Total
472 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2025-4677 | 2026-01-08 | N/A | 6.5 MEDIUM | ||
|
Insufficient Session Expiration vulnerability in ABB WebPro SNMP Card PowerValue, ABB WebPro SNMP Card PowerValue UL.This issue affects WebPro SNMP Card PowerValue: through 1.1.8.K; WebPro SNMP Card PowerValue UL: through 1.1.8.K.
|
|||||
| CVE-2025-62329 | 1 Hcltechsw | 2 Hcl Devops Deploy, Hcl Launch | 2026-01-07 | N/A | 5.0 MEDIUM |
|
HCL DevOps Deploy / HCL Launch is susceptible to a race condition in http-session client-IP binding enforcement which may allow a session to be briefly reused from a new IP address before it is invalidated. This could lead to unauthorized access under certain network conditions.
|
|||||
| CVE-2025-55254 | 1 Hcltechsw | 2 Hcl Devops Deploy, Hcl Launch | 2026-01-06 | N/A | 3.7 LOW |
|
Improper management of Path-relative stylesheet import in HCL BigFix Remote Control Lite Web Portal (versions 10.1.0.0326 and lower) may allow to execute malicious code in certain web pages.
|
|||||
| CVE-2021-47740 | 2025-12-31 | N/A | 7.5 HIGH | ||
|
KZTech JT3500V 4G LTE CPE 2.0.1 contains a session management vulnerability that allows attackers to reuse old session credentials without proper expiration. Attackers can exploit the weak session handling to maintain unauthorized access and potentially compromise device authentication mechanisms.
|
|||||
| CVE-2025-56643 | 1 Requarks | 1 Wiki.js | 2025-12-31 | N/A | 9.1 CRITICAL |
|
Requarks Wiki.js 2.5.307 does not properly revoke or invalidate active JWT tokens when a user logs out. As a result, previously issued tokens remain valid and can be reused to access the system, even after logout. This behavior affects session integrity and may allow unauthorized access if a token is compromised. The issue is present in the authentication resolver logic and affects both the GraphQL endpoint and the logout mechanism.
|
|||||
| CVE-2024-21492 | 1 Authcrunch | 1 Caddy-security | 2025-12-23 | N/A | 4.8 MEDIUM |
|
All versions of the package github.com/greenpau/caddy-security are vulnerable to Insufficient Session Expiration due to improper user session invalidation upon clicking the "Sign Out" button. User sessions remain valid even after requests are sent to /logout and /oauth2/google/logout. Attackers who gain access to an active but supposedly logged-out session can perform unauthorized actions on behalf of the user.
|
|||||
| CVE-2025-65883 | 1 Genexis | 2 Platinum 4410, Platinum 4410 Firmware | 2025-12-23 | N/A | 8.4 HIGH |
|
A vulnerability has been identified in Genexis Platinum P4410 router (Firmware P4410-V2–1.41) that allows a local network attacker to achieve Remote Code Execution (RCE) with root privileges. The issue occurs due to improper session invalidation after administrator logout. When an administrator logs out, the session token remains valid. An attacker on the local network can reuse this stale token to send crafted requests via the router’s diagnostic endpoint, resulting in command execution as root ...
Show More |
|||||
| CVE-2025-12110 | 2025-12-19 | N/A | 5.4 MEDIUM | ||
|
A flaw was found in Keycloak. An offline session continues to be valid when the offline_access scope is removed from the client. The refresh token is accepted and you can continue to request new tokens for the session. As it can lead to a situation where an administrator removes the scope, and assumes that offline sessions are no longer available, but they are.
|
|||||
| CVE-2025-11429 | 2025-12-19 | N/A | 5.4 MEDIUM | ||
|
A flaw was found in Keycloak. Keycloak does not immediately enforce the disabling of the "Remember Me" realm setting on existing user sessions. Sessions created while "Remember Me" was active retain their extended session lifetime until they expire, overriding the administrator's recent security configuration change. This is a logic flaw in session management increases the potential window for successful session hijacking or unauthorized long-term access persistence. The flaw lies in the session ...
