Cyber Posture

CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag
Source: MITRE CWE

Abstraction: Variant · CVEs in our corpus: 40

The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.

The HttpOnly flag directs compatible browsers to prevent client-side script from accessing cookies. Including the HttpOnly attribute in the Set-Cookie HTTP response header helps mitigate the risk associated with Cross-Site Scripting (XSS), where an attacker's script might attempt to read the contents of a cookie and exfiltrate the information obtained. When the flag is set, browsers that support it will not reveal the contents of the cookie to client-side script, including script injected via XSS.
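A small audit of Set-Cookie response headers that flags sensitive-looking cookies issued without HttpOnly, added here as an example and not part of the CWE entry; the sensitive-name pattern and the sample header values are constructed assumptions, so adjust the pattern to the application's real session and auth cookie names.

```python
"""Audit Set-Cookie headers for sensitive cookies missing HttpOnly (CWE-1004)."""
import re
from typing import Dict, List

# Assumption for this example: cookie names matching this pattern carry
# session or auth material. CSRF cookies are deliberately excluded, since
# double-submit schemes need them readable from script.
SENSITIVE_NAME_PATTERN = re.compile(r"(session|sess|auth|token|jwt|sid)", re.IGNORECASE)


def parse_set_cookie(header_value: str) -> Dict[str, object]:
    """Split one Set-Cookie header value into name, value and attribute map."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        # Attribute names are case-insensitive (RFC 6265); valueless
        # attributes such as Secure and HttpOnly are recorded as True.
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_set_cookie_headers(headers: List[str]) -> List[str]:
    """Return one finding per sensitive-looking cookie set without HttpOnly."""
    findings = []
    for raw in headers:
        cookie = parse_set_cookie(raw)
        if not SENSITIVE_NAME_PATTERN.search(cookie["name"]):
            continue  # not treated as sensitive; no finding
        if "httponly" not in cookie["attrs"]:
            findings.append(
                f"{cookie['name']}: missing HttpOnly (readable by script after XSS)"
            )
    return findings


# Constructed sample headers: one vulnerable, one hardened, one non-sensitive.
SAMPLE_HEADERS = [
    "SESSIONID=abc123; Path=/; Secure",                        # sensitive, no HttpOnly
    "auth_token=xyz; Path=/; Secure; HttpOnly; SameSite=Lax",  # sensitive, hardened
    "theme=dark; Path=/",                                      # not sensitive
]

if __name__ == "__main__":
    for finding in audit_set_cookie_headers(SAMPLE_HEADERS):
        print(finding)
```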

Last updated: 09 May 2026 03:25 UTC

NIST 800-53 r5 controls that address this weakness (0)

Control  Title  Family  Why it addresses this CWE
No NIST controls proposed yet.

Top CVEs of this weakness type, ranked by Risk Priority

CVE             Risk  CVSS  EPSS    Published
CVE-2025-26844  2.0   9.8   0.0037  2025-05-08
CVE-2025-27223  1.8   7.5   0.0551  2025-10-27
CVE-2021-42115  1.7   8.1   0.0057  2021-11-30
CVE-2026-25136  1.6   8.1   0.0008  2026-02-25
CVE-2026-35575  1.6   8.0   0.0004  2026-04-07
CVE-2026-42239  1.6   8.1   0.0003  2026-05-07
CVE-2021-3706   1.5   7.5   0.0015  2021-09-15
CVE-2022-21939  1.5   7.5   0.0022  2023-02-09
CVE-2024-41685  1.5   7.5   0.0023  2024-07-26
CVE-2025-57424  1.5   7.3   0.0003  2025-09-29
CVE-2026-25733  1.5   7.3   0.0006  2026-02-25
CVE-2020-27658  1.4   7.1   0.0026  2020-10-29
CVE-2025-24318  1.4   6.8   0.0011  2025-02-28
CVE-2019-8283   1.3   6.5   0.0030  2019-06-07
CVE-2021-39210  1.3   6.5   0.0027  2021-09-15
CVE-2024-47833  1.3   6.5   0.0008  2024-10-09
CVE-2025-47289  1.3   6.3   0.0013  2025-06-02
CVE-2026-0696   1.3   6.5   0.0002  2026-01-16
CVE-2022-25172  1.2   6.1   0.0031  2022-05-12
CVE-2026-25734  1.2   6.1   0.0009  2026-02-25
CVE-2026-25735  1.2   6.1   0.0009  2026-02-25
CVE-2026-25736  1.2   6.1   0.0009  2026-02-25
CVE-2026-39338  1.2   6.1   0.0004  2026-04-07
CVE-2020-6267   1.1   5.4   0.0017  2020-07-14
CVE-2022-4630   1.1   5.3   0.0019  2022-12-21