Total
370 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2025-55668 | 1 Apache | 1 Tomcat | 2025-08-18 | 6.5 Medium |
| Session Fixation vulnerability in Apache Tomcat via rewrite valve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Older, EOL versions may also be affected. Users are recommended to upgrade to version 11.0.8, 10.1.42 or 9.0.106, which fix the issue. | ||||
| CVE-2025-8517 | 1 Givanz | 1 Vvveb | 2025-08-18 | 6.3 Medium |
| A vulnerability was detected in givanz Vvveb 1.0.6.1. Impacted is an unknown function. The manipulation results in session fixiation. The attack can be launched remotely. The exploit is now public and may be used. Upgrading to version 1.0.7 is recommended to address this issue. The patch is identified as d4b1e030066417b77d15b4ac505eed5ae7bf2c5e. You should upgrade the affected component. | ||||
| CVE-2025-36117 | 1 Ibm | 1 Db2 Mirror For I | 2025-08-18 | 6.3 Medium |
| IBM Db2 Mirror for i 7.4, 7.5, and 7.6 does not disallow the session id after use which could allow an authenticated user to impersonate another user on the system. | ||||
| CVE-2024-49344 | 3 Ibm, Linux, Microsoft | 3 Openpages With Watson, Linux Kernel, Windows | 2025-08-15 | 4.3 Medium |
| IBM OpenPages with Watson 8.3 and 9.0 IBM OpenPages with Watson Assistant chat feature enabled the application establishes a session when a user logs in and uses chat, but the chat session is still left active after logout. | ||||
| CVE-2023-38002 | 1 Ibm | 1 Storage Scale | 2025-08-04 | 5 Medium |
| IBM Storage Scale 5.1.0.0 through 5.1.9.2 could allow an authenticated user to steal or manipulate an active session to gain access to the system. IBM X-Force ID: 260208. | ||||
| CVE-2025-53102 | 1 Discourse | 1 Discourse | 2025-07-31 | N/A |
| Discourse is an open-source community discussion platform. Prior to version 3.4.7 on the `stable` branch and version 3.5.0.beta.8 on the `tests-passed` branch, upon issuing a physical security key for 2FA, the server generates a WebAuthn challenge, which the client signs. The challenge is not cleared from the user’s session after authentication, potentially allowing reuse and increasing security risk. This is fixed in versions 3.4.7 and 3.5.0.beta.8. | ||||
| CVE-2025-51471 | 1 Ollama | 1 Ollama | 2025-07-25 | 6.9 Medium |
| Cross-Domain Token Exposure in server.auth.getAuthorizationToken in Ollama 0.6.7 allows remote attackers to steal authentication tokens and bypass access controls via a malicious realm value in a WWW-Authenticate header returned by the /api/pull endpoint. | ||||
| CVE-2025-0251 | 2025-07-25 | 2.6 Low | ||
| HCL IEM is affected by a concurrent login vulnerability. The application allows multiple concurrent sessions using the same user credentials, which may introduce security risks. | ||||
| CVE-2025-0253 | 2025-07-25 | 2 Low | ||
| HCL IEM is affected by a cookie attribute not set vulnerability due to inconsistency of certain security-related configurations which could increase exposure to potential vulnerabilities. | ||||
| CVE-2025-53895 | 1 Zitadel | 1 Zitadel | 2025-07-16 | N/A |
| ZITADEL is an open source identity management system. Starting in version 2.53.0 and prior to versions 4.0.0-rc.2, 3.3.2, 2.71.13, and 2.70.14, vulnerability in ZITADEL's session management API allows any authenticated user to update a session if they know its ID, due to a missing permission check. This flaw enables session hijacking, allowing an attacker to impersonate another user and access sensitive resources. Versions prior to `2.53.0` are not affected, as they required the session token for updates. Versions 4.0.0-rc.2, 3.3.2, 2.71.13, and 2.70.14 fix the issue. | ||||
| CVE-2025-52689 | 2025-07-16 | 9.8 Critical | ||
| Successful exploitation of the vulnerability could allow an unauthenticated attacker to obtain a valid session ID with administrator privileges by spoofing the login request, potentially allowing the attacker to modify the behaviour of the access point. | ||||
| CVE-2024-38513 | 1 Gofiber | 1 Fiber | 2025-07-13 | 10 Critical |
