CWE-384— Session Fixation
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.— MITRE CWE catalog
381 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-384page 8 of 8
- CVE-2025-70973MEDIUMCVSS 4.8EG 4.82026-03-09
ScadaBR 1.12.4 is vulnerable to Session Fixation. The application assigns a JSESSIONID session cookie to unauthenticated users and does not regenerate the session identifier after successful authentication. As a result, a session created p…
- CVE-2025-71057HIGHCVSS 8.2EG 8.22026-02-26
Improper session management in D-Link Wireless N 300 ADSL2+ Modem Router DSL-124 ME_1.00 allows attackers to execute a session hijacking attack via spoofing the IP address of an authenticated user.
- CVE-2025-8517MEDIUMCVSS 6.3EG 6.32025-08-04
A vulnerability was detected in givanz Vvveb 1.0.6.1. Impacted is an unknown function. The manipulation results in session fixiation. The attack can be launched remotely. The exploit is now public and may be used. Upgrading to version 1.0.…
- CVE-2026-11335MEDIUMCVSS 6.3EG 6.32026-06-05
A flaw has been found in tittuvarghese CollegeManagementSystem 3e476335cfbfb9a049e09f474c7ec885f69a9df3/a38852979f7e27ae67b610dce5979500ef8ebe01. This impacts the function session_start of the file /login-form.php. Executing a manipulation…
- CVE-2026-12581HIGHCVSS 7.5EG 7.52026-06-22
EasyFlow .NET developed by Digiwin has a Session Fixation vulnerability. If unauthenticated remote attackers replace a specific session ID for a user, they can gain the user's privilege once the user logs in.
- CVE-2026-13707NONECVSS 0.0EG 0.02026-07-01
Session fixation vulnerability in Wikimedia Foundation OAuth. This vulnerability is associated with program files src/Backend/MWOAuthServer.Php. This issue affects OAuth: from * through 1.46.0, 1.45.4, 1.44.6, 1.43.9.
- CVE-2026-14609MEDIUMCVSS 5.6EG 5.62026-07-03
A vulnerability was detected in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0. This issue affects some unknown processing. The manipulation results in session fixiation. The attack can be executed remotely. T…
- CVE-2026-2177HIGHCVSS 7.3EG 7.32026-02-08
A vulnerability has been found in SourceCodester Prison Management System 1.0. The impacted element is an unknown function of the component Login. The manipulation leads to session fixiation. It is possible to initiate the attack remotely.…
- CVE-2026-22082HIGHCVSS 8.8EG 8.82026-01-09
This vulnerability exists in Tenda wireless routers (300Mbps Wireless Router F3 and N300 Easy Setup Router) due to the use of login credentials as the session ID through its web-based administrative interface. A remote attacker could explo…
- CVE-2026-23624MEDIUMCVSS 4.3EG 4.32026-02-04
GLPI is a free asset and IT management software package. In versions starting from 0.71 to before 10.0.23 and before 11.0.5, when remote authentication is used, based on SSO variables, a user can steal a GLPI session previously opened by a…
- CVE-2026-23796CRITICALCVSS 9.8EG 9.82026-02-05
Quick.Cart allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID for a victim and later hijack the auth…
- CVE-2026-24352CRITICALCVSS 9.8EG 9.82026-02-27
PluXml CMS allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authe…
- CVE-2026-24894HIGHCVSS 7.5EG 7.52026-02-12
FrankenPHP is a modern application server for PHP. Prior to 1.11.2, when running FrankenPHP in worker mode, the $_SESSION superglobal is not correctly reset between requests. This allows a subsequent request processed by the same worker to…
- CVE-2026-25101CRITICALCVSS 9.8EG 9.82026-03-27
Bludit allows user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behavior enables an attacker to fix a session ID for a victim and later hijack the authenticate…
- CVE-2026-30808HIGHCVSS 8.1EG 8.12026-05-12
Session Fixation vulnerability allows Session Hijacking via crafted session ID. This issue affects Pandora FMS: from 777 through 800
- CVE-2026-31940HIGHCVSS 7.5EG 7.52026-04-10
Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, in main/lp/aicc_hacp.php, user-controlled request parameters are directly used to set the PHP session ID before loading global bootstrap. This leads to session f…
