Total: 348 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-12390 | | | 2025-10-30 | N/A | 6.0 MEDIUM |
| A flaw was found in Keycloak, where a user can accidentally get access to another user's session if both use the same device and browser. This happens because Keycloak sometimes reuses session identifiers and doesn't clean up properly during logout when browser cookies are missing. As a result, one user may receive tokens that belong to another user. | |||||
| CVE-2025-64100 | | | 2025-10-30 | N/A | 6.1 MEDIUM |
| CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.9 and 2.11.4, session ids could be fixed by an attacker if the site is configured with server-side session storage (CKAN uses cookie-based session storage by default). The attacker would need to either set a cookie on the victim's browser or steal the victim's currently valid session. Session identifiers are now regenerated after each login. This vulnerability has been fixed in CKAN 2.10.9 and 2.11.4. | |||||
| CVE-2024-49709 | 1 Softcom.wroc | 1 Iksoris | 2025-10-28 | N/A | 4.4 MEDIUM |
| Internet Starter, one of SoftCOM iKSORIS system modules, allows for setting an arbitrary session cookie value. An attacker with access to a user's browser might set such a cookie, wait until the user logs in and then use the same cookie to take over the account. Moreover, the system does not destroy the old sessions when creating new ones, which expands the time frame in which an attack might be performed. This vulnerability has been patched in version 79.0. | |||||
| CVE-2025-56746 | 1 Creativeitem | 1 Academy Lms | 2025-10-23 | N/A | 2.2 LOW |
| Creativeitem Academy LMS up to and including 5.13 does not regenerate session IDs upon successful authentication, enabling session fixation attacks where attackers can hijack user sessions by predetermining session identifiers. | |||||
| CVE-2025-51471 | 1 Ollama | 1 Ollama | 2025-10-17 | N/A | 6.9 MEDIUM |
| Cross-Domain Token Exposure in server.auth.getAuthorizationToken in Ollama 0.6.7 allows remote attackers to steal authentication tokens and bypass access controls via a malicious realm value in a WWW-Authenticate header returned by the /api/pull endpoint. | |||||
| CVE-2025-10228 | | | 2025-10-14 | N/A | 8.8 HIGH |
| Session Fixation vulnerability in Rolantis Information Technologies Agentis allows Session Hijacking. This issue affects Agentis: before 4.44. | |||||
| CVE-2024-37829 | 1 Getoutline | 1 Outline | 2025-10-10 | N/A | 8.8 HIGH |
| An issue in Outline <= v0.76.1 allows attackers to execute a session hijacking attack via user interaction with a crafted magic sign-in link. | |||||
| CVE-2024-42207 | 1 Hcltech | 1 Dryice Iautomate | 2025-10-10 | N/A | 5.5 MEDIUM |
| HCL iAutomate is affected by a session fixation vulnerability. An attacker could hijack a victim's session ID from their authenticated session. | |||||
| CVE-2025-0251 | 1 Hcltech | 1 Intelliops Event Management | 2025-10-09 | N/A | 2.6 LOW |
| HCL IEM is affected by a concurrent login vulnerability. The application allows multiple concurrent sessions using the same user credentials, which may introduce security risks. | |||||
| CVE-2025-0253 | 1 Hcltech | 1 Intelliops Event Management | 2025-10-09 | N/A | 2.0 LOW |
| HCL IEM is affected by a cookie attribute not set vulnerability due to inconsistency of certain security-related configurations which could increase exposure to potential vulnerabilities. | |||||
| CVE-2025-59841 | 1 Flagforge | 1 Flagforge | 2025-10-08 | N/A | 9.8 CRITICAL |
| Flag Forge is a Capture The Flag (CTF) platform. In versions from 2.2.0 to before 2.3.1, the FlagForge web application improperly handles session invalidation. Authenticated users can continue to access protected endpoints, such as /api/profile, even after logging out. CSRF tokens are also still valid post-logout, which can allow unauthorized actions. This issue has been patched in version 2.3.1. | |||||
| CVE-2024-38513 | 1 Gofiber | 1 Fiber | 2025-10-02 | N/A | 10.0 CRITICAL |
