Severity by source
CVSS Vector (Vendor: CERT-PL):
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
e-BOK is a network-accessible web portal (AV:N), exploitation requires no privileges (PR:N) but demands victim login (UI:R), with limited account-level confidentiality and integrity impact and no availability effect.
Primary rating from Vendor (CERT-PL).
Description (source: CVE.org)
KTM System e-BOK allows the session identifier to be set by the client prior to authentication. If a cookie with a valid name is set, its value remains unchanged after successful login. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session.
This issue was fixed in the patch published in June 2026.
Analysis (AI-generated)
Session fixation in KTM System e-BOK (an online customer service portal) enables an attacker to preset a session identifier in a victim's browser before authentication, which the application then retains unchanged after successful login. Because the server accepts a client-supplied cookie value and never regenerates it at the authentication boundary, an attacker who controls the initial session token can hijack the victim's fully authenticated session. …
Attack Chain (AI-derived): hypothetical attack flow derived from CVE metadata.
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
|---|---|
| Exploitation | The attacker must have a mechanism to set a specific session cookie value in the victim's browser before the victim logs in, for example by inducing the victim to visit a crafted URL that causes a session cookie with an attacker-known value to be stored, or through a shared browsing context. … |
| Risk Assessment | The CVSS 4.0 score of 4.8 (Medium) appropriately reflects a constrained threat model: the attacker requires no privileges (PR:N) and attack complexity is low (AC:L/AT:N), but passive victim interaction is mandatory (UI:P) and the impact is bounded to low confidentiality and integrity compromise of the vulnerable system, with no availability impact and no impact on subsequent systems (VC:L/VI:L/VA:N/SC:N/SI:N/SA:N). … |
| Exploit Scenario | An attacker crafts a URL or uses another delivery mechanism (e.g., a phishing email) to load the e-BOK login page in the victim's browser with a pre-chosen, attacker-known session cookie value already set. The victim authenticates normally; because the application does not regenerate the session token at login, the attacker's pre-set value is now associated with the victim's authenticated session. … |
| Remediation | Apply the patch released by KTM System in June 2026 as described in the CERT-PL advisory at https://cert.pl/posts/2026/06/CVE-2026-35095/. … |
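The retained-identifier behaviour described in the analysis and exploit scenario above, beside a login handler that rotates the session at the authentication boundary, as an added Python example that is not KTM System's code. The in-memory session store, the cookie name `SESSIONID` and the attacker-chosen value are constructed for illustration; `attacker_can_hijack` is the regression check a defender would run against either handler.

```python
"""Session fixation at the login boundary: the flawed behaviour beside a hardened handler."""
import secrets

COOKIE_NAME = "SESSIONID"  # constructed name; the portal's real cookie name is not on the page


class SessionStore:
    """Minimal server-side session table: session id -> {"user": name or None}."""

    def __init__(self):
        self.sessions = {}

    def issue(self):
        """Mint a fresh, server-chosen, unauthenticated session id."""
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = {"user": None}
        return sid


def login_vulnerable(store, cookies, user):
    """Models the flaw: whatever id the client presents is adopted and kept after login."""
    sid = cookies.get(COOKIE_NAME) or store.issue()
    store.sessions.setdefault(sid, {"user": None})  # an unknown, client-chosen id is trusted as-is
    store.sessions[sid]["user"] = user
    return sid  # Set-Cookie echoes the pre-authentication value back unchanged


def login_fixed(store, cookies, user):
    """Hardened: only server-issued ids are recognised, and the id is rotated at login."""
    old = cookies.get(COOKIE_NAME)
    if old not in store.sessions:
        old = store.issue()  # missing or unknown id: start a fresh pre-auth session instead
    pre_auth_state = store.sessions.pop(old)  # the pre-auth id is invalidated server-side
    new = store.issue()
    store.sessions[new] = dict(pre_auth_state, user=user)
    return new  # Set-Cookie carries an id the attacker never saw


def attacker_can_hijack(login_fn):
    """Fixation check: does an attacker-chosen pre-auth id resolve to the victim's session?"""
    store = SessionStore()
    attacker_sid = "attacker-known-value"  # constructed; planted in the victim's browser pre-login
    victim_cookies = {COOKIE_NAME: attacker_sid}
    login_fn(store, victim_cookies, "victim@example.test")  # victim logs in normally
    entry = store.sessions.get(attacker_sid)
    return entry is not None and entry["user"] is not None


if __name__ == "__main__":
    print("vulnerable handler hijackable:", attacker_can_hijack(login_vulnerable))  # True
    print("fixed handler hijackable:", attacker_can_hijack(login_fixed))  # False
```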
Weakness: CWE-384 – Session Fixation
Technique: Information Disclosure
External POC / Exploit Code
EUVD-2026-40322
GHSA-7vjj-gwc4-wgq7