GHSA-8JG2-726G-XH43 parisneo/lollms has an insufficient session expiration vulnerability
An insufficient session expiration vulnerability exists in the latest version of parisneo/lollms. The application fails to invalidate active sessions after a password reset, allowing an attacker to continue using an old session token. This issue arises due to the absence of logic to reject reques...
CVE-2026-26060
CVE-2026-26060 concerns Fleet, an open-source device-management platform. According to the provided sources, prior to version 4.81.0, the password-management logic allowed previously issued password-reset tokens to remain valid after a user changes their password, enabling a stale token to be use...
CVE-2026-28275
Initiative is a self-hosted project management platform. Versions of the application prior to 0.32.4 do not invalidate previously issued JWT access tokens after a user changes their password. As a result, older tokens remain valid until expiration and can still be used to access protected API...
PT-2026-20391
Improper session invalidation vulnerability in Graylog Web Interface, version 2.2.3, due to incorrect management of session invalidation after new logins. The application generates a new 'sessionId' each time a user authenticates, but does not invalidate previously issued session identifiers,...
PT-2025-36994
Name of the Vulnerable Software and Affected Versions: Infrahub versions prior to 1.3.9; Infrahub versions prior to 1.4.5. Description: Infrahub provides a central hub for managing data, templates, and playbooks. A flaw in the authentication logic allows deleted or expired API tokens to be consider...
Mattermost authorization vulnerability
Mattermost is an open source collaboration platform from Mattermost, Inc. in the United States. Mattermost has a security vulnerability caused by failing to invalidate all previously issued tokens when a new reset token is created...