CWE-384

Total CVEs: 72
Critical: 24
High: 26
Avg CVSS: 7.8

Yearly Trend

2026: 8
2025: 25
2024: 15
2023: 14
2022: 5

Top Affected Vendors

1. IBM (3)
2. Apache (3)
3. Dbbroadcast (3)
4. PHPGurukul (2)
5. Jenkins (2)
6. HCLTech (2)
7. GLPI Project (1)
8. Video Management System Project (1)
9. HPE (1)
10. Easyappointments (1)

All CWE-384 CVEs (72)

CVE-2024-11317
10.0

CVE-2024-11317 is a session fixation vulnerability in ABB ASPECT, NEXUS, and MATRIX series products that allows attackers to set a user's session ID b...

Dec 5, 2024
CVE-2024-38513
10.0

This vulnerability in GoFiber's session middleware allows attackers to supply their own session_id, enabling session fixation attacks and unauthorized...

Jul 1, 2024
CVE-2021-20151
10.0

This vulnerability allows session hijacking on Trendnet AC2600 routers by exploiting IP-based session management instead of proper token verification....

Dec 30, 2021
CVE-2026-23796
9.8

Quick.Cart e-commerce software has a session fixation vulnerability where an attacker can set a victim's session ID before authentication, then hijack...

Feb 5, 2026
CVE-2025-59841
9.8

Flag Forge CTF platform versions 2.2.0 through 2.3.0 have a session invalidation vulnerability where authenticated users can continue accessing protec...

Sep 25, 2025
CVE-2025-53102
9.8

Discourse versions before 3.4.7 and 3.5.0.beta8 have a session fixation vulnerability in WebAuthn 2FA implementation. When users authenticate with phy...

Jul 29, 2025
CVE-2025-28238
9.8

This vulnerability allows attackers to hijack active user sessions in Elber REBLE310 devices running firmware v5.5.1.R. Attackers can impersonate legi...

Apr 18, 2025
CVE-2022-40916
9.8

CVE-2022-40916 is a session fixation vulnerability in Tiny File Manager v2.4.7 and below that allows attackers to hijack user sessions by fixing sessi...

Feb 6, 2025
CVE-2024-57052
9.8

A session fixation vulnerability in YoudianCMS v9.5.20 and earlier allows remote attackers to escalate privileges by manipulating the sessionID parame...

Jan 27, 2025
CVE-2024-13279
9.8

A session fixation vulnerability in Drupal's Two-factor Authentication (TFA) module allows attackers to hijack user sessions by fixing session IDs bef...

Jan 9, 2025
CVE-2024-8643
9.8

A session fixation vulnerability in Oceanic Software ValeApp allows attackers to hijack user sessions and perform brute force attacks. This affects al...

Sep 27, 2024
CVE-2024-23679
9.8

Enonic XP versions before 7.7.4 have a session fixation vulnerability where session attributes aren't properly invalidated. This allows remote unauthe...

Jan 19, 2024
CVE-2023-48929
9.8

This session fixation vulnerability in Franklin Fueling Systems System Sentinel AnyWare allows attackers to hijack user sessions by manipulating the '...

Dec 8, 2023
CVE-2023-42322
9.8

CVE-2023-42322 is an insecure permissions vulnerability in iCMS v7.0.16 that allows remote attackers to access sensitive information without authentic...

Sep 20, 2023
CVE-2023-28316
9.8

A session fixation vulnerability in Rocket.Chat's 2FA implementation allows attackers to maintain access to compromised accounts even after 2FA is ena...

May 9, 2023
CVE-2021-36394
9.8

CVE-2021-36394 is a critical remote code execution vulnerability in Moodle's Shibboleth authentication plugin. Attackers can execute arbitrary code on...

Mar 6, 2023
CVE-2021-38869
9.8

IBM QRadar SIEM fails to automatically log users out after exceeding idle timeout in certain situations, allowing unauthorized session persistence. Th...

Apr 27, 2022
CVE-2021-41553
9.8

CVE-2021-41553 is a session fixation vulnerability in ARCHIBUS Web Central that allows attackers to hijack user sessions by setting arbitrary JSESSION...