| Fiber is an Express-inspired web framework written in Go. A vulnerability present in versions prior to 2.52.5 is a session middleware issue in GoFiber versions 2 and above. This vulnerability allows users to supply their own session_id value, resulting in the creation of a session with that key. If a website relies on the mere presence of a session for security purposes, this can lead to significant security risks, including unauthorized access and session fixation attacks. All users utilizing GoFiber's session middleware in the affected versions are impacted. The issue has been addressed in version 2.52.5. Users are strongly encouraged to upgrade to version 2.52.5 or higher to mitigate this vulnerability. Users who are unable to upgrade immediately can apply the following workarounds to reduce the risk: either implement additional validation to ensure session IDs are not supplied by the user and are securely generated by the server, or regularly rotate session IDs and enforce strict session expiration policies. | |||||
| CVE-2025-1412 | 1 Mattermost | 1 Mattermost Server | 2025-10-01 | N/A | 3.1 LOW |
| Mattermost versions 9.11.x <= 9.11.6, 10.4.x <= 10.4.1 fail to invalidate all active sessions when converting a user to a bot, which allows the converted user to escalate their privileges depending on the permissions granted to the bot. | |||||
| CVE-2025-54761 | 1 Yandaozi | 1 Ppress | 2025-09-25 | N/A | 8.0 HIGH |
| An issue was discovered in PPress 0.0.9 allowing attackers to gain escalated privileges via a crafted session cookie. | |||||
| CVE-2023-3711 | 1 Honeywell | 2 Pm43, Pm43 Firmware | 2025-09-12 | N/A | 6.4 MEDIUM |
| Session Fixation vulnerability in Honeywell PM43 on 32 bit, ARM (Printer web page modules) allows Session Credential Falsification through Prediction. This issue affects PM43 versions prior to P10.19.050004. Update to the latest available firmware version of the respective printers to version MR19.5 (e.g. P10.19.050006). | |||||
| CVE-2024-13279 | 1 Two-factor Authentication Project | 1 Two-factor Authentication | 2025-09-02 | N/A | 9.8 CRITICAL |
| Session Fixation vulnerability in Drupal Two-factor Authentication (TFA) allows Session Fixation. This issue affects Two-factor Authentication (TFA): from 0.0.0 before 1.8.0. | |||||
| CVE-2025-4644 | | | 2025-08-29 | N/A | N/A |
| A Session Fixation vulnerability existed in Payload's SQLite adapter due to identifier reuse during account creation. A malicious attacker could create a new account, save its JSON Web Token (JWT), and then delete the account, which did not invalidate the JWT. As a result, the next newly created user would receive the same identifier, allowing the attacker to reuse the JWT to authenticate and perform actions as that user. This issue has been fixed in version 3.44.0 of Payload. | |||||
| CVE-2025-8517 | 1 Vvveb | 1 Vvveb | 2025-08-27 | 6.5 MEDIUM | 6.3 MEDIUM |
| A vulnerability was detected in givanz Vvveb 1.0.6.1. Impacted is an unknown function. The manipulation results in session fixation. The attack can be launched remotely. The exploit is now public and may be used. Upgrading to version 1.0.7 is recommended to address this issue. The patch is identified as d4b1e030066417b77d15b4ac505eed5ae7bf2c5e. You should upgrade the affected component. | |||||
| CVE-2025-53895 | 1 Zitadel | 1 Zitadel | 2025-08-26 | N/A | 8.8 HIGH |
| ZITADEL is an open source identity management system. Starting in version 2.53.0 and prior to versions 4.0.0-rc.2, 3.3.2, 2.71.13, and 2.70.14, a vulnerability in ZITADEL's session management API allows any authenticated user to update a session if they know its ID, due to a missing permission check. This flaw enables session hijacking, allowing an attacker to impersonate another user and access sensitive resources. Versions prior to `2.53.0` are not affected, as they required the session token for updates. Versions 4.0.0-rc.2, 3.3.2, 2.71.13, and 2.70.14 fix the issue. | |||||
| CVE-2025-46815 | 1 Zitadel | 1 Zitadel | 2025-08-26 | N/A | 8.0 HIGH |
| The identity infrastructure software ZITADEL offers developers the ability to manage user sessions using the Session API. This API enables the use of IdPs for authentication, known as idp intents. Following a successful idp intent, the client receives an id and token on a predefined URI. This id and token can then be used to authenticate the user or their session. However, prior to versions 3.0.0, 2.71.9, and 2.70.10, it was possible to exploit this feature by repeatedly using intents. This allowed an attacker with access to the application's URI to retrieve the id and token, enabling them to authenticate on behalf of the user. It's important to note that the use of additional factors (MFA) prevents a complete authentication process and, consequently, access to the ZITADEL API. Versions 3.0.0, 2.71.9, and 2.70.10 contain a fix for the issue. No known workarounds other than upgrading are available. | |||||
