
Positive Technologies, added yesterday

PT-2026-47085

Summary The shared form-view submit handler in NocoDB writes the form's redirect url to window.location.href after a same-host check that does not validate the URL scheme. A user with editor role or above on any base can plant a javascript: URL in the form's redirect url; when an authenticated...

CVSS 8.4, AI score 5.8
Exploits: 0, References: 4
Github Security Blog, added 2026/03/24 8:17 p.m.

Parse Server exposes auth data via /users/me endpoint

Impact An authenticated user calling GET /users/me receives unsanitized auth data, including sensitive credentials such as MFA TOTP secrets and recovery codes. The endpoint internally uses master-level authentication for the session query, and the master context leaks through to the user data,...

CVSS 7.1, AI score 5.8, EPSS 0.00039
Exploits: 0, References: 7, Affected Software: 1
EUVD, added 2026/03/17 12:30 p.m.

EUVD-2026-12558

In Apache Airflow versions 3.1.0 through 3.1.7, the session token cookie is set with path=/ regardless of the configured webserver base URL or API base URL. This allows any application co-hosted under the same domain to capture valid Airflow session tokens from HTTP request headers, allowing full...

CVSS 7.5, AI score 5.8, EPSS 0.00031
Exploits: 0, References: 3
CVE, added 2026/03/03 2:39 a.m.

CVE-2025-47147

CVE-2025-47147 describes Cleartext Storage of Sensitive Information (CWE-312) in the Command Centre Mobile Client for Android and iOS. The issue could allow an attacker with access to a logged-in operator’s mobile device to extract the session token and gain access for a limited duration. Affecte...

CVSS 5.7, AI score 6, EPSS 0.00007
Exploits: 0, References: 1
Github Security Blog, added 2026/02/25 7:37 p.m.

Rucio WebUI has a Stored Cross-site Scripting (XSS) Vulnerability in its Custom RSE Attribute

Summary: A stored Cross-site Scripting (XSS) vulnerability was identified in the Custom RSE Attribute of the WebUI, where attacker-controlled input is persisted by the backend and later rendered in the WebUI without proper output encoding. This allows arbitrary JavaScript execution in the context of...

CVSS 6.1, AI score 5.9, EPSS 0.00092
Exploits: 1, References: 7, Affected Software: 1
CVE, added 2026/02/23 10:56 a.m.

CVE-2025-59873

CVE-2025-59873 describes an information exposure in HCL Software ZIE for Web (v16) where the application transmits sensitive session tokens and authentication identifiers in URL query parameters. The root cause is tokens/identifiers being exposed via URLs, enabling session hijacking when an attac...

CVSS 5.9, AI score 5.3, EPSS 0.0002
Exploits: 0, References: 1
RedhatCVE, added 2026/01/09 9:52 a.m.

CVE-2020-10624

ControlEdge PLC R130.2, R140, R150, and R151 and RTU R101, R110, R140, R150, and R151 expose a session token on the network...

CVSS 7.5, AI score 7, EPSS 0.00114
Exploits: 0, References: 1
RedhatCVE, added 2026/01/09 8:34 a.m.

CVE-2024-34065

Strapi is an open-source content management system. By combining two vulnerabilities, an Open Redirect and a session token sent as a URL query parameter in @strapi/plugin-users-permissions before version 4.24.2, it is possible for an unauthenticated attacker to bypass authentication mechanisms and...

CVSS 8.1, AI score 7.1, EPSS 0.00796
Exploits: 1, References: 1
Cvelist, added 2026/01/03 11:33 p.m.

CVE-2025-15115 Petlibro Smart Pet Feeder Platform through 1.7.31 Authentication Bypass via API endpoint

Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contain an authentication bypass vulnerability that allows unauthenticated attackers to access any user account by exploiting OAuth token validation flaws in the social login system. Attackers can send requests to /member/auth/thirdLogin...

CVSS 6.9, EPSS 0.00139
Exploits: 0, References: 2
EUVD, added 2025/10/03 8:07 p.m.

EUVD-2025-27069

Malicious code in bioql PyPI...

