CWE-614
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
The Secure attribute for sensitive cookies in HTTPS sessions is not set.
58 vulnerabilities with CWE-614
CVE-2026-53661
HIGH
boruta-server sent sensitive session cookies without the Secure attribute
CVE-2026-11956
LOW
TwiN gatus OIDC Session Cookie oidc.go setSessionCookie missing secure attribute
CVSS 3.7
CVE-2026-46398
HIGH
haxtheweb haxcms-php - HAX CMS Missing Secure Flag on Cookie
CVE-2026-41017
MEDIUM
Apache Airflow: JWT cookie missing Secure flag in JWTRefreshMiddleware behind HTTPS-terminating proxy
CVSS 5.9
CVE-2026-43828
MEDIUM
Apache Shiro: Shiro's native session and rememberMe cookies do not have secure flag set by default
CVSS 6.5
CVE-2026-22617
MEDIUM
Eaton IPP Software <2.0 - Auth Bypass
CVSS 5.7
CVE-2026-4820
MEDIUM
IBM Maximo Application Suite was vulnerable to because Cookie ltpatoken2_<workspace_name> was not set with secure flag
CVSS 4.3
CVE-2026-32745
MEDIUM
JetBrains Datalore <2026.1 - Session Hijacking
CVSS 6.3
CVE-2026-1697
MEDIUM
PcVue 12.0.0-16.3.3 - Sensitive Cookie Exposure via Missing Secure and SameSite Attributes
CVSS 6.5
CVE-2025-52608
LOW
HCL iControl was affected by Missing Cookie Attributes vulnerability.
CVSS 3.1
CVE-2025-36249
LOW
IBM Jazz for Service Management <1.1.3.25 - Open Redirect
CVSS 3.7
CVE-2025-52614
LOW
HCL Unica Platform - Info Disclosure
CVSS 3.5
CVE-2025-52632
MEDIUM
HCL AION 2.0 - Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
CVSS 6.5
CVE-2025-36011
MEDIUM
IBM Jazz for Service Management <1.1.3.24 - Open Redirect
CVSS 4.3
CVE-2025-8037
CRITICAL
Firefox < 141, Firefox ESR < 140.1, Thunderbird < 141, Thunderbird ...
CVSS 9.1
CVE-2025-53757
HIGH
Digisol DG-GR6821AC Router - Info Disclosure
CVE-2025-27450
MEDIUM
MEAC300-FNADE4 Firmware < 0.16.0 - Sensitive Cookie Exposure via Missing Secure Attribute
CVSS 6.5
CVE-2025-36026
MEDIUM
IBM Datacap <9.1.7-9.1.9 - Open Redirect
CVSS 4.3
CVE-2025-24897
HIGH
Misskey 12.109.0-2025.2.0 - Cross-Site Request Forgery via Bull Dashboard Authentication Cookies
CVSS 8.2
CVE-2025-24390
MEDIUM
OTRS 7.0.x 8.0.x 2023.x 2024.x - Session Hijacking via Sensitive Cookie Without Secure Attribute
CVSS 6.8
CVE-2025-0479
HIGH
CP Plus CP-XR-DE21-S Router >=DE21_S_india_hx806_1.057.043_0023 - Sensitive Cookie Without 'HttpOnly' Flag
CVE-2024-58317
MEDIUM
Kentico Xperience < 13.0.164 - Sensitive Cookie Exposure via web.config requireSSL Misconfiguration
CVSS 5.3
CVE-2024-10718
HIGH
phpipam < 1.7.0 - Cleartext Transmission of Sensitive Information via Cookie Secure Attribute
CVSS 7.5
CVE-2024-28771
MEDIUM
IBM Security Directory Integrator <7.2.0, IBM Security Verify Direc...
CVSS 4.8
CVE-2024-28770
MEDIUM
IBM Security Directory Integrator <7.2.0, IBM Security Verify Direc...
CVSS 4.8