CVE-2026-11956

Summary
Assigner: VulDB
Assigner Org ID: 1af790b2-7ee1-4545-860a-a788eba489b5
Published At: 11 Jun, 2026 | 11:30
Updated At: 11 Jun, 2026 | 12:52
Rejected At: -

TwiN gatus OIDC Session Cookie oidc.go setSessionCookie missing secure attribute

A vulnerability was determined in TwiN gatus 5.36.0. Impacted is the function setSessionCookie of the file security/oidc.go of the component OIDC Session Cookie Handler. Executing a manipulation can lead to a sensitive cookie without the Secure attribute. The attack can be launched remotely. This attack is characterized by high complexity. The exploitability is considered difficult. The reported GitHub issue was closed with the label "not planned".

Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner: VulDB
Assigner Org ID: 1af790b2-7ee1-4545-860a-a788eba489b5
Published At: 11 Jun, 2026 | 11:30
Updated At: 11 Jun, 2026 | 12:52
Rejected At: -
CVE Numbering Authority (CNA)
Affected Products
Vendor
TwiN
Product
gatus
CPEs
  • cpe:2.3:a:twin:gatus:*:*:*:*:*:*:*:*
Modules
  • OIDC Session Cookie Handler
Versions
Affected
  • 5.36.0
Problem Types
Type | CWE ID   | Description
CWE  | CWE-614  | Sensitive Cookie Without Secure Attribute
CWE  | CWE-1004 | Cookie Without 'HttpOnly' Flag
Metrics
Version | Base score | Base severity | Vector
4.0     | 6.3        | MEDIUM        | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X
3.1     | 3.7        | LOW           | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:X/RL:X/RC:R
3.0     | 3.7        | LOW           | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:X/RL:X/RC:R
2.0     | 2.6        | N/A           | AV:N/AC:H/Au:N/C:P/I:N/A:N/E:ND/RL:ND/RC:UR
Credits
Reporter: geochen (VulDB User)
Coordinator: VulDB CNA Team
Timeline
Event                   | Date
Advisory disclosed      | 2026-06-11 00:00:00
VulDB entry created     | 2026-06-11 02:00:00
VulDB entry last update | 2026-06-11 09:01:08
References
Hyperlink                                  | Resource
https://vuldb.com/vuln/370343              | vdb-entry, technical-description
https://vuldb.com/vuln/370343/cti          | signature, permissions-required
https://vuldb.com/cve/CVE-2026-11956       | third-party-advisory
https://vuldb.com/submit/836328            | third-party-advisory
https://github.com/TwiN/gatus/issues/1689  | issue-tracking
https://github.com/TwiN/gatus/             | product
Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
References
Hyperlink                                  | Resource
https://vuldb.com/submit/836328            | exploit
https://github.com/TwiN/gatus/issues/1689  | exploit
National Vulnerability Database (NVD)
nvd.nist.gov
Source: cna@vuldb.com
Published At: 11 Jun, 2026 | 13:16
Updated At: 11 Jun, 2026 | 14:42
CISA Catalog
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
Type      | Version | Base score | Base severity | Vector
Secondary | 4.0     | 6.3        | MEDIUM        | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Secondary | 3.1     | 3.7        | LOW           | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
Secondary | 2.0     | 2.6        | LOW           | AV:N/AC:H/Au:N/C:P/I:N/A:N
Weaknesses
CWE ID   | Type      | Source
CWE-614  | Secondary | cna@vuldb.com
CWE-1004 | Secondary | cna@vuldb.com
References
Hyperlink                                  | Source                               | Resource
https://github.com/TwiN/gatus/             | cna@vuldb.com                        | N/A
https://github.com/TwiN/gatus/issues/1689  | cna@vuldb.com                        | N/A
https://vuldb.com/cve/CVE-2026-11956       | cna@vuldb.com                        | N/A
https://vuldb.com/submit/836328            | cna@vuldb.com                        | N/A
https://vuldb.com/vuln/370343              | cna@vuldb.com                        | N/A
https://vuldb.com/vuln/370343/cti          | cna@vuldb.com                        | N/A
https://github.com/TwiN/gatus/issues/1689  | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | N/A
https://vuldb.com/submit/836328            | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | N/A

Change History: 0 records

Similar CVEs

7 records found

CVE-2022-43845
Matching Score: 4
Assigner: IBM Corporation
CVSS Score: 3.7 (LOW)
EPSS: 0.09% / 24.83%
7 Day CHG: ~0.00%
Published: 24 Sep, 2024 | 10:11
Updated: 26 Sep, 2024 | 13:32
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
IBM Aspera Console information disclosure

IBM Aspera Console 3.4.0 through 3.4.4 could allow a remote attacker to obtain sensitive information, caused by the failure to set the HTTPOnly flag. A remote attacker could exploit this vulnerability to obtain sensitive information from the cookie.

