Pinpoint through version 3.1.0 contains an insecure session management vulnerability that allows attackers to access the pinpointJwt session cookie due to missing HttpOnly and Secure attributes, enabling JavaScript access via document.cookie and cleartext transmission over HTTP. Attackers can exploit stored or reflected cross-site scripting vulnerabilities to exfiltrate the session token or intercept it through network sniffing to perform session hijacking.

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.


Workaround

No workaround given by the vendor.

History

Thu, 02 Jul 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Pinpoint
Pinpoint pinpoint Booking System
Wordpress
Wordpress wordpress
Vendors & Products Pinpoint
Pinpoint pinpoint Booking System
Wordpress
Wordpress wordpress

Tue, 30 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 30 Jun 2026 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Pinpoint-apm
Pinpoint-apm pinpoint
CPEs cpe:2.3:a:pinpoint:pinpoint_booking_system:*:*:*:*:*:wordpress:*:* cpe:2.3:a:pinpoint-apm:pinpoint:*:*:*:*:*:*:*:*
Vendors & Products Pinpoint
Pinpoint pinpoint Booking System
Pinpoint-apm
Pinpoint-apm pinpoint

Mon, 29 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Description Pinpoint through version 3.1.0 contains an insecure session management vulnerability that allows attackers to access the pinpointJwt session cookie due to missing HttpOnly and Secure attributes, enabling JavaScript access via document.cookie and cleartext transmission over HTTP. Attackers can exploit stored or reflected cross-site scripting vulnerabilities to exfiltrate the session token or intercept it through network sniffing to perform session hijacking.
Title Pinpoint - Insecure Session Cookie Attributes in pinpointJwt
First Time appeared Pinpoint
Pinpoint pinpoint Booking System
Weaknesses CWE-1004
CWE-614
CPEs cpe:2.3:a:pinpoint:pinpoint_booking_system:*:*:*:*:*:wordpress:*:*
Vendors & Products Pinpoint
Pinpoint pinpoint Booking System
References
Metrics cvssV3_1

{'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N'}

cvssV4_0

{'score': 7.6, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}



MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-07-02T13:39:14.442Z

Reserved: 2026-06-26T13:57:16.356Z

Link: CVE-2026-57948

Vulnrichment

Updated: 2026-06-30T13:57:54.897Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T10:03:58Z

Weaknesses