CWE-613 · Insufficient Session Expiration
549 CVEs classified under CWE-613 (Insufficient Session Expiration). Browse by severity and year.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2024-8888 | Critical | 10.0 | 2024-09-18 | An attacker with access to the network where CIRCUTOR Q-SMT is located in its firmware version 1.0.4, could steal the tokens used on the web, since these have… |
| CVE-2026-21622 | Critical | 9.8 | 2026-03-05 | Insufficient Session Expiration vulnerability in hexpm hexpm/hexpm ('Elixir.Hexpm.Accounts.PasswordReset' module) allows Account Takeover. Password reset toke… |
| CVE-2025-59786 | Critical | 9.8 | 2026-03-04 | 2N Access Commander version 3.4.2 and prior improperly invalidates session tokens, allowing multiple session cookies to remain active after logout in web appli… |
| CVE-2026-26342 | Critical | 9.8 | 2026-02-24 | Tattile Smart+, Vega, and Basic device families firmware versions 1.181.5 and prior implement an authentication token (X-User-Token) with insufficient expirati… |
| CVE-2026-1435 | Critical | 9.8 | 2026-02-18 | Not properly invalidated session vulnerability in Graylog Web Interface, version 2.2.3, due to incorrect management of session invalidation after new logins. T… |
| CVE-2024-13996 | Critical | 9.8 | 2025-10-30 | Nagios XI versions prior to 2024R1.1.3 did not invalidate all other active sessions for a user when that user's password was changed. As a result, any pre-exis… |
| CVE-2025-54592 | Critical | 9.8 | 2025-09-29 | FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below do not properly terminate the session during logout. After a user logs out, the ses… |
| CVE-2025-59841 | Critical | 9.8 | 2025-09-25 | Flag Forge is a Capture The Flag (CTF) platform. In versions from 2.2.0 to before 2.3.1, the FlagForge web application improperly handles session invalidation… |
| CVE-2025-53826 | Critical | 9.8 | 2025-07-15 | File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename, and edit files. In version… |
| CVE-2024-13280 | Critical | 9.8 | 2025-01-09 | Insufficient Session Expiration vulnerability in Drupal Persistent Login allows Forceful Browsing. This issue affects Persistent Login: from 0.0.0 before 1.8.0… |
| CVE-2024-43685 | Critical | 9.8 | 2024-10-04 | Improper Authentication vulnerability in Microchip TimeProvider 4100 (login modules) allows Session Hijacking. This issue affects TimeProvider 4100: from 1.0 be… |
| CVE-2024-42447 | Critical | 9.8 | 2024-08-05 | Insufficient Session Expiration vulnerability in Apache Airflow Providers FAB. This issue affects Apache Airflow Providers FAB: 1.2.1 (when used with Apache A… |
| CVE-2024-29401 | Critical | 9.8 | 2024-03-26 | xzs-mysql 3.8 is vulnerable to Insufficient Session Expiration, which allows attackers to use the session of a deleted admin to do anything. |
| CVE-2024-25718 | Critical | 9.8 | 2024-02-11 | In the Samly package before 1.4.0 for Elixir, Samly.State.Store.get_assertion/3 can return an expired session, which interferes with access control because Sam… |
| CVE-2023-5865 | Critical | 9.8 | 2023-10-31 | Insufficient Session Expiration in GitHub repository thorsten/phpmyfaq prior to 3.2.2. |
| CVE-2023-5838 | Critical | 9.8 | 2023-10-29 | Insufficient Session Expiration in GitHub repository linkstackorg/linkstack prior to v4.2.9. |
| CVE-2023-4005 | Critical | 9.8 | 2023-07-31 | Insufficient Session Expiration in GitHub repository fossbilling/fossbilling prior to 0.5.5. |
| CVE-2023-35857 | Critical | 9.8 | 2023-06-19 | In Siren Investigate before 13.2.2, session keys remain active even after logging out. |
| CVE-2023-1788 | Critical | 9.8 | 2023-04-05 | Insufficient Session Expiration in GitHub repository firefly-iii/firefly-iii prior to 6. |
| CVE-2022-36179 | Critical | 9.8 | 2022-11-22 | Fusiondirectory 1.3 suffers from Improper Session Handling. |