CWE-613 · Insufficient Session Expiration

549 CVEs classified under CWE-613 (Insufficient Session Expiration). Browse by severity and year.

Top CVEs for CWE-613
| CVE | Severity | Score | Published | Summary |
| --- | --- | --- | --- | --- |
| CVE-2024-8888 | Critical | 10.0 | 2024-09-18 | An attacker with access to the network where CIRCUTOR Q-SMT is located in its firmware version 1.0.4, could steal the tokens used on the web, since these have… |
| CVE-2026-21622 | Critical | 9.8 | 2026-03-05 | Insufficient Session Expiration vulnerability in hexpm hexpm/hexpm ('Elixir.Hexpm.Accounts.PasswordReset' module) allows Account Takeover. Password reset toke… |
| CVE-2025-59786 | Critical | 9.8 | 2026-03-04 | 2N Access Commander version 3.4.2 and prior improperly invalidates session tokens, allowing multiple session cookies to remain active after logout in web appli… |
| CVE-2026-26342 | Critical | 9.8 | 2026-02-24 | Tattile Smart+, Vega, and Basic device families firmware versions 1.181.5 and prior implement an authentication token (X-User-Token) with insufficient expirati… |
| CVE-2026-1435 | Critical | 9.8 | 2026-02-18 | Not properly invalidated session vulnerability in Graylog Web Interface, version 2.2.3, due to incorrect management of session invalidation after new logins. T… |
| CVE-2024-13996 | Critical | 9.8 | 2025-10-30 | Nagios XI versions prior to 2024R1.1.3 did not invalidate all other active sessions for a user when that user's password was changed. As a result, any pre-exis… |
| CVE-2025-54592 | Critical | 9.8 | 2025-09-29 | FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below do not properly terminate the session during logout. After a user logs out, the ses… |
| CVE-2025-59841 | Critical | 9.8 | 2025-09-25 | Flag Forge is a Capture The Flag (CTF) platform. In versions from 2.2.0 to before 2.3.1, the FlagForge web application improperly handles session invalidation… |
| CVE-2025-53826 | Critical | 9.8 | 2025-07-15 | File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename, and edit files. In version… |
| CVE-2024-13280 | Critical | 9.8 | 2025-01-09 | Insufficient Session Expiration vulnerability in Drupal Persistent Login allows Forceful Browsing. This issue affects Persistent Login: from 0.0.0 before 1.8.0… |
| CVE-2024-43685 | Critical | 9.8 | 2024-10-04 | Improper Authentication vulnerability in Microchip TimeProvider 4100 (login modules) allows Session Hijacking. This issue affects TimeProvider 4100: from 1.0 be… |
| CVE-2024-42447 | Critical | 9.8 | 2024-08-05 | Insufficient Session Expiration vulnerability in Apache Airflow Providers FAB. This issue affects Apache Airflow Providers FAB: 1.2.1 (when used with Apache A… |
| CVE-2024-29401 | Critical | 9.8 | 2024-03-26 | xzs-mysql 3.8 is vulnerable to Insufficient Session Expiration, which allows attackers to use the session of a deleted admin to do anything. |
| CVE-2024-25718 | Critical | 9.8 | 2024-02-11 | In the Samly package before 1.4.0 for Elixir, Samly.State.Store.get_assertion/3 can return an expired session, which interferes with access control because Sam… |
| CVE-2023-5865 | Critical | 9.8 | 2023-10-31 | Insufficient Session Expiration in GitHub repository thorsten/phpmyfaq prior to 3.2.2. |
| CVE-2023-5838 | Critical | 9.8 | 2023-10-29 | Insufficient Session Expiration in GitHub repository linkstackorg/linkstack prior to v4.2.9. |
| CVE-2023-4005 | Critical | 9.8 | 2023-07-31 | Insufficient Session Expiration in GitHub repository fossbilling/fossbilling prior to 0.5.5. |
| CVE-2023-35857 | Critical | 9.8 | 2023-06-19 | In Siren Investigate before 13.2.2, session keys remain active even after logging out. |
| CVE-2023-1788 | Critical | 9.8 | 2023-04-05 | Insufficient Session Expiration in GitHub repository firefly-iii/firefly-iii prior to 6. |
| CVE-2022-36179 | Critical | 9.8 | 2022-11-22 | Fusiondirectory 1.3 suffers from Improper Session Handling. |