CWE-1004 (Sensitive Cookie Without 'HttpOnly' Flag) documents a weakness type used across vulnerability databases and security assessments. Use the sections below for definition, context, and mapped CVEs.
The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.
Extended context from the CWE catalog (rendered from MITRE XHTML).
| Kind | Name | Class | Prevalence | OS / CPE |
|---|---|---|---|---|
| language | — | Not Language-Specific | Undetermined | — |
| technology | — | Web Based | Undetermined | — |
| technology | Web Server | — | Undetermined | — |
These CVEs are mapped to this weakness in this database and kept for traceability and search.
| CVE | Published | Summary |
|---|---|---|
| CVE-2026-42239 | 2026-05-07 | Budibase is an open-source low-code platform. Prior to version 3.35.10, the budibase:auth cookie containing the JWT session token is set with httpOnly: false at packages/backend-core/src/utils/utils.t… |
| CVE-2026-39338 | 2026-04-07 | ChurchCRM is an open-source church management system. Prior to 7.1.0, a Blind Reflected Cross-Site Scripting vulnerability exists in the search parameter accepted by the ChurchCRM dashboard. The appli… |
| CVE-2026-35575 | 2026-04-07 | ChurchCRM is an open-source church management system. Prior to 6.5.3, a Stored Cross-Site Scripting (Stored XSS) vulnerability in the admin panel’s group-creation feature allows any user with group-cr… |
| CVE-2026-25736 | 2026-02-25 | Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Versions prior to 35.8.3, 38.5.4, and 39.3.1 hav… |
| CVE-2026-25735 | 2026-02-25 | Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Versions prior to 35.8.3, 38.5.4, and 39.3.1 hav… |
| CVE-2026-25734 | 2026-02-25 | Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Versions prior to 35.8.3, 38.5.4, and 39.3.1 hav… |
| CVE-2026-25733 | 2026-02-25 | Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. Versions prior to 35.8.3, 38.5.4, and 39.3.1 hav… |
| CVE-2026-25136 | 2026-02-25 | Rucio is a software framework that provides functionality to organize, manage, and access large volumes of scientific data using customizable policies. A reflected Cross-site Scripting vulnerability w… |
| CVE-2026-0696 | 2026-01-16 | In ConnectWise PSA versions older than 2026.1, certain session cookies were not set with the HttpOnly attribute. In some scenarios, this could allow client-side scripts access to session cookie values… |
| CVE-2026-22081 | 2026-01-09 | This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the missing HTTPOnly flag for session cookies associated with the web-based administr… |
| CVE-2025-27223 | 2025-10-27 | TRUfusion Enterprise through 7.10.4.0 exposes the encrypted COOKIEID as an authentication mechanism for some endpoints such as /trufusionPortal/getProjectList. However, the application uses a static k… |
| CVE-2025-12031 | 2025-10-21 | HTTP Security Misconfiguration - Lacking Secure and HTTPOnly Attribute may allow reading the sensitive cookies from the javascript contextThis issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1… |
| CVE-2025-42909 | 2025-10-14 | SAP Cloud Appliance Library Appliances allows an attacker with high privileges to leverage an insecure S/4HANA default profile setting in an existing SAP CAL appliances to gain access to other applian… |
| CVE-2025-57424 | 2025-09-29 | A stored cross-site scripting (XSS) vulnerability exists in the MyCourts v3 application within the LTA number profile field. An attacker can insert arbitrary JavaScript into their profile, which execu… |
| CVE-2025-53757 | 2025-07-16 | This vulnerability exists in Digisol DG-GR6821AC Router due to misconfiguration of both Secure and HttpOnly flags on session cookies associated with the router web interface. A remote attacker could e… |
| CVE-2025-27453 | 2025-07-03 | The HttpOnly flag is set to false on the PHPSESSION cookie. Therefore, the cookie can be accessed by other sources such as JavaScript. |
| CVE-2025-49189 | 2025-06-12 | The HttpOnlyflag of the session cookie \"@@\" is set to false. Since this flag helps preventing access to cookies via client-side scripts, setting the flag to false can lead to a higher possibility of… |
| CVE-2025-47289 | 2025-06-02 | CE Phoenix is a free, open-source eCommerce platform. A stored cross-site scripting (XSS) vulnerability was discovered in CE Phoenix versions 1.0.9.9 through 1.1.0.2 where an attacker can inject malic… |
| CVE-2025-26844 | 2025-05-08 | An issue was discovered in Znuny through 7.1.3. A cookie is set without the HttpOnly flag. |
| CVE-2025-24318 | 2025-02-28 | Cookie policy is observable via built-in browser tools. In the presence of XSS, this could lead to full session compromise. |
| Date | Name | Version | Importance | Comment |
|---|---|---|---|---|
| 2017-11-08 | CWE Content Team | 3.0 | — | updated Applicable_Platforms, References, Relationships |
| 2020-02-24 | CWE Content Team | 4.0 | — | updated Applicable_Platforms, Relationships |
| 2021-10-28 | CWE Content Team | 4.6 | — | updated Relationships |
| 2023-01-31 | CWE Content Team | 4.10 | — | updated Description |
| 2023-04-27 | CWE Content Team | 4.11 | — | updated Detection_Factors, References, Relationships, Time_of_Introduction |
| 2023-06-29 | CWE Content Team | 4.12 | — | updated Mapping_Notes |
| 2023-10-26 | CWE Content Team | 4.13 | — | updated Observed_Examples |
| 2025-12-11 | CWE Content Team | 4.19 | — | updated Applicable_Platforms, Observed_Examples, References, Relationships, Weakness_Ordinalities |
| 2026-04-30 | CWE Content Team | 4.20 | — | updated Background_Details, Description, Diagram |