CVE-2026-28678 identifies a vulnerability in the DSA-with-tsx product, an interactive educational web application developed by toxicbishop. The flaw is categorized under CWE-311 (Missing Encryption of Sensitive Data) and CWE-522 (Insufficiently Protected Credentials). Specifically, the authentication system stored JSON Web Tokens (JWTs) in HTTP cookies without cryptographic protection of the payload, meaning the tokens were not encrypted or adequately secured. This exposure allows attackers to intercept these tokens via network sniffing or cross-site scripting (XSS) attacks, leading to potential session hijacking or unauthorized access. The vulnerability affects all versions prior to commit d527fba, which introduced proper cryptographic protections for the tokens. The CVSS v3.1 score is 8.1, reflecting high severity due to network attack vector, low attack complexity, no privileges required, but requiring user interaction. The impact primarily concerns confidentiality and integrity of user authentication data, with no direct availability impact. Although no exploits are currently known in the wild, the vulnerability poses a significant risk if exploited. The patch ensures that JWTs are cryptographically protected when stored in cookies, mitigating token theft risks.

The vulnerability allows attackers to capture authentication tokens transmitted in HTTP cookies without encryption, enabling session hijacking and unauthorized access to user accounts. This compromises the confidentiality and integrity of user credentials and sensitive data within the application. Organizations relying on DSA-with-tsx for educational or other interactive services risk user account compromise, data breaches, and potential lateral movement within their networks. The lack of encryption in token storage increases susceptibility to man-in-the-middle attacks, especially on unsecured or public networks. Although availability is not directly affected, the breach of authentication can lead to further exploitation, including privilege escalation or data manipulation. The impact is significant for organizations with sensitive user data or critical educational content, potentially damaging reputation and violating data protection regulations.

Organizations should immediately update DSA-with-tsx to the version including commit d527fba or later, which implements cryptographic protection of JWTs in HTTP cookies. Additionally, enforce the use of secure cookie flags such as Secure and HttpOnly to prevent token theft via client-side scripts and ensure cookies are only transmitted over HTTPS. Implement Content Security Policy (CSP) headers to reduce the risk of XSS attacks that could expose tokens. Regularly audit authentication flows and token storage mechanisms to verify encryption and secure handling. Employ network security measures like TLS to protect data in transit. Educate users about phishing and social engineering risks to minimize user interaction exploitation. Finally, monitor application logs for suspicious authentication activity indicative of token misuse.