This is a heavily interactive web application, and JavaScript is required. Simple HTML interfaces are possible, but that is not what this is.
Post
Matteo Collina
nodeland.dev
did:plc:2q7mnid6di5sxgzzpsdvdu47
🟡 Moderate: Set-Cookie header injection (CVE-2026-9679).
parseSetCookie percent-decoded values, turning `%0D%0A`/`%00` into raw bytes. Forwarding those into response headers → injection, session fixation, open redirects, cache poisoning.
v6/v7/v8.
2026-06-18T15:59:01.563Z