GSSA-2026-04-4YYSAR
2026-04-25
4.2 Medium

Missing HSTS and incomplete CSP directives in cobc-events

cobc-events <1.0.1 did not set Strict-Transport-Security and was missing key Content-Security-Policy directives (`frame-ancestors`, `object-src`, `base-uri`, `form-action`), enabling downgrade and clickjacking attacks.
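The following is an added example, not code from cobc-events: a small checker that audits an HTTP response header map for the two gaps the advisory describes (no Strict-Transport-Security, and a Content-Security-Policy that lacks `frame-ancestors`, `object-src`, `base-uri` and `form-action`). The two header sets at the bottom are constructed to illustrate a pre-1.0.1 style response beside a hardened one; they are not taken from the project.

```python
import re

# Directives the advisory names as missing in cobc-events <1.0.1.
REQUIRED_CSP_DIRECTIVES = ("frame-ancestors", "object-src", "base-uri", "form-action")


def parse_csp(value: str) -> dict:
    """Split a Content-Security-Policy value into {directive: [source list]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_headers(headers: dict) -> list:
    """Return findings for a response header map; header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security (downgrade risk)")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) == 0:
            findings.append("Strict-Transport-Security has no positive max-age")
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing Content-Security-Policy")
    else:
        policy = parse_csp(csp)
        for directive in REQUIRED_CSP_DIRECTIVES:
            if directive not in policy:
                findings.append(f"CSP lacks {directive}")
    return findings


# Constructed sample headers (hypothetical, not captured from cobc-events).
VULNERABLE_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'",
}
HARDENED_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    # frame-ancestors 'none' is the directive that blocks framing (clickjacking).
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self'; frame-ancestors 'none'; "
        "object-src 'none'; base-uri 'self'; form-action 'self'"
    ),
}

if __name__ == "__main__":
    for name, hdrs in (("vulnerable", VULNERABLE_HEADERS), ("hardened", HARDENED_HEADERS)):
        print(name, audit_headers(hdrs) or ["ok"])
```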