CVE-2026-28678

DSA Study Hub is an interactive educational web application. Prior to commit d527fba, the user authentication system in server/routes/auth.js was found to be vulnerable to Insufficiently Protected Credentials. Authentication tokens (JWTs) were stored in HTTP cookies without cryptographic protection of the payload. This issue has been patched via commit d527fba.

CVSS v3 8.1 HIGH

8.1^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/toxicbishop/DSA-with-tsx/commit/d527fba3b3c15f185b9d1e730322dff9248391e4	Patch
https://github.com/toxicbishop/DSA-with-tsx/security/advisories/GHSA-vmxr-562h-rcgg	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:toxicbishop:dsa_study_hub:*:*:*:*:*:node.js:*:*

History

11 Mar 2026, 17:35

Type	Values Removed	Values Added
CPE		cpe:2.3:a:toxicbishop:dsa_study_hub::::::node.js::*
Summary		(es) DSA Study Hub es una aplicación web educativa interactiva. Antes del commit d527fba, el sistema de autenticación de usuarios en server/routes/auth.js se encontró que era vulnerable a Credenciales Insuficientemente Protegidas. Los tokens de autenticación (JWTs) se almacenaban en cookies HTTP sin protección criptográfica de la carga útil. Este problema ha sido parcheado mediante el commit d527fba.
First Time		Toxicbishop Toxicbishop dsa Study Hub
References	~~() https://github.com/toxicbishop/DSA-with-tsx/commit/d527fba3b3c15f185b9d1e730322dff9248391e4 -~~	() https://github.com/toxicbishop/DSA-with-tsx/commit/d527fba3b3c15f185b9d1e730322dff9248391e4 - Patch
References	~~() https://github.com/toxicbishop/DSA-with-tsx/security/advisories/GHSA-vmxr-562h-rcgg -~~	() https://github.com/toxicbishop/DSA-with-tsx/security/advisories/GHSA-vmxr-562h-rcgg - Vendor Advisory

07 Mar 2026, 16:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-07 16:15

Updated : 2026-03-11 17:35

NVD link : CVE-2026-28678

Mitre link : CVE-2026-28678

CVE.ORG link : CVE-2026-28678

JSON object : View

Products Affected

toxicbishop

dsa_study_hub

CWE

CWE-311

Missing Encryption of Sensitive Data

CWE-522

Insufficiently Protected Credentials

{"id": "CVE-2026-28678", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 2.8}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.1, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 3.9}]}, "published": "2026-03-07T16:15:54.010", "references": [{"url": "https://github.com/toxicbishop/DSA-with-tsx/commit/d527fba3b3c15f185b9d1e730322dff9248391e4", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/toxicbishop/DSA-with-tsx/security/advisories/GHSA-vmxr-562h-rcgg", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-311"}, {"lang": "en", "value": "CWE-522"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-522"}]}], "descriptions": [{"lang": "en", "value": "DSA Study Hub is an interactive educational web application. Prior to commit d527fba, the user authentication system in server/routes/auth.js was found to be vulnerable to Insufficiently Protected Credentials. Authentication tokens (JWTs) were stored in HTTP cookies without cryptographic protection of the payload. This issue has been patched via commit d527fba."}, {"lang": "es", "value": "DSA Study Hub es una aplicaci\u00f3n web educativa interactiva. Antes del commit d527fba, el sistema de autenticaci\u00f3n de usuarios en server/routes/auth.js se encontr\u00f3 que era vulnerable a Credenciales Insuficientemente Protegidas. Los tokens de autenticaci\u00f3n (JWTs) se almacenaban en cookies HTTP sin protecci\u00f3n criptogr\u00e1fica de la carga \u00fatil. Este problema ha sido parcheado mediante el commit d527fba."}], "lastModified": "2026-03-11T17:35:39.667", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:toxicbishop:dsa_study_hub:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "A52FD77D-F07C-4B6D-96D8-7D96ED185304", "versionEndExcluding": "2026-02-21"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}