Lucene search
+L

579 matches found

cvelist
cvelist
added yesterday17 views

CVE-2026-61452 Grav before 2.0.4 Improper Session Invalidation JWT Access Tokens

The Grav API plugin getgrav/grav-plugin-api before 2.0.4 contains an improper session invalidation vulnerability where JWT access tokens are issued without a jti JWT ID claim and therefore cannot be revoked server-side. Unlike refresh tokens, access tokens remain valid for their full lifetime...

6.9CVSS
Exploits0References2
ptsecurity
ptsecurity
added 2 days ago5 views

PT-2026-60096

Name of the Vulnerable Software and Affected Versions nebula-mesh affected versions not specified Description Operator session tokens are stored in plaintext within the token column of the operator sessions table. These tokens are 32-byte random hex values sent via cookies and remain valid for 24...

7.1CVSS6.1AI score
Exploits0References6
euvd
euvd
added 2026/06/30 8:11 p.m.7 views

EUVD-2025-210374

IBM DevOps Automation 1.0.1 and IBM DevOps Loop 1.0.2 does not invalidate session IDs after expiration which could allow an authenticated user to impersonate another user on the system...

8.1CVSS5.8AI score0.00189EPSS
Exploits0References1
cve
cve
added 2026/06/30 8:11 p.m.18 views

CVE-2025-36359

CVE-2025-36359 affects IBM DevOps Automation 1.0.1 and IBM DevOps Loop 1.0.2. The root cause is that session IDs are not invalidated after expiration, enabling an authenticated user to impersonate another user on the system. The IBM security bulletin confirms a CVSS v3.1 base score of 8.1 (HIGH) ...

8.1CVSS5.8AI score0.00189EPSS
Exploits0References1Affected Software2
cvelist
cvelist
added 2026/06/30 8:11 p.m.35 views

CVE-2025-36359 IBM DevOps Loop is susceptible to an Insufficient Session Expiration vulnerability.

IBM DevOps Automation 1.0.1 and IBM DevOps Loop 1.0.2 does not invalidate session IDs after expiration which could allow an authenticated user to impersonate another user on the system...

8.1CVSS0.00189EPSS
Exploits0References1
euvd
euvd
added 2026/06/26 12:32 a.m.6 views

EUVD-2025-210341

Flowise before 3.0.10 affected versions 3.0.7 and earlier fails to invalidate existing sessions and session tokens after a user changes their password. An attacker who already holds an active session, for example via a stolen session token or a device left logged in, remains authenticated as the...

8.6CVSS5.9AI score0.00266EPSS
Exploits1References3
nvd
nvd
added 2026/06/25 10:16 p.m.9 views

CVE-2025-71335

Flowise before 3.0.10 affected versions 3.0.7 and earlier fails to invalidate existing sessions and session tokens after a user changes their password. An attacker who already holds an active session, for example via a stolen session token or a device left logged in, remains authenticated as the...

8.6CVSS0.00266EPSS
Exploits1References2
attackerkb
attackerkb
added 2026/06/25 9:41 p.m.9 views

CVE-2025-71335

Flowise before 3.0.10 affected versions 3.0.7 and earlier fails to invalidate existing sessions and session tokens after a user changes their password. An attacker who already holds an active session, for example via a stolen session token or a device left logged in, remains authenticated as the...

8.6CVSS5.9AI score0.00266EPSS
Exploits1References3
cve
cve
added 2026/06/25 9:41 p.m.18 views

CVE-2025-71335

Flowise prior to version 3.0.10 is affected. Versions 3.0.7 and earlier do not invalidate existing sessions or session tokens after a user changes their password, allowing an attacker with an active session (e.g., via a stolen token or an already-logged-in device) to remain authenticated post-pas...

8.6CVSS5.9AI score0.00266EPSS
Exploits1References2Affected Software1
cvelist
cvelist
added 2026/06/25 9:41 p.m.21 views

CVE-2025-71335 Flowise - Session Invalidation Failure After Password Change

Flowise before 3.0.10 affected versions 3.0.7 and earlier fails to invalidate existing sessions and session tokens after a user changes their password. An attacker who already holds an active session, for example via a stolen session token or a device left logged in, remains authenticated as the...

