Lucene search
K

317 matches found

NVD
NVD
added 3 days ago6 views

CVE-2026-43918

FOSSBilling is a free, open-source billing and client management system. Prior to version 0.8.0, when a client or staff/admin account is suspended or marked inactive, existing authenticated sessions are not invalidated. The session identity loaders in src/di.php loggedinclient and loggedinadmin...

8.7CVSS0.00235EPSS
Exploits0References2
NVD
NVD
added 2026/06/29 6:16 p.m.8 views

CVE-2026-57945

PhotoPrism before 260601-a7d098548 contains a broken access control vulnerability that allows authenticated non-admin users to modify other users' profile information by sending requests to arbitrary user endpoints. Attackers can exploit the missing session-to-user identifier validation in the PU...

5.3CVSS0.0019EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/29 5:18 p.m.34 views

CVE-2026-57945 PhotoPrism - Unauthorized User Profile Modification via PUT /api/v1/users/{uid} Endpoint

PhotoPrism before 260601-a7d098548 contains a broken access control vulnerability that allows authenticated non-admin users to modify other users' profile information by sending requests to arbitrary user endpoints. Attackers can exploit the missing session-to-user identifier validation in the PU...

5.3CVSS0.0019EPSS
Exploits0References3
SUSE CVE
SUSE CVE
added 2026/06/26 2:8 a.m.7 views

SUSE CVE-2026-53262

In the Linux kernel, the following vulnerability has been resolved: l2tp: pppol2tp: hold reference to session in pppol2tpioctl pppol2tpioctl read sock-sk-skuserdata directly without any locks or reference counting. If a controllable sleep was induced during copyfromuser e.g. via a userfaultfd pag...

7.8CVSS5.8AI score0.00125EPSS
Exploits0References3
NVD
NVD
added 2026/06/25 7:16 p.m.13 views

CVE-2026-56774

Kanboard through 1.2.52, fixed in commit 928c68a, UserViewController::removeSession fails to validate the session id parameter before passing it to RememberMeSessionModel::remove, allowing authenticated users to delete other users' Remember Me sessions. Attackers can enumerate sequential session...

5.4CVSS0.00266EPSS
Exploits0References4
Nuclei
Nuclei
added 2026/06/23 5:8 a.m.125 views

Apache Superset - Authentication Bypass

Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRETKEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not affect Superset...

9.8CVSS7.4AI score0.97405EPSS
Exploits20References5
OSV
OSV
added 2026/06/22 11:19 p.m.6 views

GHSA-CQ9C-6W48-QMFG @actual-app/sync-server: Disabled OpenID users keep access through existing session tokens

Summary In OpenID multi-user mode, disabling a user only blocks future OpenID login for that identity. Existing Actual session tokens for the disabled user remain valid, so the user can continue calling authenticated server endpoints after an administrator has disabled the account. Details The...

8.3CVSS5.9AI score0.00441EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/06/22 11:19 p.m.10 views

@actual-app/sync-server: Disabled OpenID users keep access through existing session tokens

Summary In OpenID multi-user mode, disabling a user only blocks future OpenID login for that identity. Existing Actual session tokens for the disabled user remain valid, so the user can continue calling authenticated server endpoints after an administrator has disabled the account. Details The...

8.3CVSS5.9AI score0.00441EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/22 12:0 a.m.18 views

PT-2026-51451

Name of the Vulnerable Software and Affected Versions Actual versions prior to 26.6.0 Description In OpenID multi-user mode, disabling a user only prevents future OpenID logins for that identity. Existing session tokens remain valid because the shared session validation path does not check if the...

8.3CVSS6AI score0.00441EPSS
Exploits0References6
NVD
NVD
added 2026/06/13 6:16 p.m.17 views

CVE-2026-12183

Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 through 2.10.2 on Linux contains an Improper Authentication vulnerability CWE-287 in the system configuration module. The /php/ajax-login.php endpoint returns userid=1 administrator in response to any HTTP POST request that supplie...