- CVE-2026-33384MEDIUMCVSS 4.8EG 4.82026-05-29
QuickCMS allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authent…
- CVE-2026-33757HIGHCVSS 8.3EG 8.32026-03-27
OpenBao is an open source identity-based secrets management system. Prior to version 2.5.2, OpenBao does not prompt for user confirmation when logging in via JWT/OIDC and a role with `callback_mode` set to `direct`. This allows an attacker…
- CVE-2026-34454LOWCVSS 3.5EG 3.52026-04-14
OAuth2 Proxy is a reverse proxy that provides authentication using OAuth2 providers. A regression introduced in 7.11.0 prevents OAuth2 Proxy from clearing the session cookie when rendering the sign-in page. In deployments that rely on the …
- CVE-2026-35095MEDIUMCVSS 4.8EG 4.82026-06-30
KTM System e-BOK allows the session identifier to be set by the client prior to authentication. If a cookie with a valid name is set, its value remains unchanged after successful login. This behaviour enables an attacker to fix a session I…
- CVE-2026-40010CRITICALCVSS 9.1EG 9.12026-05-06
Missing invocation of Servlet http web request method changeSessionId after session binding can be exploited for a session fixation attack in Apache Wicket. This issue affects Apache Wicket: from 8.0.0 through 8.17.0, 9.0.0, from 10.0.0 …
- CVE-2026-40082MEDIUMCVSS 5.4EG 5.42026-06-25
Cacti is an open source performance and fault management framework. Versions 1.2.30 and prior have missing session_regenerate_id() after login, leading to Session Fixation. session_regenerate_id() is NOT called after successful login. The …
- CVE-2026-41613HIGHCVSS 8.8EG 8.82026-05-12
Session fixation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network.
- CVE-2026-41839MEDIUMCVSS 4.2EG 4.22026-06-09
A WebFlux application with a compromised subdomain (for example, compromised via cross-site scripting (XSS)) is vulnerable to an escalation attack exchanging a known session ID for that of an authenticated user. Affected versions: Spring …
- CVE-2026-43827MEDIUMCVSS 6.5EG 6.52026-05-25
Default configurations of Apache Shiro have a session fixation vulnerability. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes…
- CVE-2026-45773MEDIUMCVSS 6.5EG 6.52026-05-15
Turborepo is a high-performance build system for JavaScript and TypeScript codebases. Prior to 2.9.14, Turborepo's self-hosted login and SSO browser flows did not validate a CSRF state value on the localhost callback. While the CLI was wai…
- CVE-2026-48545MEDIUMCVSS 6.8EG 6.82026-05-27
Gradio before version 6.15.0 contains a cookie injection vulnerability that allows remote attackers to perform cross-Space session fixation by exploiting a shared module-level HTTP client used across all users in the reverse proxy endpoint…
- CVE-2026-53900MEDIUMCVSS 4.3EG 4.32026-06-16
Firefox for iOS preserved cookies set on the initial PDF request across cross-origin HTTP redirects in TemporaryDocument, allowing a malicious site to inject arbitrary cookies into requests to an unrelated target domain. This vulnerability…
- CVE-2026-56224MEDIUMCVSS 5.4EG 5.42026-07-01
Capgo console.capgo.app/login before 12.128.2 accepts access_token and refresh_token in URL query parameters, automatically authenticating users without confirmation. Attackers can craft malicious links to force victims into attacker-contr…
- CVE-2026-56425HIGHCVSS 8.8EG 8.82026-06-22
The Azure Active Directory (AAD) authentication implementation contained multiple weaknesses in its OAuth 2.0 authorization flow that could allow attackers to bypass important security guarantees provided by the protocol. The application…
- CVE-2026-59883MEDIUMCVSS 4.7EG 4.72026-07-08
Guzzle is an extensible PHP HTTP client. Prior to 7.12.3, CookieJar did not restrict cookies scoped to IP-address or bare-numeric Domain values to the exact host that set them, because SetCookie::matchesDomain() applied ordinary suffix mat…
Map vulnerabilities like CWE-384 to your infrastructure
EchelonGraph correlates every CVE — across CWE-384 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →