Tag
high
advisory
js-cookie Prototype Pollution via __proto__ Attribute Injection (CVE-2026-46625)
2 rules, 1 TTP
The js-cookie library is vulnerable to prototype pollution via the `assign()` function when processing JSON-derived objects, enabling an attacker to inject arbitrary cookie attributes by manipulating the `__proto__` property, as demonstrated by CVE-2026-46625.
js-cookie
prototype-pollution
javascript
cookie
CVE-2026-46625
high
advisory
async-http-client Cookie Header Leak on Cross-Origin Redirect
2 rules, 1 TTP
The async-http-client library leaks `Cookie` headers to cross-origin redirect targets due to missing header stripping in `Redirect30xInterceptor.java`, potentially exposing sensitive information to malicious third parties.
async-http-client +1
cookie
header
redirect
vulnerability
ghsa
CVE-2026-45300
high
advisory
Budibase XSS Leads to Account Takeover via JWT Theft
2 rules, 1 TTP
The `budibase:auth` cookie in Budibase is set without the `httpOnly` flag, enabling attackers with XSS to steal JWTs and gain persistent access to user accounts.
Budibase
xss
account takeover
jwt
cookie