CVE-2026-11956
3.7 LOW · A vulnerability was determined in TwiN gatus 5.36.0
Published: 2026-06-11 · Last updated: 2026-06-11
Severity and scoring
- CVSS: 3.7 LOW
- Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
- CWE: CWE-1004, CWE-614
Description
A vulnerability was determined in TwiN gatus 5.36.0. Affected is the function setSessionCookie in the file security/oidc.go of the component OIDC Session Cookie Handler. Manipulation of this handler can result in a sensitive cookie being set without the Secure attribute. The attack can be launched remotely, is characterized by high complexity, and its exploitability is considered difficult. The reported GitHub issue was closed with the label "not planned".
Source: NVD
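As an added illustration, not gatus's own code and not taken from the linked issue: a hypothetical Go session-cookie helper shown in its weak (CWE-614/CWE-1004) and hardened forms, together with an audit routine that flags any cookie in an HTTP response missing the Secure or HttpOnly attribute, which is the check a defender would run against a deployment before and after a fix.

```go
package main

import (
	"net/http"
	"net/http/httptest"
)

// setSessionCookie is a hypothetical helper, not gatus's code. With hardened=false
// it shows the CWE-614/CWE-1004 pattern (session cookie without Secure and
// HttpOnly); with hardened=true it sets both attributes.
func setSessionCookie(w http.ResponseWriter, value string, hardened bool) {
	http.SetCookie(w, &http.Cookie{
		Name:     "session",
		Value:    value,
		Path:     "/",
		Secure:   hardened, // only sent over TLS
		HttpOnly: hardened, // not readable from page scripts
		SameSite: http.SameSiteLaxMode,
	})
}

// CookieFinding lists the attributes a cookie in a response is missing.
type CookieFinding struct {
	Name    string
	Missing []string
}

// AuditCookies reports every cookie in a response that lacks Secure or HttpOnly,
// so it can be run against any captured *http.Response from a deployment.
func AuditCookies(resp *http.Response) []CookieFinding {
	var findings []CookieFinding
	for _, c := range resp.Cookies() {
		var missing []string
		if !c.Secure {
			missing = append(missing, "Secure")
		}
		if !c.HttpOnly {
			missing = append(missing, "HttpOnly")
		}
		if len(missing) > 0 {
			findings = append(findings, CookieFinding{Name: c.Name, Missing: missing})
		}
	}
	return findings
}

// AuditHelper runs setSessionCookie through an in-memory recorder and audits it.
func AuditHelper(hardened bool) []CookieFinding {
	rec := httptest.NewRecorder()
	setSessionCookie(rec, "constructed-session-value", hardened)
	return AuditCookies(rec.Result())
}
```

The cookie value is a constructed placeholder; AuditCookies works unchanged on a real response captured with net/http.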
References
- [NVD] https://nvd.nist.gov/vuln/detail/CVE-2026-11956
- [Other] https://github.com/TwiN/gatus/
- [Other] https://github.com/TwiN/gatus/issues/1689
- [Other] https://vuldb.com/cve/CVE-2026-11956
- [Other] https://vuldb.com/submit/836328
- [Other] https://vuldb.com/vuln/370343
- [Other] https://vuldb.com/vuln/370343/cti
Related CVEs
Same CWE
- CVE-2026-53661 — Boruta is a standalone authorization server that aims to implement OAuth 2.0 and Openid Connect up to decentralized identity specifications
- CVE-2026-46398 — HAX CMS helps manage microsite universe with PHP or NodeJs backends
- CVE-2025-52608 — HCL iControl was affected by Missing Cookie Attributes vulnerability (3.1 LOW)
- CVE-2026-41017 — Apache Airflow's `JWTRefreshMiddleware` set the JWT auth cookie without the `Secure` flag, so deployments running the Airflow API server ... (5.9 MEDIUM)
- CVE-2026-43828 — Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute (6.5 MEDIUM)