CVE-2026-46398

Published: Giu 05, 2026 Last Modified: Giu 05, 2026

ExploitDB:

Other exploit source:

Google Dorks:

HIGH 8,8

Source: [email protected]

Attack Vector: network

Attack Complexity: low

Privileges Required: none

User Interaction: none

Confidentiality: N/A

Integrity: N/A

Availability: N/A

Description

AI Translation Available

HAX CMS helps manage microsite universe with PHP or NodeJs backends. Starting in version 25.0.0 and prior to version 26.0.0, the haxcms_refresh_token cookie is set without the Secure flag. This allows it to be transmitted over unencrypted HTTP, making it vulnerable to theft via packet sniffing on the network. Version 26.0.0 fixes the issue.

614

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

Draft

Abstraction: Variant Structure: Simple

Common Consequences

Security Scopes Affected:

Confidentiality

Potential Impacts:

Read Application Data

Applicable Platforms

Technologies: Web Based

View CWE Details

https://github.com/haxtheweb/issues/security/advisories/GHS…

https://github.com/haxtheweb/issues/security/advisories/GHSA-g7v2-r32q-jf5v

CVE-2026-46398

Description

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

Common Consequences

Applicable Platforms

Iscriviti alla newsletter