EUVD-2026-24574

pyLoad is a free and open-source download manager written in Python. Versions up to and including 0.5.0b3.dev97 cache role and permission in the session at login and continues to authorize requests using these cached values, even after an admin changes the user's role/permissions in the database...

CVE-2026-41133

pyLoad is a free and open-source download manager written in Python. Versions up to and including 0.5.0b3.dev97 cache role and permission in the session at login and continues to authorize requests using these cached values, even after an admin changes the user's role/permissions in the database...

CVE-2026-41133 pyLoad has Stale Session Privilege After Role/Permission Change (Privilege Revocation Bypass)

pyLoad is a free and open-source download manager written in Python. Versions up to and including 0.5.0b3.dev97 cache role and permission in the session at login and continues to authorize requests using these cached values, even after an admin changes the user's role/permissions in the database...

CVE-2026-41133

The CVE concerns pyLoad (Python download manager). Affected: versions up to 0.5.0b3.dev97. Root cause: the session cache stores user role/permissions at login and continues to authorize requests using these cached values even after an admin changes the user’s role/permissions in the database. Thi...

pyLoad has Stale Session Privilege After Role/Permission Change (Privilege Revocation Bypass)

Summary pyLoad caches role and permission in the session at login and continues to authorize requests using these cached values, even after an admin changes the user's role/permissions in the database. As a result, an already logged-in user can keep old revoked privileges until logout/session...

Better Auth Has Two-Factor Authentication Bypass via Premature Session Caching (session.cookieCache)

Summary Under certain configurations, sessions may be considered valid before two-factor authentication 2FA is fully completed. This can allow access to authenticated routes without verifying the second factor. --- Description When two-factor authentication is enabled, the authentication flow...

Rancher's Azure AD permission changes are not reflected on active sessions

A bug has been identified in which permission changes in Azure AD are not reflected to users while they are logged in the Rancher UI. This would cause the users to retain their previous permissions in Rancher, even if they change groups on Azure AD, for example, to a lower privileged group, or ar...

CVE-2026-27205

Flask is a web server gateway interface WSGI web application framework. In versions 3.1.2 and below, when the session object is accessed, Flask should set the Vary: Cookie header., resulting in a Use of Cache Containing Sensitive Information vulnerability. The logic instructs caches not to cache...

CVE-2025-64762 authkit-nextjs may let session cookies be cached in CDNs

The AuthKit library for Next.js provides convenient helpers for authentication and session management using WorkOS & AuthKit with Next.js. In authkit-nextjs version 2.11.0 and below, authenticated responses do not defensively apply anti-caching headers. In environments where CDN caching is enable...

CVE-2025-64762

Summary: The vulnerability CVE-2025-64762 affects the authkit-nextjs package (versions ≤ 2.11.0). Authenticated responses in these versions do not apply anti-caching headers, allowing session tokens to be cached by CDNs and potentially exposed to other users. The issue is resolved in 2.11.1, whic...

GHSA-P8PF-44FF-93GF authkit-nextjs may let session cookies be cached in CDNs

In authkit-nextjs version 2.11.0 and below, authenticated responses do not defensively apply anti-caching headers. In environments where CDN caching is enabled, this can result in session tokens being included in cached responses and subsequently served to multiple users. Next.js applications...

EUVD-2024-0647

Malicious code in bioql PyPI...

CVE-2017-17734

CMS Made Simple CMSMS before 2.2.5 does not properly cache login information in sessions...

F5 Nginx 安全漏洞

F5 Nginx is a lightweight web server/reverse proxy server and email IMAP/POP3 proxy server from F5 USA, distributed under the BSD-like protocol. A security vulnerability exists in F5 Nginx that stems from the use of TLS session tickets or SSL session caching, which could allow an attacker to...

GHSA-CFF8-X7JV-4FM8 Session is cached for OpenID and OAuth2 if `redirect` is not used

Summary Unauthenticated user can access credentials of last authenticated user via OpenID or OAuth2 where the authentication URL did not include redirect query string. For example: - Project is configured with OpenID or OAuth2 - Project is configured with cache enabled - User tries to login via S...

CVE-2024-45596 Directus's session is cached for OpenID and OAuth2 if `redirect` is not used

Directus is a real-time API and App dashboard for managing SQL database content. An unauthenticated user can access credentials of last authenticated user via OpenID or OAuth2 where the authentication URL did not include redirect query string. This happens because on that endpoint for both OpenId...

Shopware's session is persistent in Cache for 404 pages

Impact The Symfony Session Handler, pop's the Session Cookie and assign it to the Response. Since Shopware 6.5.8.0 the 404 pages, are cached, to improve the performance of 404 pages. So the cached Response, contains a Session Cookie when the Browser accessing the 404 page, has no cookies yet. The...

CVE-2024-0853

curl inadvertently kept the SSL session ID for connections in its cache even when the verify status OCSP stapling test failed. A subsequent transfer to the same hostname could then succeed if the session ID cache was still fresh, which then skipped the verify status check...

CURL-CVE-2021-22901 TLS session caching disaster

libcurl can be tricked into using already freed memory when a new TLS session is negotiated or a client certificate is requested on an existing connection. For example, this can happen when a TLS server requests a client certificate on a connection that was established without one. A malicious...

curl: CVE-2021-22901: TLS session caching disaster

Summary: lib/vtls/openssl.c osslconnectstep1 sets up the osslnewsessioncb sessionid callback with SSLCTXsesssetnewcb, and adds association from dataidx and connectdataidx to current conn and data respectively: SSLCTXsetsessioncachemodebackend-ctx, SSLSESSCACHECLIENT | SSLSESSCACHENOINTERNAL;...