Lucene search
K

564 matches found

CVE
CVE
added 2 days ago12 views

CVE-2025-36359

IBM DevOps Automation 1.0.1 and IBM DevOps Loop 1.0.2 does not invalidate session IDs after expiration which could allow an authenticated user to impersonate another user on the system...

8.1CVSS5.8AI score0.00201EPSS
Exploits0References1
EUVD
EUVD
added 2 days ago4 views

EUVD-2025-210374

IBM DevOps Automation 1.0.1 and IBM DevOps Loop 1.0.2 does not invalidate session IDs after expiration which could allow an authenticated user to impersonate another user on the system...

8.1CVSS5.8AI score0.00201EPSS
Exploits0References1
Cvelist
Cvelist
added 2 days ago30 views

CVE-2025-36359 IBM DevOps Loop is susceptible to an Insufficient Session Expiration vulnerability.

IBM DevOps Automation 1.0.1 and IBM DevOps Loop 1.0.2 does not invalidate session IDs after expiration which could allow an authenticated user to impersonate another user on the system...

8.1CVSS0.00201EPSS
Exploits0References1
EUVD
EUVD
added 6 days ago4 views

EUVD-2025-210341

Flowise before 3.0.10 affected versions 3.0.7 and earlier fails to invalidate existing sessions and session tokens after a user changes their password. An attacker who already holds an active session, for example via a stolen session token or a device left logged in, remains authenticated as the...

8.6CVSS5.9AI score0.00258EPSS
Exploits1References3
NVD
NVD
added last week5 views

CVE-2025-71335

Flowise before 3.0.10 affected versions 3.0.7 and earlier fails to invalidate existing sessions and session tokens after a user changes their password. An attacker who already holds an active session, for example via a stolen session token or a device left logged in, remains authenticated as the...

8.6CVSS0.00258EPSS
Exploits1References2
Cvelist
Cvelist
added last week19 views

CVE-2025-71335 Flowise - Session Invalidation Failure After Password Change

Flowise before 3.0.10 affected versions 3.0.7 and earlier fails to invalidate existing sessions and session tokens after a user changes their password. An attacker who already holds an active session, for example via a stolen session token or a device left logged in, remains authenticated as the...

8.6CVSS0.00258EPSS
Exploits1References2
CVE
CVE
added last week11 views

CVE-2025-71335

Flowise prior to version 3.0.10 is affected. Versions 3.0.7 and earlier do not invalidate existing sessions or session tokens after a user changes their password, allowing an attacker with an active session (e.g., via a stolen token or an already-logged-in device) to remain authenticated post-pas...

8.6CVSS5.9AI score0.00258EPSS
Exploits1References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/25 12:0 a.m.9 views

PT-2026-52614

Name of the Vulnerable Software and Affected Versions Flowise versions 3.0.0 through 3.0.7 Description Flowise fails to invalidate existing sessions and session tokens after a user changes their password. This allows an attacker who possesses an active session, such as through a stolen session...

8.6CVSS5.8AI score0.00258EPSS
Exploits1References4
NVD
NVD
added 2026/06/20 4:17 p.m.12 views

CVE-2026-56276

Flowise before 3.1.2 contains a mass assignment vulnerability in the PUT /api/v1/user endpoint that allows authenticated users to directly modify the credential field without validation. Attackers can bypass password change verification and session invalidation by supplying a crafted password has...

6CVSS0.00251EPSS
Exploits0References2
AstraLinux
AstraLinux
added 2026/06/19 11:10 a.m.6 views

Astra Linux – Vulnerability in Jetty9

For Eclipse Jetty versions = 9.4.40, = 10.0.2, and = 11.0.2, if an exception is thrown from the SessionListenersessionDestroyed method, then the session ID is not invalidated in the session ID manager. In deployments with clustered sessions and multiple contexts, this can result in a session not...

3.6CVSS6.3AI score0.00963EPSS
Exploits1References2
EUVD
EUVD
added 2026/06/08 2:51 p.m.11 views

EUVD-2026-35081

Bludit is a content management system. Versions prior to 3.22.0 have a Broken Access Control flaw where active sessions remain valid even after the corresponding user account has been physically deleted from the database. This "Ghost Session" allows revoked users to maintain full unauthorized...

