CVE-2026-41133 pyLoad has Stale Session Privilege After Role/Permission Change (Privilege Revocation Bypass)

pyLoad is a free and open-source download manager written in Python. Versions up to and including 0.5.0b3.dev97 cache role and permission in the session at login and continues to authorize requests using these cached values, even after an admin changes the user's role/permissions in the database...

GHSA-66HX-CHF7-3332 pyLoad has Stale Session Privilege After Role/Permission Change (Privilege Revocation Bypass)

Summary pyLoad caches role and permission in the session at login and continues to authorize requests using these cached values, even after an admin changes the user's role/permissions in the database. As a result, an already logged-in user can keep old revoked privileges until logout/session...

Insufficient Session Expiration

Overview @hotwired/turbo is a The speed of a single-page web application without having to write any JavaScript Affected versions of this package are vulnerable to Insufficient Session Expiration due to a race condition. An attacker can cause stale session cookies to be restored by delaying HTTP...

EUVD-2026-3351

Race condition in the turbo-frame element handler in Hotwired Turbo before 8.0.x causes logout operations to fail when delayed frame responses reapply session cookies after logout. This can be exploited by remote attackers via selective network delays e.g. delaying requests based on sequence or...

CVE-2025-65883

A vulnerability has been identified in Genexis Platinum P4410 router Firmware P4410-V2–1.41 that allows a local network attacker to achieve Remote Code Execution RCE with root privileges. The issue occurs due to improper session invalidation after administrator logout. When an administrator logs...

CVE-2025-65883

A vulnerability has been identified in Genexis Platinum P4410 router Firmware P4410-V2–1.41 that allows a local network attacker to achieve Remote Code Execution RCE with root privileges. The issue occurs due to improper session invalidation after administrator logout. When an administrator logs...

CVE-2025-65883

CVE-2025-65883 affects Genexis Platinum P4410 router (Firmware P4410-V2–1.41). The issue is improper session invalidation after administrator logout, leaving the session token valid and reusable by a local-network attacker. By exploiting the stale token, an attacker can send crafted requests to t...

U.S. Dept Of Defense: Account Takeover via Unverified Email Change and Improper Session Handling

A vulnerability was discovered in the email change functionality of the system. When the email was changed to an unregistered email address, the system accepted the change without proper verification. If the victim later registered using the same email, the attacker's existing session was not...