ReportizFlow
Filtered by vendor
Subscriptions
Total
411 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-40010 | 1 Apache | 1 Wicket | 2026-05-07 | 9.1 Critical |
| Missing invocation of Servlet http web request method changeSessionId after session binding can be exploited for a session fixation attack in Apache Wicket. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, 9.0.0, from 10.0.0 through 10.8.0. Users are recommended to upgrade to version 10.9.0, which fixes the issue. | ||||
| CVE-2026-34454 | 1 Oauth2 Proxy Project | 1 Oauth2 Proxy | 2026-04-23 | 3.5 Low |
| OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. A regression introduced in 7.11.0 prevents OAuth2 Proxy from clearing the session cookie when rendering the sign-in page. In deployments that rely on the sign-in page as part of their logout flow, a user may be shown the sign-in page while the existing session cookie remains valid, meaning the browser session is not actually logged out. On shared workstations or devices, a subsequent user could continue to use the previous user's authenticated session. Deployments that use a dedicated logout/sign-out endpoint to terminate sessions are not affected. This issue is fixed in 7.15.2 | ||||
| CVE-2007-4188 | 1 Joomla | 1 Joomla\! | 2026-04-23 | N/A |
| Session fixation vulnerability in Joomla! before 1.0.13 (aka Sunglow) allows remote attackers to hijack administrative web sessions via unspecified vectors. | ||||
| CVE-2008-3222 | 2 Drupal, Fedoraproject | 2 Drupal, Fedora | 2026-04-23 | N/A |
| Session fixation vulnerability in Drupal 5.x before 5.9 and 6.x before 6.3, when contributed modules "terminate the current request during a login event," allows remote attackers to hijack web sessions via unknown vectors. | ||||
| CVE-2009-1580 | 2 Redhat, Squirrelmail | 2 Enterprise Linux, Squirrelmail | 2026-04-23 | N/A |
| Session fixation vulnerability in SquirrelMail before 1.4.18 allows remote attackers to hijack web sessions via a crafted cookie. | ||||
| CVE-2025-43516 | 1 Apple | 3 Macos, Macos Sequoia, Macos Sonoma | 2026-04-23 | 3.3 Low |
| A session management issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.7.3, macOS Sonoma 14.8.3, macOS Tahoe 26.2. A user with Voice Control enabled may be able to transcribe another user's activity. | ||||
| CVE-2025-46605 | 1 Dell | 1 Powerprotect Data Domain | 2026-04-20 | 6.2 Medium |
| Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 8.4 through 8.5 contain a session fixation vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to unauthorized access. | ||||
| CVE-2026-24894 | 1 Php | 1 Frankenphp | 2026-04-18 | 7.5 High |
| FrankenPHP is a modern application server for PHP. Prior to 1.11.2, when running FrankenPHP in worker mode, the $_SESSION superglobal is not correctly reset between requests. This allows a subsequent request processed by the same worker to access the $_SESSION data of the previous request (potentially belonging to a different user) before session_start() is called. This vulnerability is fixed in 1.11.2. | ||||
| CVE-2026-24352 | 1 Pluxml | 1 Pluxml | 2026-04-18 | 9.8 Critical |
| PluXml CMS allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only versions 5.8.21 and 5.9.0-rc7 were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | ||||
| CVE-2026-22082 | 1 Tenda | 2 F3, N300 | 2026-04-18 | N/A |
| This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the use of login credentials as the session ID through its web-based administrative interface. A remote attacker could exploit this vulnerability by intercepting network traffic and capturing the session ID during insecure transmission. Successful exploitation of this vulnerability could allow the attacker to hijack an authenticated session and compromise sensitive configuration information on the targeted device. | ||||
| CVE-2026-23624 | 1 Glpi-project | 1 Glpi | 2026-04-18 | 4.3 Medium |
| GLPI is a free asset and IT management software package. In versions starting from 0.71 to before 10.0.23 and before 11.0.5, when remote authentication is used, based on SSO variables, a user can steal a GLPI session previously opened by another user on the same machine. This issue has been patched in versions . | ||||
| CVE-2026-23796 | 1 Opensolution | 1 Quick.cart | 2026-04-18 | 9.8 Critical |
| Quick.Cart allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.7 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | ||||
| CVE-2026-2177 | 2 Fast5, Sourcecodester | 2 Prison Management System, Prison Management System | 2026-04-18 | 7.3 High |
| A vulnerability has been found in SourceCodester Prison Management System 1.0. The impacted element is an unknown function of the component Login. The manipulation leads to session fixiation. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2026-31940 | 1 Chamilo | 1 Chamilo Lms | 2026-04-18 | 7.5 High |
| Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, in main/lp/aicc_hacp.php, user-controlled request parameters are directly used to set the PHP session ID before loading global bootstrap. This leads to session fixation. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3. | ||||
| CVE-2026-30224 | 1 Olivetin | 1 Olivetin | 2026-04-16 | 5.4 Medium |
| OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, OliveTin does not revoke server-side sessions when a user logs out. Although the browser cookie is cleared, the corresponding session remains valid in server storage until expiry (default ≈ 1 year). An attacker with a previously stolen or captured session cookie can continue authenticating after logout, resulting in a post-logout authentication bypass. This is a session management flaw that violates expected logout semantics. This issue has been patched in version 3000.11.1. | ||||
| CVE-1999-0428 | 1 Openssl | 1 Openssl | 2026-04-16 | 6.5 Medium |
| OpenSSL and SSLeay allow remote attackers to reuse SSL sessions and bypass access controls. | ||||
| CVE-2001-1534 | 1 Apache | 1 Http Server | 2026-04-16 | N/A |
| mod_usertrack in Apache 1.3.11 through 1.3.20 generates session ID's using predictable information including host IP address, system time and server process ID, which allows local users to obtain session ID's and bypass authentication when these session ID's are used for authentication. | ||||
| CVE-2025-42602 | 2026-04-15 | N/A | ||
| This vulnerability exists in Meon KYC solutions due to improper handling of access and refresh tokens in certain API endpoints of authentication process. A remote attacker could exploit this vulnerability by intercepting and manipulating the responses through API request body leading to unauthorized access of other user accounts. | ||||
| CVE-2025-4644 | 1 Payloadcms | 1 Payload | 2026-04-15 | N/A |
| A Session Fixation vulnerability existed in Payload's SQLite adapter due to identifier reuse during account creation. A malicious attacker could create a new account, save its JSON Web Token (JWT), and then delete the account, which did not invalidate the JWT. As a result, the next newly created user would receive the same identifier, allowing the attacker to reuse the JWT to authenticate and perform actions as that user. This issue has been fixed in version 3.44.0 of Payload. | ||||
| CVE-2025-22216 | 2026-04-15 | 5.4 Medium | ||
| A UAA configured with multiple identity zones, does not properly validate session information across those zones. A User authenticated against a corporate IDP can re-use their jsessionid to access other zones. | ||||