CWE-384: Session Fixation — known CVE vulnerabilities
CVEs classified under CWE-384 (Session Fixation), ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (50)
CVE-2024-11317 — CVSS 10.0 (critical): Session Fixation vulnerabilities allow an attacker to fix a users session identifier before login providing an opportunity for session…
CVE-2024-38513 — CVSS 10.0 (critical): Fiber is an Express-inspired web framework written in Go A vulnerability present in versions prior to 2.52.5 is a session middleware issue…
CVE-2021-20151 — CVSS 10.0 (critical): Trendnet AC2600 TEW-827DRU version 2.08B01 contains a flaw in the session management for the device. The router's management software…
CVE-2025-67446 — CVSS 9.8 (critical): Improper Authentication (Authentication Bypass) exists in Neterbit NW-431F Router 20241014-IR03 and before. The router uses a…
CVE-2026-25101 — CVSS 9.8 (critical): Bludit allows user's session identifier to be set before authentication. The value of this session ID stays the same after authentication…
CVE-2026-24352 — CVSS 9.8 (critical): PluXml CMS allows a user's session identifier to be set before authentication. The value of this session ID stays the same after…
CVE-2026-23796 — CVSS 9.8 (critical): Quick.Cart allows a user's session identifier to be set before authentication. The value of this session ID stays the same after…
CVE-2025-59841 — CVSS 9.8 (critical): Flag Forge is a Capture The Flag (CTF) platform. In versions from 2.2.0 to before 2.3.1, the FlagForge web application improperly handles…
CVE-2025-53102 — CVSS 9.8 (critical): Discourse is an open-source community discussion platform. Prior to version 3.4.7 on the `stable` branch and version 3.5.0.beta.8 on the…
CVE-2025-52689 — CVSS 9.8 (critical): Successful exploitation of the vulnerability could allow an unauthenticated attacker to obtain a valid session ID with administrator…
CVE-2025-45949 — CVSS 9.8 (critical): A critical vulnerability was found in PHPGurukul User Registration & Login and User Management System V3.3 in the /loginsystem/change-passwo…
CVE-2025-28242 — CVSS 9.8 (critical): Improper session management in the /login_ok.htm endpoint of DAEnetIP4 METO v1.25 allows attackers to execute a session hijacking attack.
CVE-2025-28238 — CVSS 9.8 (critical): Improper session management in Elber REBLE310 Firmware v5.5.1.R , Equipment Model: REBLE310/RX10/4ASI allows attackers to execute a session…
CVE-2024-57052 — CVSS 9.8 (critical): An issue in youdiancms v.9.5.20 and before allows a remote attacker to escalate privileges via the sessionID parameter in the index.php…
CVE-2024-8643 — CVSS 9.8 (critical): Session Fixation vulnerability in Oceanic Software ValeApp allows Brute Force, Session Hijacking. This issue affects ValeApp: before v2.0.0.
CVE-2024-23679 — CVSS 9.8 (critical): Enonic XP versions less than 7.7.4 are vulnerable to a session fixation issue. An remote and unauthenticated attacker can use prior…
CVE-2023-48929 — CVSS 9.8 (critical): Franklin Fueling Systems System Sentinel AnyWare (SSA) version 1.6.24.492 is vulnerable to Session Fixation. The 'sid' parameter in the…
CVE-2023-42322 — CVSS 9.8 (critical): Insecure Permissions vulnerability in icmsdev iCMS v.7.0.16 allows a remote attacker to obtain sensitive information.
CVE-2023-41012 — CVSS 9.8 (critical): An issue in China Mobile Communications China Mobile Intelligent Home Gateway v.HG6543C4 allows a remote attacker to execute arbitrary code…
CVE-2023-31498 — CVSS 9.8 (critical): A privilege escalation issue was found in PHP Gurukul Hospital Management System In v.4.0 allows a remote attacker to execute arbitrary…
CVE-2023-28316 — CVSS 9.8 (critical): A security vulnerability has been discovered in the implementation of 2FA on the rocket.chat platform, where other active sessions are not…
CVE-2022-31689 — CVSS 9.8 (critical): VMware Workspace ONE Assist prior to 22.10 contains a Session fixation vulnerability. A malicious actor who obtains a valid session token…
CVE-2022-38054 — CVSS 9.8 (critical): In Apache Airflow versions 2.2.4 through 2.3.3, the `database` webserver session backend was susceptible to session fixation.
