Skip to main content

Session Fixation EUVDEUVD-2026-16581

| CVE-2026-25101 MEDIUM
Session Fixation (CWE-384)
2026-03-27 CERT-PL GHSA-fjj5-fj78-h28j
4.8
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
4.8 MEDIUM
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
P
Scope
X

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
3.17.2
EUVD ID Assigned
Mar 27, 2026 - 12:15 euvd
EUVD-2026-16581
Analysis Generated
Mar 27, 2026 - 12:15 vuln.today
CVE Published
Mar 27, 2026 - 11:55 nvd
MEDIUM 4.8

DescriptionCVE.org

Bludit allows user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behavior enables an attacker to fix a session ID for a victim and later hijack the authenticated session.

This issue was fixed in version 3.17.2.

AnalysisAI

Bludit versions prior to 3.17.2 allow attackers to fix a victim's session identifier before authentication, with the session ID persisting unchanged after successful login, enabling authenticated session hijacking via session fixation. The vulnerability affects all Bludit instances below version 3.17.2 and requires local access and user interaction to exploit. No public exploit code or active exploitation has been identified at the time of analysis, though the session fixation mechanism poses a moderate risk in multi-user or shared-access environments.

Technical ContextAI

Session fixation vulnerabilities (CWE-384) occur when an application fails to regenerate or invalidate session identifiers upon authentication state changes. In Bludit's case, the session management implementation permits an attacker to predetermine a session ID value before the user authenticates, and critically, this identifier is not regenerated post-authentication. The affected product is identified via CPE cpe:2.3:a:bludit:bludit:*:*:*:*:*:*:*:* with all versions prior to 3.17.2 in scope. This is a classic session handling flaw where the application trusts a client-supplied or pre-set session identifier rather than generating a fresh one after credential validation, allowing an attacker who can influence the session ID (via network access, shared hosting, or other vectors) to maintain control over an authenticated session without possessing valid credentials.

RemediationAI

Upgrade Bludit to version 3.17.2 or later immediately (see vendor release notes at https://github.com/bludit/bludit/releases/tag/3.17.2). Until patching is feasible, implement session security controls: configure the application to enforce secure session cookie flags (HttpOnly, Secure, SameSite=Strict if using cookies), enforce HTTPS-only connections to prevent session ID interception, and consider implementing IP-based session binding or device fingerprinting to detect anomalous session reuse. For shared hosting or multi-tenant environments, isolate Bludit instances and restrict session cookie scope to prevent cross-instance session fixation. Additionally, educate users to clear browser cookies and restart sessions when accessing sensitive administrative functions.

CVE-2017-12965 CRITICAL POC
9.8 Aug 23

Session fixation vulnerability in Apache2Triad 1.5.4 allows remote attackers to hijack web sessions via the PHPSESSID pa

CVE-2025-28242 CRITICAL POC
9.8 Apr 18

Improper session management in the /login_ok.htm endpoint of DAEnetIP4 METO v1.25 allows attackers to execute a session

CVE-2022-40916 CRITICAL POC
9.8 Feb 06

Tiny File Manager v2.4.7 and below is vulnerable to session fixation. Rated critical severity (CVSS 9.8), this vulnerabi

CVE-2025-45949 CRITICAL POC
9.8 Apr 28

A critical vulnerability was found in PHPGurukul User Registration & Login and User Management System V3.3 in the /login

CVE-2023-48929 CRITICAL POC
9.8 Dec 08

Franklin Fueling Systems System Sentinel AnyWare (SSA) version 1.6.24.492 is vulnerable to Session Fixation. Rated criti

CVE-2023-41012 CRITICAL POC
9.8 Sep 05

An issue in China Mobile Communications China Mobile Intelligent Home Gateway v.HG6543C4 allows a remote attacker to exe

CVE-2023-31498 CRITICAL POC
9.8 May 11

A privilege escalation issue was found in PHP Gurukul Hospital Management System In v.4.0 allows a remote attacker to ex

CVE-2022-3269 CRITICAL POC
9.8 Sep 23

Session Fixation in GitHub repository ikus060/rdiffweb prior to 2.4.7. Rated critical severity (CVSS 9.8), this vulnerab

CVE-2021-39290 CRITICAL POC
9.8 Aug 23

Certain NetModule devices allow Limited Session Fixation via PHPSESSID. Rated critical severity (CVSS 9.8), this vulnera

CVE-2020-11729 CRITICAL POC
9.8 Apr 15

An issue was discovered in DAViCal Andrew's Web Libraries (AWL) through 0.60. Rated critical severity (CVSS 9.8), this v

CVE-2019-18418 CRITICAL POC
9.8 Oct 24

clonos.php in ClonOS WEB control panel 19.09 allows remote attackers to gain full access via change password requests be

CVE-2018-18925 CRITICAL POC
9.8 Nov 04

Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." s

Share

EUVD-2026-16581 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy