CVE-2026-56130

"Remember me" cookie age is not verified on the server. This potentially allows an attacker to intercept a valid cookie and reuse it indefinitely, even after the configured expiration time has passed. This issue affects all Apache Shiro versions from 1.2.4 through 2.x, and 3.0.0-alpha-1, only whe...

CVE-2026-56130

"Remember me" cookie age is not verified on the server. This potentially allows an attacker to intercept a valid cookie and reuse it indefinitely, even after the configured expiration time has passed. This issue affects all Apache Shiro versions from 1.2.4 through 2.x, and 3.0.0-alpha-1, only whe...

CVE-2026-44511

Katalyst Koi is a framework for building Rails admin functionality. Prior to 4.20.0 and 5.6.0, admin session cookies were not invalidated when an admin user logged out. An attacker with access to a valid admin session cookie could continue to access admin functionality after logout, until the...

EUVD-2026-34086

An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. django.http.HttpRequest.getsignedcookie in Django uses a non-injective salt derivation concatenating the cookie name and salt argument, which allows a remote attacker to use a cookie in a context different from the one wher...

CVE-2026-6873

An issue was discovered in Django 6.0 before 6.0.6 and 5.2 before 5.2.15. django.http.HttpRequest.getsignedcookie in Django uses a non-injective salt derivation concatenating the cookie name and salt argument, which allows a remote attacker to use a cookie in a context different from the one wher...

PT-2026-45947

Name of the Vulnerable Software and Affected Versions Django versions prior to 6.0.6 Django versions prior to 5.2.15 Description An issue exists in the get signed cookie function within django.http.HttpRequest. The function employs a non-injective salt derivation by concatenating the cookie name...

Nextcloud Server 授权问题漏洞

NextCloud Server is an open-source NextCloud server program developed by NextCloud. Versions of NextCloud Server from 32.0.0 to 32.0.9 and from 33.0.0 to 33.0.3 contained vulnerabilities related to authorization. These vulnerabilities stemmed from the possibility that the session cookie, which...

CVE-2026-44511 Katalyst Koi: Session cookies can be replayed after user logout

Katalyst Koi is a framework for building Rails admin functionality. Prior to 4.20.0 and 5.6.0, admin session cookies were not invalidated when an admin user logged out. An attacker with access to a valid admin session cookie could continue to access admin functionality after logout, until the...

Insufficient Session Expiration

Overview sillytavern is a LLM Frontend for Power Users Affected versions of this package are vulnerable to Insufficient Session Expiration due to the failure to invalidate existing sessions after a password change. An attacker can maintain unauthorized access to an account by reusing a previously...

Insufficient Session Expiration

Overview Affected versions of this package are vulnerable to Insufficient Session Expiration due to jupytercookiesecret never being automatically rotated or cleared. An attacker can keep or reuse authenticated session cookies after a password change by presenting a cookie signed with a secret tha...

Insufficient Session Expiration

Overview Affected versions of this package are vulnerable to Insufficient Session Expiration due to the failure to revoke existing authenticated sessions after a password reset or password change process. An attacker can maintain unauthorized access to an account by reusing a previously obtained...

Devolutions Server 安全漏洞

Devolutions Server is an application system developed by the Canadian company Devolutions. It provides a fully functional solution for shared accounts and password management. Versions of Devolutions Server prior to 2026.1.11 contained a security vulnerability. This vulnerability stemmed from...

CVE-2026-30224

OliveTin gives access to predefined shell commands from a web interface. Prior to version 3000.11.1, OliveTin does not revoke server-side sessions when a user logs out. Although the browser cookie is cleared, the corresponding session remains valid in server storage until expiry default ≈ 1 year...

GHSA-GQ2M-77HF-VWGH OliveTin Session Fixation: Logout Fails to Invalidate Server-Side Session

Summary OliveTin does not revoke server-side sessions when a user logs out. Although the browser cookie is cleared, the corresponding session remains valid in server storage until expiry default ≈ 1 year. An attacker with a previously stolen or captured session cookie can continue authenticating...

CVE-2021-41263

railsmultisite provides multi-db support for Rails applications. In affected versions this vulnerability impacts any Rails applications using railsmultisite alongside Rails' signed/encrypted cookies. Depending on how the application makes use of these cookies, it may be possible for an attacker t...

EUVD-2018-8077

Malware in sbrugna...

EUVD-2021-12817

Malware in sbrugna...

CVE-2025-54592

Vulnerability overview: FreshRSS

FortiOS SSL-VPN 7.4.4 - Insufficient Session Expiration & Cookie Reuse

!/usr/bin/env python3 """ Exploit Title: FortiOS SSL-VPN 7.4.4 - Insufficient Session Expiration & Cookie Reuse Date: 2025-06-15 Exploit Author: Shahid Parvez Hakim BugB Technologies Vendor Homepage: https://www.fortinet.com Software Link: https://www.fortinet.com/products/secure-sd-wan/fortigate...

CVE-2024-50562

An Insufficient Session Expiration vulnerability CWE-613 in FortiOS SSL-VPN version 7.6.0, version 7.4.6 and below, version 7.2.10 and below, 7.0 all versions, 6.4 all versions may allow an attacker in possession of a cookie used to log in the SSL-VPN portal to log in again, although the session...