CVE-2026-42239— Budibase auth session cookies are set with httpOnly:false — any XSS can lead to full account takeover
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-42239
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Budibase auth session cookies are set with httpOnly:false — any XSS can lead to full account takeover
Source: NVD (National Vulnerability Database)
Vulnerability Description
Budibase is an open-source low-code platform. Prior to version 3.35.10, the budibase:auth cookie containing the JWT session token is set with httpOnly: false at packages/backend-core/src/utils/utils.ts:218. JavaScript can read this cookie via document.cookie. This means every XSS becomes a full account takeover — the attacker steals the JWT and has persistent access to the victim's account. The cookie also lacks secure: true (sent over plaintext HTTP) and sameSite attribute. This issue has been patched in version 3.35.10.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:H/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
没有’HttpOnly’标志的敏感Cookie
Source: NVD (National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-42239
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCVerified env Premium
Qwen3.6-35B-A3B · 5426 chars
Paid plan includes:
In-depth vulnerability mechanism
Trigger conditions & impact
Full executable POC code
Exploit chain & mitigation
POC zip download
100+ AI POC generations per month
III. Intelligence Information for CVE-2026-42239
Please Login to view more intelligence information
- Release 3.35.10 · Budibase/budibase · GitHubx_refsource_MISC
- https://nvd.nist.gov/vuln/detail/CVE-2026-42239
IV. Related Vulnerabilities
Same product: budibase
- CVE-2026-41428
Budibase: Authentication Bypass via Unanchored Regex in Publ - CVE-2026-35218
Budibase: Stored XSS via unsanitized entity names rendered w - CVE-2026-35216
Budibase: Unauthenticated Remote Code Execution via Webhook - CVE-2026-35214
Budibase: Path traversal in plugin file upload enables arbit - CVE-2026-31818
Budibase: Server-Side Request Forgery via REST Connector wit
Same vendor: Budibase
- CVE-2026-41428
Budibase: Authentication Bypass via Unanchored Regex in Publ - CVE-2026-35218
Budibase: Stored XSS via unsanitized entity names rendered w - CVE-2026-35216
Budibase: Unauthenticated Remote Code Execution via Webhook - CVE-2026-35214
Budibase: Path traversal in plugin file upload enables arbit - CVE-2026-31818
Budibase: Server-Side Request Forgery via REST Connector wit
Same weakness: CWE-1004
- CVE-2026-0696
Session Cookies Missing HttpOnly Attribute - CVE-2026-22081
Cookie without HTTPOnly Flag Vulnerability in Tenda Wireless - CVE-2025-12031
HTTP Security Misconfiguration - Lacking Secure and HTTPOnly - CVE-2025-42909
Security Misconfiguration vulnerability in SAP Cloud Applian - CVE-2025-27453
CVE-2025-27453
V. Comments for CVE-2026-42239
No comments yet