Show More |
|||||
| CVE-2025-11699 | 1 Nopcommerce | 1 Nopcommerce | 2025-12-19 | N/A | 7.1 HIGH |
|
nopCommerce v4.70 and prior, and version 4.80.3, does not invalidate session cookies after logout or session termination, allowing an attacker who has a
a valid session cookie access to privileged endpoints (such as /admin) even after the legitimate user has logged out, enabling session hijacking. Any version above 4.70 that is not 4.80.3 fixes the vulnerability.
|
|||||
| CVE-2025-36360 | 1 Ibm | 2 Devops Deploy, Urbancode Deploy | 2025-12-18 | N/A | 5.0 MEDIUM |
|
IBM UCD - IBM UrbanCode Deploy 7.1 through 7.1.2.27, 7.2 through 7.2.3.20, and 7.3 through 7.3.2.15 and IBM UCD - IBM DevOps Deploy 8.0 through 8.0.1.10, and 8.1 through 8.1.2.3 is susceptible to a race condition in http-session client-IP binding enforcement which may allow a session to be briefly reused from a new IP address before it is invalidated, potentially enabling unauthorized access under certain network conditions.
|
|||||
| CVE-2025-43819 | 1 Liferay | 2 Digital Experience Platform, Liferay Portal | 2025-12-15 | N/A | 6.5 MEDIUM |
|
A Insufficient Session Expiration vulnerability in the Liferay Portal 7.4.3.121 through 7.3.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.3, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, and 2024.Q1.1 through 2024.Q1.12 is allow an remote non-authenticated attacker to reuse old user session by SLO API
|
|||||
| CVE-2023-25562 | 1 Datahub | 1 Datahub | 2025-12-03 | N/A | 6.9 MEDIUM |
|
DataHub is an open-source metadata platform. In versions of DataHub prior to 0.8.45 Session cookies are only cleared on new sign-in events and not on logout events. Any authentication checks using the `AuthUtils.hasValidSessionCookie()` method could be bypassed by using a cookie from a logged out session, as a result any logged out session cookie may be accepted as valid and therefore lead to an authentication bypass to the system. Users are advised to upgrade. There are no known workarounds for ...
Show More |
|||||
| CVE-2025-66289 | 1 Orangehrm | 1 Orangehrm | 2025-12-03 | N/A | 8.8 HIGH |
|
OrangeHRM is a comprehensive human resource management (HRM) system. From version 5.0 to 5.7, the application does not invalidate existing sessions when a user is disabled or when a password change occurs, allowing active session cookies to remain valid indefinitely. As a result, a disabled user, or an attacker using a compromised account, can continue to access protected pages and perform operations as long as a prior session remains active. Because the server performs no session revocation or ...
Show More |
|||||
| CVE-2025-53896 | 1 Accellion | 1 Kiteworks Managed File Transfer | 2025-12-02 | N/A | 7.1 HIGH |
|
Kiteworks MFT orchestrates end-to-end file transfer workflows. Prior to version 9.1.0, a bug in Kiteworks MFT could cause under certain circumstances that a user's active session would not properly time out due to inactivity. This issue has been patched in version 9.1.0.
|
|||||
| CVE-2025-66223 | 2025-12-01 | N/A | N/A | ||
|
OpenObserve is a cloud-native observability platform. Prior to version 0.16.0, organization invitation tokens do not expire once issued, remain valid even after the invited user is removed from the organization, and allow multiple invitations to the same email with different roles where all issued links remain valid simultaneously. This results in broken access control where a removed or demoted user can regain access or escalate privileges. This issue has been patched in version 0.16.0.
|
|||||
| CVE-2025-64708 | 1 Goauthentik | 1 Authentik | 2025-11-20 | N/A | 5.8 MEDIUM |
|
authentik is an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, in previous authentik versions, invitations were considered valid regardless if they are expired or not, thus relying on background tasks to clean up expired ones. In a normal scenario this can take up to 5 minutes because the cleanup of expired objects is scheduled to run every 5 minutes. However, with a large amount of tasks in the backlog, this might take longer. authentik versions 2025.8.5 and 2025.10.2 ...
Show More |
|||||
| CVE-2025-4528 | 1 Digitro | 1 Ngc Explorer | 2025-11-10 | 4.0 MEDIUM | 4.3 MEDIUM |
|
A vulnerability was found in Dígitro NGC Explorer up to 3.44.15 and classified as problematic. This issue affects some unknown processing. The manipulation leads to session expiration. The attack may be initiated remotely. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-12278 | 1 Azure-access | 4 Blu-ic2, Blu-ic2 Firmware, Blu-ic4 and 1 more | 2025-11-10 | N/A | 6.5 MEDIUM |
|
Logout Functionality not Working.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5.
|
|||||
| CVE-2025-55278 | 2025-11-06 | N/A | 8.1 HIGH | ||
|
Improper authentication in the API authentication middleware of HCL DevOps Loop allows authentication tokens to be accepted without proper validation of their expiration and cryptographic signature. As a result, an attacker could potentially use expired or tampered tokens to gain unauthorized access to sensitive resources and perform actions with elevated privileges.
