CVE-2026-57948 HIGH

CVE-2026-57948: Pinpoint - Insecure Session Cookie Attributes in pinpointJwt

Vendor Pinpoint-Apm
Product pinpoint
Weakness CWE-1004
Published June 29, 2026
Last update June 30, 2026

CVSS base score

7.6/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction Passive
Confidentiality High
Integrity High

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

Pinpoint through version 3.1.0 contains an insecure session management vulnerability: the pinpointJwt session cookie is set without the HttpOnly and Secure attributes. Without HttpOnly, the cookie is readable from JavaScript via document.cookie; without Secure, it is transmitted in cleartext over HTTP. Attackers can exploit stored or reflected cross-site scripting vulnerabilities to exfiltrate the session token, or intercept it through network sniffing, and then perform session hijacking.
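To check a deployment for the condition described above, the following added example (not code from the advisory or from the Pinpoint project) parses Set-Cookie header values and reports which of the two attributes are missing on the pinpointJwt cookie. The function names and the sample header values are assumptions constructed for illustration.

```python
# Added example: audit Set-Cookie headers for the attributes this advisory names.
REQUIRED_ATTRIBUTES = ("httponly", "secure")


def parse_set_cookie(header_value):
    """Split one Set-Cookie header value into (name, value, attributes)."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attributes = {}
    for part in parts[1:]:
        if not part:
            continue  # tolerate a trailing or doubled ';'
        key, _, val = part.partition("=")
        # Attribute names are case-insensitive; flags such as Secure have no value.
        attributes[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attributes


def missing_attributes(header_value, cookie_name="pinpointJwt"):
    """Return the required attributes absent from cookie_name's header.

    Returns None when the header sets a different cookie.
    """
    name, _, attributes = parse_set_cookie(header_value)
    if name != cookie_name:
        return None
    return [a for a in REQUIRED_ATTRIBUTES if a not in attributes]


def audit(set_cookie_headers, cookie_name="pinpointJwt"):
    """Return (header, missing_attributes) for every header setting cookie_name."""
    findings = []
    for header in set_cookie_headers:
        missing = missing_attributes(header, cookie_name)
        if missing is not None:
            findings.append((header, missing))
    return findings


# Constructed sample headers (not captured from a real Pinpoint deployment).
SAMPLE_HEADERS = [
    "pinpointJwt=constructed.sample.token; Path=/",
    "pinpointJwt=constructed.sample.token; Path=/; HttpOnly",
    "pinpointJwt=constructed.sample.token; Path=/; Secure; HttpOnly; SameSite=Lax",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for header, missing in audit(SAMPLE_HEADERS):
        status = "OK" if not missing else "MISSING " + ", ".join(missing)
        print(f"{status:28} {header}")
```

Pass it the Set-Cookie values from the login response of your own instance; an empty list for every pinpointJwt header means both attributes are present.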

Key dates

02 Disclosure timeline

June 29, 2026 CVE published
June 30, 2026 Record updated