CVE Catalog

CVE-2026-57948

MediumCVSS 6.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.13%

3th percentile — higher than 3% of all known CVEs

Summary

Pinpoint through version 3.1.0 contains an insecure session management vulnerability where the pinpointJwt session cookie lacks HttpOnly and Secure attributes. This allows attackers to access the cookie via JavaScript (document.cookie) and transmit it in cleartext over HTTP.

Risk Assessment

Attackers can exploit stored or reflected cross-site scripting vulnerabilities to exfiltrate the session token or intercept it through network sniffing, leading to session hijacking and unauthorized access to the system.

Recommendation

Immediately upgrade Pinpoint to a version later than 3.1.0 that fixes the session management issue. Additionally, configure session cookies with HttpOnly and Secure attributes and implement XSS protection mechanisms.

Original NVD description (English source)

Pinpoint through version 3.1.0 contains an insecure session management vulnerability that allows attackers to access the pinpointJwt session cookie due to missing HttpOnly and Secure attributes, enabling JavaScript access via document.cookie and cleartext transmission over HTTP. Attackers can exploit stored or reflected cross-site scripting vulnerabilities to exfiltrate the session token or intercept it through network sniffing to perform session hijacking.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS