Total: 394 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-43827 | 1 Apache | 1 Shiro | 2026-05-28 | N/A | 6.5 MEDIUM |
| Default configurations of Apache Shiro have a session fixation vulnerability. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected versions, when a session already exists, it is not invalidated upon successful login, nor is a new session being generated with a new ID. | |||||
| CVE-2026-45773 | 1 Vercel | 1 Turborepo | 2026-05-19 | N/A | 6.5 MEDIUM |
| Turborepo is a high-performance build system for JavaScript and TypeScript codebases. Prior to 2.9.14, Turborepo's self-hosted login and SSO browser flows did not validate a CSRF state value on the localhost callback. While the CLI was waiting for authentication, a malicious web page could send a request to the local callback server with an attacker-controlled token. If accepted before the legitimate callback, the CLI could complete login with the wrong credentials. This affects users authenticating the turbo CLI against self-hosted remote cache/auth endpoints. Vercel-hosted login flows using device authorization are not affected. This vulnerability is fixed in 2.9.14. | |||||
| CVE-2026-41613 | 1 Microsoft | 1 Visual Studio Code | 2026-05-15 | N/A | 8.8 HIGH |
| Session fixation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network. | |||||
| CVE-2026-30808 | 1 Artica | 1 Pandora Fms | 2026-05-13 | N/A | 8.1 HIGH |
| Session Fixation vulnerability allows Session Hijacking via crafted session ID. This issue affects Pandora FMS: from 777 through 800. | |||||
| CVE-2025-65415 | | | 2026-05-12 | N/A | 5.4 MEDIUM |
| docuFORM Managed Print Service Client 11.11c is vulnerable to a session fixation attack via the login page of the application. | |||||
| CVE-2025-46605 | 1 Dell | 1 Data Domain Operating System | 2026-05-08 | N/A | 6.2 MEDIUM |
| Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 8.4 through 8.5 contain a session fixation vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to unauthorized access. | |||||
| CVE-2026-40010 | 1 Apache | 1 Wicket | 2026-05-07 | N/A | 9.1 CRITICAL |
| Missing invocation of Servlet http web request method changeSessionId after session binding can be exploited for a session fixation attack in Apache Wicket. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, 9.0.0, from 10.0.0 through 10.8.0. Users are recommended to upgrade to version 10.9.0, which fixes the issue. | |||||
| CVE-2026-34454 | 1 Oauth2 Proxy Project | 1 Oauth2 Proxy | 2026-04-23 | N/A | 3.5 LOW |
| OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. A regression introduced in 7.11.0 prevents OAuth2 Proxy from clearing the session cookie when rendering the sign-in page. In deployments that rely on the sign-in page as part of their logout flow, a user may be shown the sign-in page while the existing session cookie remains valid, meaning the browser session is not actually logged out. On shared workstations or devices, a subsequent user could continue to use the previous user's authenticated session. Deployments that use a dedicated logout/sign-out endpoint to terminate sessions are not affected. This issue is fixed in 7.15.2. | |||||
| CVE-2026-31940 | 1 Chamilo | 1 Chamilo Lms | 2026-04-17 | N/A | 7.5 HIGH |
| Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, in main/lp/aicc_hacp.php, user-controlled request parameters are directly used to set the PHP session ID before loading global bootstrap. This leads to session fixation. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3. | |||||
| CVE-2026-25101 | 1 Bludit | 1 Bludit | 2026-04-02 | N/A | 9.8 CRITICAL |
| Bludit allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behavior enables an attacker to fix a session ID for a victim and later hijack the authenticated session. This issue was fixed in version 3.17.2. | |||||
| CVE-2026-33946 | 1 Lfprojects | 1 Mcp Ruby Sdk | 2026-04-02 | N/A | 5.9 MEDIUM |
| MCP Ruby SDK is the official Ruby SDK for Model Context Protocol servers and clients. Prior to version 0.9.2, the Ruby SDK's streamable_http_transport.rb implementation contains a session hijacking vulnerability. An attacker who obtains a valid session ID can completely hijack the victim's Server-Sent Events (SSE) stream and intercept all real-time data. Version 0.9.2 contains a patch. | |||||
| CVE-2026-33757 | 1 Openbao | 1 Openbao | 2026-03-30 | N/A | 9.6 CRITICAL |
| OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao does not prompt for user confirmation when logging in via JWT/OIDC and a role with `callback_mode` set to `direct`. This allows an attacker to start an authentication request and perform "remote phishing" by having the victim visit the URL and automatically log-in to the session of the attacker. Despite being based on the authorization code flow, the `direct` mode calls back directly to the API and allows an attacker to poll for an OpenBao token until it is issued. Version 2.5.2 includes an additional confirmation screen for `direct` type logins that requires manual user interaction in order to finish the authentication. This issue can be worked around either by removing any roles with `callback_mode=direct` or enforcing confirmation for every session on the token issuer side for the Client ID used by OpenBao. | |||||
| CVE-2025-55266 | 1 Hcltech | 1 Aftermarket Cloud | 2026-03-26 | N/A | 5.9 MEDIUM |
| HCL Aftermarket DPC is affected by Session Fixation, which allows an attacker to take over the user's session and use it to carry out unauthorized transactions on behalf of the user. | |||||
| CVE-2026-33492 | 1 Wwbn | 1 Avideo | 2026-03-24 | N/A | 7.3 HIGH |
| WWBN AVideo is an open source video platform. In versions up to and including 26.0, AVideo's `_session_start()` function accepts arbitrary session IDs via the `PHPSESSID` GET parameter and sets them as the active PHP session. A session regeneration bypass exists for specific blacklisted endpoints when the request originates from the same domain. Combined with the explicitly disabled session regeneration in `User::login()`, this allows a classic session fixation attack where an attacker can fix a victim's session ID before authentication and then hijack the authenticated session. Commit 5647a94d79bf69a972a86653fe02144079948785 contains a patch. | |||||
