1014 matches found
EUVD-2026-14547
Race Condition in NetScaler ADC and NetScaler Gateway when appliance is configured as Gateway SSL VPN, ICA Proxy, CVPN, RDP Proxy or AAA virtual server leading to User Session Mixup...
CVE-2026-4368
Race Condition in NetScaler ADC and NetScaler Gateway when appliance is configured as Gateway SSL VPN, ICA Proxy, CVPN, RDP Proxy or AAA virtual server leading to User Session Mixup...
CVE-2026-4368 Race Condition leading to User Session Mixup
Race Condition in NetScaler ADC and NetScaler Gateway when appliance is configured as Gateway SSL VPN, ICA Proxy, CVPN, RDP Proxy or AAA virtual server leading to User Session Mixup...
CVE-2025-41258 LibreChat RAG API Authentication Bypass
LibreChat version 0.8.1-rc2 uses the same JWT secret for the user session mechanism and RAG API which compromises the service-level authentication of the RAG API...
Cross-site Scripting (XSS)
Overview Affected versions of this package are vulnerable to Cross-site Scripting XSS via the upload of .prologue.html file when a crafted URL is accessed. An attacker can execute arbitrary JavaScript in the context of another user's session by uploading a malicious .prologue.html file and tricki...
GHSA-WVHQ-WP8G-C7VQ Flowise has Authorization Bypass via Spoofed x-request-from Header
Summary Flowise trusts any HTTP client that sets the header x-request-from: internal, allowing an authenticated tenant session to bypass all /api/v1/ authorization checks. With only a browser cookie, a low-privilege tenant can invoke internal administration endpoints API key management, credentia...
CVE-2026-26227
VideoLAN VLC for Android prior to version 3.7.0 contains an authentication bypass in the Remote Access Server feature due to missing or insufficient rate limiting on one-time password OTP verification. The Remote Access Server uses a 4-digit OTP and does not enforce effective throttling or lockou...
CVE-2019-25356
Bematech formerly Logic Controls, now Elgin MP-4200 TH printer contains a cross-site scripting vulnerability in the admin configuration page. Attackers can inject malicious scripts via crafted POST requests with malformed 'admin' and 'person' parameters, allowing execution of arbitrary JavaScript...
Cross-site Scripting (XSS)
Overview moodle/moodle is a learning platform. Affected versions of this package are vulnerable to Cross-site Scripting XSS via improper sanitization of AI prompt responses. An attacker can execute arbitrary scripts in the context of another user's session by injecting malicious HTML or JavaScrip...
CVE-2022-50975
An unauthenticated remote attacker is able to use an existing session id of a logged in user and gain full access to the device if configuration via ethernet is enabled...
SUSE CVE-2025-71150
In the Linux kernel, the following vulnerability has been resolved: ksmbd: Fix refcount leak when invalid session is found on session lookup When a session is found but its state is not SMB2SESSIONVALID, It indicates that no valid session was found, but it is missing to decrement the reference...
CVE-2025-71150
In the Linux kernel, the following vulnerability has been resolved: ksmbd: Fix refcount leak when invalid session is found on session lookup When a session is found but its state is not SMB2SESSIONVALID, It indicates that no valid session was found, but it is missing to decrement the reference...
CVE-2025-71150
In the Linux kernel, the following vulnerability has been resolved: ksmbd: Fix refcount leak when invalid session is found on session lookup When a session is found but its state is not SMB2SESSIONVALID, It indicates that no valid session was found, but it is missing to decrement the reference...
CVE-2023-49262
The authentication mechanism can be bypassed by overflowing the value of the Cookie "authentication" field, provided there is an active user session...
CVE-2023-45912
WIPOTEC GmbH ComScale v4.3.29.21344 and v4.4.12.723 fails to validate user sessions, allowing unauthenticated attackers to read files from the underlying operating system and obtain directory listings...
CVE-2021-33982
An insufficient session expiration vulnerability exists in the "Fish | Hunt FL" iOS app version 3.8.0 and earlier, which allows a remote attacker to reuse, spoof, or steal other user and admin sessions...
CVE-2021-22523
XML External Entity vulnerability in Micro Focus Verastream Host Integrator, affecting version 7.8 Update 1 and earlier versions. The vulnerability could allow the control of web browser and hijacking user sessions...
CVE-2021-22979
On BIG-IP version 16.0.x before 16.0.1, 15.1.x before 15.1.1, 14.1.x before 14.1.2.8, 13.1.x before 13.1.3.5, and all 12.1.x versions, a reflected Cross-Site Scripting XSS vulnerability exists in an undisclosed page of the BIG-IP Configuration utility when Fraud Protection Service is provisioned...
CVE-2021-22920
A vulnerability has been discovered in Citrix ADC formerly known as NetScaler ADC and Citrix Gateway formerly known as NetScaler Gateway, and Citrix SD-WAN WANOP Edition models 4000-WO, 4100-WO, 5000-WO, and 5100-WO. These vulnerabilities, if exploited, could lead to a phishing attack through a...
CVE-2020-24594
Mitel MiCloud Management Portal before 6.1 SP5 could allow an unauthenticated attacker to execute arbitrary scripts due to insufficient input validation, aka XSS. A successful exploit could allow an attacker to gain access to a user session...