CVE-2021-38869 — CVSS 9.8 (critical): IBM QRadar SIEM 7.3, 7.4, and 7.5 in some situations may not automatically log users out after they exceede their idle timeout. IBM X-Force…
CVE-2021-41553 — CVSS 9.8 (critical): In ARCHIBUS Web Central 21.3.3.815 (a version from 2014), the Web Application in /archibus/login.axvw assign a session token that could be…
CVE-2021-39290 — CVSS 9.8 (critical): Certain NetModule devices allow Limited Session Fixation via PHPSESSID. These models with firmware before 4.3.0.113, 4.4.0.111, and…
CVE-2020-8434 — CVSS 9.8 (critical): Jenzabar JICS (aka Internet Campus Solution) before 9.0.1 Patch 3, 9.1 before 9.1.2 Patch 2, and 9.2 before 9.2.2 Patch 8 has session…
CVE-2020-11729 — CVSS 9.8 (critical): An issue was discovered in DAViCal Andrew's Web Libraries (AWL) through 0.60. Long-term session cookies, uses to provide long-term session…
CVE-2020-5543 — CVSS 9.8 (critical): TCP function included in the firmware of Mitsubishi Electric MELQIC IU1 series IU1-1M20-D firmware version 1.0.7 and earlier does not…
CVE-2019-10158 — CVSS 9.8 (critical): A flaw was found in Infinispan through version 9.4.14.Final. An improper implementation of the session fixation protection in the Spring…
CVE-2019-18418 — CVSS 9.8 (critical): clonos.php in ClonOS WEB control panel 19.09 allows remote attackers to gain full access via change password requests because there is no…
CVE-2019-5523 — CVSS 9.8 (critical): VMware vCloud Director for Service Providers 9.5.x prior to 9.5.0.3 update resolves a Remote Session Hijack vulnerability in the Tenant and…
CVE-2018-18926 — CVSS 9.8 (critical): Gitea before 1.5.4 allows remote code execution because it does not properly validate session IDs. This is related to session ID handling…
CVE-2018-18925 — CVSS 9.8 (critical): Gogs 0.11.66 allows remote code execution because it does not properly validate session IDs, as demonstrated by a ".." session-file forgery…
CVE-2016-6545 — CVSS 9.8 (critical): Session cookies are not used for maintaining valid sessions in iTrack Easy. The user's password is passed as a POST parameter over HTTPS…
CVE-2018-12071 — CVSS 9.8 (critical): A Session Fixation issue exists in CodeIgniter before 3.1.9 because session.use_strict_mode in the Session Library was mishandled.
CVE-2018-11714 — CVSS 9.8 (critical): An issue was discovered on TP-Link TL-WR840N v5 00000005 0.9.1 3.16 v0001.0 Build 170608 Rel.58696n and TL-WR841N v13 00000013 0.9.1 4.16…
CVE-2018-6959 — CVSS 9.8 (critical): VMware vRealize Automation (vRA) prior to 7.4.0 contains a vulnerability in the handling of session IDs. Exploitation of this issue may…
CVE-2017-15304 — CVSS 9.8 (critical): /bin/login.php in the Web Panel on the Airtame HDMI dongle with firmware before 3.0 allows an attacker to set his own session id via a…
CVE-2016-10405 — CVSS 9.8 (critical): Session fixation vulnerability in D-Link DIR-600L routers (rev. Ax) with firmware before FW1.17.B01 allows remote attackers to hijack web…
CVE-2017-12873 — CVSS 9.8 (critical): SimpleSAMLphp 1.7.0 through 1.14.10 might allow attackers to obtain sensitive information, gain unauthorized access, or have unspecified…
CVE-2017-12868 — CVSS 9.8 (critical): The secureCompare method in lib/SimpleSAML/Utils/Crypto.php in SimpleSAMLphp 1.14.13 and earlier, when used with PHP before 5.6, allows…
CVE-2017-12965 — CVSS 9.8 (critical): Session fixation vulnerability in Apache2Triad 1.5.4 allows remote attackers to hijack web sessions via the PHPSESSID parameter.