CVEs classified under CWE-614, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (34)
CVE-2025-8037 — CVSS 9.1 (critical): Setting a nameless cookie with an equals sign in the value shadowed other cookies. Even if the nameless cookie was set over HTTP and the…
CVE-2026-53661: Boruta is a standalone authorization server that aims to implement OAuth 2.0 and Openid Connect up to decentralized identity…
CVE-2026-46398: HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 25.0.0 and prior to version 26.0.0, the…
CVE-2025-53757: This vulnerability exists in Digisol DG-GR6821AC Router due to misconfiguration of both Secure and HttpOnly flags on session cookies…
CVE-2025-0479: This vulnerability exists in the CP Plus Router due to insecure handling of cookie flags used within its web interface. A remote attacker…
CVE-2024-2493 — CVSS 7.5 (high): Session Hijacking vulnerability in Hitachi Ops Center Analyzer.This issue affects Hitachi Ops Center Analyzer: from 10.0.0-00 before…
CVE-2026-57948 — CVSS 6.8 (medium): Pinpoint through version 3.1.0 contains an insecure session management vulnerability that allows attackers to access the pinpointJwt…
CVE-2025-24390 — CVSS 6.8 (medium): A vulnerability in OTRS Application Server and reverse proxy settings allows session hijacking due to missing attributes for sensitive…
CVE-2026-43828 — CVSS 6.5 (medium): Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute. This issue affects Apache Shiro…
CVE-2026-1697 — CVSS 6.5 (medium): The Secure and SameSite attribute are missing in the GraphicalData web services and WebClient web app of PcVue in version 12.0.0 through…
CVE-2025-52632 — CVSS 6.5 (medium): A Missing Secure Attribute in Encrypted Session (SSL) Cookie vulnerability in HCL AION.This issue affects AION: 2.0.
CVE-2025-27450 — CVSS 6.5 (medium): The Secure attribute is missing on multiple cookies provided by the MEAC300-FNADE4. An attacker can trick a user to establish an…
CVE-2026-41017 — CVSS 5.9 (medium): Apache Airflow's `JWTRefreshMiddleware` set the JWT auth cookie without the `Secure` flag, so deployments running the Airflow API server…
CVE-2026-22617 — CVSS 5.7 (medium): Eaton Intelligent Power Protector (IPP) uses an insecure cookie configuration, which could allow a network‑based attacker to intercept…
CVE-2023-5866 — CVSS 5.7 (medium): Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository thorsten/phpmyfaq prior to 3.2.1.
CVE-2024-35211 — CVSS 5.5 (medium): A vulnerability has been identified in SINEC Traffic Analyzer (6GK8822-1BG01-0BA0) (All versions < V1.2). The affected web server, after a…
CVE-2026-46550 — CVSS 5.4 (medium): NocoDB is software for building databases as spreadsheets. Prior to 2026.04.1, the refresh-token cookie was set with httpOnly: true but…
CVE-2024-58317 — CVSS 5.3 (medium): A cookie security configuration vulnerability in Kentico Xperience allows attackers to bypass SSL requirements when setting administration…
CVE-2024-41684 — CVSS 5.3 (medium): This vulnerability exists in SyroTech SY-GPON-1110-WDONT Router due to missing secure flag for the session cookies associated with the…
CVE-2023-33860 — CVSS 5.3 (medium): IBM Security QRadar EDR 3.12 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the…
CVE-2024-28771 — CVSS 4.8 (medium): IBM Security Directory Integrator 7.2.0 and IBM Security Verify Directory Integrator 10.0.0 does not set the secure attribute on…
CVE-2024-28770 — CVSS 4.8 (medium): IBM Security Directory Integrator 7.2.0 and IBM Security Verify Directory Integrator 10.0.0 does not set the secure attribute on…
CVE-2023-3520 — CVSS 4.6 (medium): Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository it-novum/openitcockpit prior to 4.6.6.
CVE-2025-36011 — CVSS 4.3 (medium): IBM Jazz for Service Management 1.1.3.0 through 1.1.3.24 does not set the secure attribute on authorization tokens or session cookies…
CVE-2025-36026 — CVSS 4.3 (medium): IBM Datacap 9.1.7, 9.1.8, and 9.1.9 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to…
CVE-2024-55897 — CVSS 4.3 (medium): IBM PowerHA SystemMirror for i 7.4 and 7.5 does not set the secure attribute on authorization tokens or session cookies. Attackers may be…
CVE-2023-46179 — CVSS 4.3 (medium): IBM Sterling Secure Proxy 6.0.3 and 6.1.0 does not set the secure attribute on authorization tokens or session cookies. Attackers may be…
CVE-2024-30142 — CVSS 3.8 (low): HCL BigFix Compliance is affected by a missing secure flag on a cookie. If a secure flag is not set, cookies may be stolen by an attacker…
CVE-2026-11956 — CVSS 3.7 (low): A vulnerability was determined in TwiN gatus 5.36.0. Impacted is the function setSessionCookie of the file security/oidc.go of the…
CVE-2025-36249 — CVSS 3.7 (low): IBM Jazz for Service Management 1.1.3.0 through 1.1.3.25 does not set the secure attribute on authorization tokens or session cookies…
CVE-2024-0349 — CVSS 3.7 (low): A vulnerability was found in SourceCodester Engineers Online Portal 1.0. It has been declared as problematic. Affected by this…
CVE-2025-52614 — CVSS 3.5 (low): HCL Unica Platform is affected by a Cookie without HTTPOnly Flag Set vulnerability. A malicious agent may be able to induce this event by…
CVE-2023-4654 — CVSS 3.5 (low): Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository instantsoft/icms2 prior to 2.16.1.
CVE-2025-52608 — CVSS 3.1 (low): HCL iControl was affected by Missing Cookie Attributes vulnerability. It was observed that the application is missing several critical…