CWE-613— Insufficient Session Expiration
According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."— MITRE CWE catalog
531 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-613page 9 of 11
- CVE-2025-4528MEDIUMCVSS 4.3EG 4.32025-05-11
A weakness has been identified in Dígitro NGC Explorer up to 3.44.15/3.48.21. This affects an unknown function. Executing a manipulation can lead to session expiration. The attack can be launched remotely. Upgrading to version 3.48.22 mit…
- CVE-2025-46336MEDIUMCVSS 4.2EG 4.22025-05-08
Rack::Session is a session management implementation for Rack. In versions starting from 2.0.0 to before 2.1.1, when using the Rack::Session::Pool middleware, and provided the attacker can acquire a session cookie (already a major issue), …
- CVE-2025-46344MEDIUMCVSS 4.9EG 4.92025-04-29
The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions starting from 4.0.1 and prior to 4.5.1, do not invoke `.setExpirationTime` when generating a JWE token for the session. As a result, …
- CVE-2025-4643MEDIUMCVSS 6.3EG 6.32025-08-29
Payload uses JSON Web Tokens (JWT) for authentication. After log out JWT is not invalidated, which allows an attacker who has stolen or intercepted token to freely reuse it until expiration date (which is by default set to 2 hours, but can…
- CVE-2025-46741MEDIUMCVSS 5.7EG 5.72025-05-12
A suspended or recently logged-out user could continue to interact with Blueframe until the time-out period occurred.
- CVE-2025-4677MEDIUMCVSS 6.5EG 6.52026-01-07
Insufficient Session Expiration vulnerability in ABB WebPro SNMP Card PowerValue, ABB WebPro SNMP Card PowerValue UL.This issue affects WebPro SNMP Card PowerValue: through 1.1.8.K; WebPro SNMP Card PowerValue UL: through 1.1.8.K.
- CVE-2025-46815HIGHCVSS 8.0EG 8.02025-05-06
The identity infrastructure software ZITADEL offers developers the ability to manage user sessions using the Session API. This API enables the use of IdPs for authentication, known as idp intents. Following a successful idp intent, the cli…
- CVE-2025-4754LOWCVSS 2.3EG 2.32025-06-17
Insufficient Session Expiration vulnerability in ash-project ash_authentication_phoenix allows Session Hijacking. This vulnerability is associated with program files lib/ash_authentication_phoenix/controller.ex. This issue affects ash_aut…
- CVE-2025-48061MEDIUMCVSS 5.6EG 5.62025-05-22
wire-webapp is the web application for the open-source messaging service Wire. A change caused a regression resulting in sessions not being properly invalidated. A user that logged out of the Wire webapp, could have been automatically logg…
- CVE-2025-48929MEDIUMCVSS 4.0EG 4.02025-05-28
The TeleMessage service through 2025-05-05 implements authentication through a long-lived credential (e.g., not a token with a short expiration time) that can be reused at a later date if discovered by an adversary.
- CVE-2025-49152HIGHCVSS 8.7EG 7.52025-06-25
The affected products contain JSON Web Tokens (JWT) that do not expire, which could allow an attacker to gain access to the system.
- CVE-2025-50484HIGHCVSS 7.1EG 7.12025-07-28
Improper session invalidation in the component /crm/change-password.php of PHPGurukul Small CRM v3.0 allows attackers to execute a session hijacking attack.
- CVE-2025-50485HIGHCVSS 7.1EG 7.12025-07-28
Improper session invalidation in the component /crm/change-password.php of PHPGurukul Online Course Registration v3.1 allows attackers to execute a session hijacking attack.
- CVE-2025-50486HIGHCVSS 7.1EG 7.12025-07-28
Improper session invalidation in the component /carrental/update-password.php of PHPGurukul Car Rental Project v3.0 allows attackers to execute a session hijacking attack.
- CVE-2025-50487HIGHCVSS 7.1EG 7.12025-07-28
Improper session invalidation in the component /bbdms/change-password.php of PHPGurukul Blood Bank & Donor Management System v2.4 allows attackers to execute a session hijacking attack.
- CVE-2025-50488HIGHCVSS 7.1EG 7.12025-07-28
Improper session invalidation in the component /library/change-password.php of PHPGurukul Online Library Management System v3.0 allows attackers to execute a session hijacking attack.
- CVE-2025-50491HIGHCVSS 7.1EG 7.12025-07-28
Improper session invalidation in the component /banker/change-password.php of PHPGurukul Bank Locker Management System v1 allows attackers to execute a session hijacking attack.
