Total
394 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-24502 | 2026-04-15 | N/A | N/A | ||
| An improper session validation allows an unauthenticated attacker to cause certain request notifications to be executed in the context of an incorrect user by spoofing the client IP address. | |||||
| CVE-2025-26658 | 2026-04-15 | N/A | 6.8 MEDIUM | ||
| The Service Layer in SAP Business One, allows attackers to potentially gain unauthorized access and impersonate other users in the application to perform unauthorized actions. Due to the improper session management, the attackers can elevate themselves to higher privilege and can read, modify and/or write new data. To gain authenticated sessions of other users, the attacker must invest considerable time and effort. This vulnerability has a high impact on the confidentiality and integrity of the application with no effect on the availability of the application. | |||||
| CVE-2024-25977 | 2026-04-15 | N/A | 7.3 HIGH | ||
| The application does not change the session token when using the login or logout functionality. An attacker can set a session token in the victim's browser (e.g. via XSS) and prompt the victim to log in (e.g. via a redirect to the login page). This results in the victim's account being taken over. | |||||
| CVE-2025-22216 | 2026-04-15 | N/A | 5.4 MEDIUM | ||
| A UAA configured with multiple identity zones, does not properly validate session information across those zones. A User authenticated against a corporate IDP can re-use their jsessionid to access other zones. | |||||
| CVE-2023-52268 | 2026-04-15 | N/A | 9.1 CRITICAL | ||
| The End-User Portal module before 1.0.65 for FreeScout sometimes allows an attacker to authenticate as an arbitrary user because a session token can be sent to the /auth endpoint. NOTE: this module is not part of freescout-helpdesk/freescout on GitHub. | |||||
| CVE-2025-12390 | 2026-04-15 | N/A | 6.0 MEDIUM | ||
| A flaw was found in Keycloak. In Keycloak where a user can accidentally get access to another user's session if both use the same device and browser. This happens because Keycloak sometimes reuses session identifiers and doesn’t clean up properly during logout when browser cookies are missing. As a result, one user may receive tokens that belong to another user. | |||||
| CVE-2025-70973 | 1 Scadabr | 1 Scadabr | 2026-04-07 | N/A | 4.8 MEDIUM |
| ScadaBR 1.12.4 is vulnerable to Session Fixation. The application assigns a JSESSIONID session cookie to unauthenticated users and does not regenerate the session identifier after successful authentication. As a result, a session created prior to login becomes authenticated once the victim logs in, allowing an attacker who knows the session ID to hijack an authenticated session. | |||||
| CVE-2026-25101 | 1 Bludit | 1 Bludit | 2026-04-02 | N/A | 9.8 CRITICAL |
| Bludit allows user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behavior enables an attacker to fix a session ID for a victim and later hijack the authenticated session. This issue was fixed in version 3.17.2. | |||||
| CVE-2025-43516 | 1 Apple | 1 Macos | 2026-04-02 | N/A | 3.3 LOW |
| A session management issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.7.3, macOS Sonoma 14.8.3, macOS Tahoe 26.2. A user with Voice Control enabled may be able to transcribe another user's activity. | |||||
| CVE-2026-33946 | 1 Lfprojects | 1 Mcp Ruby Sdk | 2026-04-02 | N/A | 5.9 MEDIUM |
| MCP Ruby SDK is the official Ruby SDK for Model Context Protocol servers and clients. Prior to version 0.9.2, the Ruby SDK's streamable_http_transport.rb implementation contains a session hijacking vulnerability. An attacker who obtains a valid session ID can completely hijack the victim's Server-Sent Events (SSE) stream and intercept all real-time data. Version 0.9.2 contains a patch. | |||||
| CVE-2026-33757 | 1 Openbao | 1 Openbao | 2026-03-30 | N/A | 9.6 CRITICAL |
| OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao does not prompt for user confirmation when logging in via JWT/OIDC and a role with `callback_mode` set to `direct`. This allows an attacker to start an authentication request and perform "remote phishing" by having the victim visit the URL and automatically log-in to the session of the attacker. Despite being based on the authorization code flow, the `direct` mode calls back directly to the API and allows an attacker to poll for an OpenBao token until it is issued. Version 2.5.2 includes an additional confirmation screen for `direct` type logins that requires manual user interaction in order to finish the authentication. This issue can be worked around either by removing any roles with `callback_mode=direct` or enforcing confirmation for every session on the token issuer side for the Client ID used by OpenBao. | |||||
| CVE-2024-7341 | 1 Redhat | 4 Build Of Keycloak, Enterprise Linux, Keycloak and 1 more | 2026-03-27 | N/A | 7.1 HIGH |
| A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authentication to trigger session fixation. | |||||
| CVE-2025-55266 | 1 Hcltech | 1 Aftermarket Cloud | 2026-03-26 | N/A | 5.9 MEDIUM |
| HCL Aftermarket DPC is affected by Session Fixation which allows attacker to takeover the user's session and use it carry out unauthorized transaction behalf of the user. | |||||
| CVE-2026-33492 | 1 Wwbn | 1 Avideo | 2026-03-24 | N/A | 7.3 HIGH |
| WWBN AVideo is an open source video platform. In versions up to and including 26.0, AVideo's `_session_start()` function accepts arbitrary session IDs via the `PHPSESSID` GET parameter and sets them as the active PHP session. A session regeneration bypass exists for specific blacklisted endpoints when the request originates from the same domain. Combined with the explicitly disabled session regeneration in `User::login()`, this allows a classic session fixation attack where an attacker can fix a victim's session ID before authentication and then hijack the authenticated session. Commit 5647a94d79bf69a972a86653fe02144079948785 contains a patch. | |||||
| CVE-2026-30224 | 1 Olivetin | 1 Olivetin | 2026-03-12 | N/A | 5.4 MEDIUM |
| OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, OliveTin does not revoke server-side sessions when a user logs out. Although the browser cookie is cleared, the corresponding session remains valid in server storage until expiry (default ≈ 1 year). An attacker with a previously stolen or captured session cookie can continue authenticating after logout, resulting in a post-logout authentication bypass. This is a session management flaw that violates expected logout semantics. This issue has been patched in version 3000.11.1. | |||||
| CVE-2022-2820 | 1 Namelessmc | 1 Nameless | 2026-02-25 | N/A | 7.0 HIGH |
| Session Fixation in GitHub repository namelessmc/nameless prior to v2.0.2. | |||||
| CVE-2026-24894 | 1 Php | 1 Frankenphp | 2026-02-20 | N/A | 7.5 HIGH |
| FrankenPHP is a modern application server for PHP. Prior to 1.11.2, when running FrankenPHP in worker mode, the $_SESSION superglobal is not correctly reset between requests. This allows a subsequent request processed by the same worker to access the $_SESSION data of the previous request (potentially belonging to a different user) before session_start() is called. This vulnerability is fixed in 1.11.2. | |||||
| CVE-2026-23796 | 1 Opensolution | 1 Quick.cart | 2026-02-19 | N/A | 9.8 CRITICAL |
| Quick.Cart allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.7 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | |||||
| CVE-2025-69602 | 1 Altumcode | 1 66biolinks | 2026-02-09 | N/A | 9.1 CRITICAL |
| A session fixation vulnerability exists in 66biolinks v62.0.0 by AltumCode, where the application does not regenerate the session identifier after successful authentication. As a result, the same session cookie value is reused for users logging in from the same browser, allowing an attacker who can set or predict a session ID to potentially hijack an authenticated session. | |||||
| CVE-2025-68139 | 1 Linuxfoundation | 1 Everest | 2026-02-06 | N/A | 4.3 MEDIUM |
| EVerest is an EV charging software stack. In all versions up to and including 2025.12.1, the default value for `terminate_connection_on_failed_response` is `False`, which leaves the responsibility for session and connection termination to the EV. In this configuration, any errors encountered by the module are logged but do not trigger countermeasures such as session and connection reset or termination. This could be abused by a malicious user in order to exploit other weaknesses or vulnerabilities. While the default will stay at the setting that is described as potentially problematic in this reported issue, a mitigation is available by changing the `terminate_connection_on_failed_response` setting to `true`. However this cannot be set to this value by default since it can trigger errors in vehicle ECUs requiring ECU resets and lengthy unavailability in charging for vehicles. The maintainers judge this to be a much more important workaround then short-term unavailability of an EVSE, therefore this setting will stay at the current value. | |||||