3 matches found
EUVD-2026-9940
The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent...
WakaTime: Session Duplication due to Broken Access Control
Due to improper validation of the user before generating an API-KEY and improper measures taken at the time of password reset, it is possible to generate a parallel session at the attacker's end. A proof of concept video is attached to confirm the vulnerability and to demonstrate the impact of this...
WakaTime: Session Duplication due to Improper Validation
Initially, at the time of sign-up, the user is able to enter any email ID and the account is created without any verification. Later a pop-up arises for verification, but all functions are available without verification. An attacker can use the victim's email and create an account; he can work on WakaTime as t...