9.8CVSS0.00548EPSS
Exploits0References4
CNNVD
CNNVD
added 2026/06/05 12:0 a.m.11 views

Termix 安全漏洞

Termix is a server management platform developed by Karmaa’s individual developers. Versions of Termix prior to 2.3.2 contained security vulnerabilities. These vulnerabilities stemmed from improper validation of the sessionId parameter by the file manager’s functionality. The identifier controlle...

9CVSS5.4AI score0.00387EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/05/13 8:23 p.m.10 views

CVE-2026-5146

Improper access control in the notification management endpoints in Devolutions Server allows an unauthenticated attacker to modify or delete arbitrary user notification records via missing session validation. This issue affects the following versions : Devolutions Server 2026.1.6.0 through...

4.3CVSS5.9AI score0.00162EPSS
Exploits0References1
NVD
NVD
added 2026/05/12 6:17 p.m.18 views

CVE-2026-5146

Improper access control in the notification management endpoints in Devolutions Server allows an unauthenticated attacker to modify or delete arbitrary user notification records via missing session validation. This issue affects the following versions : Devolutions Server 2026.1.6.0 through...

4.3CVSS0.00162EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/12 5:28 p.m.37 views

CVE-2026-5146

Improper access control in the notification management endpoints in Devolutions Server allows an unauthenticated attacker to modify or delete arbitrary user notification records via missing session validation. This issue affects the following versions : Devolutions Server 2026.1.6.0 through...

0.00162EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/12 5:28 p.m.8 views

CVE-2026-5146

Improper access control in the notification management endpoints in Devolutions Server allows an unauthenticated attacker to modify or delete arbitrary user notification records via missing session validation. This issue affects the following versions : Devolutions Server 2026.1.6.0 through...

5.9AI score0.00162EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/12 12:0 a.m.14 views

PT-2026-40335

Improper access control in the notification management endpoints in Devolutions Server allows an unauthenticated attacker to modify or delete arbitrary user notification records via missing session validation. This issue affects the following versions : Devolutions Server 2026.1.6.0 through...

5.9AI score0.00162EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/05/11 2:2 p.m.12 views

Open WebUI has a CORS misconfiguration and session validation issue

GitHub Security Lab GHSL Vulnerability Report, open-webui: GHSL-2024-174, GHSL-2024-175 The GitHub Security Lab team has identified potential security vulnerabilities in open-webui. We are committed to working with you to help resolve these issues. In this report you will find everything you need...

6.6AI score
Exploits0References2Affected Software1
OSV
OSV
added 2026/05/11 2:2 p.m.30 views

GHSA-6XCP-7MPR-M7WM Open WebUI has a CORS misconfiguration and session validation issue

GitHub Security Lab GHSL Vulnerability Report, open-webui: GHSL-2024-174, GHSL-2024-175 The GitHub Security Lab team has identified potential security vulnerabilities in open-webui. We are committed to working with you to help resolve these issues. In this report you will find everything you need...

8.3CVSS6.6AI score
Exploits0References2
EUVD
EUVD
added 2026/04/29 7:24 p.m.4 views

EUVD-2018-21838

Tenda W3002R/A302/W309R wireless routers version V5.07.64en contain a cookie session weakness vulnerability that allows unauthenticated attackers to modify DNS settings by exploiting insufficient session validation. Attackers can send GET requests to the /goform/AdvSetDns endpoint with a crafted...

9.8CVSS5.3AI score0.00651EPSS
Exploits1References2
Packet Storm News
Packet Storm News
added 2026/04/27 12:0 a.m.13 views

Selenium Grid 4.11.0 Selenoid Backend Detection and Safe Session Validation Inspector

The provided Python script is a non-exploit reconnaissance and validation tool designed to identify Selenium Grid or Selenoid deployments exposed via HTTP APIs...

5.2AI score
Exploits0
Rows per page
Query Builder