8.6CVSS0.00266EPSS
Exploits1References2
osv
osv
added 2026/06/25 9:41 p.m.2 views

CVE-2025-71335 Flowise - Session Invalidation Failure After Password Change

Flowise before 3.0.10 affected versions 3.0.7 and earlier fails to invalidate existing sessions and session tokens after a user changes their password. An attacker who already holds an active session, for example via a stolen session token or a device left logged in, remains authenticated as the...

8.6CVSS6AI score0.00266EPSS
Exploits1References4
ptsecurity
ptsecurity
added 2026/06/25 12:0 a.m.27 views

PT-2026-52614

Name of the Vulnerable Software and Affected Versions Flowise versions 3.0.0 through 3.0.7 Description Flowise fails to invalidate existing sessions and session tokens after a user changes their password. This allows an attacker who possesses an active session, such as through a stolen session...

8.6CVSS5.8AI score0.00266EPSS
Exploits1References4
nvd
nvd
added 2026/06/20 4:17 p.m.13 views

CVE-2026-56276

Flowise before 3.1.2 contains a mass assignment vulnerability in the PUT /api/v1/user endpoint that allows authenticated users to directly modify the credential field without validation. Attackers can bypass password change verification and session invalidation by supplying a crafted password has...

6CVSS0.00251EPSS
Exploits0References2
osv
osv
added 2026/06/20 3:24 p.m.3 views

CVE-2026-56276 Flowise - Mass Assignment in PUT /api/v1/user Allows Password Hash Override

Flowise before 3.1.2 contains a mass assignment vulnerability in the PUT /api/v1/user endpoint that allows authenticated users to directly modify the credential field without validation. Attackers can bypass password change verification and session invalidation by supplying a crafted password has...

6CVSS6AI score0.00251EPSS
Exploits0References4
euvd
euvd
added 2026/06/08 2:51 p.m.13 views

EUVD-2026-35081

Bludit is a content management system. Versions prior to 3.22.0 have a Broken Access Control flaw where active sessions remain valid even after the corresponding user account has been physically deleted from the database. This "Ghost Session" allows revoked users to maintain full unauthorized...

8.8CVSS5.4AI score0.00294EPSS
Exploits0References3
redhatcve
redhatcve
added 2026/06/05 7:27 p.m.10 views

CVE-2026-40587

blueprintUE is a tool to help Unreal Engine developers. Prior to 4.2.0, when a user changes their password via the profile edit page, or when a password reset is completed via the reset link, neither operation invalidates existing authenticated sessions for that user. A server-side session store...

6.5CVSS5.5AI score0.00242EPSS
Exploits0References1
vulnrichment
vulnrichment
added 2026/05/29 5:46 p.m.15 views

CVE-2026-44648 SillyTavern: Existing sessions are not invalidated after password change, allowing session reuse and account takeover

SillyTavern is a locally installed user interface that allows users to interact with text generation large language models, image generation engines, and text-to-speech voice models. Prior to 1.18.0, SillyTavern relies on cookie-session for authentication, storing all session data user handle,...

7.5CVSS5.8AI score0.00394EPSS
Exploits1References1
astralinux
astralinux
added 2026/05/20 5:53 a.m.7 views

Astra Linux – Vulnerability in Jetty9

For Eclipse Jetty versions = 9.4.40, = 10.0.2, and = 11.0.2, if an exception is thrown from the SessionListenersessionDestroyed method, then the session ID is not invalidated in the session ID manager. In deployments with clustered sessions and multiple contexts, this can result in a session not...

3.6CVSS6.3AI score0.00963EPSS
Exploits1References2
vulnrichment
vulnrichment
added 2026/05/14 6:38 p.m.9 views

CVE-2026-22706 Strapi: Password Reset Does Not Revoke Existing Refresh Sessions

Strapi is an open source headless content management system. In Strapi versions prior to 5.33.3, changing or resetting a user's password did not invalidate the user's existing refresh-token sessions by default. The refresh-token invalidation step in the users-permissions and admin authentication...

2.1CVSS5.8AI score0.00272EPSS
Exploits0References1
osv
osv
added 2026/05/14 6:38 p.m.2 views

CVE-2026-22706 Strapi: Password Reset Does Not Revoke Existing Refresh Sessions

Strapi is an open source headless content management system. In Strapi versions prior to 5.33.3, changing or resetting a user's password did not invalidate the user's existing refresh-token sessions by default. The refresh-token invalidation step in the users-permissions and admin authentication...

2.1CVSS6AI score0.00272EPSS
Exploits0References3
Rows per page
Query Builder