- CVE-2025-52661LOWCVSS 2.4EG 2.42026-01-19
HCL AION version 2 is affected by a JWT Token Expiry Too Long vulnerability. This may increase the risk of token misuse, potentially resulting in unauthorized access if the token is compromised.
- CVE-2025-53642MEDIUMCVSS 4.8EG 4.82025-07-11
haxcms-nodejs and haxcms-php are backends for HAXcms. The logout function within the application does not terminate a user's session or clear their cookies. Additionally, the application issues a refresh token when logging out. This vulner…
- CVE-2025-53826CRITICALCVSS 9.8EG 9.82025-07-15
File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename, and edit files. In version 2.39.0, File Browser’s authentication system issues long-lived JWT tokens that…
- CVE-2025-53896HIGHCVSS 7.1EG 7.12025-11-29
Kiteworks MFT orchestrates end-to-end file transfer workflows. Prior to version 9.1.0, a bug in Kiteworks MFT could cause under certain circumstances that a user's active session would not properly time out due to inactivity. This issue ha…
- CVE-2025-54547MEDIUMCVSS 5.3EG 5.32025-10-29
On affected platforms, if SSH session multiplexing was configured on the client side, SSH sessions (e.g, scp, sftp) multiplexed onto the same channel could perform file-system operations after a configured session timeout expired
- CVE-2025-54592CRITICALCVSS 9.8EG 9.82025-09-29
FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below do not properly terminate the session during logout. After a user logs out, the session cookie remains active and unchanged. The unchanged cookie could be reused b…
- CVE-2025-55162MEDIUMCVSS 6.3EG 6.32025-09-03
Envoy is an open source L7 proxy and communication bus designed for large modern service oriented architectures. In versions below 1.32.10 and 1.33.0 through 1.33.6, 1.34.0 through 1.34.4 and 1.35.0, insufficient Session Expiration in the …
- CVE-2025-55254LOWCVSS 3.7EG 3.72025-12-17
Improper management of Path-relative stylesheet import in HCL BigFix Remote Control Lite Web Portal (versions 10.1.0.0326 and lower) may allow to execute malicious code in certain web pages.
- CVE-2025-55278HIGHCVSS 8.1EG 8.12025-11-05
Improper authentication in the API authentication middleware of HCL DevOps Loop allows authentication tokens to be accepted without proper validation of their expiration and cryptographic signature. As a result, an attacker could potentia…
- CVE-2025-55705HIGHCVSS 7.3EG 7.32026-01-22
This vulnerability occurs when the system permits multiple simultaneous connections to the backend using the same charging station ID. This can result in unauthorized access, data inconsistency, or potential manipulation of charging ses…
- CVE-2025-56643CRITICALCVSS 9.1EG 9.12025-11-18
Requarks Wiki.js 2.5.307 does not properly revoke or invalidate active JWT tokens when a user logs out. As a result, previously issued tokens remain valid and can be reused to access the system, even after logout. This behavior affects ses…
- CVE-2025-57735CRITICALCVSS 9.1EG 9.12026-04-09
When user logged out, the JWT token the user had authtenticated with was not invalidated, which could lead to reuse of that token in case it was intercepted. In Airflow 3.2 we implemented the mechanism that implements token invalidation at…
- CVE-2025-57766MEDIUMCVSS 4.8EG 4.82025-09-08
Fides is an open-source privacy engineering platform. Prior to version 2.69.1, admin UI user password changes in Fides do not invalidate active user sessions, creating a vulnerability chaining opportunity where attackers who have obtained …
- CVE-2025-58352MEDIUMCVSS 6.5EG 6.52025-09-05
Weblate is a web based localization tool. Versions lower than 5.13.1 contain a vulnerability that causes long session expiry during the second factor verification. The long session expiry could be used to circumvent rate limiting of the s…
- CVE-2025-58437HIGHCVSS 8.1EG 8.12025-09-06
Coder allows organizations to provision remote development environments via Terraform. In versions 2.22.0 through 2.24.3, 2.25.0 and 2.25.1, Coder can be compromised through insecure session handling in prebuilt workspaces. Coder automati…
- CVE-2025-59335HIGHCVSS 7.1EG 7.12025-09-22
CubeCart is an ecommerce software solution. Prior to version 6.5.11, there is an absence of automatic session expiration following a user's password change. This oversight poses a security risk, as if a user forgets to log out from a locat…
- CVE-2025-59841CRITICALCVSS 9.8EG 9.82025-09-25
Flag Forge is a Capture The Flag (CTF) platform. In versions from 2.2.0 to before 2.3.1, the FlagForge web application improperly handles session invalidation. Authenticated users can continue to access protected endpoints, such as /api/pr…