|
|||||
| CVE-2024-13996 | 1 Nagios | 1 Nagios Xi | 2025-11-06 | N/A | 9.8 CRITICAL |
|
Nagios XI versions prior to 2024R1.1.3 did not invalidate all other active sessions for a user when that user's password was changed. As a result, any pre-existing sessions (including those potentially controlled by an attacker) remained valid after a credential update. This insufficient session expiration could allow continued unauthorized access to user data and actions even after a password change.
|
|||||
| CVE-2024-36041 | 1 Kde | 1 Plasma-workspace | 2025-11-04 | N/A | 7.8 HIGH |
|
KSmserver in KDE Plasma Workspace (aka plasma-workspace) before 5.27.11.1 and 6.x before 6.0.5.1 allows connections via ICE based purely on the host, i.e., all local connections are accepted. This allows another user on the same machine to gain access to the session manager, e.g., use the session-restore feature to execute arbitrary code as the victim (on the next boot) via earlier use of the /tmp directory.
|
|||||
| CVE-2023-49935 | 1 Schedmd | 1 Slurm | 2025-11-04 | N/A | 8.8 HIGH |
|
An issue was discovered in SchedMD Slurm 23.02.x and 23.11.x. There is Incorrect Access Control because of a slurmd Message Integrity Bypass. An attacker can reuse root-level authentication tokens during interaction with the slurmd process. This bypasses the RPC message hashes that protect against undesired MUNGE credential reuse. The fixed versions are 23.02.7 and 23.11.1.
|
|||||
| CVE-2025-62781 | 1 Thm | 1 Pilos | 2025-11-04 | N/A | 5.0 MEDIUM |
|
PILOS (Platform for Interactive Live-Online Seminars) is a frontend for BigBlueButton. Prior to 4.8.0, users with a local account can change their password while logged in. When doing so, all other active sessions are terminated, except for the currently active one. However, the current session’s token remains valid and is not refreshed. If an attacker has previously obtained this session token through another vulnerability, changing the password will not invalidate their access. As a result, th ...
Show More |
|||||
| CVE-2025-64386 | 2025-11-04 | N/A | N/A | ||
|
The
equipment grants a JWT token for each connection in the timeline, but during an
active valid session, a hijacking of the token can be done. This will allow an
attacker with the token modify parameters of security, access or even steal the
session without
the legitimate and active session detecting it. The web server allows the
attacker to reuse an old session JWT token while the legitimate session is
active.
|
|||||
| CVE-2025-54547 | 2025-10-30 | N/A | 5.3 MEDIUM | ||
|
On affected platforms, if SSH session multiplexing was configured on the client side, SSH sessions (e.g, scp, sftp) multiplexed onto the same channel could perform file-system operations after a configured session timeout expired
|
|||||
| CVE-2024-41985 | 1 Siemens | 1 Opcenter Quality | 2025-10-22 | N/A | 2.6 LOW |
|
A vulnerability has been identified in SmartClient modules Opcenter QL Home (SC) (All versions >= V13.2 < V2506), SOA Audit (All versions >= V13.2 < V2506), SOA Cockpit (All versions >= V13.2 < V2506). The affected application does not expire the session without logout. This could allow an attacker to get unauthorized access if the session is left idle.
|
|||||
| CVE-2025-48929 | 1 Smarsh | 1 Telemessage | 2025-10-22 | N/A | 4.0 MEDIUM |
|
The TeleMessage service through 2025-05-05 implements authentication through a long-lived credential (e.g., not a token with a short expiration time) that can be reused at a later date if discovered by an adversary.
|
|||||
| CVE-2025-3930 | 2025-10-22 | N/A | N/A | ||
|
Strapi uses JSON Web Tokens (JWT) for authentication. After logout or account deactivation, the JWT is not invalidated, which allows an attacker who has stolen or intercepted the token to freely reuse it until its expiration date (which is set to 30 days by default, but can be changed).
The existence of /admin/renew-token endpoint allows anyone to renew near-expiration tokens indefinitely, further increasing the impact of this attack.
This issue has been fixed in version 5.24.1.
|
|||||
| CVE-2025-62174 | 1 Joinmastodon | 1 Mastodon | 2025-10-20 | N/A | 3.5 LOW |
|
Mastodon is a free, open-source social network server based on ActivityPub. In Mastodon before 4.4.6, 4.3.14, and 4.2.27, when an administrator resets a user account's password via the command-line interface using `bin/tootctl accounts modify --reset-password`, active sessions and access tokens for that account are not revoked. This allows an attacker with access to a previously compromised session or token to continue using the account after the password has been reset. This issue has been pat ...
