CWE · MITRE source
CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
The Secure attribute for sensitive cookies in HTTPS sessions is not set.
Last updated: 09 May 2026 03:25 UTC
NIST 800-53 r5 controls that address this weakness (2)
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SC-23 | Session Authenticity | SC | Forces the Secure flag on session cookies, preventing their transmission over unauthenticated HTTP channels. |
| SC-8 | Transmission Confidentiality and Integrity | SC | Enforcing confidentiality on transmitted sensitive cookies requires the Secure attribute, preventing exposure on insecure channels. |
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2025-8037 | 1.8 | 9.1 | 0.0006 | 2025-07-22 |
| CVE-2025-24897 | 1.6 | 8.2 | 0.0004 | 2025-02-11 |
| CVE-2021-27764 | 1.5 | 7.4 | 0.0011 | 2022-05-06 |
| CVE-2022-25151 | 1.5 | 7.5 | 0.0029 | 2022-06-09 |
| CVE-2022-3174 | 1.5 | 7.5 | 0.0018 | 2022-09-13 |
| CVE-2022-4409 | 1.5 | 7.5 | 0.0015 | 2022-12-11 |
| CVE-2022-21940 | 1.5 | 7.5 | 0.0013 | 2023-02-09 |
| CVE-2024-2493 | 1.5 | 7.5 | 0.0004 | 2024-04-23 |
| CVE-2024-10718 | 1.5 | 7.5 | 0.0008 | 2025-03-20 |
| CVE-2021-3882 | 1.4 | 6.8 | 0.0012 | 2021-10-14 |
| CVE-2022-24045 | 1.4 | 6.5 | 0.0094 | 2022-05-20 |
| CVE-2025-24390 | 1.4 | 6.8 | 0.0005 | 2025-01-27 |
| CVE-2022-4683 | 1.3 | 6.5 | 0.0014 | 2022-12-23 |
| CVE-2024-47833 | 1.3 | 6.5 | 0.0008 | 2024-10-09 |
| CVE-2025-27450 | 1.3 | 6.5 | 0.0016 | 2025-07-03 |
| CVE-2025-52632 | 1.3 | 6.5 | 0.0002 | 2025-10-10 |
| CVE-2026-1697 | 1.3 | 6.5 | 0.0002 | 2026-02-26 |
| CVE-2026-32745 | 1.3 | 6.3 | 0.0000 | 2026-03-13 |
| CVE-2020-27650 | 1.2 | 5.8 | 0.0017 | 2020-10-29 |
| CVE-2020-27651 | 1.2 | 5.8 | 0.0032 | 2020-10-29 |
| CVE-2020-29024 | 1.1 | 5.3 | 0.0010 | 2021-02-16 |
| CVE-2015-3207 | 1.1 | 5.3 | 0.0020 | 2022-07-07 |
| CVE-2022-3250 | 1.1 | 5.3 | 0.0037 | 2022-09-21 |
| CVE-2022-3251 | 1.1 | 5.3 | 0.0018 | 2022-09-21 |
| CVE-2023-0055 | 1.1 | 5.3 | 0.0014 | 2023-01-04 |