EIP-2026-107546

This exploit demonstrates an insecure cookie handling vulnerability in H2O-CMS <= 3.4, allowing an attacker to set an 'admin' cookie via JavaScript to bypass authentication.