Total: 393 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2009-10007 | | | 2026-06-09 | N/A | 9.1 CRITICAL | Catalyst::Plugin::Authentication versions before 0.10_027 for Perl are susceptible to session fixation attacks. Catalyst::Plugin::Authentication does not automatically change the session ID after authentication. An attacker who obtains a session ID cookie can use it to impersonate the victim. |
| CVE-2026-41839 | | | 2026-06-09 | N/A | 4.2 MEDIUM | A WebFlux application with a compromised subdomain (for example, compromised via cross-site scripting (XSS)) is vulnerable to an escalation attack exchanging a known session ID for that of an authenticated user. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 through 5.3.48. |
| CVE-2026-11335 | | | 2026-06-05 | 7.5 HIGH | 6.3 MEDIUM | A flaw has been found in tittuvarghese CollegeManagementSystem 3e476335cfbfb9a049e09f474c7ec885f69a9df3/a38852979f7e27ae67b610dce5979500ef8ebe01. This impacts the function session_start of the file /login-form.php. Manipulating the argument UserAuthData can lead to session fixation. The attack can be launched remotely. The exploit has been published and may be used. This product does not use versioning, so information about affected and unaffected releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet. |
| CVE-2025-7015 | 1 Akinsoft | 1 Qr Menu | 2026-06-05 | N/A | 5.7 MEDIUM | Session Fixation vulnerability in Akın Software Computer Import Export Industry and Trade Ltd. QR Menu allows Session Fixation. This issue affects QR Menu: before s1.05.12. |
| CVE-2025-7014 | 1 Qrmenumpro | 1 Menu Panel | 2026-06-05 | N/A | 5.7 MEDIUM | Session Fixation vulnerability in QR Menu Pro Smart Menu Systems Menu Panel allows Session Hijacking. This issue affects Menu Panel: through 29012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. |
| CVE-2025-10228 | | | 2026-06-05 | N/A | 8.8 HIGH | Session Fixation vulnerability in Rolantis Information Technologies Agentis allows Session Hijacking. This issue affects Agentis: before 4.44. |
| CVE-2025-67446 | | | 2026-06-04 | N/A | 9.8 CRITICAL | Improper Authentication (Authentication Bypass) exists in Neterbit NW-431F Router 20241014-IR03 and before. The router uses a weak/predictable cookie value for authentication. By modifying the cookie value (e.g., setting it to "admin"), an attacker can bypass the authentication scheme and gain unauthorized access to admin functionality. |
| CVE-2024-8643 | 1 Oceanicsoft | 1 Valeapp | 2026-06-02 | N/A | 9.8 CRITICAL | Session Fixation vulnerability in Oceanic Software ValeApp allows Brute Force, Session Hijacking. This issue affects ValeApp: before v2.0.0. |
| CVE-2026-48545 | 1 Gradio Project | 1 Gradio | 2026-06-02 | N/A | 6.8 MEDIUM | Gradio before version 6.15.0 contains a cookie injection vulnerability that allows remote attackers to perform cross-Space session fixation by exploiting a shared module-level HTTP client used across all users in the reverse proxy endpoint. Attackers controlling any HF Space can return a parent-domain cookie that the shared client stores and automatically replays into all subsequent proxy requests to other legitimate Spaces, affecting all users of the same Gradio deployment. |
| CVE-2026-33384 | | | 2026-05-29 | N/A | N/A | QuickCMS allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session. This issue was fixed in a patch to version 6.8 published on 15.05.2026; deployments without this patch are still vulnerable. |
| CVE-2026-43827 | 1 Apache | 1 Shiro | 2026-05-28 | N/A | 6.5 MEDIUM | Default configurations of Apache Shiro have a session fixation vulnerability. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected versions, when a session already exists, it is not invalidated upon successful login, nor is a new session generated with a new ID. |
| CVE-2026-24352 | 1 Pluxml | 1 Pluxml | 2026-05-19 | N/A | 9.8 CRITICAL | PluXml CMS allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session. The vendor was notified early about this vulnerability but did not respond with details of the vulnerability or the vulnerable version range. Only versions 5.8.21 and 5.9.0-rc7 were tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable. |
| CVE-2026-45773 | 1 Vercel | 1 Turborepo | 2026-05-19 | N/A | 6.5 MEDIUM | Turborepo is a high-performance build system for JavaScript and TypeScript codebases. Prior to 2.9.14, Turborepo's self-hosted login and SSO browser flows did not validate a CSRF state value on the localhost callback. While the CLI was waiting for authentication, a malicious web page could send a request to the local callback server with an attacker-controlled token. If accepted before the legitimate callback, the CLI could complete login with the wrong credentials. This affects users authenticating the turbo CLI against self-hosted remote cache/auth endpoints. Vercel-hosted login flows using device authorization are not affected. This vulnerability is fixed in 2.9.14. |
| CVE-2026-41613 | 1 Microsoft | 1 Visual Studio Code | 2026-05-15 | N/A | 8.8 HIGH | Session fixation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network. |
| CVE-2026-30808 | 1 Artica | 1 Pandora Fms | 2026-05-13 | N/A | 8.1 HIGH | Session Fixation vulnerability allows Session Hijacking via a crafted session ID. This issue affects Pandora FMS: from 777 through 800. |
| CVE-2017-12225 | 1 Cisco | 1 Prime Lan Management Solution | 2026-05-13 | 4.3 MEDIUM | 6.5 MEDIUM | A vulnerability in the web functionality of the Cisco Prime LAN Management Solution could allow an authenticated, remote attacker to hijack another user's administrative session, aka a Session Fixation Vulnerability. The vulnerability is due to the reuse of a preauthentication session token as part of the postauthentication session. An attacker could exploit this vulnerability by obtaining the presession token ID. An exploit could allow an attacker to hijack an existing user's session. Known Affected Releases: 4.2(5). Cisco Bug IDs: CSCvf58392. |
| CVE-2017-14263 | 1 Honeywell | 14 Enterprise Dvr, Enterprise Dvr Firmware, Fusion Iv Rev C and 11 more | 2026-05-13 | 9.3 HIGH | 8.1 HIGH | Honeywell NVR devices allow remote attackers to create a user account in the admin group by leveraging access to a guest account to obtain a session ID, and then sending that session ID in a userManager.addUser request to the /RPC2 URI. The attacker can log in to the device with that new user account to fully control the device. |
| CVE-2017-5831 | 1 Revive-adserver | 1 Revive Adserver | 2026-05-13 | 5.5 MEDIUM | 5.9 MEDIUM | Session fixation vulnerability in the forgot password mechanism in Revive Adserver before 4.0.1, when setting a new password, allows remote attackers to hijack web sessions via the session ID. |
| CVE-2017-1000150 | 1 Mahara | 1 Mahara | 2026-05-13 | 6.5 MEDIUM | 8.8 HIGH | Mahara 15.04 before 15.04.7 and 15.10 before 15.10.3 do not regenerate session IDs on login or logout. This makes users of the site more vulnerable to session fixation attacks. |
| CVE-2016-0721 | 3 Clusterlabs, Fedoraproject, Redhat | 3 Pcs, Fedora, Enterprise Linux | 2026-05-13 | 4.3 MEDIUM | 8.1 HIGH | Session fixation vulnerability in pcsd in pcs before 0.9.157. |
