CWE-384 · Session Fixation
410 CVEs classified under CWE-384 (Session Fixation). Browse by severity and year.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2025-63224 | Critical | 10.0 | 2025-11-19 | The Itel DAB Encoder (IDEnc build 25aec8d) is vulnerable to Authentication Bypass due to improper JWT validation across devices. Attackers can reuse a valid JW… |
| CVE-2025-63216 | Critical | 10.0 | 2025-11-18 | The Itel DAB Gateway (IDGat build c041640a) is vulnerable to Authentication Bypass due to improper JWT validation across devices. Attackers can reuse a valid J… |
| CVE-2024-11317 | Critical | 10.0 | 2024-12-05 | Session Fixation vulnerabilities allow an attacker to fix a user's session identifier before login, providing an opportunity for session takeover on a product. … |
| CVE-2024-38513 | Critical | 10.0 | 2024-07-01 | Fiber is an Express-inspired web framework written in Go. A vulnerability present in versions prior to 2.52.5 is a session middleware issue in GoFiber versions… |
| CVE-2021-20151 | Critical | 10.0 | 2021-12-30 | Trendnet AC2600 TEW-827DRU version 2.08B01 contains a flaw in the session management for the device. The router's management software manages web sessions base… |
| CVE-2025-67446 | Critical | 9.8 | 2026-06-04 | Improper Authentication (Authentication Bypass) exists in Neterbit NW-431F Router 20241014-IR03 and before. The router uses a weak/predictable cookie value for… |
| CVE-2026-25101 | Critical | 9.8 | 2026-03-27 | Bludit allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behavior enable… |
| CVE-2026-24352 | Critical | 9.8 | 2026-02-27 | PluXml CMS allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour… |
| CVE-2026-23796 | Critical | 9.8 | 2026-02-05 | Quick.Cart allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour… |
| CVE-2025-59841 | Critical | 9.8 | 2025-09-25 | Flag Forge is a Capture The Flag (CTF) platform. In versions from 2.2.0 to before 2.3.1, the FlagForge web application improperly handles session invalidation… |
| CVE-2025-53102 | Critical | 9.8 | 2025-07-29 | Discourse is an open-source community discussion platform. Prior to version 3.4.7 on the `stable` branch and version 3.5.0.beta.8 on the `tests-passed` branch… |
| CVE-2025-52689 | Critical | 9.8 | 2025-07-16 | Successful exploitation of the vulnerability could allow an unauthenticated attacker to obtain a valid session ID with administrator privileges by spoofing the… |
| CVE-2025-45949 | Critical | 9.8 | 2025-04-28 | A critical vulnerability was found in PHPGurukul User Registration & Login and User Management System V3.3 in the /loginsystem/change-password.php file of the… |
| CVE-2025-28242 | Critical | 9.8 | 2025-04-18 | Improper session management in the /login_ok.htm endpoint of DAEnetIP4 METO v1.25 allows attackers to execute a session hijacking attack. |
| CVE-2025-28238 | Critical | 9.8 | 2025-04-18 | Improper session management in Elber REBLE310 Firmware v5.5.1.R, Equipment Model: REBLE310/RX10/4ASI allows attackers to execute a session hijacking attack. |
| CVE-2022-40916 | Critical | 9.8 | 2025-02-06 | Tiny File Manager v2.4.7 and below is vulnerable to session fixation. |
| CVE-2024-57052 | Critical | 9.8 | 2025-01-27 | An issue in youdiancms v.9.5.20 and before allows a remote attacker to escalate privileges via the sessionID parameter in the index.php file. |
| CVE-2024-13279 | Critical | 9.8 | 2025-01-09 | Session Fixation vulnerability in Drupal Two-factor Authentication (TFA) allows Session Fixation. This issue affects Two-factor Authentication (TFA): from 0.0.0… |
| CVE-2024-8643 | Critical | 9.8 | 2024-09-27 | Session Fixation vulnerability in Oceanic Software ValeApp allows Brute Force, Session Hijacking. This issue affects ValeApp: before v2.0.0. |
| CVE-2024-23679 | Critical | 9.8 | 2024-01-19 | Enonic XP versions less than 7.7.4 are vulnerable to a session fixation issue. A remote and unauthenticated attacker can use prior sessions due to the lack of… |