PYSEC-2026-905

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/pyload-ng/PYSEC-2026-905.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-905
Aliases
Published
2026-07-07T10:17:26.264021Z
Modified
2026-07-07T11:45:49.188113472Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
Pyload contains Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
Details

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute in GitHub repository pyload/pyload prior to 0.5.0b3.dev32. The Secure attribute for sensitive cookies in HTTPS sessions is not set, which could cause the user agent to send those cookies in plaintext over an HTTP session. This issue is patched in version 0.5.0b3.dev32.

References

Affected packages

PyPI / pyload-ng

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.5.0b3.dev32

Affected versions

0.*
0.5.0a5.dev528
0.5.0a5.dev532
0.5.0a5.dev535
0.5.0a5.dev536
0.5.0a5.dev537
0.5.0a5.dev539
0.5.0a5.dev540
0.5.0a5.dev545
0.5.0a5.dev562
0.5.0a5.dev564
0.5.0a5.dev565
0.5.0a6.dev570
0.5.0a6.dev578
0.5.0a6.dev587
0.5.0a7.dev596
0.5.0a8.dev602
0.5.0a9.dev615
0.5.0a9.dev629
0.5.0a9.dev632
0.5.0a9.dev641
0.5.0a9.dev643
0.5.0a9.dev655
0.5.0a9.dev806
0.5.0b1.dev1
0.5.0b1.dev2
0.5.0b1.dev3
0.5.0b1.dev4
0.5.0b1.dev5
0.5.0b2.dev9
0.5.0b2.dev10
0.5.0b2.dev11
0.5.0b2.dev12
0.5.0b3.dev13
0.5.0b3.dev14
0.5.0b3.dev17
0.5.0b3.dev18
0.5.0b3.dev19
0.5.0b3.dev20
0.5.0b3.dev21
0.5.0b3.dev22
0.5.0b3.dev24
0.5.0b3.dev26
0.5.0b3.dev27
0.5.0b3.dev28
0.5.0b3.dev29
0.5.0b3.dev30
0.5.0b3.dev31

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/pyload-ng/PYSEC-2026-905.yaml"