CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag

Total CVEs: 12
Critical: 1
High: 3
Avg CVSS: 6.7

Yearly Trend

2026: 2
2025: 6
2024: 2
2023: 1
2021: 1

Top Affected Vendors

1. Sick (1 CVE)
2. Connectwise (1 CVE)
3. Endress (1 CVE)
4. Syrotech (1 CVE)
5. Azure Access (1 CVE)
6. Phoenixcart (1 CVE)
7. Znuny (1 CVE)
8. Johnsoncontrols (1 CVE)
9. Openfind (1 CVE)
10. Businessdnasolutions (1 CVE)

All CWE-1004 CVEs (12)

CVE-2025-26844 (CVSS 9.8, published May 8, 2025)
This vulnerability in Znuny (formerly OTRS) allows attackers to steal session cookies via cross-site scripting (XSS) attacks because cookies lack the ...

CVE-2021-42115 (CVSS 8.1, published Nov 30, 2021)
This vulnerability allows unauthenticated remote attackers to steal session-independent static cookies and escalate privileges to authenticated users ...

CVE-2024-41685 (CVSS 7.5, published Jul 26, 2024)
This vulnerability in SyroTech SY-GPON-1110-WDONT routers allows attackers to steal session cookies from the web management interface due to missing H...

CVE-2022-21939 (CVSS 7.5, published Feb 9, 2023)
This vulnerability in Johnson Controls System Configuration Tool (SCT) exposes sensitive cookies to client-side scripts because they lack the 'HttpOnl...

CVE-2025-24318 (CVSS 6.8, published Feb 28, 2025)
This vulnerability allows attackers to observe cookie policies through built-in browser developer tools. When combined with a cross-site scripting (XS...

CVE-2026-0696 (CVSS 6.5, published Jan 16, 2026)
ConnectWise PSA versions before 2026.1 fail to set HttpOnly attribute on certain session cookies, potentially allowing client-side scripts to access s...

CVE-2025-47289 (CVSS 6.3, published Jun 2, 2025)
A stored cross-site scripting (XSS) vulnerability in CE Phoenix eCommerce platform allows attackers to inject malicious JavaScript into testimonial de...

CVE-2025-12031 (CVSS 5.3, published Oct 21, 2025)
This vulnerability allows attackers to read sensitive cookies via JavaScript due to missing Secure and HttpOnly attributes. It affects BLU-IC2 and BLU...

CVE-2025-27453 (CVSS 5.3, published Jul 3, 2025)
This vulnerability allows client-side scripts (like JavaScript) to access the PHPSESSION cookie because the HttpOnly flag is disabled. This affects we...

CVE-2025-49189 (CVSS 5.3, published Jun 12, 2025)
This vulnerability involves a session cookie named '@@' being configured without the HttpOnly flag, making it accessible to client-side scripts. This ...

CVE-2024-6739 (CVSS 5.3, published Jul 15, 2024)
This vulnerability in Openfind's MailGates and MailAudit products allows remote attackers to potentially steal session cookies via cross-site scriptin...

CVE-2026-22081 (CVSS not yet assigned, published Jan 9, 2026)
This vulnerability allows remote attackers to capture session cookies from Tenda wireless routers due to missing HTTPOnly flags and insecure HTTP tran...

About CWE-1004 (Sensitive Cookie Without 'HttpOnly' Flag)

Our database tracks 12 CVEs classified as CWE-1004, with 1 rated critical and 3 rated high severity. The average CVSS score for CWE-1004 vulnerabilities is 6.7, computed over the 11 entries that have a score (CVE-2026-22081 has none yet). The weakness itself is narrow: the HttpOnly attribute on a Set-Cookie header tells the browser not to expose that cookie to script (document.cookie and similar APIs), so a session or authentication cookie set without it can be read and exfiltrated by any JavaScript that runs in the page, which is why nearly every entry above is paired with a cross-site scripting (XSS) vector. HttpOnly is a hardening control that limits the impact of XSS, not a fix for the XSS itself, and several entries also note a missing Secure attribute, which lets the same cookie travel over plaintext HTTP.
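The check a practitioner wants against this class is a quick audit of the Set-Cookie headers a service returns. The script below is an added example and is not code from this database page or from any of the listed vendors. It parses RFC 6265 Set-Cookie values, flags session-looking cookies that lack HttpOnly (the CWE-1004 case) and, as related findings, a missing Secure or SameSite attribute. The SESSION_NAME_HINTS list is a hypothetical heuristic, and the sample headers at the bottom are constructed, not captured from a real product; the first one mirrors the PHPSESSID pattern seen in the listing, the second is its hardened form.

```python
"""Audit Set-Cookie headers for CWE-1004 (sensitive cookie without HttpOnly).

Added example; not code from the page or any listed vendor. Sample
headers below are constructed, not captured from a real product.
"""
from dataclasses import dataclass, field
from typing import Collection, Iterable, List, Optional
import urllib.request

# Substrings that usually mark a session/auth cookie. Hypothetical
# heuristic; pass extra exact names via `sensitive_names` (e.g. "@@").
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login", "jwt")


@dataclass
class CookieAudit:
    name: str
    httponly: bool
    secure: bool
    samesite: Optional[str]
    looks_sensitive: bool
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header: str, sensitive_names: Collection[str] = ()) -> CookieAudit:
    """Parse one Set-Cookie header value and flag missing protections on
    cookies that look like session or authentication tokens."""
    parts = [p.strip() for p in header.split(";")]
    name, _, _value = parts[0].partition("=")
    name = name.strip()
    # Attribute names are case-insensitive; HttpOnly and Secure carry no value.
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    httponly = "httponly" in attrs
    secure = "secure" in attrs
    samesite = attrs.get("samesite")
    sensitive = name in sensitive_names or any(
        hint in name.lower() for hint in SESSION_NAME_HINTS
    )
    audit = CookieAudit(name, httponly, secure, samesite, sensitive)
    if sensitive:
        if not httponly:
            audit.findings.append("CWE-1004: sensitive cookie without HttpOnly "
                                  "(readable via document.cookie after XSS)")
        if not secure:
            audit.findings.append("CWE-614: sensitive cookie without Secure "
                                  "(sent over plaintext HTTP)")
        if samesite is None:
            audit.findings.append("no SameSite attribute (browser default applies)")
    return audit


def audit_headers(headers: Iterable[str], sensitive_names: Collection[str] = ()) -> List[CookieAudit]:
    return [parse_set_cookie(h, sensitive_names) for h in headers]


def fetch_set_cookie_headers(url: str) -> List[str]:
    """Return every Set-Cookie header from a live response (standard
    library only). Not called by the offline demo below."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.headers.get_all("Set-Cookie") or []


# Constructed sample input: vulnerable PHPSESSID, hardened PHPSESSID, harmless cookie.
SAMPLE_SET_COOKIE_HEADERS = [
    "PHPSESSID=3f9c1d2e; Path=/",
    "PHPSESSID=3f9c1d2e; Path=/; Secure; HttpOnly; SameSite=Lax",
    "theme=dark; Path=/; Max-Age=31536000",
]


def report(audits: Iterable[CookieAudit]) -> str:
    lines = []
    for a in audits:
        lines.append(f"{a.name}: {'FINDINGS' if a.findings else 'OK'}")
        lines.extend(f"  - {f}" for f in a.findings)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(audit_headers(SAMPLE_SET_COOKIE_HEADERS)))
```

To run it against a real target, feed fetch_set_cookie_headers(url) into audit_headers; note that a server can emit several Set-Cookie headers, which is why get_all is used rather than a single header lookup.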

External reference: CWE-1004 on MITRE CWE, https://cwe.mitre.org/data/definitions/1004.html
