CWE-613: Insufficient Session Expiration — known CVE vulnerabilities
CVEs classified under CWE-613 (Insufficient Session Expiration), ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (50)
CVE-2024-8888 — CVSS 10.0 (critical): An attacker with access to the network where CIRCUTOR Q-SMT is located in its firmware version 1.0.4, could steal the tokens used on the…
CVE-2026-46455 — CVSS 9.8 (critical): Insufficient Session Expiration vulnerability in Apache Camel Keycloak Component. The camel-keycloak security helper KeycloakSecurityHelper…
CVE-2025-59786 — CVSS 9.8 (critical): 2N Access Commander version 3.4.2 and prior improperly invalidates session tokens, allowing multiple session cookies to remain active after…
CVE-2026-26342 — CVSS 9.8 (critical): Tattile Smart+, Vega, and Basic device families firmware versions 1.181.5 and prior implement an authentication token (X-User-Token) with…
CVE-2026-1435 — CVSS 9.8 (critical): Not properly invalidated session vulnerability in Graylog Web Interface, version 2.2.3, due to incorrect management of session invalidation…
CVE-2024-13996 — CVSS 9.8 (critical): Nagios XI versions prior to 2024R1.1.3 did not invalidate all other active sessions for a user when that user's password was changed. As a…
CVE-2025-54592 — CVSS 9.8 (critical): FreshRSS is a free, self-hostable RSS aggregator. Versions 1.26.3 and below do not properly terminate the session during logout. After a…
CVE-2024-29401 — CVSS 9.8 (critical): xzs-mysql 3.8 is vulnerable to Insufficient Session Expiration, which allows attackers to use the session of a deleted admin to do anything.
CVE-2024-25718 — CVSS 9.8 (critical): In the Samly package before 1.4.0 for Elixir, Samly.State.Store.get_assertion/3 can return an expired session, which interferes with access…
CVE-2022-22318 — CVSS 9.8 (critical): IBM Curam Social Program Management 8.0.0 and 8.0.1 does not invalidate session after logout which could allow an authenticated user to…
CVE-2022-22317 — CVSS 9.8 (critical): IBM Curam Social Program Management 8.0.0 and 8.0.1 does not invalidate session after logout which could allow an authenticated user to…
CVE-2021-25992 — CVSS 9.8 (critical): In Ifme, versions 1.0.0 to v.7.33.2 don’t properly invalidate a user’s session even after the user initiated logout. It makes it…
CVE-2021-22820 — CVSS 9.8 (critical): A CWE-614 Insufficient Session Expiration vulnerability exists that could allow an attacker to maintain an unauthorized access over a…
CVE-2021-25981 — CVSS 9.8 (critical): In Talkyard, regular versions v0.2021.20 through v0.2021.33 and dev versions v0.2021.20 through v0.2021.34, are vulnerable to Insufficient…
CVE-2020-27416 — CVSS 9.8 (critical): Mahavitaran android application 7.50 and prior are affected by account takeover due to improper OTP validation, allows remote attackers to…
CVE-2021-25979 — CVSS 9.8 (critical): Apostrophe CMS versions prior to 3.3.1 did not invalidate existing login sessions when disabling a user account or changing the password…
CVE-2021-40849 — CVSS 9.8 (critical): In Mahara before 20.04.5, 20.10.3, 21.04.2, and 21.10.0, the account associated with a web services token is vulnerable to being exploited…
CVE-2021-38823 — CVSS 9.8 (critical): The IceHrm 30.0.0 OS website was found vulnerable to Session Management Issue. A signout from an admin account does not invalidate an admin…
CVE-2021-37333 — CVSS 9.8 (critical): Laravel Booking System Booking Core 2.0 is vulnerable to Session Management. A password change at sandbox.bookingcore.org/user/profile/chang…
CVE-2020-35358 — CVSS 9.8 (critical): DomainMOD domainmod-v4.15.0 is affected by an insufficient session expiration vulnerability. On changing a password, both sessions using…
CVE-2020-6649 — CVSS 9.8 (critical): An insufficient session expiration vulnerability in FortiNet's FortiIsolator version 2.0.1 and below may allow an attacker to reuse the…
CVE-2021-3311 — CVSS 9.8 (critical): An issue was discovered in October through build 471. It reactivates an old session ID (which had been invalid after a logout) once a new…
CVE-2020-29667 — CVSS 9.8 (critical): In Lan ATMService M3 ATM Monitoring System 6.1.0, a remote attacker able to use a default cookie value, such as PHPSESSID=LANIT-IMANAGER…
CVE-2020-27422 — CVSS 9.8 (critical): In Anuko Time Tracker v1.19.23.5311, the password reset link emailed to the user doesn't expire once used, allowing an attacker to use the…
CVE-2020-27739 — CVSS 9.8 (critical): A Weak Session Management vulnerability in Citadel WebCit through 926 allows unauthenticated remote attackers to hijack recently logged-in…
CVE-2020-8234 — CVSS 9.8 (critical): A vulnerability exists in The EdgeMax EdgeSwitch firmware <v1.9.1 where the EdgeSwitch legacy web interface SIDSSL cookie for admin can be…
CVE-2020-17474 — CVSS 9.8 (critical): A token-reuse vulnerability in ZKTeco FaceDepot 7B 1.0.213 and ZKBiosecurity Server 1.0.0_20190723 allows an attacker to create arbitrary…
CVE-2014-2595 — CVSS 9.8 (critical): Barracuda Web Application Firewall (WAF) 7.8.1.013 allows remote attackers to bypass authentication by leveraging a permanent…
CVE-2019-8149 — CVSS 9.8 (critical): Insecure authentication and session management vulnerability exists in Magento 2.2 prior to 2.2.10, Magento 2.3 prior to 2.3.3 or 2.3.2-p1…
CVE-2016-11014 — CVSS 9.8 (critical): NETGEAR JNR1010 devices before 1.0.0.32 have Incorrect Access Control because the ok value of the auth cookie is a special case.
CVE-2018-6634 — CVSS 9.8 (critical): A vulnerability in Parsec Windows 142-0 and Parsec 'Linux Ubuntu 16.04 LTS Desktop' Build 142-1 allows unauthorized users to maintain…
CVE-2015-5171 — CVSS 9.8 (critical): The password change functionality in Cloud Foundry Runtime cf-release before 216, UAA before 2.5.2, and Pivotal Cloud Foundry (PCF) Elastic…
CVE-2016-5069 — CVSS 9.8 (critical): Sierra Wireless GX 440 devices with ALEOS firmware 4.3.2 use guessable session tokens, which are in the URL.
CVE-2026-8670 — CVSS 9.6 (critical): Insufficient session expiration vulnerability in syslink software AG Avantra on Linux, Windows allows Reusing Session IDs (aka Session…
CVE-2025-24973 — CVSS 9.3 (critical): Concorde, formerly know as Nexkey, is a fork of the federated microblogging platform Misskey. Prior to version 12.25Q1.1, due to an…
CVE-2026-53776 — CVSS 9.1 (critical): Perry before 0.5.1166 contains a JWT validation vulnerability that allows remote attackers to bypass token expiration by exploiting the…