Total: 394 CVEs

| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2017-12965 | 1 Apache2triad | 1 Apache2triad | 2026-05-13 | 7.5 HIGH | 9.8 CRITICAL | Session fixation vulnerability in Apache2Triad 1.5.4 allows remote attackers to hijack web sessions via the PHPSESSID parameter. |
| CVE-2017-5141 | 1 Honeywell | 1 Xl Web Ii Controller | 2026-05-13 | 6.5 MEDIUM | 6.0 MEDIUM | An issue was discovered in Honeywell XL Web II controller XL1000C500 XLWebExe-2-01-00 and prior, and XLWeb 500 XLWebExe-1-02-08 and prior. An attacker can establish a new user session without invalidating any existing session identifier, which gives the opportunity to steal authenticated sessions (SESSION FIXATION). |
| CVE-2016-9125 | 1 Revive-adserver | 1 Revive Adserver | 2026-05-13 | 7.5 HIGH | 9.8 CRITICAL | Revive Adserver before 3.2.3 suffers from session fixation, by allowing arbitrary session identifiers to be forced and, at the same time, by not invalidating the existing session upon a successful authentication. Under some circumstances, that could have been an opportunity for an attacker to steal an authenticated session. |
| CVE-2017-1152 | 1 Ibm | 1 Financial Transaction Manager | 2026-05-13 | 4.0 MEDIUM | 4.3 MEDIUM | IBM Financial Transaction Manager 3.0.1 and 3.0.2 does not properly update the SESSIONID with each request, which could allow a user to obtain the ID in further attacks against the system. IBM X-Force ID: 122293. |
| CVE-2017-0892 | 1 Nextcloud | 1 Nextcloud Server | 2026-05-13 | 4.3 MEDIUM | 3.5 LOW | Nextcloud Server before 11.0.3 is vulnerable to improper session handling that allowed an application-specific password without the files permission to access the user's files. |
| CVE-2015-1174 | 1 Unit4 | 1 Teta Web | 2026-05-13 | 7.5 HIGH | 9.8 CRITICAL | Session fixation vulnerability in Unit4 Polska TETA Web (formerly TETA Galactica) 22.62.3.4 and earlier allows remote attackers to hijack web sessions via a session id. |
| CVE-2016-8638 | 1 Ipsilon Project | 1 Ipsilon | 2026-05-13 | 6.4 MEDIUM | 9.1 CRITICAL | A vulnerability in ipsilon 2.0 before 2.0.2, 1.2 before 1.2.1, 1.1 before 1.1.2, and 1.0 before 1.0.3 was found that allows an attacker to log out active sessions of other users. This issue is related to how it tracks sessions, and allows an unauthenticated attacker to view and terminate active sessions from other users. It is also called a "SAML2 multi-session vulnerability." |
| CVE-2017-12868 | 2 Php, Simplesamlphp | 2 Php, Simplesamlphp | 2026-05-13 | 7.5 HIGH | 9.8 CRITICAL | The secureCompare method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.13 and earlier, when used with PHP before 5.6, allows attackers to conduct session fixation attacks or possibly bypass authentication by leveraging missing character conversions before an XOR operation. |
| CVE-2017-12873 | 2 Debian, Simplesamlphp | 2 Debian Linux, Simplesamlphp | 2026-05-13 | 7.5 HIGH | 9.8 CRITICAL | SimpleSAMLphp 1.7.0 through 1.14.10 might allow attackers to obtain sensitive information, gain unauthorized access, or have unspecified other impacts by leveraging incorrect persistent NameID generation when an Identity Provider (IdP) is misconfigured. |
| CVE-2025-65415 | | | 2026-05-12 | N/A | 5.4 MEDIUM | docuFORM Managed Print Service Client 11.11c is vulnerable to a session fixation attack via the login page of the application. |
| CVE-2025-46605 | 1 Dell | 1 Data Domain Operating System | 2026-05-08 | N/A | 6.2 MEDIUM | Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 8.4 through 8.5 contain a session fixation vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to unauthorized access. |
| CVE-2026-40010 | 1 Apache | 1 Wicket | 2026-05-07 | N/A | 9.1 CRITICAL | Missing invocation of the Servlet HTTP request method changeSessionId after session binding can be exploited for a session fixation attack in Apache Wicket. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, 9.0.0, from 10.0.0 through 10.8.0. Users are recommended to upgrade to version 10.9.0, which fixes the issue. |
| CVE-2014-4789 | 1 Ibm | 1 Initiate Master Data Service | 2026-05-06 | 6.8 MEDIUM | N/A | Session fixation vulnerability in IBM Initiate Master Data Service 9.5 before 9.5.093013, 9.7 before 9.7.093013, 10.0 before 10.0.093013, and 10.1 before 10.1.093013 allows remote attackers to hijack web sessions via unspecified vectors. |
| CVE-2015-4594 | 1 Eclinicalworks | 1 Population Health | 2026-05-06 | 7.5 HIGH | 9.8 CRITICAL | eClinicalWorks Population Health (CCMR) suffers from a session fixation vulnerability. When authenticating a user, the application does not assign a new session ID, making it possible to use an existing session ID. |
| CVE-2025-8517 | 1 Vvveb | 1 Vvveb | 2026-04-29 | 6.5 MEDIUM | 6.3 MEDIUM | A vulnerability was detected in givanz Vvveb 1.0.6.1. Impacted is an unknown function. The manipulation results in session fixation. The attack can be launched remotely. The exploit is now public and may be used. Upgrading to version 1.0.7 is recommended to address this issue. The patch is identified as d4b1e030066417b77d15b4ac505eed5ae7bf2c5e. You should upgrade the affected component. |
| CVE-2026-2177 | 1 Fast5 | 1 Prison Management System | 2026-04-29 | 7.5 HIGH | 7.3 HIGH | A vulnerability has been found in SourceCodester Prison Management System 1.0. The impacted element is an unknown function of the component Login. The manipulation leads to session fixation. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. |
| CVE-2026-34454 | 1 Oauth2 Proxy Project | 1 Oauth2 Proxy | 2026-04-23 | N/A | 3.5 LOW | OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. A regression introduced in 7.11.0 prevents OAuth2 Proxy from clearing the session cookie when rendering the sign-in page. In deployments that rely on the sign-in page as part of their logout flow, a user may be shown the sign-in page while the existing session cookie remains valid, meaning the browser session is not actually logged out. On shared workstations or devices, a subsequent user could continue to use the previous user's authenticated session. Deployments that use a dedicated logout/sign-out endpoint to terminate sessions are not affected. This issue is fixed in 7.15.2. |
| CVE-2008-3222 | 2 Drupal, Fedoraproject | 2 Drupal, Fedora | 2026-04-23 | 5.8 MEDIUM | N/A | Session fixation vulnerability in Drupal 5.x before 5.9 and 6.x before 6.3, when contributed modules "terminate the current request during a login event," allows remote attackers to hijack web sessions via unknown vectors. |
| CVE-2007-4188 | 1 Joomla | 1 Joomla! | 2026-04-23 | 9.3 HIGH | N/A | Session fixation vulnerability in Joomla! before 1.0.13 (aka Sunglow) allows remote attackers to hijack administrative web sessions via unspecified vectors. |
| CVE-2026-31940 | 1 Chamilo | 1 Chamilo Lms | 2026-04-17 | N/A | 7.5 HIGH | Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, in main/lp/aicc_hacp.php, user-controlled request parameters are directly used to set the PHP session ID before loading the global bootstrap. This leads to session fixation. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3. |
