127 matches found
CVE-2026-9097 CVE-2026-9097
Casdoor versions 2.362.0 and earlier do not verify that a JWT used for token exchange is still active. The GetTokenExchangeToken function in object/tokenoauth.go validates the JWT signature and parses its claims, but never queries the Token table to verify whether the subject token has been revok...
CVE-2026-9097
CVE-2026-9097 affects Casdoor
CVE-2026-40587 blueprintUE: Active Sessions Are Not Invalidated After Password Change or Reset
blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, when a user changes their password via the profile edit page, or when a password reset is completed via the reset link, neither operation invalidates existing authenticated sessions for that user. A server-side session store...
CVE-2026-40587
CVE-2026-40587 affects blueprintUE. Before 4.2.0, changing a password or completing a password reset does not invalidate existing sessions; server-side session store maps userID to sessions, and password updates modify only the users table, leaving active sessions usable. Result: an attacker with...
CVE-2026-34570
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to immediately revoke active user sessions when an account is deleted. Due to a logic flaw in the backend...
listmonk's active sessions remain valid after password reset and password change
Summary A session management vulnerability allows previously issued authenticated sessions to remain valid after sensitive account security changes, specifically password reset and password change. As a result, an attacker who has already obtained a valid session cookie can retain access to the...
GHSA-H5J9-CVRW-V5QH listmonk's active sessions remain valid after password reset and password change
Summary A session management vulnerability allows previously issued authenticated sessions to remain valid after sensitive account security changes, specifically password reset and password change. As a result, an attacker who has already obtained a valid session cookie can retain access to the...
GHSA-2PR2-HCV6-7GWV OpenClaw's device removal and token revocation do not terminate active WebSocket sessions
Summary Removing a device or revoking its token updated stored credentials but did not disconnect already-authenticated WebSocket sessions. Impact A revoked device could continue using its existing live session until reconnect, extending access beyond credential removal. Affected Component...
CVE-2026-30969 Coral Server has insufficient agent authentication in session communication channels
Coral Server is open collaboration infrastructure that enables communication, coordination, trust and payments for The Internet of Agents. Prior to 1.1.0, Coral Server did not enforce strong authentication between agents and the server within an active session. This could allow an attacker who...
CVE-2026-30969
CVE-2026-30969 affects Coral Server. Prior to 1.1.0, the service did not enforce strong authentication within an active session between agents and the server, allowing an attacker who obtained or predicted a session identifier to impersonate an agent or join a session. The issue is fixed in 1.1.0...
Rancher's Azure AD permission changes are not reflected on active sessions
A bug has been identified in which permission changes in Azure AD are not reflected to users while they are logged in the Rancher UI. This would cause the users to retain their previous permissions in Rancher, even if they change groups on Azure AD, for example, to a lower privileged group, or ar...
CVE-2026-26953
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions 6.0 and above have a Stored HTML Injection vulnerability in the active sessions table located on the API settings page, allowing an attacker with valid credentia...
CVE-2026-26953
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions 6.0 and above have a Stored HTML Injection vulnerability in the active sessions table located on the API settings page, allowing an attacker with valid credentia...
CVE-2026-26953
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions 6.0 and above have a Stored HTML Injection vulnerability in the active sessions table located on the API settings page, allowing an attacker with valid credentia...
CVE-2026-26953 Pi-hole Web Interface has Stored HTML Injection via X-Forwarded-For Header in Active Sessions Table
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions 6.0 and above have a Stored HTML Injection vulnerability in the active sessions table located on the API settings page, allowing an attacker with valid credentia...
CVE-2026-26953 Pi-hole Web Interface has Stored HTML Injection via X-Forwarded-For Header in Active Sessions Table
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions 6.0 and above have a Stored HTML Injection vulnerability in the active sessions table located on the API settings page, allowing an attacker with valid credentia...
CVE-2026-26953
Pi-hole Admin Interface (web UI for Pi-hole) versions 6.0+ expose a Stored HTML Injection in the active sessions table of the API settings page. The vulnerability arises because the rowCallback reads data.x_forwarded_for and directly concatenates it into HTML inserted via jQuery .html(), allowing...
CVE-2026-26953 Pi-hole Web Interface has Stored HTML Injection via X-Forwarded-For Header in Active Sessions Table
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions 6.0 and above have a Stored HTML Injection vulnerability in the active sessions table located on the API settings page, allowing an attacker with valid credentia...
PT-2026-20961
Name of the Vulnerable Software and Affected Versions Pi-hole versions 6.0 through 6.4.0 Description Pi-hole Admin Interface, a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application, contains a Stored HTML Injection issue in the active sessions table on...
CVE-2026-24667 Open eClass's Active Sessions Not Invalidated After Password Change Allow Persistent Account Access
The Open eClass platform formerly known as GUnet eClass is a complete course management system. Prior to version 4.2, failure to invalidate active user sessions after a password change allows existing session tokens to remain valid, potentially enabling unauthorized continued access to user...