Skip to main content

CWE-384

Session Fixation

306 CVEs Avg CVSS 7.2 MITRE
61
CRITICAL
116
HIGH
111
MEDIUM
16
LOW
67
POC
0
KEV

Monthly

CVE-2026-14609 LOW Monitor

Session fixation in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0 enables remote attackers to pre-set a known session identifier in a victim's browser, then hijack the authenticated session after the victim logs in. The CVSS 4.0 score of 2.9 reflects limited impact scope (low confidentiality, integrity, and availability) combined with high attack complexity, though a public exploit has been released (E:P). No CISA KEV listing indicates no confirmed widespread active exploitation at time of analysis.

Session Fixation Information Disclosure Cet Automated Grading System With Ai Predictive Analytics
NVD VulDB
CVSS 4.0
2.9
EPSS
0.3%
CVE-2026-13707 NONE Awaiting Data

Session fixation in the Wikimedia Foundation OAuth MediaWiki extension (src/Backend/MWOAuthServer.php) allows a network-accessible, low-privileged attacker to manipulate the OAuth authorization handshake so that a victim's authentication binds to an attacker-controlled session identifier. All four actively maintained release branches are affected through versions 1.46.0, 1.45.4, 1.44.6, and 1.43.9. No public exploit or CISA KEV listing exists at time of analysis; however, the 'Information Disclosure' tag applied to this CVE creates tension with the vendor-supplied CVSS 4.0 zero-impact scoring and warrants independent verification.

Session Fixation Information Disclosure PHP Oauth
NVD VulDB
EPSS
0.3%
CVE-2026-56224 MEDIUM PATCH This Month

Session fixation in the Capgo cloud console login endpoint (console.capgo.app/login) allows unauthenticated remote attackers to force victims into attacker-controlled sessions by crafting malicious URLs containing attacker-owned tokens. Versions before 12.128.2 silently accept access_token and refresh_token as URL query parameters and authenticate the user without confirmation, bypassing normal login flows. Tokens passed via URL are additionally exposed in browser history, server access logs, and HTTP Referer headers, creating secondary information-disclosure risk. No public exploit code and no CISA KEV listing exist at time of analysis.

Session Fixation Information Disclosure Capgo
NVD GitHub
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-35095 MEDIUM PATCH This Month

Session fixation in KTM System e-BOK (an online customer service portal) enables an attacker to preset a session identifier in a victim's browser before authentication, which the application then retains unchanged after successful login. Because the server accepts a client-supplied cookie value and never regenerates it at the authentication boundary, an attacker who controls the initial session token can hijack the victim's fully authenticated session. A patch was published by KTM System in June 2026; no public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Session Fixation Information Disclosure E Bok
NVD VulDB
CVSS 4.0
4.8
EPSS
0.1%
CVE-2026-56425 CRITICAL PATCH Act Now

Multiple OAuth 2.0 flow weaknesses in the MISP AAD (Azure Active Directory) authentication plugin allow session hijacking, session fixation, CSRF/replay against the OAuth callback, plaintext credential exposure over non-HTTPS redirect URIs, and log injection. The plugin reused the PHP session_id() as the OAuth state parameter, never rotated the session ID after login, did not enforce HTTPS on the redirect URI, and logged attacker-controlled GET parameters verbatim. No public exploit identified at time of analysis, but an upstream fix is available in MISP commit 146bc40.

Session Fixation PHP CSRF Microsoft Misp
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.3%
CVE-2026-12581 HIGH This Week

Session fixation in Digiwin EasyFlow .NET allows unauthenticated remote attackers to pre-set a victim's session identifier and hijack the authenticated session once the victim logs in, inheriting the victim's privileges. No public exploit identified at time of analysis, but the CVSS 4.0 score of 7.7 and HIGH impact across confidentiality, integrity, and availability mark this as a meaningful risk for organizations using the workflow platform. The flaw is tracked under CWE-384 and was disclosed via TWCERT, with no specific patched version cited in the provided references.

