CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag
Abstraction: Variant. Status: Incomplete.
Description
The product stores sensitive information (for example, a session identifier) in a cookie but does not mark the cookie with the HttpOnly flag, so client-side script running in the page can read it.
Common consequences
- Confidentiality: Read Application Data. If the HttpOnly flag is not set, script running in the page (including script injected through a cross-site scripting flaw) can read the cookie through document.cookie, exposing the sensitive information it holds to unintended parties.
- Integrity: Gain Privileges or Assume Identity. If the cookie is an authentication cookie, omitting the HttpOnly flag lets an adversary who can run script in the page steal the authentication data (e.g., a session ID) and assume the identity of the user.
Potential mitigations
- Implementation: Set the HttpOnly flag whenever a sensitive cookie is set in a response (as an attribute of the Set-Cookie header). A browser that honors the flag withholds the cookie from client-side script while still sending it on subsequent requests, so script injection no longer yields the cookie value directly. HttpOnly is not a substitute for fixing the injection itself, and it does not protect the cookie in transit; the Secure and SameSite attributes address those separate concerns.
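The following is an added example, not code from the CWE entry, showing the weak and hardened Set-Cookie header values side by side and an audit routine that flags a sensitive cookie issued without HttpOnly. Attribute names are those of RFC 6265 / RFC 6265bis; the function names, the sample cookie names and the name pattern used to decide what counts as "sensitive" are assumptions made for this example.

```javascript
// Added example for CWE-1004 (not from the CWE page). Node.js, no dependencies.
// Assumption: cookies whose name matches this pattern carry sensitive data.
const SENSITIVE_COOKIE_NAME = /^(session|sess|sid|auth|token|jwt)/i;

// Build a Set-Cookie header value. The defaults are the hardened form for a
// session cookie: HttpOnly, Secure and SameSite all present.
function buildSetCookie(name, value, opts = {}) {
  const {
    httpOnly = true,
    secure = true,
    sameSite = 'Lax',
    path = '/',
    maxAge,
  } = opts;
  const parts = [`${name}=${encodeURIComponent(value)}`, `Path=${path}`];
  if (maxAge !== undefined) parts.push(`Max-Age=${maxAge}`);
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  if (sameSite) parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// Parse a Set-Cookie header value into the cookie name and a lower-cased
// attribute map. Flag attributes (Secure, HttpOnly) map to true.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attributes = {};
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return { name, attributes };
}

// Audit one Set-Cookie header. The CWE-1004 finding is a sensitive cookie
// without HttpOnly; Secure and SameSite are reported alongside it because a
// reviewer checks all three on a session cookie.
function auditSetCookie(header) {
  const { name, attributes } = parseSetCookie(header);
  const findings = [];
  if (SENSITIVE_COOKIE_NAME.test(name)) {
    if (!attributes.httponly) findings.push('CWE-1004: sensitive cookie without HttpOnly');
    if (!attributes.secure) findings.push('sensitive cookie without Secure');
    if (!attributes.samesite) findings.push('sensitive cookie without SameSite');
  }
  return { name, findings };
}

// Constructed sample headers: what a vulnerable response emits versus what
// the hardened response emits for the same session cookie.
const WEAK_HEADER = buildSetCookie('sessionid', 'abc123', {
  httpOnly: false, secure: false, sameSite: null,
});
const HARDENED_HEADER = buildSetCookie('sessionid', 'abc123');

console.log('weak:    ', WEAK_HEADER, auditSetCookie(WEAK_HEADER).findings);
console.log('hardened:', HARDENED_HEADER, auditSetCookie(HARDENED_HEADER).findings);

module.exports = { buildSetCookie, parseSetCookie, auditSetCookie, WEAK_HEADER, HARDENED_HEADER };
```

Run it with `node` to see the weak header audited with three findings and the hardened header with none. The same `auditSetCookie` routine can be pointed at real response headers (for instance, every Set-Cookie value captured by a proxy during a test) to find the cookies this weakness describes.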