Total
486 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-25711 | 1 Chargemap | 1 Chargemap.com | 2026-03-05 | N/A | 7.3 HIGH |
| The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and receives backend commands intended for that station. This vulnerability may allow unauthorized users to authenticate as other users or enable a malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests. | |||||
| CVE-2026-20895 | 1 Ev2go | 1 Ev2go.io | 2026-03-05 | N/A | 7.3 HIGH |
| The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and receives backend commands intended for that station. This vulnerability may allow unauthorized users to authenticate as other users or enable a malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests. | |||||
| CVE-2026-27575 | 1 Vikunja | 1 Vikunja | 2026-03-05 | N/A | 9.1 CRITICAL |
| Vikunja is an open-source self-hosted task management platform. Prior to version 2.0.0, the application allows users to set weak passwords (e.g., 1234, password) without enforcing minimum strength requirements. Additionally, active sessions remain valid after a user changes their password. An attacker who compromises an account (via brute-force or credential stuffing) can maintain persistent access even after the victim resets their password. Version 2.0.0 contains a fix. | |||||
| CVE-2025-59786 | 1 2n | 1 Access Commander | 2026-03-05 | N/A | 9.8 CRITICAL |
| 2N Access Commander version 3.4.2 and prior improperly invalidates session tokens, allowing multiple session cookies to remain active after logout in web application. | |||||
| CVE-2026-3401 | 1 Senior-walter | 1 Web-based Pharmacy Product Management System | 2026-03-03 | 2.1 LOW | 3.1 LOW |
| A weakness has been identified in SourceCodester Web-based Pharmacy Product Management System 1.0. This affects an unknown part. This manipulation causes session expiration. Remote exploitation of the attack is possible. The complexity of an attack is rather high. It is indicated that the exploitability is difficult. The exploit has been made available to the public and could be used for attacks. | |||||
| CVE-2026-28396 | 1 Nocodb | 1 Nocodb | 2026-03-03 | N/A | 6.5 MEDIUM |
| NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the password reset flow did not revoke existing refresh tokens, allowing an attacker with a previously stolen refresh token to continue minting valid JWTs after the victim resets their password. This issue has been patched in version 0.301.3. | |||||
| CVE-2026-27968 | 1 Packistryphp | 1 Packistry | 2026-03-02 | N/A | 4.3 MEDIUM |
| Packistry is a self-hosted Composer repository designed to handle PHP package distribution. Prior to version 0.13.0, RepositoryAwareController::authorize() verified token presence and ability, but did not enforce token expiration. As a result, an expired deploy token with the correct ability could still access repository endpoints (e.g., Composer metadata/download APIs). The fix in version 0.13.0 adds an explicit expiration check, and tests now test expired deploy tokens to ensure they are rejected. | |||||
| CVE-2026-25476 | 1 Open-emr | 1 Openemr | 2026-02-28 | N/A | 7.5 HIGH |
| OpenEMR is a free and open source electronic health records and medical practice management application. Prior to version 8.0.0, the session expiration check in `library/auth.inc.php` runs only when `skip_timeout_reset` is not present in the request. When `skip_timeout_reset=1` is sent, the entire block that calls `SessionTracker::isSessionExpired()` and forces logout on timeout is skipped. As a result, any request that includes this parameter (e.g. from auto-refresh pages like the Patient Flow Board) never runs the expiration check: expired sessions can continue to access data indefinitely, abandoned workstations stay active, and an attacker with a stolen session cookie can keep sending `skip_timeout_reset=1` to avoid being logged out. Version 8.0.0 fixes the issue. | |||||
| CVE-2026-28275 | 1 Morelitea | 1 Initiative | 2026-02-27 | N/A | 8.1 HIGH |
| Initiative is a self-hosted project management platform. Versions of the application prior to 0.32.4 do not invalidate previously issued JWT access tokens after a user changes their password. As a result, older tokens remain valid until expiration and can still be used to access protected API endpoints. This behavior allows continued authenticated access even after the account password has been updated. Version 0.32.4 fixes the issue. | |||||
| CVE-2026-27933 | 1 Manyfold | 1 Manyfold | 2026-02-27 | N/A | 6.8 MEDIUM |
| Manyfold is an open source, self-hosted web application for managing a collection of 3d models, particularly focused on 3d printing. Versions prior to 0.133.0 are vulnerable to session hijack via cookie leakage in proxy caches. Version 0.133.0 fixes the issue. | |||||
| CVE-2026-26342 | 1 Tattile | 20 Anpr Mobile, Anpr Mobile Firmware, Axle Counter and 17 more | 2026-02-27 | N/A | 9.8 CRITICAL |
