Total
377 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-55668 | 1 Apache | 1 Tomcat | 2025-11-04 | 6.5 Medium |
| Session Fixation vulnerability in Apache Tomcat via rewrite valve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue. | ||||
| CVE-2024-28144 | 2025-11-03 | 5.5 Medium | ||
| An attacker who can spoof the IP address and the User-Agent of a logged-in user can takeover the session because of flaws in the self-developed session management. If two users access the web interface from the same IP they are logged in as the other user. | ||||
| CVE-2025-12390 | 1 Redhat | 1 Build Keycloak | 2025-10-30 | 6 Medium |
| A flaw was found in Keycloak. In Keycloak where a user can accidentally get access to another user's session if both use the same device and browser. This happens because Keycloak sometimes reuses session identifiers and doesn’t clean up properly during logout when browser cookies are missing. As a result, one user may receive tokens that belong to another user. | ||||
| CVE-2025-64100 | 1 Ckan | 1 Ckan | 2025-10-30 | 6.1 Medium |
| CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.9 and 2.11.4, session ids could be fixed by an attacker if the site is configured with server-side session storage (CKAN uses cookie-based session storage by default). The attacker would need to either set a cookie on the victim's browser or steal the victim's currently valid session. Session identifiers are now regenerated after each login. This vulnerability has been fixed in CKAN 2.10.9 and 2.11.4 | ||||
| CVE-2024-49709 | 1 Softcom.wroc | 1 Iksoris | 2025-10-28 | 4.4 Medium |
| Internet Starter, one of SoftCOM iKSORIS system modules, allows for setting an arbitrary session cookie value. An attacker with an access to user's browser might set such a cookie, wait until the user logs in and then use the same cookie to take over the account. Moreover, the system does not destroy the old sessions when creating new ones, what expands the time frame in which an attack might be performed. This vulnerability has been patched in version 79.0 | ||||
| CVE-2025-56746 | 1 Creativeitem | 1 Academy Lms | 2025-10-23 | 2.2 Low |
| Creativeitem Academy LMS up to and including 5.13 does not regenerate session IDs upon successful authentication, enabling session fixation attacks where attackers can hijack user sessions by predetermining session identifiers. | ||||
| CVE-2025-10228 | 1 Rolantis Information Technologies | 1 Agentis | 2025-10-20 | 8.8 High |
| Session Fixation vulnerability in Rolantis Information Technologies Agentis allows Session Hijacking.This issue affects Agentis: before 4.44. | ||||
| CVE-2025-51471 | 1 Ollama | 1 Ollama | 2025-10-17 | 6.9 Medium |
| Cross-Domain Token Exposure in server.auth.getAuthorizationToken in Ollama 0.6.7 allows remote attackers to steal authentication tokens and bypass access controls via a malicious realm value in a WWW-Authenticate header returned by the /api/pull endpoint. | ||||
| CVE-2024-37829 | 1 Getoutline | 1 Outline | 2025-10-10 | 8.8 High |
| An issue in Outline <= v0.76.1 allows attackers to execute a session hijacking attack via user interaction with a crafted magic sign-in link. | ||||
| CVE-2024-42207 | 1 Hcltech | 1 Dryice Iautomate | 2025-10-10 | 5.5 Medium |
| HCL iAutomate is affected by a session fixation vulnerability. An attacker could hijack a victim's session ID from their authenticated session. | ||||
| CVE-2025-0251 | 1 Hcltech | 1 Intelliops Event Management | 2025-10-09 | 2.6 Low |
| HCL IEM is affected by a concurrent login vulnerability. The application allows multiple concurrent sessions using the same user credentials, which may introduce security risks. | ||||
| CVE-2025-0253 | 1 Hcltech | 1 Intelliops Event Management | 2025-10-09 | 2 Low |
| HCL IEM is affected by a cookie attribute not set vulnerability due to inconsistency of certain security-related configurations which could increase exposure to potential vulnerabilities. | ||||
| CVE-2025-59841 | 2 Flagforge, Flagforgectf | 2 Flagforge, Flagforge | 2025-10-08 | 9.8 Critical |
| Flag Forge is a Capture The Flag (CTF) platform. In versions from 2.2.0 to before 2.3.1, the FlagForge web application improperly handles session invalidation. Authenticated users can continue to access protected endpoints, such as /api/profile, even after logging out. CSRF tokens are also still valid post-logout, which can allow unauthorized actions. This issue has been patched in version 2.3.1. | ||||
| CVE-2024-38513 | 1 Gofiber | 1 Fiber | 2025-10-02 | 10 Critical |
| Fiber is an Express-inspired web framework written in Go A vulnerability present in versions prior to 2.52.5 is a session middleware issue in GoFiber versions 2 and above. This vulnerability allows users to supply their own session_id value, resulting in the creation of a session with that key. If a website relies on the mere presence of a session for security purposes, this can lead to significant security risks, including unauthorized access and session fixation attacks. All users utilizing GoFiber's session middleware in the affected versions are impacted. The issue has been addressed in version 2.52.5. Users are strongly encouraged to upgrade to version 2.52.5 or higher to mitigate this vulnerability. Users who are unable to upgrade immediately can apply the following workarounds to reduce the risk: Either implement additional validation to ensure session IDs are not supplied by the user and are securely generated by the server, or regularly rotate session IDs and enforce strict session expiration policies. | ||||
| CVE-2025-1412 | 1 Mattermost | 2 Mattermost, Mattermost Server | 2025-10-01 | 3.1 Low |
| Mattermost versions 9.11.x <= 9.11.6, 10.4.x <= 10.4.1 fail to invalidate all active sessions when converting a user to a bot, with allows the converted user to escalate their privileges depending on the permissions granted to the bot. | ||||
| CVE-2025-54761 | 2 Ppress, Yandaozi | 2 Cms, Ppress | 2025-09-25 | 8 High |
| An issue was discovered in PPress 0.0.9 allowing attackers to gain escilated privlidges via crafted session cookie. | ||||
| CVE-2024-7341 | 1 Redhat | 8 Build Keycloak, Build Of Keycloak, Enterprise Linux and 5 more | 2025-09-23 | 7.1 High |
| A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authentication to trigger session fixation. | ||||
| CVE-2023-3711 | 1 Honeywell | 2 Pm43, Pm43 Firmware | 2025-09-12 | 6.4 Medium |
| Session Fixation vulnerability in Honeywell PM43 on 32 bit, ARM (Printer web page modules) allows Session Credential Falsification through Prediction.This issue affects PM43 versions prior to P10.19.050004. Update to the latest available firmware version of the respective printers to version MR19.5 (e.g. P10.19.050006). | ||||
| CVE-2024-31221 | 1 Lizardbyte | 1 Sunshine | 2025-09-11 | 5.9 Medium |
| Sunshine is a self-hosted game stream host for Moonlight. Starting in version 0.10.0 and prior to version 0.23.0, after unpairing all devices in the web UI interface and then pairing only one device, all of the previously devices will be temporarily paired. Version 0.23.0 contains a patch for the issue. As a workaround, restarting Sunshine after unpairing all devices prevents the vulnerability. | ||||
| CVE-2024-13279 | 1 Two-factor Authentication Project | 1 Two-factor Authentication | 2025-09-02 | 9.8 Critical |
| Session Fixation vulnerability in Drupal Two-factor Authentication (TFA) allows Session Fixation.This issue affects Two-factor Authentication (TFA): from 0.0.0 before 1.8.0. | ||||