Action: Not Available
Vendor: IBM Corporation
Product: Aspera Console
CWE ID: CWE-1004 (Sensitive Cookie Without 'HttpOnly' Flag)
CVE-2019-25091
Matching Score: 4
Assigner: VulDB
CVSS Score: 3.7 (LOW)
EPSS: 0.25% / 48.85%
7 Day CHG: ~0.00%
Published: 27 Dec, 2022 | 22:42
Updated: 17 May, 2024 | 01:36
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
nsupdate.info CSRF Cookie base.py cookie httponly flag

A vulnerability classified as problematic has been found in nsupdate.info. This affects an unknown part of the file src/nsupdate/settings/base.py of the component CSRF Cookie Handler. The manipulation of the argument CSRF_COOKIE_HTTPONLY leads to cookie without 'httponly' flag. It is possible to initiate the attack remotely. The name of the patch is 60a3fe559c453bc36b0ec3e5dd39c1303640a59a. It is recommended to apply a patch to fix this issue. The identifier VDB-216909 was assigned to this vulnerability.

Action: Not Available
Vendor: nsupdate, n/a
Product: nsupdate.info
CWE ID: CWE-1004 (Sensitive Cookie Without 'HttpOnly' Flag)
CVE-2022-33167
Matching Score: 4
Assigner: IBM Corporation
CVSS Score: 3.7 (LOW)
EPSS: 0.09% / 24.73%
7 Day CHG: ~0.00%
Published: 30 Jul, 2024 | 17:05
Updated: 13 Aug, 2024 | 14:29
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
IBM Security Directory Integrator information disclosure

IBM Security Directory Integrator 7.2.0 and IBM Security Verify Directory Integrator 10.0.0 could allow a remote attacker to obtain sensitive information, caused by the failure to set the HTTPOnly flag. A remote attacker could exploit this vulnerability to obtain sensitive information from the cookie. IBM X-Force ID: 228587.

Action: Not Available
Vendor: IBM Corporation
Product: security_verify_directory_integrator, security_directory_integrator, Security Directory Integrator, Security Verify Directory Integrator
CWE ID: CWE-1004 (Sensitive Cookie Without 'HttpOnly' Flag)
CWE ID: CWE-732 (Incorrect Permission Assignment for Critical Resource)
CVE-2020-27650
Matching Score: 4
Assigner: Synology Inc.
CVSS Score: 5.8 (MEDIUM)
EPSS: 0.17% / 37.75%
7 Day CHG: ~0.00%
Published: 29 Oct, 2020 | 09:00
Updated: 14 Jan, 2025 | 19:29
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available

Synology DiskStation Manager (DSM) before 6.2.3-25426-2 does not set the Secure flag for the session cookie in an HTTPS session, which makes it easier for remote attackers to capture this cookie by intercepting its transmission within an HTTP session.

Action: Not Available
Vendor: Synology, Inc.
Product: diskstation_manager, skynas, skynas_firmware, DiskStation Manager (DSM)
CWE ID: CWE-614 (Sensitive Cookie in HTTPS Session Without 'Secure' Attribute)
CWE ID: CWE-311 (Missing Encryption of Sensitive Data)
CVE-2025-36249
Matching Score: 4
Assigner: IBM Corporation
CVSS Score: 3.7 (LOW)
EPSS: 0.01% / 2.17%
7 Day CHG: 0.00%
Published: 31 Oct, 2025 | 13:05
Updated: 05 Nov, 2025 | 19:47
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
IBM Jazz for Service Management is vulnerable to "filter" cookie not sent over SSL

IBM Jazz for Service Management 1.1.3.0 through 1.1.3.25 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending an http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic.

Action: Not Available
Vendor: IBM Corporation
Product: jazz_for_service_management, Jazz for Service Management
CWE ID: CWE-614 (Sensitive Cookie in HTTPS Session Without 'Secure' Attribute)
CVE-2024-0349
Matching Score: 4
Assigner: VulDB
CVSS Score: 3.7 (LOW)
EPSS: 0.05% / 15.21%
7 Day CHG: ~0.00%
Published: 09 Jan, 2024 | 22:31
Updated: 17 Apr, 2025 | 17:18
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
SourceCodester Engineers Online Portal missing secure attribute

A vulnerability was found in SourceCodester Engineers Online Portal 1.0. It has been declared as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to sensitive cookie without secure attribute. The attack can be launched remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier VDB-250117 was assigned to this vulnerability.

Action: Not Available
Vendor: janobe, SourceCodester
Product: engineers_online_portal, Engineers Online Portal
CWE ID: CWE-614 (Sensitive Cookie in HTTPS Session Without 'Secure' Attribute)
CVE-2018-25060
Matching Score: 4
Assigner: VulDB
CVSS Score: 3.7 (LOW)
EPSS: 0.16% / 36.67%
7 Day CHG: ~0.00%
Published: 30 Dec, 2022 | 11:47
Updated: 05 Aug, 2024 | 12:26
Rejected: Not Available
Known To Be Used In Ransomware Campaigns?: Not Available
KEV Added: Not Available
KEV Action Due Date: Not Available
Macaron csrf csrf.go missing secure attribute

A vulnerability was found in Macaron csrf and classified as problematic. Affected by this issue is some unknown functionality of the file csrf.go. The manipulation of the argument Generate leads to sensitive cookie without secure attribute. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The patch is identified as dadd1711a617000b70e5e408a76531b73187031c. It is recommended to apply a patch to fix this issue. VDB-217058 is the identifier assigned to this vulnerability.

Action: Not Available
Vendor: go-macaron, Macaron
Product: csrf
CWE ID: CWE-614 (Sensitive Cookie in HTTPS Session Without 'Secure' Attribute)
CWE ID: CWE-311 (Missing Encryption of Sensitive Data)