Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Bludit allows user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behavior enables an attacker to fix a session ID for a victim and later hijack the authenticated session.
This issue was fixed in version 3.17.2.
AnalysisAI
Bludit versions prior to 3.17.2 allow attackers to fix a victim's session identifier before authentication, with the session ID persisting unchanged after successful login, enabling authenticated session hijacking via session fixation. The vulnerability affects all Bludit instances below version 3.17.2 and requires local access and user interaction to exploit. No public exploit code or active exploitation has been identified at the time of analysis, though the session fixation mechanism poses a moderate risk in multi-user or shared-access environments.
Technical ContextAI
Session fixation vulnerabilities (CWE-384) occur when an application fails to regenerate or invalidate session identifiers upon authentication state changes. In Bludit's case, the session management implementation permits an attacker to predetermine a session ID value before the user authenticates, and critically, this identifier is not regenerated post-authentication. The affected product is identified via CPE cpe:2.3:a:bludit:bludit:*:*:*:*:*:*:*:* with all versions prior to 3.17.2 in scope. This is a classic session handling flaw where the application trusts a client-supplied or pre-set session identifier rather than generating a fresh one after credential validation, allowing an attacker who can influence the session ID (via network access, shared hosting, or other vectors) to maintain control over an authenticated session without possessing valid credentials.
RemediationAI
Upgrade Bludit to version 3.17.2 or later immediately (see vendor release notes at https://github.com/bludit/bludit/releases/tag/3.17.2). Until patching is feasible, implement session security controls: configure the application to enforce secure session cookie flags (HttpOnly, Secure, SameSite=Strict if using cookies), enforce HTTPS-only connections to prevent session ID interception, and consider implementing IP-based session binding or device fingerprinting to detect anomalous session reuse. For shared hosting or multi-tenant environments, isolate Bludit instances and restrict session cookie scope to prevent cross-instance session fixation. Additionally, educate users to clear browser cookies and restart sessions when accessing sensitive administrative functions.
More in Session Fixation
View allSession fixation vulnerability in Apache2Triad 1.5.4 allows remote attackers to hijack web sessions via the PHPSESSID pa
Improper session management in the /login_ok.htm endpoint of DAEnetIP4 METO v1.25 allows attackers to execute a session
Tiny File Manager v2.4.7 and below is vulnerable to session fixation. Rated critical severity (CVSS 9.8), this vulnerabi
A critical vulnerability was found in PHPGurukul User Registration & Login and User Management System V3.3 in the /login
Franklin Fueling Systems System Sentinel AnyWare (SSA) version 1.6.24.492 is vulnerable to Session Fixation. Rated criti
An issue in China Mobile Communications China Mobile Intelligent Home Gateway v.HG6543C4 allows a remote attacker to exe
A privilege escalation issue was found in PHP Gurukul Hospital Management System In v.4.0 allows a remote attacker to ex
Session Fixation in GitHub repository ikus060/rdiffweb prior to 2.4.7. Rated critical severity (CVSS 9.8), this vulnerab
Certain NetModule devices allow Limited Session Fixation via PHPSESSID. Rated critical severity (CVSS 9.8), this vulnera
An issue was discovered in DAViCal Andrew's Web Libraries (AWL) through 0.60. Rated critical severity (CVSS 9.8), this v
clonos.php in ClonOS WEB control panel 19.09 allows remote attackers to gain full access via change password requests be
Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." s
Same weakness CWE-384 – Session Fixation
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-16581
GHSA-fjj5-fj78-h28j