Information Disclosure Session Fixation Easyflow Net
NVD
CVSS 4.0
7.7
EPSS
0.3%
CVE-2026-41839 MEDIUM PATCH This Month

Session fixation in Spring Framework's WebFlux reactive stack (versions 5.3.x through 7.0.x) enables a remote attacker to hijack an authenticated user's session by leveraging a compromised subdomain - typically via cross-site scripting - to plant a known session ID and exchange it for the victim's authenticated session post-login. The attack is classified as CWE-384 and requires both a prior subdomain compromise and user interaction, placing real-world exploitability well below the headline concern for most deployments. No public exploit code and no CISA KEV listing have been identified at time of analysis.

XSS Session Fixation Java Spring Framework
NVD HeroDevs VulDB
CVSS 3.1
4.2
EPSS
0.0%
CVE-2026-11335 LOW POC Monitor

Session fixation in tittuvarghese CollegeManagementSystem enables remote attackers to hijack authenticated user sessions by pre-setting a session identifier via the UserAuthData argument passed to session_start() in /login-form.php. Successful exploitation requires a victim to complete login through an attacker-crafted URL, granting the attacker access to the victim's authenticated session with partial confidentiality, integrity, and availability impact (C:L/I:L/A:L). A publicly available exploit exists via a published GitHub issue, but no patch has been released and the maintainer has not responded to responsible disclosure.

PHP Information Disclosure Session Fixation
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-67446 CRITICAL Act Now

Authentication bypass in Neterbit NW-431F routers running firmware 20241014-IR03 and earlier allows remote unauthenticated attackers to gain administrative access by simply setting a session cookie value to a predictable string such as 'admin'. The CVSS 9.8 rating reflects trivial network exploitability with full confidentiality, integrity, and availability impact, and a public proof-of-concept exists in the referenced GitHub repository, though the issue is not currently listed in CISA KEV.

Authentication Bypass Session Fixation
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-33384 MEDIUM This Month

Session fixation in QuickCMS (OpenSolution) allows an attacker to pre-set a victim's session identifier before the victim authenticates, and because the application fails to regenerate the session ID upon login, the attacker can subsequently hijack the fully authenticated session. All QuickCMS 6.8 deployments lacking the patch published on 2026-05-15 are vulnerable. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, but the attack requires no attacker privileges and only passive user interaction, making targeted abuse realistic wherever attacker session pre-positioning is feasible.

Information Disclosure Session Fixation
NVD
CVSS 4.0
4.8
EPSS
0.0%
EPSS 0% CVSS 2.9
LOW Monitor

Session fixation in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0 enables remote attackers to pre-set a known session identifier in a victim's browser, then hijack the authenticated session after the victim logs in. The CVSS 4.0 score of 2.9 reflects limited impact scope (low confidentiality, integrity, and availability) combined with high attack complexity, though a public exploit has been released (E:P). No CISA KEV listing indicates no confirmed widespread active exploitation at time of analysis.

Session Fixation Information Disclosure Cet Automated Grading System With Ai Predictive Analytics
NVD VulDB
EPSS 0%
NONE Awaiting Data

Session fixation in the Wikimedia Foundation OAuth MediaWiki extension (src/Backend/MWOAuthServer.php) allows a network-accessible, low-privileged attacker to manipulate the OAuth authorization handshake so that a victim's authentication binds to an attacker-controlled session identifier. All four actively maintained release branches are affected through versions 1.46.0, 1.45.4, 1.44.6, and 1.43.9. No public exploit or CISA KEV listing exists at time of analysis; however, the 'Information Disclosure' tag applied to this CVE creates tension with the vendor-supplied CVSS 4.0 zero-impact scoring and warrants independent verification.

Session Fixation Information Disclosure PHP +1
NVD VulDB
EPSS 0% CVSS 5.1
MEDIUM PATCH This Month

Session fixation in the Capgo cloud console login endpoint (console.capgo.app/login) allows unauthenticated remote attackers to force victims into attacker-controlled sessions by crafting malicious URLs containing attacker-owned tokens. Versions before 12.128.2 silently accept access_token and refresh_token as URL query parameters and authenticate the user without confirmation, bypassing normal login flows. Tokens passed via URL are additionally exposed in browser history, server access logs, and HTTP Referer headers, creating secondary information-disclosure risk. No public exploit code and no CISA KEV listing exist at time of analysis.

