
KTM System e-BOK EUVD-2026-40322 | CVE-2026-35095 MEDIUM
Session Fixation (CWE-384)
2026-06-30 · CERT-PL · GHSA-7vjj-gwc4-wgq7
4.8 (CVSS 4.0) · Vendor: CERT-PL

Severity by source

- Vendor (CERT-PL), primary: 4.8 MEDIUM
  CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- vuln.today AI: 5.4 MEDIUM

e-BOK is a network-accessible web portal (AV:N), exploitation requires no privileges (PR:N) but demands victim login (UI:R), with limited account-level confidentiality and integrity impact and no availability effect.

CVSS 3.1: AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (CERT-PL).

CVSS Vector (Vendor: CERT-PL)

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Passive (P)
- Scope: X (not defined)

Lifecycle Timeline

- Patch available: Jun 30, 2026 - 15:01 (EUVD)
- Analysis Generated: Jun 30, 2026 - 14:31 (vuln.today)

Description (CVE.org)

KTM System e-BOK allows the session identifier to be set by the client prior to authentication. If a cookie with a valid name is set, its value remains unchanged after successful login. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session.

This issue was fixed in the patch published in June 2026.

Analysis (AI)

Session fixation in KTM System e-BOK (an online customer service portal) enables an attacker to preset a session identifier in a victim's browser before authentication, which the application then retains unchanged after successful login. Because the server accepts a client-supplied cookie value and never regenerates it at the authentication boundary, an attacker who controls the initial session token can hijack the victim's fully authenticated session. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

1. Access: Attacker generates known session ID
2. Delivery: Delivers crafted session cookie to victim's browser
3. Exploit: Victim authenticates to e-BOK portal
4. Execution: Application retains pre-set session ID post-login
5. Persist: Attacker submits known session ID
6. Impact: Attacker accesses victim's authenticated session

Vulnerability Assessment (AI)

Exploitation: The attacker must have a mechanism to set a specific session cookie value in the victim's browser before the victim logs in - for example, by inducing the victim to visit a crafted URL that triggers a session cookie to be stored with an attacker-known value, or through a shared browsing context. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 4.0 score of 4.8 (Medium) appropriately reflects a constrained threat model: the attacker requires no privileges (PR:N) and the attack complexity is low (AC:L/AT:N), but passive victim interaction is mandatory (UI:P) and the impact is bounded to low confidentiality and integrity compromise of the vulnerable system with no availability or scope-change effects (VC:L/VI:L/VA:N/SC:N/SI:N/SA:N). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker crafts a URL or uses another delivery mechanism (e.g., a phishing email) to load the e-BOK login page in the victim's browser with a pre-chosen, attacker-known session cookie value already set. The victim proceeds to authenticate normally; because the application does not regenerate the session token at login, the attacker's pre-set value is now associated with the victim's authenticated session. …

Remediation: Apply the patch released by KTM System in June 2026 as described in the CERT-PL advisory at https://cert.pl/posts/2026/06/CVE-2026-35095/. … Detailed patch versions, workarounds, and compensating controls in full report.
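The defect the advisory describes, and the fix it implies, come down to one decision at the authentication boundary: whether the server keeps the session id the client presented or issues a new one. The following Python is an added example, not code from KTM System, CERT-PL or vuln.today, and it uses a constructed in-memory session store and a constructed credential table rather than any real e-BOK component. `vulnerable_login` mirrors the described behaviour (a client-presented cookie value, even one the server never issued, survives login unchanged); `hardened_login` discards the pre-authentication id and issues a fresh, unpredictable one. `fixation_check` is a small self-test a defender can run against either handler: it logs in with a pre-set id and reports whether that id still grants the authenticated session afterwards.

```python
import secrets
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed credential table for this example only (not real accounts).
USERS = {"alice": "correct horse battery staple"}


@dataclass
class Session:
    user: Optional[str] = None  # None until the holder has authenticated


class SessionStore:
    """Minimal in-memory session store, constructed for this example."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def issue(self) -> str:
        """Create a fresh, unpredictable, server-issued session id."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session()
        return sid

    def adopt(self, sid: str) -> Session:
        """Accept a client-chosen id the server never issued.
        Only the vulnerable handler calls this; it is the root of the bug."""
        return self._sessions.setdefault(sid, Session())

    def get(self, sid: str) -> Optional[Session]:
        """Unknown ids are simply not sessions; nothing is created here."""
        return self._sessions.get(sid)

    def destroy(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def check_password(username: str, password: str) -> bool:
    expected = USERS.get(username)
    return expected is not None and secrets.compare_digest(expected, password)


def vulnerable_login(store: SessionStore, cookie_sid: Optional[str],
                     username: str, password: str) -> Optional[str]:
    """Behaviour the advisory describes: whatever id the cookie carried
    is kept after a successful login, regardless of who chose it."""
    if not check_password(username, password):
        return None
    if cookie_sid:
        sid = cookie_sid
        sess = store.adopt(sid)      # pre-set value retained unchanged
    else:
        sid = store.issue()
        sess = store.get(sid)
    sess.user = username
    return sid


def hardened_login(store: SessionStore, cookie_sid: Optional[str],
                   username: str, password: str) -> Optional[str]:
    """Regenerate at the authentication boundary: drop the pre-login session
    (server-issued or not) and bind the user to a brand-new id."""
    if not check_password(username, password):
        return None
    if cookie_sid:
        store.destroy(cookie_sid)    # harmless if the id was never issued
    sid = store.issue()
    store.get(sid).user = username   # only the fresh id is authenticated
    return sid


def fixation_check(login_fn: Callable[..., Optional[str]]) -> bool:
    """Return True if an id chosen before login still grants the
    authenticated session afterwards, i.e. the handler is fixable."""
    store = SessionStore()
    preset = "attacker-known-id"     # constructed value for the check
    login_fn(store, preset, "alice", USERS["alice"])
    sess = store.get(preset)
    return sess is not None and sess.user == "alice"


if __name__ == "__main__":
    print("vulnerable handler fixable:", fixation_check(vulnerable_login))
    print("hardened handler fixable:  ", fixation_check(hardened_login))
```

Two properties together close the hole: the store never turns an unknown cookie value into a session (`get` does not create, and the hardened path never calls `adopt`), and the id in circulation changes at login, so a value planted before authentication is worthless afterwards. The same check can be run against a real deployment by noting the session cookie before login and confirming it differs from the cookie issued once the login response arrives.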



EUVD-2026-40322 vulnerability details – vuln.today