8.8CVSS5.4AI score0.00294EPSS
Exploits0References3
RedhatCVE
RedhatCVE
added 2026/06/05 7:27 p.m.9 views

CVE-2026-40587

blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, when a user changes their password via the profile edit page, or when a password reset is completed via the reset link, neither operation invalidates existing authenticated sessions for that user. A server-side session store...

6.5CVSS5.5AI score0.00242EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/29 5:46 p.m.13 views

CVE-2026-44648 SillyTavern: Existing sessions are not invalidated after password change, allowing session reuse and account takeover

SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, SillyTavern relies on cookie-session for authentication, storing all session data user handle,...

7.5CVSS5.8AI score0.00394EPSS
Exploits1References1
Vulnrichment
Vulnrichment
added 2026/05/14 6:38 p.m.9 views

CVE-2026-22706 Strapi: Password Reset Does Not Revoke Existing Refresh Sessions

Strapi is an open source headless content management system. In Strapi versions prior to 5.33.3, changing or resetting a user's password did not invalidate the user's existing refresh-token sessions by default. The refresh-token invalidation step in the users-permissions and admin authentication...

2.1CVSS5.8AI score0.00272EPSS
Exploits0References1
RedhatCVE
RedhatCVE
added 2026/05/13 8:23 p.m.7 views

CVE-2026-44873

A session management vulnerability in AOS-8 allows previously authenticated users to retain network access after their accounts are administratively disabled. Existing sessions are not invalidated when credentials are revoked, enabling continued access until session expiration. An attacker with...

5.4CVSS5.7AI score0.00141EPSS
Exploits0References1
OSV
OSV
added 2026/05/12 10:23 p.m.6 views

GHSA-WMM3-H9QJ-P5V6 SillyTavern: Existing sessions are not invalidated after password change, allowing session reuse and account takeover

Summary Changing a user’s password does not invalidate existing sessions, allowing an attacker with a stolen cookie to retain access even after the victim resets their password. Details SillyTavern relies on cookie-session for authentication, storing all session data user handle, permissions in a...

7.5CVSS5.8AI score0.00394EPSS
Exploits1References4
Patchstack
Patchstack
added 2026/05/12 10:23 p.m.20 views

NPM: SillyTavern: Existing sessions are not invalidated after password change, allowing session reuse and account takeover

NPM: SillyTavern: Existing sessions are not invalidated after password change, allowing session reuse and account takeover vulnerability discovered by ? in WordPress Npm sillytavern versions = 1.17.0...

5.8AI score0.00394EPSS
Exploits1References3Affected Software1
CVE
CVE
added 2026/05/12 7:19 p.m.16 views

CVE-2026-44873

The CVE-2026-44873 entry describes a session-management vulnerability in the AOS-8 Operating System. Affected software: AOS-8. Vulnerable condition: existing authenticated sessions are not invalidated when credentials are revoked or accounts are administratively disabled, allowing continued netwo...

5.4CVSS5.7AI score0.00141EPSS
Exploits0References1Affected Software1
Vulnrichment
Vulnrichment
added 2026/05/12 7:19 p.m.10 views

CVE-2026-44873 Insufficient Session Invalidation on User Account Deactivation in AOS-8 Operating System

A session management vulnerability in AOS-8 allows previously authenticated users to retain network access after their accounts are administratively disabled. Existing sessions are not invalidated when credentials are revoked, enabling continued access until session expiration. An attacker with...

5.4CVSS5.7AI score0.00141EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/12 12:0 a.m.10 views

PT-2026-40544

Name of the Vulnerable Software and Affected Versions SillyTavern versions prior to 1.18.0 Description SillyTavern uses cookie-session for authentication, where session data such as user handles and permissions are stored in a signed cookie. The endpoints "POST /api/users/change-password" and "PO...

7.5CVSS5.7AI score0.00394EPSS
Exploits1References5
Rows per page
Query Builder