CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
53 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories.
CVEs classified under CWE-614 (page 2 of 2)
- CVE-2026-43828 | MEDIUM | CVSS 6.5 | EG 6.5 | 2026-05-25
Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.…
- CVE-2026-46550 | MEDIUM | CVSS 5.4 | EG 5.4 | 2026-05-21
NocoDB: Refresh Token Cookie Set Without `secure` and `sameSite` Flags. Summary: The refresh-token cookie was set with `httpOnly: true` but missing both the `secure` flag and the `sameSite` attribute. Over plain HTTP the cookie could b…
- CVE-2026-4820 | MEDIUM | CVSS 4.3 | EG 4.3 | 2026-04-01
IBM Maximo Application Suite 9.1, 9.0, 8.11, and 8.10 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link…