CVSS 8.1, AI score 6.3, EPSS 0.00078
Exploits: 1, References: 7
EUVD, added 2025/10/03 8:07 p.m.

EUVD-2025-31616

Malicious code in bioql PyPI...

CVSS 4.6, AI score 6.6, EPSS 0.00014
Exploits: 0, References: 3
EUVD, added 2025/10/03 8:07 p.m.

EUVD-2024-50534

Malicious code in bioql PyPI...

CVSS 5.7, AI score 6.6, EPSS 0.00064
Exploits: 0, References: 2
RedhatCVE, added 2025/09/30 8:56 p.m.

CVE-2025-35031

Medical Informatics Engineering Enterprise Health includes the user's current session token in debug output. An attacker could convince a user to send this output to the attacker, thus allowing the attacker to impersonate that user. This issue is fixed as of 2025-04-08...

CVSS 4.6, AI score 6.7, EPSS 0.00014
Exploits: 0, References: 1
OSV, added 2025/09/29 8:15 p.m.

CVE-2025-35031

Medical Informatics Engineering Enterprise Health includes the user's current session token in debug output. An attacker could convince a user to send this output to the attacker, thus allowing the attacker to impersonate that user. This issue is fixed as of 2025-04-08...

CVSS 5.5, AI score 5.8, EPSS 0.00014
Exploits: 0, References: 2
Cvelist, added 2025/09/29 8:00 p.m.

CVE-2025-35031 Medical Informatics Engineering Enterprise Health includes session token in debug output

Medical Informatics Engineering Enterprise Health includes the user's current session token in debug output. An attacker could convince a user to send this output to the attacker, thus allowing the attacker to impersonate that user. This issue is fixed as of 2025-04-08...

CVSS 4.6, EPSS 0.00014
Exploits: 0, References: 2
Vulnrichment, added 2025/09/29 8:00 p.m.

CVE-2025-35031 Medical Informatics Engineering Enterprise Health includes session token in debug output

Medical Informatics Engineering Enterprise Health includes the user's current session token in debug output. An attacker could convince a user to send this output to the attacker, thus allowing the attacker to impersonate that user. This issue is fixed as of 2025-04-08...

CVSS 4.6, AI score 6.3, EPSS 0.00014
Exploits: 0, References: 2
ATTACKERKB, added 2025/09/19 6:46 p.m.

CVE-2025-34188

Vasion Print (formerly PrinterLogic) Virtual Appliance Host versions prior to 1.0.735 and Application versions prior to 20.0.1330, in macOS/Linux client deployments, contain a vulnerability in the local logging mechanism. Authentication session tokens, including PHPSESSID, XSRF-TOKEN, and laravelsession, are...

CVSS 8.4, AI score 5.7, EPSS 0.00076
Exploits: 1, References: 5
RedhatCVE, added 2025/09/08 3:12 a.m.

CVE-2025-58437

Coder allows organizations to provision remote development environments via Terraform. In versions 2.22.0 through 2.24.3, 2.25.0 and 2.25.1, Coder can be compromised through insecure session handling in prebuilt workspaces. Coder automatically generates a session token for a user when a workspace...

CVSS 8.1, AI score 6.8, EPSS 0.00078
Exploits: 1, References: 1
Snyk, added 2025/09/06 4:00 a.m.

Insufficient Session Expiration

Overview: Affected versions of this package are vulnerable to Insufficient Session Expiration via insecure session handling in prebuilt workspaces. An attacker can gain unauthorized access to other users' workspaces by reusing unexpired session tokens exposed through...

CVSS 8.6, AI score 7.1, EPSS 0.00078
Exploits: 1, References: 2
Snyk, added 2025/09/06 4:00 a.m.

Insufficient Session Expiration

Overview: Affected versions of this package are vulnerable to Insufficient Session Expiration via insecure session handling in prebuilt workspaces. An attacker can gain unauthorized access to other users' workspaces by reusing unexpired session tokens exposed through...

CVSS 8.6, AI score 6.6, EPSS 0.00078
Exploits: 1, References: 2