
8 matches found

Snyk
added 2026/04/01 11:48 p.m., 1 view

Insufficient Session Expiration

Overview: Affected versions of this package are vulnerable to Insufficient Session Expiration due to the failure to revoke existing authenticated sessions after a password reset or password change process. An attacker can maintain unauthorized access to an account by reusing a previously obtained...

CVSS 7.1, AI score 5.8, EPSS 0.00014
Exploits 2, References 2

Vulnrichment
added 2026/03/27 6:22 p.m., 3 views

CVE-2026-26060 Fleet: Password reset tokens remain valid after password change for 24 hours

Fleet is open source device management software. Prior to 4.81.0, a vulnerability in Fleet’s password management logic could allow previously issued password reset tokens to remain valid after a user changes their password. As a result, a stale password reset token could be reused to reset the...

CVSS 6, AI score 5.8, EPSS 0.00019
Exploits 0, References 1

Github Security Blog
added 2026/03/27 6:17 p.m., 6 views

Fleet: Password reset tokens remain valid after password change for 24 hours

Summary: A vulnerability in Fleet’s password management logic could allow previously issued password reset tokens to remain valid after a user changes their password. As a result, a stale password reset token could be reused to reset the account password even after a defensive password change...

CVSS 8.8, AI score 5.9, EPSS 0.00019
Exploits 0, References 3, Affected Software 1

OSV
added 2026/03/27 6:17 p.m., 4 views

GHSA-3458-R943-HMX4 Fleet: Password reset tokens remain valid after password change for 24 hours

Summary: A vulnerability in Fleet’s password management logic could allow previously issued password reset tokens to remain valid after a user changes their password. As a result, a stale password reset token could be reused to reset the account password even after a defensive password change...

CVSS 6, AI score 5.9, EPSS 0.00019
Exploits 0, References 3

OSV
added 2026/02/25 10:2 p.m., 2 views

GHSA-3CCG-X393-96V8 Vijkunja has Weak Password Policy Combined with Persistent Sessions After Password Change

Summary: The application allows users to set weak passwords (e.g., 1234, password) without enforcing minimum strength requirements. Additionally, active sessions remain valid after a user changes their password. An attacker who compromises an account via brute-force or credential stuffing can mainta...

CVSS 9.1, AI score 5.5, EPSS 0.00022
Exploits 1, References 5

EUVD
added 2026/02/25 10:2 p.m., 4 views

EUVD-2026-8751

Vijkunja has Weak Password Policy Combined with Persistent Sessions After Password Change...

CVSS 9.1, AI score 5.3, EPSS 0.00022
Exploits 1, References 3

Vulnrichment
added 2025/09/22 4:13 p.m., 6 views

CVE-2025-59335 CubeCart Session Not Invalidated After Password Change

CubeCart is an ecommerce software solution. Prior to version 6.5.11, there is an absence of automatic session expiration following a user's password change. This oversight poses a security risk, as if a user forgets to log out from a location where they accessed their account, an unauthorized use...

CVSS 7.1, AI score 6.5, EPSS 0.00018
Exploits 1, References 3

RedHat Linux
added 2012/06/20 11:30 a.m., 2 views

rhds/389: plaintext password disclosure flaw

389 Directory Server before 1.2.11.6, aka Red Hat Directory Server before 8.2.10-3, after the password for an LDAP user has been changed and before the server has been reset, allows remote attackers to read the plaintext password via the unhasheduserpassword attribute...

CVSS 1.2, AI score 5.8, EPSS 0.00238
Exploits 0, References 4