VDB
KO
MEDIUM 5.3

PYSEC-2026-885

nsupdate.info has Sensitive Cookie Without 'HttpOnly' Flag

Details

A vulnerability classified as problematic has been found in nsupdate.info. This affects an unknown part of the file `src/nsupdate/settings/base.py` of the component `CSRF Cookie Handler`. The manipulation of the argument `CSRF_COOKIE_HTTPONLY` leads to cookie without `httponly` flag. It is possible to initiate the attack remotely. The name of the patch is 60a3fe559c453bc36b0ec3e5dd39c1303640a59a. It is recommended to apply a patch to fix this issue. The identifier VDB-216909 was assigned to this vulnerability.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / nsupdate
Introduced in: 0 Fixed in: 0.13.0
Fix pip install --upgrade 'nsupdate>=0.13.0'

References