CVE-2026-43625
CodexBar prior to 0.32.0 contains a session cookie leakage vulnerability that allows network attackers to intercept imported browser session
CVSS
5.9
Medio
EPSS
0.2%
p8
KEV
—
Exploit Today
3
0-100
Publicado: 1 jun 2026 · Última mod.: 14 jul 2026 · CWE-319
0.2%EPSS · 30 días0.2%
2026-06-302026-07-17
CodexBar prior to 0.32.0 contains a session cookie leakage vulnerability that allows network attackers to intercept imported browser session cookies by exploiting improper redirect handling for Amp and Ollama provider sessions. Attackers can position themselves on the network path to receive cleartext HTTP requests carrying imported session cookies when a provider-controlled redirect target issues a redirect to a cleartext HTTP endpoint within the same provider domain.
- github.comhttps://github.com/steipete/CodexBar/commit/cdd7e347c1cf616615f18aa2ac52ba2ec9cab332
- github.comhttps://github.com/steipete/CodexBar/pull/1226
- github.comhttps://github.com/steipete/CodexBar/releases/tag/v0.32.0
- www.vulncheck.comhttps://www.vulncheck.com/advisories/codexbar-session-cookie-exposure-via-http-redirect
CVECVSSEPSSKEVRExplotTítuloVis.
CVE-2023-318237.5 ALT47.0%
——14An issue found in Marui Co Marui Official app v.13.6.1 allows a remote attacker to gain access to sensitive information via the channel access token in the miniapp Marui Official Store function.9dCVE-2024-487887.5 ALT43.2%
——13An issue in YESCAM (com.yescom.YesCam.zwave) 1.0.2 allows a remote attacker to obtain sensitive information via the firmware update process.13dCVE-2024-388917.5 ALT35.4%
——11An issue in Horizon Business Services Inc. Caterease 16.0.1.1663 through 24.0.1.2405 and possibly later versions, allows a remote attacker to perform a Sniffing Network Traffic attack due to the cleartext transmission of sensitive information.12dCVE-2023-390867.5 ALT23.4%
——7ASUS RT-AC66U B1 3.0.0.4.286_51665 was discovered to transmit sensitive information in cleartext.9dCVE-2025-564479.8 CRÍ19.3%
——6TM2 Monitoring v3.04 contains an authentication bypass and plaintext credential disclosure.12dCVE-2025-671597.5 ALT17.4%
——5Vatilon v1.12.37-20240124 was discovered to transmit user credentials in plaintext.13d