PYSEC-2026-50
An issue was discovered in Django 6.0 before 6.0.5 and 5.2 before 5.2.14. Response headers do not vary on cookies if a session is not modified but SESSION_SAVE_EVERY_REQUEST is True. A remote attacker can steal a user's session after that user visits a cached public page. Earlier, unsupported Django series...
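The mechanism behind the Django entry above, as an added toy model (not Django's code): a session layer re-sends the session cookie on every request (the SESSION_SAVE_EVERY_REQUEST role) but only adds "Vary: Cookie" when the view actually reads the session, so a shared page cache stores the victim's Set-Cookie under a cookie-independent key and replays it to the next client. The `session_layer`, `PageCache` and `run_scenario` names, and the "victim-session-id" value, are hypothetical; `vary_on_save=True` stands in for the fix.

```python
from dataclasses import dataclass, field


@dataclass
class Response:
    body: str
    headers: dict = field(default_factory=dict)  # toy: single-valued headers


def session_layer(request, view, save_every_request, vary_on_save):
    """Hypothetical session middleware. `request` is a dict with "path" and "cookies".
    save_every_request plays the role of SESSION_SAVE_EVERY_REQUEST.
    vary_on_save=False models the pre-fix behaviour: "Vary: Cookie" is added only
    when the view reads the session, even though the cookie is re-sent regardless."""
    accessed = [False]

    def session_get(key):  # the view calls this if it reads session data
        accessed[0] = True
        return None

    response = view(request, session_get)
    if accessed[0]:
        response.headers["Vary"] = "Cookie"
    sid = request["cookies"].get("sessionid")
    if sid and save_every_request:  # toy stand-in for "session is non-empty"
        response.headers["Set-Cookie"] = f"sessionid={sid}"
        if vary_on_save:
            response.headers["Vary"] = "Cookie"
    return response


class PageCache:
    """Toy full-page cache: one entry per path, keyed on the cookies only when the
    stored response said "Vary: Cookie"."""

    def __init__(self):
        self.entries = {}  # path -> (vary, variant_key, response)

    @staticmethod
    def variant_key(request, vary):
        return str(sorted(request["cookies"].items())) if vary == "Cookie" else ""

    def get_or_render(self, request, render):
        hit = self.entries.get(request["path"])
        if hit and hit[1] == self.variant_key(request, hit[0]):
            return hit[2]  # cache hit, possibly another user's response
        response = render(request)
        vary = response.headers.get("Vary", "")
        self.entries[request["path"]] = (vary, self.variant_key(request, vary), response)
        return response


def public_view(request, session_get):
    return Response("<h1>Public page</h1>")  # never touches the session


def run_scenario(vary_on_save):
    """Victim with a session warms the cache; an anonymous attacker then requests the
    same URL. Returns the Set-Cookie header the attacker receives, if any."""
    cache = PageCache()

    def render(req):
        return session_layer(req, public_view, save_every_request=True,
                             vary_on_save=vary_on_save)

    victim = {"path": "/public", "cookies": {"sessionid": "victim-session-id"}}  # constructed
    attacker = {"path": "/public", "cookies": {}}
    cache.get_or_render(victim, render)
    return cache.get_or_render(attacker, render).headers.get("Set-Cookie")


if __name__ == "__main__":
    print("pre-fix :", run_scenario(vary_on_save=False))  # sessionid=victim-session-id
    print("fixed   :", run_scenario(vary_on_save=True))   # None
```

The check a deployment can make without reading middleware source is the observable one: any response that carries a Set-Cookie for the session must also carry Vary: Cookie, otherwise a downstream cache (Django's cache middleware, a CDN, a reverse proxy) may serve it to other clients.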
Race Condition
Overview: effect is a Node package that allows you to add effects on images. Affected versions of this package are vulnerable to a race condition in the MixedScheduler class, where the AsyncLocalStorage context is not properly isolated between concurrent fiber executions. An attacker can access or...
GO-2026-4489 FrankenPHP leaks session data between requests in worker mode in github.com/dunglas/frankenphp
FrankenPHP leaks session data between requests in worker mode in github.com/dunglas/frankenphp...
CVE-2026-24894
FrankenPHP in worker mode prior to 1.11.2 does not reset the PHP $_SESSION between requests, allowing a subsequent request on the same worker to read the previous request’s session data before session_start() is called. This could expose potentially sensitive session information across users. The...
CVE-2026-24894 FrankenPHP leaks session data between requests in worker mode
FrankenPHP is a modern application server for PHP. Prior to 1.11.2, when running FrankenPHP in worker mode, the $_SESSION superglobal is not correctly reset between requests. This allows a subsequent request processed by the same worker to access the $_SESSION data of the previous request, potential...
FrankenPHP code issue vulnerability
FrankenPHP is an open-source PHP application server developed by phpnet. Versions of FrankenPHP prior to 1.11.2 had code vulnerabilities. These vulnerabilities stemmed from the fact that, when running in worker mode, the $_SESSION superglobal variable was not properly reset between requests,...
CVE-2023-50082
Aoyun Technology pbootcms V3.1.2 is vulnerable to Incorrect Access Control, which allows remote attackers to gain sensitive information via session leakage; this lets a user avoid logging into the backend management platform...
CVE-2025-11127 Mstoreapp Mobile (App <= 2.08, Multivendor <= 9.0.1) - Unauthenticated Privilege Escalation
The Mstoreapp Mobile App WordPress plugin through 2.08 and Mstoreapp Mobile Multivendor through 9.0.1 do not properly verify users' identity when using an AJAX action, allowing unauthenticated users to retrieve a valid session for arbitrary users by knowing their email address...
EUVD-2025-36502
A flaw was found in Keycloak, where a user can accidentally get access to another user's session if both use the same device and browser. This happens because Keycloak sometimes reuses session identifiers and does not clean up properly during logout when browser cookies are missing. As...
EUVD-2023-54912
Malicious code in bioql PyPI...
EUVD-2024-0477
Malicious code in bioql PyPI...
Linux Distros Unpatched Vulnerability : CVE-2020-35681
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Django Channels 3.x before 3.0.3 allows remote attackers to obtain sensitive information from a different request scope. The legacy channels.http.AsgiHandler...
GLPI cross-site scripting vulnerability
GLPI is an open source IT and asset management software from GLPI Open Source. The software provides a full-featured IT resource management interface that you can use to build databases to fully manage IT computers, monitors, servers, printers, network devices, phones, and even toner and ink...
ZITADEL Vulnerable to Session Information Leakage
Impact: ZITADEL provides users the ability to list all user sessions of the current user agent (browser) by API and in the Console UI. Due to a missing check, user sessions without that information (e.g. when created through the session service) were incorrectly listed, exposing potentially other users'...
SUSE CVE-2022-23498
Grafana is an open-source platform for monitoring and observability. When datasource query caching is enabled, Grafana caches all headers, including grafana_session. As a result, any user that queries a datasource where the caching is enabled can acquire another user's session. To mitigate the...
Cross-Site Scripting (XSS)
prestashop/prestashop is vulnerable to Cross-Site Scripting XSS. The vulnerability is due to the customer thread feature allowing malicious file uploads through the front-office contact form. When an admin opens the attached file in back office, arbitrary JavaScript will be executed which can...
Central Dogma Authentication Bypass Vulnerability via Session Leakage
Vulnerability Overview A vulnerability has been identified in Central Dogma versions prior to 0.64.1, allowing for the leakage of user sessions and subsequent authentication bypass. The issue stems from a Cross-Site Scripting XSS attack vector that targets the RelayState of Security Assertion...
GHSA-34Q3-P352-C7Q8 Central Dogma Authentication Bypass Vulnerability via Session Leakage
Vulnerability Overview A vulnerability has been identified in Central Dogma versions prior to 0.64.1, allowing for the leakage of user sessions and subsequent authentication bypass. The issue stems from a Cross-Site Scripting XSS attack vector that targets the RelayState of Security Assertion...
GHSA-QFV2-3P2F-VG48 Duplicate Advisory: Central Dogma Authentication Bypass Vulnerability via Session Leakage
Duplicate Advisory: This advisory has been withdrawn because it is a duplicate of GHSA-34q3-p352-c7q8. This link is maintained to preserve external references. Original Description: Central Dogma versions prior to 0.64.0 are vulnerable to Cross-Site Scripting (XSS), which could allow for the leakage o...
CVE-2024-1143
Central Dogma (LY Corporation) is affected by an XSS vulnerability in versions prior to 0.64.1 that can leak user sessions via RelayState processing of SAML messages, potentially enabling authentication bypass. The issue is documented across multiple sources (CVE-2024-1143, OSV, RH/Red Hat, JVN/J...