CVE-2026-9097 CVE-2026-9097

Casdoor versions 2.362.0 and earlier do not verify that a JWT used for token exchange is still active. The GetTokenExchangeToken function in object/tokenoauth.go validates the JWT signature and parses its claims, but never queries the Token table to verify whether the subject token has been revok...

CVE-2026-9097

CVE-2026-9097 affects Casdoor

CVE-2026-40587 blueprintUE: Active Sessions Are Not Invalidated After Password Change or Reset

blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, when a user changes their password via the profile edit page, or when a password reset is completed via the reset link, neither operation invalidates existing authenticated sessions for that user. A server-side session store...

CVE-2026-40587

CVE-2026-40587 affects blueprintUE. Before 4.2.0, changing a password or completing a password reset does not invalidate existing sessions; server-side session store maps userID to sessions, and password updates modify only the users table, leaving active sessions usable. Result: an attacker with...

CVE-2026-34570

CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.0.0, the application fails to immediately revoke active user sessions when an account is deleted. Due to a logic flaw in the backend...

listmonk's active sessions remain valid after password reset and password change

Summary A session management vulnerability allows previously issued authenticated sessions to remain valid after sensitive account security changes, specifically password reset and password change. As a result, an attacker who has already obtained a valid session cookie can retain access to the...

GHSA-H5J9-CVRW-V5QH listmonk's active sessions remain valid after password reset and password change

Summary A session management vulnerability allows previously issued authenticated sessions to remain valid after sensitive account security changes, specifically password reset and password change. As a result, an attacker who has already obtained a valid session cookie can retain access to the...

GHSA-2PR2-HCV6-7GWV OpenClaw's device removal and token revocation do not terminate active WebSocket sessions

Summary Removing a device or revoking its token updated stored credentials but did not disconnect already-authenticated WebSocket sessions. Impact A revoked device could continue using its existing live session until reconnect, extending access beyond credential removal. Affected Component...

CVE-2026-30969 Coral Server has insufficient agent authentication in session communication channels

Coral Server is open collaboration infrastructure that enables communication, coordination, trust and payments for The Internet of Agents. Prior to 1.1.0, Coral Server did not enforce strong authentication between agents and the server within an active session. This could allow an attacker who...

CVE-2026-30969

CVE-2026-30969 affects Coral Server prior to version 1.1.0, where active-session authentication between agents and the server was not enforced. An attacker who could obtain or predict a session identifier could impersonate an agent or join an existing session. The issue is resolved in version 1.1...

Rancher's Azure AD permission changes are not reflected on active sessions

A bug has been identified in which permission changes in Azure AD are not reflected to users while they are logged in the Rancher UI. This would cause the users to retain their previous permissions in Rancher, even if they change groups on Azure AD, for example, to a lower privileged group, or ar...

CVE-2026-26953

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions 6.0 and above have a Stored HTML Injection vulnerability in the active sessions table located on the API settings page, allowing an attacker with valid credentia...

CVE-2026-26953

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions 6.0 and above have a Stored HTML Injection vulnerability in the active sessions table located on the API settings page, allowing an attacker with valid credentia...

CVE-2026-26953

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions 6.0 and above have a Stored HTML Injection vulnerability in the active sessions table located on the API settings page, allowing an attacker with valid credentia...

CVE-2026-26953

Pi-hole Admin Interface (web UI for Pi-hole) versions 6.0+ expose a Stored HTML Injection in the active sessions table of the API settings page. The vulnerability arises because the rowCallback reads data.x_forwarded_for and directly concatenates it into HTML inserted via jQuery .html(), allowing...

CVE-2026-26953 Pi-hole Web Interface has Stored HTML Injection via X-Forwarded-For Header in Active Sessions Table

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions 6.0 and above have a Stored HTML Injection vulnerability in the active sessions table located on the API settings page, allowing an attacker with valid credentia...

CVE-2026-26953 Pi-hole Web Interface has Stored HTML Injection via X-Forwarded-For Header in Active Sessions Table

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions 6.0 and above have a Stored HTML Injection vulnerability in the active sessions table located on the API settings page, allowing an attacker with valid credentia...

CVE-2026-26953 Pi-hole Web Interface has Stored HTML Injection via X-Forwarded-For Header in Active Sessions Table

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions 6.0 and above have a Stored HTML Injection vulnerability in the active sessions table located on the API settings page, allowing an attacker with valid credentia...

PT-2026-20961

Name of the Vulnerable Software and Affected Versions Pi-hole versions 6.0 through 6.4.0 Description Pi-hole Admin Interface, a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application, contains a Stored HTML Injection issue in the active sessions table on...

CVE-2026-24667

CVE-2026-24667 concerns the Open eClass platform (formerly GUnet eClass). Before version 4.2, the system failed to invalidate active user sessions after a password change, allowing existing session tokens to remain usable and potentially granting unauthorized continued access to user accounts. Th...