The Express web application uses the cookie-session middleware. The middleware uses a secret key to sign cookies for protection against cookie data tampering. It's very important that an attacker doesn't know the value of this secret key. Your application is using a weak/known secret key and Acunetix managed to guess this key.
Change the value of the secret key to a long random string.