Show More |
|||||
| CVE-2025-58437 | 1 Coder | 1 Coder | 2025-10-17 | N/A | 8.1 HIGH |
|
Coder allows organizations to provision remote development environments via Terraform. In versions 2.22.0 through 2.24.3, 2.25.0 and 2.25.1, Coder can be compromised through insecure session handling in prebuilt workspaces. Coder automatically generates a session token for a user when a workspace is started. It is automatically exposed via coder_workspace_owner.session_token. Prebuilt workspaces are initially owned by a built-in prebuilds system user. When a prebuilt workspace is claimed, a new ...
Show More |
|||||
| CVE-2024-33507 | 1 Fortinet | 1 Fortiisolator | 2025-10-15 | N/A | 7.4 HIGH |
|
An insufficient session expiration vulnerability [CWE-613] and an incorrect authorization vulnerability [CWE-863] in FortiIsolator 2.4.0 through 2.4.4, 2.3 all versions, 2.2.0, 2.1 all versions, 2.0 all versions authentication mechanism may allow remote unauthenticated attacker to deauthenticate logged in admins via crafted cookie and remote authenticated read-only attacker to gain write privilege via crafted cookie.
|
|||||
| CVE-2025-25252 | 1 Fortinet | 1 Fortios | 2025-10-15 | N/A | 4.8 MEDIUM |
|
An Insufficient Session Expiration vulnerability [CWE-613] in FortiOS SSL VPN 7.6.0 through 7.6.2, 7.4.0 through 7.4.6, 7.2.0 through 7.2.10, 7.0.0 through 7.0.16, 6.4 all versions may allow a remote attacker (e.g. a former admin whose account was removed and whose session was terminated) in possession of the SAML record of a user session to access or re-open that session via re-use of SAML record.
|
|||||
| CVE-2024-52311 | 1 Amazon | 1 Data.all | 2025-10-14 | N/A | 6.3 MEDIUM |
|
Authentication tokens issued via Cognito in data.all are not invalidated on log out, allowing for previously authenticated user to continue execution of authorized API Requests until token is expired.
|
|||||
| CVE-2025-61775 | 2025-10-14 | N/A | N/A | ||
|
Vickey is a Misskey-based microblogging platform. A vulnerability exists in Vickey prior to version 2025.10.0 where unexpired email confirmation links can be reused multiple times to send repeated confirmation emails to a verified email address. Under certain conditions, a verified email address could receive repeated confirmation messages if the verification link was accessed multiple times. This issue may result in unintended email traffic but does not expose user data. The issue was addressed ...
Show More |
|||||
| CVE-2024-45187 | 1 Mage | 1 Mage-ai | 2025-10-10 | N/A | 7.1 HIGH |
|
Guest users in the Mage AI framework that remain logged in after their accounts are deleted, are mistakenly given high privileges and specifically given access to remotely execute arbitrary code through the Mage AI terminal server
|
|||||
| CVE-2025-31952 | 1 Hcltech | 1 Dryice Iautomate | 2025-10-10 | N/A | 7.1 HIGH |
|
HCL iAutomate is affected by an insufficient session expiration. This allows tokens to remain valid indefinitely unless manually revoked, increasing the risk of unauthorized access.
|
|||||
| CVE-2025-59841 | 1 Flagforge | 1 Flagforge | 2025-10-08 | N/A | 9.8 CRITICAL |
|
Flag Forge is a Capture The Flag (CTF) platform. In versions from 2.2.0 to before 2.3.1, the FlagForge web application improperly handles session invalidation. Authenticated users can continue to access protected endpoints, such as /api/profile, even after logging out. CSRF tokens are also still valid post-logout, which can allow unauthorized actions. This issue has been patched in version 2.3.1.
|
|||||
| CVE-2025-10223 | 1 Axxonsoft | 1 Axxon One | 2025-10-08 | N/A | 5.4 MEDIUM |
|
Insufficient Session Expiration (CWE-613) in the Web Admin Panel in AxxonSoft Axxon One (C-Werk) prior to 2.0.3 on Windows allows a local or remote authenticated attacker to retain access with removed privileges via continued use of an unexpired session token until natural expiration.
|
|||||
| CVE-2023-49881 | 1 Ibm | 1 Transformation Extender Advanced | 2025-10-03 | N/A | 6.3 MEDIUM |
|
IBM Transformation Extender Advanced 10.0.1
does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system.
|
|||||