AI Threat Alert

CVE-2026-57948

MEDIUM
Published June 29, 2026

Pinpoint through version 3.1.0 contains an insecure session management vulnerability that allows attackers to access the pinpointJwt session cookie due to missing HttpOnly and Secure attributes, enabling JavaScript access via document.cookie and cleartext transmission over HTTP. Attackers can...

Full CISO analysis pending enrichment.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Microsoft APM pip No patch
3.0K Pushed yesterday 50% patched ~1d to patch Full package profile →

Do you use Microsoft APM? You're affected.

How severe is it?

CVSS 3.1
6.8 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
N/A

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC High
PR None
UI Required
S Unchanged
C High
I High
A None

What should I do?

No patch available

Monitor for updates. Consider compensating controls or temporary mitigations.

Which compliance frameworks are affected?

Compliance analysis pending. Sign in for full compliance mapping when available.

Frequently Asked Questions

What is CVE-2026-57948?

Pinpoint through version 3.1.0 contains an insecure session management vulnerability that allows attackers to access the pinpointJwt session cookie due to missing HttpOnly and Secure attributes, enabling JavaScript access via document.cookie and cleartext transmission over HTTP. Attackers can exploit stored or reflected cross-site scripting vulnerabilities to exfiltrate the session token or intercept it through network sniffing to perform session hijacking.

Is CVE-2026-57948 actively exploited?

No confirmed active exploitation of CVE-2026-57948 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-57948?

No patch is currently available. Monitor vendor advisories for updates.

What is the CVSS score for CVE-2026-57948?

CVE-2026-57948 has a CVSS v3.1 base score of 6.8 (MEDIUM).

What are the technical details?

Original Advisory

Pinpoint through version 3.1.0 contains an insecure session management vulnerability that allows attackers to access the pinpointJwt session cookie due to missing HttpOnly and Secure attributes, enabling JavaScript access via document.cookie and cleartext transmission over HTTP. Attackers can exploit stored or reflected cross-site scripting vulnerabilities to exfiltrate the session token or intercept it through network sniffing to perform session hijacking.

Weaknesses (CWE)

CWE-1004 Sensitive Cookie Without 'HttpOnly' Flag CWE-614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

CWE-1004 — Sensitive Cookie Without 'HttpOnly' Flag: The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.

  • [Implementation] Leverage the HttpOnly flag when setting a sensitive cookie in a response.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

References

Timeline

Published
June 29, 2026
Last Modified
June 29, 2026
First Seen
June 29, 2026

Related Vulnerabilities

CRITICAL CVE-2026-46858 9.1

Oracle APM: unauthenticated write/DoS via JVM Diagnostics

Same package: apm
HIGH CVE-2026-57947 8.5

Analysis pending

Same package: apm
HIGH CVE-2026-45539 7.4

Microsoft APM: symlink attack leaks host files in agent deps

Same package: apm
MEDIUM GHSA-rf84-wr5g-m3rp 5.5

CAPM3: cross-namespace auth bypass exposes K8s secrets

Same package: apm
MEDIUM CVE-2026-55375 5.3

canto-saas-api: OAuth credentials logged via query params

Same package: apm
Back to Threat Feed