| Tattile Smart+, Vega, and Basic device families firmware versions 1.181.5 and prior implement an authentication token (X-User-Token) with insufficient expiration. An attacker who obtains a valid token (for example via interception, log exposure, or token reuse on a shared system) can continue to authenticate to the management interface until the token is revoked, enabling unauthorized access to device functions and data. | |||||
| CVE-2025-27898 | 1 Ibm | 1 Db2 Recovery Expert | 2026-02-26 | N/A | 6.3 MEDIUM |
| IBM DB2 Recovery Expert for LUW 5.5 Interim Fix 002 does not invalidate session after a timeout which could allow an authenticated user to impersonate another user on the system. | |||||
| CVE-2019-2386 | 1 Mongodb | 1 Mongodb | 2026-02-23 | 6.0 MEDIUM | 7.1 HIGH |
| After user deletion in MongoDB Server the improper invalidation of authorization sessions allows an authenticated user's session to persist and become conflated with new accounts, if those accounts reuse the names of deleted ones. This issue affects MongoDB Server v4.0 versions prior to 4.0.9; MongoDB Server v3.6 versions prior to 3.6.13 and MongoDB Server v3.4 versions prior to 3.4.22. Workaround: After deleting one or more users, restart any nodes which may have had active user authorization sessions. Refrain from creating user accounts with the same name as previously deleted accounts. | |||||
| CVE-2025-36376 | 1 Ibm | 1 Security Qradar Edr | 2026-02-20 | N/A | 6.3 MEDIUM |
| IBM Security QRadar EDR 3.12 through 3.12.23 does not invalidate session after a session expiration which could allow an authenticated user to impersonate another user on the system. | |||||
| CVE-2026-1842 | 2026-02-20 | N/A | N/A | ||
| HyperCloud versions 2.3.5 through 2.6.8 improperly allowed refresh tokens to be used directly for resource access and failed to invalidate previously issued access tokens when a refresh token was used. Because refresh tokens have a significantly longer lifetime (default one year), an authenticated client could use a refresh token in place of an access token to maintain long-term access without token rotation. Additionally, old access tokens remained valid after refresh, enabling concurrent or extended use beyond intended session boundaries. This vulnerability could allow prolonged unauthorized access if a token is disclosed. | |||||
| CVE-2024-25954 | 1 Dell | 1 Powerscale Onefs | 2026-02-20 | N/A | 5.3 MEDIUM |
| Dell PowerScale OneFS, versions 9.5.0.x through 9.7.0.x, contain an insufficient session expiration vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability, leading to denial of service. | |||||
| CVE-2026-24894 | 1 Php | 1 Frankenphp | 2026-02-20 | N/A | 7.5 HIGH |
| FrankenPHP is a modern application server for PHP. Prior to 1.11.2, when running FrankenPHP in worker mode, the $_SESSION superglobal is not correctly reset between requests. This allows a subsequent request processed by the same worker to access the $_SESSION data of the previous request (potentially belonging to a different user) before session_start() is called. This vulnerability is fixed in 1.11.2. | |||||
| CVE-2025-36377 | 1 Ibm | 1 Qradar Edr | 2026-02-20 | N/A | 6.3 MEDIUM |
| IBM Security QRadar EDR 3.12 through 3.12.23 does not invalidate session after a session expiration which could allow an authenticated user to impersonate another user on the system. | |||||
| CVE-2026-1435 | 1 Graylog | 1 Graylog | 2026-02-18 | N/A | 9.8 CRITICAL |
| Not properly invalidated session vulnerability in Graylog Web Interface, version 2.2.3, due to incorrect management of session invalidation after new logins. The application generates a new 'sessionId' each time a user authenticates, but does not invalidate previously issued session identifiers, which remain valid even after multiple consecutive logins by the same user. As a result, a stolen or leaked 'sessionId' can continue to be used to authenticate valid requests. Exploiting this vulnerability would allow an attacker with access to the web service/API network (port 9000 or HTTP/S endpoint of the server) to reuse an old session token to gain unauthorized access to the application, interact with the API/web, and compromise the integrity of the affected account. | |||||
| CVE-2025-63226 | 1 Sencore | 6 Decoder-ccv2, Decoder-ccv2 Firmware, En2sdi-2hd and 3 more | 2026-02-13 | N/A | 5.7 MEDIUM |
| The Sencore SMP100 SMP Media Platform (firmware versions V4.2.160, V60.1.4, V60.1.29) is vulnerable to session hijacking due to improper session management on the /UserManagement.html endpoint. Attackers who are on the same network as the victim and have access to the target's logged-in session can access the endpoint and add new users without any authentication. This allows attackers to gain unauthorized access to the system and perform malicious activities. | |||||