...

7.5CVSS5.8AI score0.00055EPSS
Exploits0References4Affected Software1
OSV
OSVadded 2026/04/09 6:31 p.m.3 views

GHSA-WQXQ-W68R-WG85 Apache OpenMeetings Uses Hard-coded Cryptographic Key

Use of Hard-coded Cryptographic Key vulnerability in Apache OpenMeetings. The remember-me cookie encryption key is set to default value in openmeetings.properties and not being auto-rotated. In case OM admin hasn't changed the default encryption key, an attacker who has stolen a cookie from a...

8.7CVSS5.8AI score0.00055EPSS
Exploits0References4
Snyk
Snykadded 2026/04/09 6:31 p.m.1 views

Use of Hard-coded Cryptographic Key

Overview Affected versions of this package are vulnerable to Use of Hard-coded Cryptographic Key in the remember-me cookie encryption key and salt. An attacker can obtain full user credentials by stealing a cookie from a logged-in user if the default encryption key has not been changed. Remediati...

8.7CVSS5.8AI score0.00055EPSS
Exploits0References2
Snyk
Snykadded 2026/04/09 6:31 p.m.4 views

Use of Hard-coded Cryptographic Key

Overview Affected versions of this package are vulnerable to Use of Hard-coded Cryptographic Key in the remember-me cookie encryption key and salt. An attacker can obtain full user credentials by stealing a cookie from a logged-in user if the default encryption key has not been changed. Remediati...

8.7CVSS5.8AI score0.00055EPSS
Exploits0References2
EUVD
EUVDadded 2026/04/09 6:31 p.m.2 views

EUVD-2026-20936

Use of Hard-coded Cryptographic Key vulnerability in Apache OpenMeetings. The remember-me cookie encryption key is set to default value in openmeetings.properties and not being auto-rotated. In case OM admin hasn't changed the default encryption key, an attacker who has stolen a cookie from a...

5.9AI score0.00055EPSS
Exploits0References3
Vulnrichment
Vulnrichmentadded 2026/04/09 3:52 p.m.0 views

CVE-2026-33266 Apache OpenMeetings: Hardcoded Remember-Me Cookie Encryption Key and Salt

Use of Hard-coded Cryptographic Key vulnerability in Apache OpenMeetings. The remember-me cookie encryption key is set to default value in openmeetings.properties and not being auto-rotated. In case OM admin hasn't changed the default encryption key, an attacker who has stolen a cookie from a...

5.8AI score0.00055EPSS
Exploits0References1
Rows per page
Query Builder