Lucene search
+L

715 matches found

snyk
snyk
added 2026/06/17 6:22 p.m.9 views

Permissive List of Allowed Inputs

Overview undici is an An HTTP/1.1 client, written from scratch for Node.js Affected versions of this package are vulnerable to Permissive List of Allowed Inputs via permissive substring matching in the Set-Cookie attribute parsing. An attacker can weaken cookie SameSite enforcement by crafting a...

8.3CVSS5.9AI score0.00248EPSS
Exploits0References2
nvd
nvd
added 2026/06/17 6:17 p.m.15 views

CVE-2026-11525

Impact: When undici parses a Set-Cookie header, it accepts any SameSite attribute value that contains Strict, Lax, or None as a substring, rather than the case-insensitive exact match specified by RFC 6265. Non-spec values are silently mapped to one of the three standard tokens. For example,...

3.7CVSS0.00248EPSS
Exploits0References2
osv
osv
added 2026/06/17 6:17 p.m.6 views

UBUNTU-CVE-2026-11525

Impact: When undici parses a Set-Cookie header, it accepts any SameSite attribute value that contains Strict, Lax, or None as a substring, rather than the case-insensitive exact match specified by RFC 6265. Non-spec values are silently mapped to one of the three standard tokens. For example,...

3.7CVSS5.9AI score0.00248EPSS
Exploits0References3
cvelist
cvelist
added 2026/06/17 5:31 p.m.61 views

CVE-2026-11525 undici vulnerable to Set-Cookie SameSite attribute downgrade via permissive substring matching

Impact: When undici parses a Set-Cookie header, it accepts any SameSite attribute value that contains Strict, Lax, or None as a substring, rather than the case-insensitive exact match specified by RFC 6265. Non-spec values are silently mapped to one of the three standard tokens. For example,...

3.7CVSS0.00248EPSS
Exploits0References2
debiancve
debiancve
added 2026/06/17 5:31 p.m.7 views

CVE-2026-11525

Impact: When undici parses a Set-Cookie header, it accepts any SameSite attribute value that contains Strict, Lax, or None as a substring, rather than the case-insensitive exact match specified by RFC 6265. Non-spec values are silently mapped to one of the three standard tokens. For example,...

3.7CVSS5.4AI score0.00248EPSS
Exploits0
cve
cve
added 2026/06/17 5:31 p.m.77 views

CVE-2026-11525

The issue affects undici’s cookie parsing in Set-Cookie headers. The root cause is a permissive substring match for the SameSite attribute during parsing, accepting any value containing Strict, Lax, or None instead of enforcing a case-insensitive exact match per RFC 6265. This can cause downstrea...

3.7CVSS5.4AI score0.00248EPSS
Exploits0References2Affected Software1
osv
osv
added 2026/06/17 6:43 a.m.7 views

MGASA-2026-0216 Updated python-tornado packages fix security vulnerabilities

Tornado has a DoS due to too many multipart parts. CVE-2026-31958 In Tornado, cookie attribute injection could occur because the domain, path, and samesite arguments to .RequestHandler.setcookie were not checked for crafted characters. CVE-2026-35536...

8.7CVSS5.3AI score0.00375EPSS
Exploits0References3
ptsecurity
ptsecurity
added 2026/06/17 12:0 a.m.20 views

PT-2026-50499

Name of the Vulnerable Software and Affected Versions undici versions 5.15.0 through 6.25.x undici versions 7.0.0 through 7.27.x undici versions 8.0.0 through 8.4.x Description When parsing a Set-Cookie header, the software accepts any SameSite attribute value containing Strict, Lax, or None as a...

3.7CVSS5.3AI score0.00248EPSS
Exploits0References133
cve
cve
added 2026/06/10 9:18 p.m.97 views

CVE-2026-46625

CVE-2026-46625 concerns the JavaScript Cookie library (js-cookie) prior to 3.0.7. A per-instance prototype hijack occurs in the internal assign() when merging properties from a source object produced by JSON.parse that may include an own enumerable proto key. This polluted prototype leads to atta...

