2 matches found
GHSA-3HRH-PFW6-9M5X Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection
Summary The serialize function in hono/cookie validates domain and path options against characters that corrupt Set-Cookie header syntax ;, \r, \n, but does not apply the same validation to sameSite and priority. An application that passes user-controlled input into either option may produce a...
CVE-2026-39807
A flaw was found in bandit. An unauthenticated client can exploit this vulnerability by spoofing the transport state on plaintext HTTP connections. By declaring an HTTPS scheme over a non-secure TCP connection, the system incorrectly registers the connection as secure. This can lead to sensitive...