Cross-Space session fixation in Gradio before 6.15.0 lets an attacker who controls any Hugging Face Space poison a process-wide httpx.AsyncClient shared by the framework's /proxy= reverse-proxy endpoint. Because that single client keeps one cookie jar, a Set-Cookie header returned by a malicious upstream Space is stored and automatically replayed on every subsequent proxied request to sibling *.hf.space URLs, allowing the attacker to fix a parent-domain cookie across all users of the same Gradio deployment. SSVC rates exploitation as proof-of-concept with total technical impact; the issue is not in CISA KEV and is fixed in release 6.15.0 (GHSA-2mr9-9r47-px2g).
Default configurations of Apache Shiro have a session fixation vulnerability. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected versions, when a session already exists it is not invalidated upon successful login, and no new session with a new ID is generated, so a session identifier planted before authentication remains valid after it.
Session fixation in Visual Studio Code allows an unauthorized attacker to elevate privileges over a network.
Session fixation in Pandora FMS versions 777-800 enables session hijacking when attackers supply crafted session IDs to users. Successful exploitation grants attackers complete access to victim user sessions with high confidentiality and integrity impact. No public exploit code identified at time of analysis, though attack complexity is low with network-based delivery requiring only user interaction (CVSS 7.6).
Session fixation vulnerability in docuFORM Managed Print Service Client 11.11c allows unauthenticated remote attackers to hijack user sessions via the login page, enabling unauthorized access to application functions and potential disclosure of sensitive print job data. The vulnerability requires user interaction (clicking a malicious link) and affects confidentiality and integrity with a CVSS score of 5.4. No public exploit code or active exploitation has been confirmed at the time of analysis.
Privilege escalation in Open WebUI ≤0.8.12 allows demoted administrators to retain elevated access to collaborative documents via stale Socket.IO sessions. When an admin user is demoted or deleted, their active WebSocket connection preserves cached admin privileges indefinitely through heartbeat mechanisms, enabling unauthorized read/write access to any user's notes. Official patch released in version 0.9.0 addresses the session invalidation gap. CVSS 8.1 (High) with network attack vector and low complexity; no public exploit identified at time of analysis.
Session fixation in Apache Wicket AuthenticatedWebSession allows remote unauthenticated attackers to hijack user sessions and escalate privileges by fixing session identifiers before authentication completes. Affects Wicket 8.0.0-8.17.0, 9.0.0-9.22.0, and 10.0.0-10.8.0. EPSS score of 0.02% (5th percentile) indicates low observed exploitation probability despite critical CVSS 9.1, suggesting this requires specific deployment conditions. Not listed in CISA KEV; no public POC identified at time of analysis. Apache has published vendor advisories with fix versions across all three major release branches.
Dell PowerProtect Data Domain DD OS versions 8.4-8.5 contain a session fixation vulnerability allowing high-privileged remote attackers to hijack authenticated sessions and gain unauthorized access without requiring user interaction. The CVSS 6.2 score reflects high attack complexity (AC:H) and the high privileges required (PR:H), balanced against direct confidentiality and integrity impact; no public exploit or active exploitation has been identified at time of analysis.
Session fixation in Chamilo LMS versions prior to 1.11.38 and 2.0.0-RC.3 enables unauthenticated remote attackers to hijack user sessions via main/lp/aicc_hacp.php. User-controlled request parameters directly manipulate PHP session IDs before application bootstrap, allowing attackers to force victims into attacker-controlled sessions. Successful exploitation grants high-severity access to confidential data and platform integrity. No public exploit identified at time of analysis.
Session hijacking in the Model Context Protocol Ruby SDK (mcp gem) allows attackers to intercept Server-Sent Events streams by reusing valid session identifiers. The streamable_http_transport.rb implementation overwrites existing SSE stream objects when a duplicate session ID connects, silently disconnecting legitimate users and redirecting all tool responses and real-time data to the attacker. A proof-of-concept demonstration has been provided showing successful stream hijacking, where the attacker receives confidential tool call responses intended for the victim. Patch available per vendor advisory (release v0.9.2 per references).