CWE-1004 · Sensitive Cookie Without 'HttpOnly' Flag
37 CVEs classified under CWE-1004 (Sensitive Cookie Without 'HttpOnly' Flag). Browse by severity and year.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2026-42239 | High | 8.1 | 2026-05-07 | Budibase is an open-source low-code platform. Prior to version 3.35.10, the budibase:auth cookie containing the JWT session token is set with httpOnly: false a… |
| CVE-2026-25136 | High | 8.1 | 2026-02-25 | Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. A refle… |
| CVE-2021-42115 | High | 8.1 | 2021-11-30 | Missing HTTPOnly flag in Web Applications operating on Business-DNA Solutions GmbH's TopEase® Platform Version <= 7.1.27 allows an unauthenticated remote attac… |
| CVE-2026-35575 | High | 8.0 | 2026-04-07 | ChurchCRM is an open-source church management system. Prior to 6.5.3, a Stored Cross-Site Scripting (Stored XSS) vulnerability in the admin panel's group-creat… |
| CVE-2022-21939 | High | 7.5 | 2023-02-09 | Sensitive Cookie Without 'HttpOnly' Flag vulnerability in Johnson Controls System Configuration Tool (SCT) version 14 prior to 14.2.3 and version 15 prior to 1… |
| CVE-2022-25172 | High | 7.5 | 2022-05-12 | An information disclosure vulnerability exists in the web interface session cookie functionality of InHand Networks InRouter302 V3.5.4. The session cookie miss… |
| CVE-2021-3706 | High | 7.4 | 2021-09-15 | adminlte is vulnerable to Sensitive Cookie Without 'HttpOnly' Flag. |
| CVE-2026-25733 | High | 7.3 | 2026-02-25 | Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Version… |
| CVE-2020-27658 | High | 7.1 | 2020-10-29 | Synology Router Manager (SRM) before 1.2.4-8081 does not include the HTTPOnly flag in a Set-Cookie header for the session cookie, which makes it easier for rem… |
| CVE-2025-24318 | Medium | 6.8 | 2025-02-28 | Cookie policy is observable via built-in browser tools. In the presence of XSS, this could lead to full session compromise. |
| CVE-2026-0696 | Medium | 6.5 | 2026-01-16 | In ConnectWise PSA versions older than 2026.1, certain session cookies were not set with the HttpOnly attribute. In some scenarios, this could allow client-sid… |
| CVE-2021-39210 | Medium | 6.5 | 2021-09-15 | GLPI is a free Asset and IT management software package. In versions prior to 9.5.6, the cookie used to store the autologin cookie (when a user uses the "remem… |
| CVE-2025-47289 | Medium | 6.3 | 2025-06-02 | CE Phoenix is a free, open-source eCommerce platform. A stored cross-site scripting (XSS) vulnerability was discovered in CE Phoenix versions 1.0.9.9 through 1… |
| CVE-2020-6267 | Medium | 6.3 | 2020-07-14 | Some sensitive cookies in SAP Disclosure Management, version 10.1, are missing the HttpOnly flag, leading to sensitive cookie without HttpOnly flag. |
| CVE-2026-25736 | Medium | 6.1 | 2026-02-25 | Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Version… |
| CVE-2026-25735 | Medium | 6.1 | 2026-02-25 | Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Version… |
| CVE-2026-25734 | Medium | 6.1 | 2026-02-25 | Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Version… |
| CVE-2025-27453 | Medium | 5.3 | 2025-07-03 | The HttpOnly flag is set to false on the PHPSESSION cookie. Therefore, the cookie can be accessed by other sources such as JavaScript. |
| CVE-2025-49189 | Medium | 5.3 | 2025-06-12 | The HttpOnly flag of the session cookie "@@" is set to false. Since this flag helps prevent access to cookies via client-side scripts, setting the flag to… |
| CVE-2024-6739 | Medium | 5.3 | 2024-07-15 | The session cookie in MailGates and MailAudit from Openfind does not have the HttpOnly flag enabled, allowing remote attackers to potentially steal the session… |