Session Fixation Information Disclosure Capgo
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Session fixation in KTM System e-BOK (an online customer service portal) enables an attacker to preset a session identifier in a victim's browser before authentication, which the application then retains unchanged after successful login. Because the server accepts a client-supplied cookie value and never regenerates it at the authentication boundary, an attacker who controls the initial session token can hijack the victim's fully authenticated session. A patch was published by KTM System in June 2026; no public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Session Fixation Information Disclosure E Bok
NVD VulDB
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Multiple OAuth 2.0 flow weaknesses in the MISP AAD (Azure Active Directory) authentication plugin allow session hijacking, session fixation, CSRF/replay against the OAuth callback, plaintext credential exposure over non-HTTPS redirect URIs, and log injection. The plugin reused the PHP session_id() as the OAuth state parameter, never rotated the session ID after login, did not enforce HTTPS on the redirect URI, and logged attacker-controlled GET parameters verbatim. No public exploit identified at time of analysis, but an upstream fix is available in MISP commit 146bc40.

Session Fixation PHP CSRF +2
NVD GitHub VulDB
EPSS 0% CVSS 7.7
HIGH This Week

Session fixation in Digiwin EasyFlow .NET allows unauthenticated remote attackers to pre-set a victim's session identifier and hijack the authenticated session once the victim logs in, inheriting the victim's privileges. No public exploit identified at time of analysis, but the CVSS 4.0 score of 7.7 and HIGH impact across confidentiality, integrity, and availability mark this as a meaningful risk for organizations using the workflow platform. The flaw is tracked under CWE-384 and was disclosed via TWCERT, with no specific patched version cited in the provided references.

Information Disclosure Session Fixation Easyflow Net
NVD
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

Session fixation in Spring Framework's WebFlux reactive stack (versions 5.3.x through 7.0.x) enables a remote attacker to hijack an authenticated user's session by leveraging a compromised subdomain - typically via cross-site scripting - to plant a known session ID and exchange it for the victim's authenticated session post-login. The attack is classified as CWE-384 and requires both a prior subdomain compromise and user interaction, placing real-world exploitability well below the headline concern for most deployments. No public exploit code and no CISA KEV listing have been identified at time of analysis.

XSS Session Fixation Java +1
NVD HeroDevs VulDB
EPSS 0% CVSS 2.1
LOW POC Monitor

Session fixation in tittuvarghese CollegeManagementSystem enables remote attackers to hijack authenticated user sessions by pre-setting a session identifier via the UserAuthData argument passed to session_start() in /login-form.php. Successful exploitation requires a victim to complete login through an attacker-crafted URL, granting the attacker access to the victim's authenticated session with partial confidentiality, integrity, and availability impact (C:L/I:L/A:L). A publicly available exploit exists via a published GitHub issue, but no patch has been released and the maintainer has not responded to responsible disclosure.

PHP Information Disclosure Session Fixation
NVD VulDB GitHub
EPSS 0% CVSS 9.8
CRITICAL Act Now

Authentication bypass in Neterbit NW-431F routers running firmware 20241014-IR03 and earlier allows remote unauthenticated attackers to gain administrative access by simply setting a session cookie value to a predictable string such as 'admin'. The CVSS 9.8 rating reflects trivial network exploitability with full confidentiality, integrity, and availability impact, and a public proof-of-concept exists in the referenced GitHub repository, though the issue is not currently listed in CISA KEV.

Authentication Bypass Session Fixation
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM This Month

Session fixation in QuickCMS (OpenSolution) allows an attacker to pre-set a victim's session identifier before the victim authenticates, and because the application fails to regenerate the session ID upon login, the attacker can subsequently hijack the fully authenticated session. All QuickCMS 6.8 deployments lacking the patch published on 2026-05-15 are vulnerable. No public exploit code has been identified and the vulnerability is not listed in CISA KEV, but the attack requires no attacker privileges and only passive user interaction, making targeted abuse realistic wherever attacker session pre-positioning is feasible.

Information Disclosure Session Fixation
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy