Lucene search
K

445 matches found

Positive Technologies
Positive Technologies
added 5 days ago6 views

PT-2026-56971

Name of the Vulnerable Software and Affected Versions DeepSeek MCP Server versions 1.4.2 through 1.6.x Description The process-global SessionStore accepts caller-supplied session id values without binding them to an authenticated principal or transport session. This allows an attacker to enumerat...

8.6CVSS6.1AI score0.00225EPSS
Exploits0References4
Tenable Nessus
Tenable Nessus
added 2026/07/04 12:0 a.m.9 views

Linux Distros Unpatched Vulnerability : CVE-2026-38968

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - ntopng through 6.6 is vulnerable to Predictable Session Identifier which can lead to Session Hijacking. HTTP session identifiers in src/HTTPserver.cpp use weak...

9.8CVSS6AI score0.00379EPSS
Exploits0References2
NVD
NVD
added 2026/07/02 9:16 p.m.6 views

CVE-2026-38968

ntopng through 6.6 is vulnerable to Predictable Session Identifier which can lead to Session Hijacking. HTTP session identifiers in src/HTTPserver.cpp use weak time-seeded pseudo-randomness during session creation. As a result, fresh authenticated logins can receive deterministic or colliding...

9.8CVSS0.00379EPSS
Exploits0References2
CVE
CVE
added 2026/07/02 12:0 a.m.18 views

CVE-2026-38968

ntopng (through 6.6) is reported vulnerable to a Predictable Session Identifier flaw. The issue occurs in HTTPsession creation within src/HTTPserver.cpp, where time-seeded pseudo-randomness can yield deterministic or colliding cookies, enabling session hijacking under attacker-controlled timing. ...

9.8CVSS5.8AI score0.00379EPSS
Exploits0References2Affected Software1
Cvelist
Cvelist
added 2026/07/02 12:0 a.m.47 views

CVE-2026-38968

ntopng through 6.6 is vulnerable to Predictable Session Identifier which can lead to Session Hijacking. HTTP session identifiers in src/HTTPserver.cpp use weak time-seeded pseudo-randomness during session creation. As a result, fresh authenticated logins can receive deterministic or colliding...

0.00379EPSS
Exploits0References2
OSV
OSV
added 2026/07/02 12:0 a.m.4 views

CVE-2026-38968

ntopng through 6.6 is vulnerable to Predictable Session Identifier which can lead to Session Hijacking. HTTP session identifiers in src/HTTPserver.cpp use weak time-seeded pseudo-randomness during session creation. As a result, fresh authenticated logins can receive deterministic or colliding...

9.8CVSS6AI score0.00379EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/07/01 11:4 a.m.10 views

CVE-2026-56016

A flaw was found in perl-CGI-Session. This vulnerability allows a remote attacker to predict session identifiers due to the use of low-entropy sources in the generateid method. By predicting a session identifier, an attacker can impersonate a user's session, leading to a bypass of authentication...

7.4CVSS5.7AI score0.00322EPSS
Exploits0References5
EUVD
EUVD
added 2026/06/26 12:32 a.m.5 views

EUVD-2026-39566

The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers. This vulnerability may allow unauthorized users to authenticate as oth...

7.3CVSS5.9AI score0.00246EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/06/25 11:27 p.m.42 views

CVE-2026-9221 Setracker2 Children's Smartwatch Ecosystem Use of a Broken or Risky Cryptographic Algorithm

The Setracker2 Android Companion App com.tgelec.setracker versions 3.1.5 and earlier uses MD5 to generate a request signature for authenticating communications between the mobile client and the backend REST API. Attackers could potentially reverse the signature to recover the session ID. With the...

8.7CVSS0.00161EPSS
Exploits0References1
NVD
NVD
added 2026/06/25 10:17 p.m.7 views

CVE-2026-54479

The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers. This vulnerability may allow unauthorized users to authenticate as oth...

7.3CVSS0.00246EPSS
Exploits0References3
CVE
CVE
added 2026/06/25 8:56 p.m.12 views

CVE-2026-54479

The CVE concerns a WebSocket backend where charging station identifiers are used to bind sessions but multiple endpoints can connect with the same session identifier, producing predictable session IDs. This can allow unauthorized users to authenticate as other users or enable a DoS by flooding th...

7.3CVSS5.9AI score0.00246EPSS
Exploits0References3
NVD
NVD
added 2026/06/23 9:17 p.m.16 views

CVE-2026-9073

A flaw was found in foreman-mcp-server. This component utilizes two distinct logging mechanisms that can expose sensitive session and authentication data. One mechanism logs session identifiers, which are treated as authentication credentials, at an informational level. The other, when debug...

6.2CVSS0.00152EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/06/23 7:53 p.m.5 views

CVE-2026-9073

A flaw was found in foreman-mcp-server. This component utilizes two distinct logging mechanisms that can expose sensitive session and authentication data. One mechanism logs session identifiers, which are treated as authentication credentials, at an informational level. The other, when debug...

6.2CVSS5.8AI score0.00152EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/06/23 7:53 p.m.31 views

CVE-2026-9073 Foreman-mcp-server: mcp server: insecure sensitive http header sanitization

A flaw was found in foreman-mcp-server. This component utilizes two distinct logging mechanisms that can expose sensitive session and authentication data. One mechanism logs session identifiers, which are treated as authentication credentials, at an informational level. The other, when debug...

6.2CVSS0.00152EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/23 7:53 p.m.8 views

EUVD-2026-38603

A flaw was found in foreman-mcp-server. This component utilizes two distinct logging mechanisms that can expose sensitive session and authentication data. One mechanism logs session identifiers, which are treated as authentication credentials, at an informational level. The other, when debug...

6.2CVSS5.8AI score0.00152EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/06/23 7:53 p.m.7 views

CVE-2026-9073

A flaw was found in foreman-mcp-server. This component utilizes two distinct logging mechanisms that can expose sensitive session and authentication data. One mechanism logs session identifiers, which are treated as authentication credentials, at an informational level. The other, when debug...

6.2CVSS5.7AI score0.00152EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.16 views

PT-2026-51592

Name of the Vulnerable Software and Affected Versions foreman-mcp-server affected versions not specified Description Two distinct logging mechanisms in the software can expose sensitive session and authentication data. One mechanism logs session identifiers, which function as authentication...

6.2CVSS5.8AI score0.00152EPSS
Exploits0References8
NVD
NVD
added 2026/06/17 7:18 p.m.16 views

CVE-2026-55198

Hermes WebUI before 0.51.443 contains an authorization bypass vulnerability in the session export endpoint that allows authenticated users to access sessions from other profiles. The handlesessionexport handler in api/routes.py fails to verify active-profile ownership before serializing session...

7.1CVSS0.00272EPSS
Exploits0References5
CVE
CVE
added 2026/06/17 5:59 p.m.34 views

CVE-2026-55197

Hermes WebUI before 0.51.443 has a broken access control weakness in the /api/session endpoint. Authenticated users can bypass profile boundaries and query session IDs from other profiles via GET /api/session?session_id=&messages=1 to retrieve unauthorized transcripts and metadata. This affects t...

7.1CVSS5.3AI score0.00272EPSS
Exploits0References5
NVD
NVD
added 2026/06/09 5:16 a.m.12 views

CVE-2026-41838

IDs for WebSocket sessions in the spring-websocket module are not cryptographically unpredictable, which may be possible to exploit in combination with inadequate authorization rules. Affected versions: Spring Framework 7.0.0 through 7.0.7; 6.2.0 through 6.2.18; 6.1.0 through 6.1.27; 5.3.0 throug...

7.5CVSS0.00171EPSS
Exploits0References1
Rows per page
Query Builder