Total
400 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-24352 | 1 Pluxml | 1 Pluxml | 2026-03-02 | 9.8 Critical |
| PluXml CMS allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only versions 5.8.21 and 5.9.0-rc7 were tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | ||||
| CVE-2025-71057 | 1 D-link | 1 Wireless N 300 Adsl2+ Modem Router | 2026-02-27 | 8.2 High |
| Improper session management in D-Link Wireless N 300 ADSL2+ Modem Router DSL-124 ME_1.00 allows attackers to execute a session hijacking attack via spoofing the IP address of an authenticated user. | ||||
| CVE-2025-26658 | 2026-02-26 | 6.8 Medium | ||
| The Service Layer in SAP Business One, allows attackers to potentially gain unauthorized access and impersonate other users in the application to perform unauthorized actions. Due to the improper session management, the attackers can elevate themselves to higher privilege and can read, modify and/or write new data. To gain authenticated sessions of other users, the attacker must invest considerable time and effort. This vulnerability has a high impact on the confidentiality and integrity of the application with no effect on the availability of the application. | ||||
| CVE-2025-37159 | 1 Hpe | 1 Arubaos-cx | 2026-02-26 | 5.8 Medium |
| A vulnerability in the web management interface of the AOS-CX OS user authentication service could allow an authenticated remote attacker to hijack an active user session. Successful exploitation may enable the attacker to maintain unauthorized access to the session, potentially leading to the view or modification of sensitive configuration data. | ||||
| CVE-2022-2820 | 1 Namelessmc | 1 Nameless | 2026-02-25 | 7 High |
| Session Fixation in GitHub repository namelessmc/nameless prior to v2.0.2. | ||||
| CVE-2026-2177 | 2 Fast5, Sourcecodester | 2 Prison Management System, Prison Management System | 2026-02-23 | 7.3 High |
| A vulnerability has been found in SourceCodester Prison Management System 1.0. The impacted element is an unknown function of the component Login. The manipulation leads to session fixiation. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2026-24894 | 1 Php | 1 Frankenphp | 2026-02-20 | 7.5 High |
| FrankenPHP is a modern application server for PHP. Prior to 1.11.2, when running FrankenPHP in worker mode, the $_SESSION superglobal is not correctly reset between requests. This allows a subsequent request processed by the same worker to access the $_SESSION data of the previous request (potentially belonging to a different user) before session_start() is called. This vulnerability is fixed in 1.11.2. | ||||
| CVE-2026-23796 | 1 Opensolution | 1 Quick.cart | 2026-02-19 | 9.8 Critical |
| Quick.Cart allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session. The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.7 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | ||||
| CVE-2025-69602 | 1 Altumcode | 1 66biolinks | 2026-02-09 | 9.1 Critical |
| A session fixation vulnerability exists in 66biolinks v62.0.0 by AltumCode, where the application does not regenerate the session identifier after successful authentication. As a result, the same session cookie value is reused for users logging in from the same browser, allowing an attacker who can set or predict a session ID to potentially hijack an authenticated session. | ||||
| CVE-2025-68139 | 2 Everest, Linuxfoundation | 2 Everest-core, Everest | 2026-02-06 | 4.3 Medium |
| EVerest is an EV charging software stack. In all versions up to and including 2025.12.1, the default value for `terminate_connection_on_failed_response` is `False`, which leaves the responsibility for session and connection termination to the EV. In this configuration, any errors encountered by the module are logged but do not trigger countermeasures such as session and connection reset or termination. This could be abused by a malicious user in order to exploit other weaknesses or vulnerabilities. While the default will stay at the setting that is described as potentially problematic in this reported issue, a mitigation is available by changing the `terminate_connection_on_failed_response` setting to `true`. However this cannot be set to this value by default since it can trigger errors in vehicle ECUs requiring ECU resets and lengthy unavailability in charging for vehicles. The maintainers judge this to be a much more important workaround then short-term unavailability of an EVSE, therefore this setting will stay at the current value. | ||||