- CVE-2025-61775MEDIUMCVSS 6.9EG 6.92025-10-13
Vickey is a Misskey-based microblogging platform. A vulnerability exists in Vickey prior to version 2025.10.0 where unexpired email confirmation links can be reused multiple times to send repeated confirmation emails to a verified email ad…
- CVE-2025-62174LOWCVSS 3.5EG 3.52025-10-13
Mastodon is a free, open-source social network server based on ActivityPub. In Mastodon before 4.4.6, 4.3.14, and 4.2.27, when an administrator resets a user account's password via the command-line interface using `bin/tootctl accounts mo…
- CVE-2025-62329MEDIUMCVSS 5.0EG 5.02025-12-16
HCL DevOps Deploy / HCL Launch is susceptible to a race condition in http-session client-IP binding enforcement which may allow a session to be briefly reused from a new IP address before it is invalidated. This could lead to unauthorized …
- CVE-2025-62340MEDIUMCVSS 5.3EG 3.12026-06-17
HCL iControl was affected by Inadequate Session Timeout vulnerability. The vulnerability involves a security risk where a web application fails to automatically terminate user sessions after a period of inactivity
- CVE-2025-62631MEDIUMCVSS 5.6EG 5.62025-12-09
An insufficient session expiration vulnerability [CWE-613] vulnerability in Fortinet FortiOS 7.4.0, FortiOS 7.2 all versions, FortiOS 7.0 all versions, FortiOS 6.4 all versions allows attacker to maintain access to network resources via an…
- CVE-2025-62781MEDIUMCVSS 5.0EG 5.02025-10-27
PILOS (Platform for Interactive Live-Online Seminars) is a frontend for BigBlueButton. Prior to 4.8.0, users with a local account can change their password while logged in. When doing so, all other active sessions are terminated, except fo…
- CVE-2025-63226MEDIUMCVSS 5.7EG 5.72025-11-18
The Sencore SMP100 SMP Media Platform (firmware versions V4.2.160, V60.1.4, V60.1.29) is vulnerable to session hijacking due to improper session management on the /UserManagement.html endpoint. Attackers who are on the same network as the …
- CVE-2025-64386HIGHCVSS 7.7EG 7.72025-10-31
The equipment grants a JWT token for each connection in the timeline, but during an active valid session, a hijacking of the token can be done. This will allow an attacker with the token modify parameters of security, access or even steal …
- CVE-2025-64708MEDIUMCVSS 5.3EG 5.82025-11-19
authentik is an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, in previous authentik versions, invitations were considered valid regardless if they are expired or not, thus relying on background tasks to clean up …
- CVE-2025-65430MEDIUMCVSS 5.4EG 5.42025-12-15
An issue was discovered in allauth-django before 65.13.0. IdP: marking a user as is_active=False after having handed tokens for that user while the account was still active had no effect. Fixed the access/refresh tokens are now rejected.
- CVE-2025-65883HIGHCVSS 8.4EG 8.42025-12-04
A vulnerability has been identified in Genexis Platinum P4410 router (Firmware P4410-V2–1.41) that allows a local network attacker to achieve Remote Code Execution (RCE) with root privileges. The issue occurs due to improper session inva…
- CVE-2025-66223HIGHCVSS 8.4EG 8.42025-11-29
OpenObserve is a cloud-native observability platform. Prior to version 0.16.0, organization invitation tokens do not expire once issued, remain valid even after the invited user is removed from the organization, and allow multiple invitati…
- CVE-2025-66289HIGHCVSS 8.8EG 8.82025-11-29
OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the application does not invalidate existing sessions when a user is disabled or when a password change occurs, allowing active session cookies t…
- CVE-2025-66483MEDIUMCVSS 6.3EG 6.32026-04-01
IBM Aspera Shares 1.9.9 through 1.11.0 does not invalidate session after a password reset which could allow an authenticated user to impersonate another user on the system.
- CVE-2025-68954MEDIUMCVSS 5.4EG 5.42026-01-06
Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below do not revoke active SFTP connections when a user is removed from a server instance or has their permissions changes with respect to file access ov…
- CVE-2025-71335HIGHCVSS 8.1EG 8.12026-06-25
Flowise before 3.0.10 (affected versions 3.0.7 and earlier) fails to invalidate existing sessions and session tokens after a user changes their password. An attacker who already holds an active session, for example via a stolen session tok…
Map vulnerabilities like CWE-613 to your infrastructure
EchelonGraph correlates every CVE — across CWE-613 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →