EUVD-2026-31736
GHSA-fcvm-3cpj-f9qx
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:L/U:Amber
Lifecycle Timeline
1DescriptionNVD
Default configurations of Apache Shiro have a session fixation vulnerability.
This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1.
Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue.
In the affected versions, when a session already exists, it is not invalidated upon successful login, nor is a new session being generated with a new ID.
Analysis
Default configurations of Apache Shiro have a session fixation vulnerability. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. …
Sign in for full analysis, threat intelligence, and remediation guidance.
More from same product – last 7 days
Path traversal in Apache Ignite 2.0.0 through 2.17.0 lets authenticated REST API users read arbitrary files on the serve
Code execution via Groovy sandbox bypass in Apache Syncope 3.0 through 3.0.16, 4.0 through 4.0.5, and 4.1.0 allows a hig
Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute. This issue
With valid login credentials, URL Redirection to Untrusted Site ('Open Redirect'), Server-Side Request Forgery (SSRF) vu
Apache Shiro’s Jakarta EE module used the HTTP Referer header in certain cases to issue redirect after a user login. In
Share
External POC / Exploit Code
Leaving vuln.today