{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28678", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-02T21:43:19.927Z", "datePublished": "2026-03-07T16:06:51.072Z", "dateUpdated": "2026-03-09T18:26:07.074Z"}, "containers": {"cna": {"title": "dsa-hub-server: Clear-Text Storage of Sensitive Data", "problemTypes": [{"descriptions": [{"cweId": "CWE-311", "lang": "en", "description": "CWE-311: Missing Encryption of Sensitive Data", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-522", "lang": "en", "description": "CWE-522: Insufficiently Protected Credentials", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/toxicbishop/DSA-with-tsx/security/advisories/GHSA-vmxr-562h-rcgg", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/toxicbishop/DSA-with-tsx/security/advisories/GHSA-vmxr-562h-rcgg"}, {"name": "https://github.com/toxicbishop/DSA-with-tsx/commit/d527fba3b3c15f185b9d1e730322dff9248391e4", "tags": ["x_refsource_MISC"], "url": "https://github.com/toxicbishop/DSA-with-tsx/commit/d527fba3b3c15f185b9d1e730322dff9248391e4"}], "affected": [{"vendor": "toxicbishop", "product": "DSA-with-tsx", "versions": [{"version": "< d527fba", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-07T16:06:51.072Z"}, "descriptions": [{"lang": "en", "value": "DSA Study Hub is an interactive educational web application. Prior to commit d527fba, the user authentication system in server/routes/auth.js was found to be vulnerable to Insufficiently Protected Credentials. Authentication tokens (JWTs) were stored in HTTP cookies without cryptographic protection of the payload. This issue has been patched via commit d527fba."}], "source": {"advisory": "GHSA-vmxr-562h-rcgg", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-09T17:39:45.530637Z", "id": "CVE-2026-28678", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T18:26:07.074Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28678", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-09T17:39:45.530637Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-09T17:39:46.619Z"}}], "cna": {"title": "dsa-hub-server: Clear-Text Storage of Sensitive Data", "source": {"advisory": "GHSA-vmxr-562h-rcgg", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "toxicbishop", "product": "DSA-with-tsx", "versions": [{"status": "affected", "version": "< d527fba"}]}], "references": [{"url": "https://github.com/toxicbishop/DSA-with-tsx/security/advisories/GHSA-vmxr-562h-rcgg", "name": "https://github.com/toxicbishop/DSA-with-tsx/security/advisories/GHSA-vmxr-562h-rcgg", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/toxicbishop/DSA-with-tsx/commit/d527fba3b3c15f185b9d1e730322dff9248391e4", "name": "https://github.com/toxicbishop/DSA-with-tsx/commit/d527fba3b3c15f185b9d1e730322dff9248391e4", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "DSA Study Hub is an interactive educational web application. Prior to commit d527fba, the user authentication system in server/routes/auth.js was found to be vulnerable to Insufficiently Protected Credentials. Authentication tokens (JWTs) were stored in HTTP cookies without cryptographic protection of the payload. This issue has been patched via commit d527fba."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-311", "description": "CWE-311: Missing Encryption of Sensitive Data"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-522", "description": "CWE-522: Insufficiently Protected Credentials"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-07T16:06:51.072Z"}}}, "cveMetadata": {"cveId": "CVE-2026-28678", "state": "PUBLISHED", "dateUpdated": "2026-03-09T18:26:07.074Z", "dateReserved": "2026-03-02T21:43:19.927Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-07T16:06:51.072Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:toxicbishop:dsa_study_hub:*:*:*:*:*:node.js:*:*", "matchCriteriaId": "A52FD77D-F07C-4B6D-96D8-7D96ED185304", "versionEndExcluding": "2026-02-21", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "DSA Study Hub is an interactive educational web application. Prior to commit d527fba, the user authentication system in server/routes/auth.js was found to be vulnerable to Insufficiently Protected Credentials. Authentication tokens (JWTs) were stored in HTTP cookies without cryptographic protection of the payload. This issue has been patched via commit d527fba."}, {"lang": "es", "value": "DSA Study Hub es una aplicaci\u00f3n web educativa interactiva. Antes del commit d527fba, el sistema de autenticaci\u00f3n de usuarios en server/routes/auth.js se encontr\u00f3 que era vulnerable a Credenciales Insuficientemente Protegidas. Los tokens de autenticaci\u00f3n (JWTs) se almacenaban en cookies HTTP sin protecci\u00f3n criptogr\u00e1fica de la carga \u00fatil. Este problema ha sido parcheado mediante el commit d527fba."}], "id": "CVE-2026-28678", "lastModified": "2026-03-11T17:35:39.667", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-07T16:15:54.010", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/toxicbishop/DSA-with-tsx/commit/d527fba3b3c15f185b9d1e730322dff9248391e4"}, {"source": "security-advisories@github.com", "tags": ["Vendor Advisory"], "url": "https://github.com/toxicbishop/DSA-with-tsx/security/advisories/GHSA-vmxr-562h-rcgg"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-311"}, {"lang": "en", "value": "CWE-522"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-522"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "code_commit", "value": "[0,d527fba)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "DSA-with-tsx", "source": "cna", "vendor": "toxicbishop"}, "product": "dsa-with-tsx", "vendor": "toxicbishop"}], "analysis": {"en": {"generated_at": "2026-04-17T12:09:12.310830+00:00", "value": {"mitigation_remediation": ["Update the application to commit d527fba3b3c15f185b9d1e730322dff9248391e4, which fixes the cookie storage logic.", "Configure authentication cookies with the HTTPOnly and Secure flags and enforce HTTPS for all connections.", "Ensure that JSON Web Tokens are signed with a strong algorithm and that the payload is encrypted or contains minimal sensitive data."], "summary": {"action": "Immediate patch", "impact": "Credential theft via clear-text token storage"}, "threat_synthesis": {"affected_systems": "The affected application is toxicbishop DSA-with-tsx, a Node.js\u2011based educational web service. Any deployment of the application prior to commit d527fba3b3c15f185b9d1e730322dff9248391e4 is vulnerable. Versions that have not applied the patch that changed the cookie handling logic are at risk.", "description_and_impact": "Anonymous or authenticated users could steal authentication cookies because the server stores JSON Web Tokens without cryptographic protection of the payload. The vulnerability is an instance of insufficiently protected credentials, allowing an attacker to obtain a valid token and impersonate a user, thereby compromising confidentiality of user accounts and any data accessed under that session.", "risk_and_exploitability": "The vulnerability scores a CVSS of 8.1, indicating high potential impact. However, the EPSS score of less than 1% suggests a very low probability of active exploitation at the time of this analysis, and the issue is not listed in the CISA KEV catalog. An attacker would generally need to acquire the cookie through network sniffing, cross\u2011site scripting, or other client\u2011side manipulation, and then use the unprotected JWT to authenticate as a legitimate user. The exploit path is inferred from the nature of the flaw; no additional remediation is required beyond the official patch."}}}}, "created": "2026-03-09T10:05:04.753217+00:00", "updated": "2026-04-17T12:15:18.167275+00:00", "vendors": ["toxicbishop", "toxicbishop$PRODUCT$dsa-with-tsx"]}