CWE-384 · Session Fixation

410 CVEs classified under CWE-384 (Session Fixation).

Top CVEs for CWE-384
CVE | Severity | Score | Published | Summary
CVE-2025-63224 | Critical | 10.0 | 2025-11-19 | The Itel DAB Encoder (IDEnc build 25aec8d) is vulnerable to Authentication Bypass due to improper JWT validation across devices. Attackers can reuse a valid JW…
CVE-2025-63216 | Critical | 10.0 | 2025-11-18 | The Itel DAB Gateway (IDGat build c041640a) is vulnerable to Authentication Bypass due to improper JWT validation across devices. Attackers can reuse a valid J…
CVE-2024-11317 | Critical | 10.0 | 2024-12-05 | Session Fixation vulnerabilities allow an attacker to fix a user's session identifier before login, providing an opportunity for session takeover on a product. …
CVE-2024-38513 | Critical | 10.0 | 2024-07-01 | Fiber is an Express-inspired web framework written in Go. A vulnerability present in versions prior to 2.52.5 is a session middleware issue in GoFiber versions…
CVE-2021-20151 | Critical | 10.0 | 2021-12-30 | Trendnet AC2600 TEW-827DRU version 2.08B01 contains a flaw in the session management for the device. The router's management software manages web sessions base…
CVE-2025-67446 | Critical | 9.8 | 2026-06-04 | Improper Authentication (Authentication Bypass) exists in Neterbit NW-431F Router 20241014-IR03 and before. The router uses a weak/predictable cookie value for…
CVE-2026-25101 | Critical | 9.8 | 2026-03-27 | Bludit allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behavior enable…
CVE-2026-24352 | Critical | 9.8 | 2026-02-27 | PluXml CMS allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour…
CVE-2026-23796 | Critical | 9.8 | 2026-02-05 | Quick.Cart allows a user's session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour…
CVE-2025-59841 | Critical | 9.8 | 2025-09-25 | Flag Forge is a Capture The Flag (CTF) platform. In versions from 2.2.0 to before 2.3.1, the FlagForge web application improperly handles session invalidation…
CVE-2025-53102 | Critical | 9.8 | 2025-07-29 | Discourse is an open-source community discussion platform. Prior to version 3.4.7 on the `stable` branch and version 3.5.0.beta.8 on the `tests-passed` branch…
CVE-2025-52689 | Critical | 9.8 | 2025-07-16 | Successful exploitation of the vulnerability could allow an unauthenticated attacker to obtain a valid session ID with administrator privileges by spoofing the…
CVE-2025-45949 | Critical | 9.8 | 2025-04-28 | A critical vulnerability was found in PHPGurukul User Registration & Login and User Management System V3.3 in the /loginsystem/change-password.php file of the…
CVE-2025-28242 | Critical | 9.8 | 2025-04-18 | Improper session management in the /login_ok.htm endpoint of DAEnetIP4 METO v1.25 allows attackers to execute a session hijacking attack.
CVE-2025-28238 | Critical | 9.8 | 2025-04-18 | Improper session management in Elber REBLE310 Firmware v5.5.1.R, Equipment Model: REBLE310/RX10/4ASI allows attackers to execute a session hijacking attack.
CVE-2022-40916 | Critical | 9.8 | 2025-02-06 | Tiny File Manager v2.4.7 and below is vulnerable to session fixation.
CVE-2024-57052 | Critical | 9.8 | 2025-01-27 | An issue in youdiancms v.9.5.20 and before allows a remote attacker to escalate privileges via the sessionID parameter in the index.php file.
CVE-2024-13279 | Critical | 9.8 | 2025-01-09 | Session Fixation vulnerability in Drupal Two-factor Authentication (TFA) allows Session Fixation. This issue affects Two-factor Authentication (TFA): from 0.0.0…
CVE-2024-8643 | Critical | 9.8 | 2024-09-27 | Session Fixation vulnerability in Oceanic Software ValeApp allows Brute Force, Session Hijacking. This issue affects ValeApp: before v2.0.0.
CVE-2024-23679 | Critical | 9.8 | 2024-01-19 | Enonic XP versions less than 7.7.4 are vulnerable to a session fixation issue. A remote and unauthenticated attacker can use prior sessions due to the lack of…