CVE-2026-57948 | Pinpoint through version 3.1.0 contains an insecure session … | CVSS 6.8 MEDIUM

Description

Pinpoint through version 3.1.0 contains an insecure session management vulnerability that allows attackers to access the pinpointJwt session cookie due to missing HttpOnly and Secure attributes, enabling JavaScript access via document.cookie and cleartext transmission over HTTP. Attackers can exploit stored or reflected cross-site scripting vulnerabilities to exfiltrate the session token or intercept it through network sniffing to perform session hijacking.

Metadata

CVE ID: CVE-2026-57948
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-26 13:57 UTC
Published: 2026-06-29 17:19 UTC
Last updated: 2026-06-29 17:19 UTC
Primary CWE: CWE-1004
Sensitive Cookie Without 'HttpOnly' Flag
Vendor / Product: pinpoint-apm / pinpoint
Sources: cve.org · NVD

Severity & Metrics

6.8 MEDIUM CVSS 3.1

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

Affected products (1)

Vendor	Product	Platform	Versions
pinpoint-apm	pinpoint	—	0 ≤ 3.1.0

Weakness (CWE)

CWE	Source	Description
CWE-1004	cna	Sensitive Cookie Without 'HttpOnly' Flag
CWE-614	cna	Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

CVSS scores (2)

Score	Severity	Version	Source	Vector
7.6	HIGH	4.0	cna	CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
6.8	MEDIUM	3.1	cna	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

References (2)