7.5CVSS5.4AI score0.00432EPSS
Exploits0References8
redhat
redhat
added 2026/06/08 1:44 a.m.21 views

tornado: Tornado: Cookie attribute injection due to improper handling of cookie arguments

A flaw was found in Tornado. A remote attacker could exploit this vulnerability by injecting specially crafted characters into the domain, path, and samesite arguments when setting cookies. This could lead to cookie attribute injection, potentially allowing for information disclosure or...

7.2CVSS7AI score0.00237EPSS
Exploits0References6
redhatcve
redhatcve
added 2026/06/05 7:51 p.m.10 views

CVE-2025-52608

HCL iControl was affected by Missing Cookie Attributes vulnerability. It was observed that the application is missing several critical cookie attributes, including Secure and SameSite. And also path is set to root...

4.3CVSS5.5AI score0.00098EPSS
Exploits0References1
redhatcve
redhatcve
added 2026/06/05 7:37 p.m.10 views

CVE-2026-47675

Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.21, the serialize function in hono/cookie validates domain and path options against characters that corrupt Set-Cookie header syntax ;, \r, \n, but does not apply the same validation to sameSite an...

5.3CVSS5.4AI score0.00216EPSS
Exploits0References1
redhatcve
redhatcve
added 2026/06/05 7:26 p.m.12 views

CVE-2026-40929

WWBN AVideo is an open source video platform. In versions 29.0 and prior, objects/commentDelete.json.php is a state-mutating JSON endpoint that deletes comments but performs no CSRF validation. It does not call forbidIfIsUntrustedRequest, does not verify a CSRF/global token, and does not check...

5.4CVSS5.3AI score0.00113EPSS
Exploits1References1
euvd
euvd
added 2026/06/04 5:59 p.m.16 views

EUVD-2026-32925

Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection...

5.3CVSS5.8AI score0.00216EPSS
Exploits0References4
osv
osv
added 2026/06/04 5:59 p.m.11 views

GHSA-3HRH-PFW6-9M5X Hono: Cookie helper does not sanitize sameSite and priority, allowing Set-Cookie injection

Summary The serialize function in hono/cookie validates domain and path options against characters that corrupt Set-Cookie header syntax ;, \r, \n, but does not apply the same validation to sameSite and priority. An application that passes user-controlled input into either option may produce a...

4.3CVSS5.8AI score0.00216EPSS
Exploits0References5
nvd
nvd
added 2026/06/04 12:16 p.m.12 views

CVE-2025-52608

HCL iControl was affected by Missing Cookie Attributes vulnerability. It was observed that the application is missing several critical cookie attributes, including Secure and SameSite. And also path is set to root...

4.3CVSS0.00098EPSS
Exploits0References1
euvd
euvd
added 2026/06/04 11:49 a.m.10 views

EUVD-2025-210061

HCL iControl was affected by Missing Cookie Attributes vulnerability. It was observed that the application is missing several critical cookie attributes, including Secure and SameSite. And also path is set to root...

4.3CVSS5.8AI score0.00098EPSS
Exploits0References1
vulnrichment
vulnrichment
added 2026/06/04 11:49 a.m.9 views

CVE-2025-52608 HCL iControl was affected by Missing Cookie Attributes vulnerability.

HCL iControl was affected by Missing Cookie Attributes vulnerability. It was observed that the application is missing several critical cookie attributes, including Secure and SameSite. And also path is set to root...

3.1CVSS5.8AI score0.00098EPSS
Exploits0References1
cve
cve
added 2026/06/04 11:49 a.m.25 views

CVE-2025-52608

The CVE-2025-52608 entry concerns HCL iControl with Missing Cookie Attributes: cookies lack Secure and SameSite flags and have root path. Affected component is the web application’s session cookies; root path configuration and missing security attributes are cited as the underlying issue. The pro...

4.3CVSS5.8AI score0.00098EPSS
Exploits0References1Affected Software1
cnnvd
cnnvd
added 2026/06/04 12:0 a.m.9 views

HCL iControl 安全漏洞

HCL iControl is an IT infrastructure monitoring and automation platform developed by the Indian company HCL. HCL iControl has a security vulnerability, which stems from the lack of Cookie attributes, including Secure and SameSite, and the path is set to the root directory...

4.3CVSS5.3AI score0.00098EPSS
Exploits0References1
Rows per page
Query Builder