The SameSite attribute for sensitive cookies is not set, or an insecure value is used.

What CVEs are caused by CWE-1275?

15 recorded CVEs are attributed to CWE-1275, including CVE-2023-53957, CVE-2024-6611, CVE-2022-38386.

How do you prevent CWE-1275?

Set the SameSite attribute of a sensitive cookie to 'Lax' or 'Strict'. This instructs the browser to apply this cookie only to same-domain requests, which provides a good Defense in Depth against CSRF attacks. When the 'Lax' value is in use, cookies are also sent for top-level cross-domain navigation via HTTP GET, HEAD, OPTIONS, and TRACE methods, but not for other HTTP methods that are more like to cause side-effects of state mutation.

How is CWE-1275 detected?

Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)

What are the consequences of CWE-1275?

Exploiting CWE-1275 can lead to: Modify Application Data.

Is CWE-1275 actively exploited?

15 recorded CVEs are caused by CWE-1275; none are currently in CISA's KEV catalog of actively exploited flaws.

CWE-1275: Sensitive Cookie with Improper SameSite Attribute

Real-world CVEs

15 recorded CVEs are caused by CWE-1275 (Sensitive Cookie with Improper SameSite Attribute). The highest-severity and most recent are shown first. 7 new CWE-1275 CVEs have been recorded so far in 2026 (5 in 2025).

CVE-2023-53957
Kimai 1.30.10 SameSite Cookie Vulnerability Session Hijacking
Critical · CVSS 9.8 · EPSS 35th
2025-12-19
CVE-2024-6611
Incorrect handling of SameSite cookies
Critical · CVSS 9.8 · EPSS 70th
2024-07-09
CVE-2022-38386
Medium · CVSS 5.9 · EPSS 21th
2024-05-01
CVE-2024-30155
Medium · CVSS 5.5 · EPSS 34th
2025-03-26
CVE-2024-42212
Medium · CVSS 5.4 · EPSS 39th
2025-05-05
CVE-2025-24387
Missing CSRF protection
Medium · CVSS 4.8 · EPSS 24th
2025-03-10
CVE-2025-52628
HCL AION is susceptible to Missing SameSite vulnerability
Medium · CVSS 4.6 · EPSS 23th
2026-02-03
CVE-2025-36134
IBM Sterling B2B Integrator and IBM Sterling File Gateway information disclosure
Low · CVSS 3.7 · EPSS 8th
2025-11-25
CVE-2024-43173
Low · CVSS 3.7 · EPSS 26th
2024-10-22
CVE-2026-8416
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file addFavoriteFolder($id)
Low · CVSS 2.3 · EPSS 5th
2026-05-21
CVE-2026-8427
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file removeFavoriteFolder($id)
Low · CVSS 2.3 · EPSS 5th
2026-05-21
CVE-2026-8432
Concrete CMS 9 before 9.5.0 is vulnerable to Cross Site Request Forgery (CSRF) at concrete/controllers/backend/file star()
Low · CVSS 2.3 · EPSS 5th
2026-05-21

Showing 12 of 15 recorded CWE-1275 CVEs. Track new ones as they are published and get AI-written analysis and fixes.

Monitor CWE-1275 vulnerabilities

CWE-1275: Sensitive Cookie with Improper SameSite Attribute

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

In this example, a cookie is used to store a session ID for a client's interaction with a website. The snippet of code below establishes a new cookie to hold the sessionID.

Attack input

xml

<form id=evil action="http://local:3002/setEmail" method="POST">

Real-world CVEs

CWE-1275: Sensitive Cookie with Improper SameSite Attribute

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Attack patterns

Frequently asked questions

What is CWE-1275?

What CVEs are caused by CWE-1275?

How do you prevent CWE-1275?

How is CWE-1275 detected?

What are the consequences of CWE-1275?

Is CWE-1275 actively exploited?

References

Stay ahead of CWE-1275

Real-world CVEs

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Applies to

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Related weaknesses

Parent

Can precede

Attack patterns

Frequently asked questions

What is CWE-1275?

What CVEs are caused by CWE-1275?

How do you prevent CWE-1275?

How is CWE-1275 detected?

What are the consequences of CWE-1275?

Is CWE-1275 actively exploited?

References

Stay ahead of CWE-1275