| Fiber is an Express-inspired web framework written in Go A vulnerability present in versions prior to 2.52.5 is a session middleware issue in GoFiber versions 2 and above. This vulnerability allows users to supply their own session_id value, resulting in the creation of a session with that key. If a website relies on the mere presence of a session for security purposes, this can lead to significant security risks, including unauthorized access and session fixation attacks. All users utilizing GoFiber's session middleware in the affected versions are impacted. The issue has been addressed in version 2.52.5. Users are strongly encouraged to upgrade to version 2.52.5 or higher to mitigate this vulnerability. Users who are unable to upgrade immediately can apply the following workarounds to reduce the risk: Either implement additional validation to ensure session IDs are not supplied by the user and are securely generated by the server, or regularly rotate session IDs and enforce strict session expiration policies. | ||||
| CVE-2025-29928 | 1 Goauthentik | 1 Authentik | 2025-07-13 | 8 High |
| authentik is an open-source identity provider. Prior to versions 2024.12.4 and 2025.2.3, when authentik was configured to use the database for session storage (which is a non-default setting), deleting sessions via the Web Interface or the API would not revoke the session and the session holder would continue to have access to authentik. authentik 2025.2.3 and 2024.12.4 fix this issue. Switching to the cache-based session storage until the authentik instance can be upgraded is recommended. This will however also delete all existing sessions and users will have to re-authenticate. | ||||
| CVE-2025-1412 | 1 Mattermost | 1 Mattermost | 2025-07-12 | 3.1 Low |
| Mattermost versions 9.11.x <= 9.11.6, 10.4.x <= 10.4.1 fail to invalidate all active sessions when converting a user to a bot, with allows the converted user to escalate their privileges depending on the permissions granted to the bot. | ||||
| CVE-2018-1000519 | 1 Aio-libs | 1 Aiohttp Session | 2025-07-11 | 6.5 Medium |
| aio-libs aiohttp-session contains a Session Fixation vulnerability in load_session function for RedisStorage (see: https://github.com/aio-libs/aiohttp-session/blob/master/aiohttp_session/redis_storage.py#L42) that can result in Session Hijacking. This attack appear to be exploitable via Any method that allows setting session cookies (?session=<>, or meta tags or script tags with Set-Cookie). | ||||
| CVE-2024-23590 | 2 Apache, Apache Software Foundation | 2 Kylin, Apache Kylin | 2025-07-10 | 9.1 Critical |
| Session Fixation vulnerability in Apache Kylin. This issue affects Apache Kylin: from 2.0.0 through 4.x. Users are recommended to upgrade to version 5.0.0 or above, which fixes the issue. | ||||
| CVE-2021-3740 | 1 Chatwoot | 1 Chatwoot | 2025-07-10 | 6.8 Medium |
| A Session Fixation vulnerability exists in chatwoot/chatwoot versions prior to 2.4.0. The application does not invalidate existing sessions on other devices when a user changes their password, allowing old sessions to persist. This can lead to unauthorized access if an attacker has obtained a session token. | ||||
| CVE-2025-53021 | 1 Moodle | 1 Moodle | 2025-07-09 | 4.2 Medium |
| A session fixation vulnerability in Moodle 3.x through 3.11.18 allows unauthenticated attackers to hijack user sessions via the sesskey parameter. The sesskey can be obtained without authentication and reused within the OAuth2 login flow, resulting in the victim's session being linked to the attacker's. Successful exploitation results in full account takeover. According to the Moodle Releases page, "Bug fixes for security issues in 3.11.x ended 11 December 2023." NOTE: This vulnerability only affects products that are no longer supported by the maintainer. | ||||
| CVE-2022-40916 | 1 Tiny File Manager Project | 1 Tiny File Manager | 2025-07-03 | 9.8 Critical |
| Tiny File Manager v2.4.7 and below is vulnerable to session fixation. | ||||
| CVE-2024-57052 | 1 Youdiancms | 1 Youdiancms | 2025-06-27 | 9.8 Critical |
| An issue in youdiancms v.9.5.20 and before allows a remote attacker to escalate privileges via the sessionID parameter in the index.php file. | ||||