CWE-384 — Session Fixation
365 active CVEs are classified under this weakness category, sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE.
CVEs classified under CWE-384 (page 7 of 8)
- CVE-2024-57052 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-01-27
An issue in youdiancms v.9.5.20 and before allows a remote attacker to escalate privileges via the sessionID parameter in the index.php file.
- CVE-2024-7341 | HIGH | CVSS 7.1 | EG 7.1 | 2024-09-09
A session fixation issue was discovered in the SAML adapters provided by Keycloak. The session ID and JSESSIONID cookie are not changed at login time, even when the turnOffChangeSessionIdOnLogin option is configured. This flaw allows an at…
- CVE-2024-8643 | CRITICAL | CVSS 9.8 | EG 9.8 | 2024-09-27
Session Fixation vulnerability in Oceanic Software ValeApp allows Brute Force, Session Hijacking. This issue affects ValeApp: before v2.0.0.
- CVE-2025-0126 | HIGH | CVSS 8.3 | EG 0.0 | 2025-04-11
When configured using SAML, a session fixation vulnerability in the GlobalProtect™ login enables an attacker to impersonate a legitimate authorized user and perform actions as that GlobalProtect user. This requires the legitimate user to…
- CVE-2025-0251 | LOW | CVSS 2.6 | EG 2.6 | 2025-07-25
HCL IEM is affected by a concurrent login vulnerability. The application allows multiple concurrent sessions using the same user credentials, which may introduce security risks.
- CVE-2025-0253 | LOW | CVSS 2.0 | EG 2.0 | 2025-07-25
HCL IEM is affected by a cookie attribute not set vulnerability due to inconsistency of certain security-related configurations which could increase exposure to potential vulnerabilities.
- CVE-2025-10228 | HIGH | CVSS 8.8 | EG 8.8 | 2025-10-14
Session Fixation vulnerability in Rolantis Information Technologies Agentis allows Session Hijacking. This issue affects Agentis: before 4.44.
- CVE-2025-12390 | MEDIUM | CVSS 6.0 | EG 6.0 | 2025-10-28
A flaw was found in Keycloak where a user can accidentally get access to another user's session if both use the same device and browser. This happens because Keycloak sometimes reuses session identifiers and doesn't clean up…
- CVE-2025-1412 | LOW | CVSS 3.1 | EG 3.1 | 2025-02-24
Mattermost versions 9.11.x <= 9.11.6, 10.4.x <= 10.4.1 fail to invalidate all active sessions when converting a user to a bot, which allows the converted user to escalate their privileges depending on the permissions granted to the bot.
- CVE-2025-22216 | MEDIUM | CVSS 5.4 | EG 5.4 | 2025-01-31
A UAA configured with multiple identity zones, does not properly validate session information across those zones. A User authenticated against a corporate IDP can re-use their jsessionid to access other zones.
- CVE-2025-24502 | MEDIUM | CVSS 5.3 | EG 0.0 | 2025-01-30
An improper session validation allows an unauthenticated attacker to cause certain request notifications to be executed in the context of an incorrect user by spoofing the client IP address.
- CVE-2025-24503 | CRITICAL | CVSS 9.3 | EG 0.0 | 2025-01-30
A malicious actor can fix the session of a PAM user by tricking the user to click on a specially crafted link to the PAM server.
- CVE-2025-26658 | MEDIUM | CVSS 6.8 | EG 6.8 | 2025-03-11
The Service Layer in SAP Business One, allows attackers to potentially gain unauthorized access and impersonate other users in the application to perform unauthorized actions. Due to the improper session management, the attackers can eleva…
- CVE-2025-27661 | CRITICAL | CVSS 9.1 | EG 9.1 | 2025-03-05
Vasion Print (formerly PrinterLogic) before Virtual Appliance Host 22.0.843 Application 20.0.1923 allows Session Fixation OVE-20230524-0004.
- CVE-2025-28238 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-04-18
Improper session management in Elber REBLE310 Firmware v5.5.1.R, Equipment Model: REBLE310/RX10/4ASI allows attackers to execute a session hijacking attack.
- CVE-2025-28242 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-04-18
Improper session management in the /login_ok.htm endpoint of DAEnetIP4 METO v1.25 allows attackers to execute a session hijacking attack.
- CVE-2025-29928 | HIGH | CVSS 8.0 | EG 8.0 | 2025-03-28
authentik is an open-source identity provider. Prior to versions 2024.12.4 and 2025.2.3, when authentik was configured to use the database for session storage (which is a non-default setting), deleting sessions via the Web Interface or the…
- CVE-2025-36115 | MEDIUM | CVSS 6.3 | EG 6.3 | 2026-01-20
IBM Sterling Connect:Express Adapter for Sterling B2B Integrator 5.2.0.00 through 5.2.0.12 does not disallow the session id after use which could allow an authenticated user to impersonate another user on the system.
- CVE-2025-36117 | MEDIUM | CVSS 6.3 | EG 6.3 | 2025-07-23
IBM Db2 Mirror for i 7.4, 7.5, and 7.6 does not disallow the session id after use which could allow an authenticated user to impersonate another user on the system.
- CVE-2025-37159 | MEDIUM | CVSS 5.8 | EG 5.8 | 2025-11-18
A vulnerability in the web management interface of the AOS-CX OS user authentication service could allow an authenticated remote attacker to hijack an active user session. Successful exploitation may enable the attacker to maintain unautho…
- CVE-2025-42602 | HIGH | CVSS 8.2 | EG 0.0 | 2025-04-23
This vulnerability exists in Meon KYC solutions due to improper handling of access and refresh tokens in certain API endpoints of authentication process. A remote attacker could exploit this vulnerability by intercepting and manipulating t…
- CVE-2025-43516 | LOW | CVSS 3.3 | EG 3.3 | 2025-12-12
A session management issue was addressed with improved checks. This issue is fixed in macOS Sequoia 15.7.3, macOS Sonoma 14.8.3, macOS Tahoe 26.2. A user with Voice Control enabled may be able to transcribe another user's activity.
- CVE-2025-45949 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-04-28
A critical vulnerability was found in PHPGurukul User Registration & Login and User Management System V3.3 in the /loginsystem/change-password.php file of the user panel - Change Password component. Improper handling of session data allows…
- CVE-2025-45953 | CRITICAL | CVSS 9.1 | EG 9.1 | 2025-04-28
A vulnerability was found in PHPGurukul Hostel Management System 2.1 in the /hostel/change-password.php file of the user panel - Change Password component. Improper handling of session data allows a Session Hijacking attack, exploitable re…
- CVE-2025-4644 | MEDIUM | CVSS 5.3 | EG 0.0 | 2025-08-29
A Session Fixation vulnerability existed in Payload's SQLite adapter due to identifier reuse during account creation. A malicious attacker could create a new account, save its JSON Web Token (JWT), and then delete the account, which did no…
- CVE-2025-46605 | MEDIUM | CVSS 6.2 | EG 6.2 | 2026-04-17
Dell PowerProtect Data Domain with Data Domain Operating System (DD OS) of Feature Release versions 8.4 through 8.5 contain a session fixation vulnerability. A high privileged attacker with remote access could potentially exploit this vuln…
- CVE-2025-46815 | HIGH | CVSS 8.0 | EG 8.0 | 2025-05-06
The identity infrastructure software ZITADEL offers developers the ability to manage user sessions using the Session API. This API enables the use of IdPs for authentication, known as idp intents. Following a successful idp intent, the cli…
- CVE-2025-51471 | MEDIUM | CVSS 6.9 | EG 6.9 | 2025-07-22
Cross-Domain Token Exposure in server.auth.getAuthorizationToken in Ollama 0.6.7 allows remote attackers to steal authentication tokens and bypass access controls via a malicious realm value in a WWW-Authenticate header returned by the /ap…
- CVE-2025-52689 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-07-16
Successful exploitation of the vulnerability could allow an unauthenticated attacker to obtain a valid session ID with administrator privileges by spoofing the login request, potentially allowing the attacker to modify the behaviour of the…
- CVE-2025-53021 | MEDIUM | CVSS 4.2 | EG 4.2 | 2025-06-24
A session fixation vulnerability in Moodle 3.x through 3.11.18 allows unauthenticated attackers to hijack user sessions via the sesskey parameter. The sesskey can be obtained without authentication and reused within the OAuth2 login flow, …
- CVE-2025-53102 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-07-29
Discourse is an open-source community discussion platform. Prior to version 3.4.7 on the `stable` branch and version 3.5.0.beta.8 on the `tests-passed` branch, upon issuing a physical security key for 2FA, the server generates a WebAuthn c…
- CVE-2025-53826 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-07-15
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename, and edit files. In version 2.39.0, File Browser’s authentication system issues long-lived JWT tokens that…
- CVE-2025-53895 | HIGH | CVSS 8.8 | EG 8.8 | 2025-07-15
ZITADEL is an open source identity management system. Starting in version 2.53.0 and prior to versions 4.0.0-rc.2, 3.3.2, 2.71.13, and 2.70.14, vulnerability in ZITADEL's session management API allows any authenticated user to update a ses…
- CVE-2025-54761 | HIGH | CVSS 8.0 | EG 8.0 | 2025-09-19
An issue was discovered in PPress 0.0.9 allowing attackers to gain escalated privileges via a crafted session cookie.
- CVE-2025-55668 | MEDIUM | CVSS 6.5 | EG 6.5 | 2025-08-13
Session Fixation vulnerability in Apache Tomcat via rewrite valve. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0-M1 through 10.1.41, from 9.0.0.M1 through 9.0.105. Older, EOL versions may also be affected. …
- CVE-2025-56400 | HIGH | CVSS 8.8 | EG 8.8 | 2025-11-24
Cross-Site Request Forgery (CSRF) vulnerability in the OAuth implementation of the Tuya SDK 6.5.0 for Android and iOS, affects the Tuya Smart and Smartlife mobile applications, as well as other third-party applications that integrate the S…
- CVE-2025-56746 | LOW | CVSS 2.2 | EG 2.2 | 2025-10-15
Creativeitem Academy LMS up to and including 5.13 does not regenerate session IDs upon successful authentication, enabling session fixation attacks where attackers can hijack user sessions by predetermining session identifiers.
- CVE-2025-59841 | CRITICAL | CVSS 9.8 | EG 9.8 | 2025-09-25
Flag Forge is a Capture The Flag (CTF) platform. In versions from 2.2.0 to before 2.3.1, the FlagForge web application improperly handles session invalidation. Authenticated users can continue to access protected endpoints, such as /api/pr…
- CVE-2025-63216 | CRITICAL | CVSS 10.0 | EG 10.0 | 2025-11-18
The Itel DAB Gateway (IDGat build c041640a) is vulnerable to Authentication Bypass due to improper JWT validation across devices. Attackers can reuse a valid JWT token obtained from one device to authenticate and gain administrative access…
- CVE-2025-63224 | CRITICAL | CVSS 10.0 | EG 10.0 | 2025-11-19
The Itel DAB Encoder (IDEnc build 25aec8d) is vulnerable to Authentication Bypass due to improper JWT validation across devices. Attackers can reuse a valid JWT token obtained from one device to authenticate and gain administrative access …
- CVE-2025-63529 | MEDIUM | CVSS 6.1 | EG 6.1 | 2025-12-01
A session fixation vulnerability exists in Blood Bank Management System 1.0 in login.php that allows an attacker to set or predict a user's session identifier prior to authentication. When the victim logs in, the application continues to u…
- CVE-2025-64100 | MEDIUM | CVSS 6.1 | EG 6.1 | 2025-10-29
CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.9 and 2.11.4, session ids could be fixed by an attacker if the site is configured with server-side session storage (CKAN uses cookie…
- CVE-2025-65415 | MEDIUM | CVSS 5.4 | EG 5.4 | 2026-05-11
docuFORM Managed Print Service Client 11.11c is vulnerable to a session fixation attack via the login page of the application.
- CVE-2025-65681 | LOW | CVSS 3.3 | EG 3.3 | 2025-11-26
An issue was discovered in Overhang.IO (tutor-open-edx) (overhangio/tutor) 20.0.2 allowing local unauthorized attackers to gain access to sensitive information due to the absence of proper cache-control HTTP headers and client-side session…
- CVE-2025-67446 | CRITICAL | CVSS 9.8 | EG 9.8 | 2026-06-04
Improper Authentication (Authentication Bypass) exists in Neterbit NW-431F Router 20241014-IR03 and before. The router uses a weak/predictable cookie value for authentication. By modifying the cookie value (e.g., setting it to "admin"), an…
- CVE-2025-68139 | MEDIUM | CVSS 4.3 | EG 4.3 | 2026-01-21
EVerest is an EV charging software stack. In all versions up to and including 2025.12.1, the default value for `terminate_connection_on_failed_response` is `False`, which leaves the responsibility for session and connection termination to …
- CVE-2025-69602 | CRITICAL | CVSS 9.1 | EG 9.1 | 2026-01-28
A session fixation vulnerability exists in 66biolinks v62.0.0 by AltumCode, where the application does not regenerate the session identifier after successful authentication. As a result, the same session cookie value is reused for users lo…
- CVE-2025-7014 | MEDIUM | CVSS 5.7 | EG 5.7 | 2026-01-29
Session Fixation vulnerability in QR Menu Pro Smart Menu Systems Menu Panel allows Session Hijacking. This issue affects Menu Panel: through 29012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any …
- CVE-2025-7015 | MEDIUM | CVSS 5.7 | EG 5.7 | 2026-01-29
Session Fixation vulnerability in Akın Software Computer Import Export Industry and Trade Ltd. QR Menu allows Session Fixation. This issue affects QR Menu: before s1.05.12.
- CVE-2025-8517 | MEDIUM | CVSS 6.3 | EG 6.3 | 2025-08-04
A vulnerability was detected in givanz Vvveb 1.0.6.1. Impacted is an unknown function. The manipulation results in session fixation. The attack can be launched remotely. The exploit is now public and may be used. Upgrading to version 1.0.…
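The recurring root cause in the entries above (Academy LMS, Blood Bank Management System, 66biolinks, docuFORM, and the PHPGurukul login panels) is a login handler that keeps whatever session identifier the browser already carries. The following Python model is an added example written for this page; it is not code from any of the listed projects. `VulnerableApp`, `HardenedApp`, the credential store and the planted cookie value are all illustrative. It shows the attack against a login that adopts and retains a client-supplied ID, and the two independent checks that stop it: refusing to adopt an ID the server never issued, and regenerating the ID at the authentication boundary so that a pre-login ID (even a legitimately issued one) is worthless afterwards.

```python
import secrets

# Constructed sample credential store for the demo.
USERS = {"alice": "correct horse battery"}
PASSWORD = USERS["alice"]


class VulnerableApp:
    """Adopts whatever session ID the client presents, creating it if unknown,
    and keeps that same ID across login (the pattern behind entries above such
    as 'does not regenerate session IDs upon successful authentication')."""

    def __init__(self):
        self.sessions = {}  # sid -> {"user": username or None}

    def visit(self, cookie_sid):
        # No cookie: mint one. Any cookie: trust it, even if the server never issued it.
        if cookie_sid is None:
            cookie_sid = secrets.token_urlsafe(32)
        self.sessions.setdefault(cookie_sid, {"user": None})
        return cookie_sid

    def login(self, cookie_sid, username, password):
        sid = self.visit(cookie_sid)
        if USERS.get(username) == password:
            self.sessions[sid]["user"] = username  # privilege changes, ID does not
        return sid

    def whoami(self, cookie_sid):
        s = self.sessions.get(cookie_sid)
        return s["user"] if s else None


class HardenedApp:
    """Two defences: never adopt a client-supplied ID the server did not issue,
    and rotate the ID at the privilege boundary (login)."""

    def __init__(self):
        self.sessions = {}

    def _new_session(self):
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self.sessions[sid] = {"user": None}
        return sid

    def visit(self, cookie_sid):
        # An unknown cookie is ignored, not adopted: the server mints its own ID.
        if cookie_sid in self.sessions:
            return cookie_sid
        return self._new_session()

    def login(self, cookie_sid, username, password):
        pre_auth = self.visit(cookie_sid)
        if USERS.get(username) != password:
            return pre_auth
        # Regenerate: drop the pre-auth session, mint a fresh one bound to the user.
        del self.sessions[pre_auth]
        post_auth = self._new_session()
        self.sessions[post_auth]["user"] = username
        return post_auth  # sent back in Set-Cookie; the planted value is now dead

    def whoami(self, cookie_sid):
        s = self.sessions.get(cookie_sid)
        return s["user"] if s else None


def fixation_attack(app, planted=None):
    """Simulate the attack. With planted=None the attacker first obtains a
    server-issued pre-auth ID (which defeats 'never adopt' alone); otherwise
    an arbitrary attacker-chosen value is planted. The victim logs in carrying
    the planted cookie, then the attacker presents the same value.
    Returns (victim's post-login sid, user the attacker is treated as)."""
    if planted is None:
        planted = app.visit(None)
    victim_sid = app.login(planted, "alice", PASSWORD)
    return victim_sid, app.whoami(planted)
```

In real stacks the rotation step is `session_regenerate_id(true)` in PHP and `HttpServletRequest.changeSessionId()` in Servlet 3.1+ containers; the second check (refusing unknown IDs) is usually a framework setting, and several entries above show what happens when either is turned off or silently skipped for a particular login path such as SAML or OAuth2.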
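A second pattern in this list is a token that stays valid after the server-side state it was bound to has changed: the Payload SQLite adapter entry (an identifier reused by a new account after the old one is deleted), the IBM entries ("does not disallow the session id after use"), and the Mattermost and Flag Forge entries (sessions not invalidated on role change or logout). The following Python model is an added example written for this page, not code from any of those projects. It uses a hand-rolled HS256 JWT with a constructed key so it runs offline; `RowidUsers`, `GenerationUsers` and the e-mail addresses are illustrative. The vulnerable store mimics SQLite's rowid assignment without AUTOINCREMENT (max(id)+1, so the newest deleted id is handed out again); the hardened store uses never-reused random ids and stamps a per-account token generation into the JWT, so deleting the account or rotating the generation kills every outstanding token.

```python
import base64
import hashlib
import hmac
import json
import secrets
import uuid

KEY = b"constructed-demo-signing-key"  # assumption: fixed HS256 key for the demo


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict) -> str:
    """Minimal HS256 JWT (no library) so the example runs stand-alone."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_jwt(token: str):
    """Returns the claims if the signature verifies, else None."""
    try:
        header, payload, sig = token.split(".")
        expected = hmac.new(KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(payload))
    except ValueError:  # malformed structure, bad base64 or bad JSON
        return None


class RowidUsers:
    """Vulnerable: ids follow SQLite's rowid rule without AUTOINCREMENT
    (max(id)+1), so deleting the newest account and creating another gives
    the new account the deleted account's id. The JWT is bound only to that
    integer `sub` and is never revoked."""

    def __init__(self):
        self.rows = {}  # id -> {"email": ...}

    def create(self, email):
        uid = max(self.rows, default=0) + 1
        self.rows[uid] = {"email": email}
        return uid

    def issue(self, uid):
        return sign_jwt({"sub": uid})

    def delete(self, uid):
        del self.rows[uid]

    def resolve(self, token):
        claims = verify_jwt(token)
        return self.rows.get(claims["sub"]) if claims else None


class GenerationUsers:
    """Hardened: never-reused random ids plus a per-account token generation
    the JWT must match. Rotating the generation revokes every token at once."""

    def __init__(self):
        self.rows = {}

    def create(self, email):
        uid = str(uuid.uuid4())
        self.rows[uid] = {"email": email, "gen": secrets.token_hex(8)}
        return uid

    def issue(self, uid):
        return sign_jwt({"sub": uid, "gen": self.rows[uid]["gen"]})

    def delete(self, uid):
        del self.rows[uid]

    def revoke_all(self, uid):
        # Role change, password reset, user-to-bot conversion: bump the generation.
        self.rows[uid]["gen"] = secrets.token_hex(8)

    def resolve(self, token):
        claims = verify_jwt(token)
        row = self.rows.get(claims.get("sub")) if claims else None
        if row is None or not hmac.compare_digest(row["gen"], str(claims.get("gen", ""))):
            return None
        return row


def reuse_attack(users):
    """Attacker creates an account, keeps its token, deletes the account, and
    replays the token after a victim account has taken the freed id.
    Returns the e-mail the replayed token now resolves to, or None."""
    attacker = users.create("attacker@example.test")
    token = users.issue(attacker)
    users.delete(attacker)
    users.create("victim@example.test")
    row = users.resolve(token)
    return row["email"] if row else None
```

The generation claim is the cheap way to get revocation out of a stateless token without a per-token denylist: one value per account, checked on every request, rotated whenever the account's privileges or credentials change.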