| CVE-2026-23624 | 1 Glpi-project | 1 Glpi | 2026-02-06 | 4.3 Medium |
| GLPI is a free asset and IT management software package. In versions starting from 0.71 to before 10.0.23 and before 11.0.5, when remote authentication is used, based on SSO variables, a user can steal a GLPI session previously opened by another user on the same machine. This issue has been patched in versions . | ||||
| CVE-2025-36115 | 1 Ibm | 2 Sterling Connect\, Sterling Connectexpress Adapter For Sterling B2b Integrator 520 | 2026-02-03 | 6.3 Medium |
| IBM Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0.00 through 5.2.0.12 does not disallow the session id after use which could allow an authenticated user to impersonate another user on the system. | ||||
| CVE-2025-7015 | 1 Akinsoft | 1 Qr Menu | 2026-01-30 | 5.7 Medium |
| Session Fixation vulnerability in Akın Software Computer Import Export Industry and Trade Ltd. QR Menu allows Session Fixation.This issue affects QR Menu: before s1.05.12. | ||||
| CVE-2025-7014 | 1 Qr Menu Pro Smart Menu Systems | 1 Menu Panel | 2026-01-30 | 5.7 Medium |
| Session Fixation vulnerability in QR Menu Pro Smart Menu Systems Menu Panel allows Session Hijacking.This issue affects Menu Panel: through 29012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2024-7341 | 1 Redhat | 8 Build Keycloak, Build Of Keycloak, Enterprise Linux and 5 more | 2026-01-26 | 7.1 High |
| A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an attacker who hijacks the current session before authentication to trigger session fixation. | ||||
| CVE-2025-63216 | 1 Itel | 3 Dab Gateway, Idgateway, Idgateway Firmware | 2026-01-15 | 10 Critical |
| The Itel DAB Gateway (IDGat build c041640a) is vulnerable to Authentication Bypass due to improper JWT validation across devices. Attackers can reuse a valid JWT token obtained from one device to authenticate and gain administrative access to any other device running the same firmware, even if the passwords and networks are different. This allows full compromise of affected devices. | ||||
| CVE-2025-63224 | 1 Itel | 3 Dab Encoder, Idenc, Idenc Firmware | 2026-01-15 | 10 Critical |
| The Itel DAB Encoder (IDEnc build 25aec8d) is vulnerable to Authentication Bypass due to improper JWT validation across devices. Attackers can reuse a valid JWT token obtained from one device to authenticate and gain administrative access to any other device running the same firmware, even if the passwords and networks are different. This allows full compromise of affected devices. | ||||
| CVE-2026-22082 | 1 Tenda | 2 F3, N300 | 2026-01-13 | N/A |
| This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the use of login credentials as the session ID through its web-based administrative interface. A remote attacker could exploit this vulnerability by intercepting network traffic and capturing the session ID during insecure transmission. Successful exploitation of this vulnerability could allow the attacker to hijack an authenticated session and compromise sensitive configuration information on the targeted device. | ||||
| CVE-2020-36913 | 1 All-dynamics | 1 Digital Signage System | 2026-01-08 | 5.3 Medium |
| All-Dynamics Software enlogic:show 2.0.2 contains a session fixation vulnerability that allows attackers to set a predefined PHP session identifier during the login process. Attackers can forge HTTP GET requests to welcome.php with a manipulated session token to bypass authentication and potentially execute cross-site request forgery attacks. | ||||
| CVE-2025-12390 | 1 Redhat | 1 Build Keycloak | 2026-01-06 | 6 Medium |
| A flaw was found in Keycloak. In Keycloak where a user can accidentally get access to another user's session if both use the same device and browser. This happens because Keycloak sometimes reuses session identifiers and doesn’t clean up properly during logout when browser cookies are missing. As a result, one user may receive tokens that belong to another user. | ||||