Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable but requires a prior authenticated session token (PR:L); limited confidentiality and integrity impact via session hijacking, no availability consequence.
Primary rating from Vendor (VulDB).
CVSS VectorVendor: VulDB
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A vulnerability was identified in SourceCodester Online Boat Reservation System 1.0. Affected by this vulnerability is an unknown functionality. Such manipulation leads to session expiration. It is possible to launch the attack remotely. The exploit is publicly available and might be used.
AnalysisAI
Insufficient session expiration in SourceCodester Online Boat Reservation System 1.0 allows a remote, low-privileged attacker to reuse a previously issued session token after it should have been invalidated, gaining unauthorized access to authenticated application functionality. The CWE-613 root cause indicates the application fails to properly terminate sessions on logout or timeout. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must possess a valid session token previously issued to a low-privileged authenticated user - this is the primary limiting condition. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 base score of 2.1 with vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N reflects a genuinely low-severity issue. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with a low-privileged account (or who has obtained a session token via a shared device or network interception) logs into the Online Boat Reservation System and captures their session cookie. After the legitimate user logs out, the attacker sends HTTP requests using the stale session token and gains continued access to the authenticated user's reservation data and application functions. … |
| Remediation | No vendor-released patch or official security advisory has been identified at the time of analysis. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
A vulnerability has been found in SourceCodester/code-projects Online Boat Reservation System 1.0 and classified as prob
Improper authorization across multiple administrative endpoints in SourceCodester Online Boat Reservation System 1.0 all
Same weakness CWE-613 – Insufficient Session Expiration
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41737
GHSA-4957-h36g-34j9