CWE-613: Insufficient Session Expiration

105 CVEs, average CVSS 6.2 (MITRE)
Severity breakdown: 8 CRITICAL, 33 HIGH, 50 MEDIUM, 13 LOW
15 with public PoC, 0 in KEV


CVE-2026-35594 | MEDIUM | PATCH | GHSA | This Month

Vikunja prior to version 2.3.0 fails to validate link share permissions against server state during JWT authentication, allowing attackers with revoked or downgraded JWT tokens to maintain the original access level for up to 72 hours. This affects self-hosted task management deployments where link shares are used for collaboration, enabling unauthorized information disclosure and modification of shared projects even after a project owner explicitly revokes or restricts access.

Tags: Information Disclosure, Vikunja
References: NVD, GitHub
CVSS 3.1: 6.5 | EPSS: 0.0%

CVE-2025-57735 | CRITICAL | PATCH | GHSA | Act Now

JWT token reuse vulnerability in Apache Airflow 3.0.0 through 3.1.x allows unauthenticated remote attackers to impersonate authenticated users by intercepting and replaying tokens after legitimate logout. The framework failed to invalidate JWT authentication tokens during user logout operations, enabling session persistence beyond intended termination. Attackers with network access to intercept tokens can achieve unauthorized access to high-integrity operations. EPSS indicates low observed exploitation activity; no public exploit identified at time of analysis.

Tags: Information Disclosure
References: NVD, GitHub, VulDB
CVSS 3.1: 9.1 | EPSS: 0.0%

CVE-2026-1163 | MEDIUM | GHSA | This Month

Insufficient session expiration in parisneo/lollms allows authenticated attackers with high privileges to maintain unauthorized account access after a victim resets their password, due to failure to invalidate active sessions and excessively long default session duration (31 days). The vulnerability requires prior compromise and high privileges but enables persistent access to accounts with confidentiality, integrity, and availability impact. No public exploit code or active exploitation has been confirmed.

Tags: Information Disclosure
References: NVD
CVSS 3.0: 4.1 | EPSS: 0.0%

CVE-2026-35462 | MEDIUM | This Month

Papra API key expiration validation bypass in versions before 26.4.0 allows authenticated users with expired API keys to maintain indefinite access to protected endpoints. An attacker who obtains or retains a valid API key can continue authenticating even after the key's expiresAt timestamp has passed, enabling persistent unauthorized data access. This affects all Papra deployments using API key authentication without the 26.4.0 patch, though exploitation requires initial possession of a valid API key.

Tags: Information Disclosure
References: NVD, GitHub
CVSS 3.1: 4.3 | EPSS: 0.0%

CVE-2026-5376 | MEDIUM | This Month

Session inactivity timeouts fail to trigger in runZero Platform due to automatic page reloading, allowing authenticated administrators to maintain unauthorized access beyond intended session expiration windows. This CWE-613 resource control vulnerability affects runZero Platform versions prior to 4.0.260203.0 and requires high-privilege authentication, with confirmed confidentiality and integrity impacts. No public exploit code or active exploitation has been reported.

Tags: Information Disclosure
References: NVD
CVSS 3.1: 5.9 | EPSS: 0.0%

CVE-2026-34828 | HIGH | PATCH | GHSA | This Week

Session fixation in listmonk v6.0.0 allows authenticated sessions to persist after password reset or password change, enabling attackers with stolen session cookies to maintain account access despite credential recovery by the victim. Authenticated remote attackers (PR:L) can exploit this to retain high confidentiality impact access. No public exploit code identified at time of analysis, though the vulnerability is trivially reproducible per the detailed proof-of-concept. EPSS data not available; vulnerability confirmed in production release v6.0.0 via GitHub Security Advisory.

Tags: Authentication Bypass, XSS
References: NVD, GitHub
CVSS 3.1: 7.1 | EPSS: 0.0%

CVE-2025-66483 | MEDIUM | PATCH | This Month

IBM Aspera Shares versions 1.9.9 through 1.11.0 fail to invalidate user sessions following password reset operations, enabling authenticated users to maintain access to compromised accounts and impersonate other users. The vulnerability requires prior authentication and allows limited confidentiality and integrity impact through account takeover. IBM has released a patch to address this session management defect.

Tags: IBM, Information Disclosure
References: NVD
CVSS 3.1: 6.3 | EPSS: 0.0%

CVE-2026-34503 | HIGH | PATCH | GHSA | This Week

WebSocket session fixation in OpenClaw before version 2026.3.28 enables attackers to maintain unauthorized access after credential revocation. The vulnerability permits unauthenticated remote attackers (CVSS PR:N) to exploit persistent WebSocket connections that fail to terminate when device tokens are revoked, resulting in high confidentiality impact. No public exploit identified at time of analysis, though the attack vector is network-accessible with low complexity. EPSS data not available; affects OpenClaw deployments with WebSocket-based device communication.

Tags: Authentication Bypass
References: NVD, GitHub
CVSS 4.0: 8.6 | EPSS: 0.0%

CVE-2026-26060 | MEDIUM | PATCH | This Month

Fleet's password reset token invalidation logic fails to revoke previously issued tokens when a user changes their password, allowing attackers with a captured token to perform account takeover by resetting the password again within the token's 24-hour validity window. The vulnerability affects Fleet versions distributed via the Go package github.com/fleetdm/fleet/v4 and requires prior compromise of a valid password reset token to exploit, limiting real-world impact to scenarios where token interception has already occurred.

Tags: Authentication Bypass, Suse
References: NVD, GitHub
CVSS 4.0: 6.0 | EPSS: 0.0%

CVE-2026-34362 | MEDIUM | GHSA | This Month

WebSocket token validation bypass in WWBN AVideo versions up to 26.0 allows authenticated attackers to retain permanent real-time access to sensitive connection metadata after account revocation. The verifyTokenSocket() function fails to enforce token expiration despite generating 12-hour timeouts, enabling captured tokens to grant indefinite access to admin-level data including IP addresses, browser fingerprints, and user page locations. Authenticated users (PR:L per CVSS vector) can exploit this to maintain surveillance capabilities even after account deletion or privilege demotion. No public exploit identified at time of analysis.

Tags: PHP, Information Disclosure
References: NVD, GitHub
CVSS 3.1: 5.4 | EPSS: 0.0%
