CVE-2026-57948
MediumCVSS 6.8Exploitation Probability (EPSS)
Low risk3th percentile — higher than 3% of all known CVEs
Summary
Pinpoint through version 3.1.0 contains an insecure session management vulnerability where the pinpointJwt session cookie lacks HttpOnly and Secure attributes. This allows attackers to access the cookie via JavaScript (document.cookie) and transmit it in cleartext over HTTP.
Risk Assessment
Attackers can exploit stored or reflected cross-site scripting vulnerabilities to exfiltrate the session token or intercept it through network sniffing, leading to session hijacking and unauthorized access to the system.
Recommendation
Immediately upgrade Pinpoint to a version later than 3.1.0 that fixes the session management issue. Additionally, configure session cookies with HttpOnly and Secure attributes and implement XSS protection mechanisms.
Original NVD description (English source)
Pinpoint through version 3.1.0 contains an insecure session management vulnerability that allows attackers to access the pinpointJwt session cookie due to missing HttpOnly and Secure attributes, enabling JavaScript access via document.cookie and cleartext transmission over HTTP. Attackers can exploit stored or reflected cross-site scripting vulnerabilities to exfiltrate the session token or intercept it through network sniffing to perform session hijacking.