Oct 5, 2021
CVE-2021-39290
9.8

This vulnerability allows session fixation attacks on NetModule networking devices, enabling attackers to hijack user sessions by setting a known PHPS...

Aug 23, 2021
CVE-2025-69602
9.1

A session fixation vulnerability in 66biolinks v62.0.0 allows attackers to hijack authenticated user sessions by setting or predicting session IDs bef...

Jan 28, 2026
CVE-2025-45953
9.1

A session hijacking vulnerability in PHPGurukul Hostel Management System 2.1 allows attackers to steal user sessions and impersonate legitimate users....

Apr 28, 2025
CVE-2025-27661
9.1

This CVE describes a session fixation vulnerability in Vasion Print (formerly PrinterLogic) that allows attackers to hijack user sessions. Attackers c...

Mar 5, 2025
CVE-2023-52268
9.1

CVE-2023-52268 is an authentication bypass vulnerability in FreeScout's End-User Portal module where attackers can send session tokens to the /auth en...

Nov 12, 2024
CVE-2024-23590
9.1

This CVE describes a session fixation vulnerability in Apache Kylin that allows attackers to hijack user sessions by fixing session identifiers before...

Nov 4, 2024
CVE-2023-53776
8.8

This authentication bypass vulnerability in Screen SFT DAB 1.9.3 allows attackers to reuse IP-bound session identifiers to perform unauthorized operat...

Dec 10, 2025
CVE-2024-13967
8.8

This vulnerability allows attackers to bypass authentication and access the configuration web page of EIBPORT devices without proper credentials. It a...

Jun 4, 2025
CVE-2024-24552
8.8

CVE-2024-24552 is a session fixation vulnerability in Bludit CMS that allows attackers to hijack user sessions by tricking victims into using attacker...

Jun 24, 2024
CVE-2023-0897
8.8

Sielco PolyEco1000 devices have a session hijack vulnerability where attackers can brute-force session cookies and intercept unencrypted sessions. Thi...

Oct 26, 2023
CVE-2023-37946
8.8

The Jenkins OpenShift Login Plugin vulnerability allows session fixation attacks where previous sessions aren't invalidated upon new login. This enabl...

Jul 12, 2023
CVE-2023-34656
8.8

This vulnerability allows attackers to escalate privileges by exploiting JSESSION ID issues in Xiamen Si Xin Communication Technology Video management...

Jun 29, 2023
CVE-2023-32997
8.8

The Jenkins CAS Plugin 1.6.2 and earlier fails to invalidate previous user sessions upon login, allowing session fixation attacks. This vulnerability ...

May 16, 2023
CVE-2023-2105
8.8

This session fixation vulnerability in easyappointments allows attackers to hijack user sessions by fixing session IDs before authentication. It affec...

Apr 15, 2023
CVE-2022-31888
8.8

This CVE describes a session fixation vulnerability in osTicket's authentication system. Attackers can fixate session IDs before user login, potential...

Apr 5, 2023
CVE-2020-35229
8.8

This vulnerability allows attackers with network access to reuse authentication tokens indefinitely on affected NETGEAR switches, effectively bypassin...

Mar 10, 2021
CVE-2023-53741
8.1

Screen SFT DAB 1.9.3 has a weak session management vulnerability where attackers can bypass authentication by reusing IP-bound session identifiers. Th...

Dec 10, 2025
CVE-2023-6913
8.1

A session hijacking vulnerability in Imou Life app version 6.7.0 allows attackers to hijack user accounts through QR code functionality. The vulnerabi...

Dec 19, 2023
CVE-2023-29019
8.1

CVE-2023-29019 is a session fixation vulnerability in @fastify/passport that allows attackers to hijack user sessions. Applications using @fastify/pas...

Apr 21, 2023
CVE-2022-22681
8.1

This session fixation vulnerability in Synology Photo Station allows attackers to bypass access controls by manipulating session identifiers. Attacker...

Jul 6, 2022
CVE-2025-29928
8.0

authentik versions prior to 2024.12.4 and 2025.2.3 have a session management vulnerability when configured with database session storage. Attackers wi...

Mar 28, 2025
CVE-2023-40273
8.0

This session fixation vulnerability in Apache Airflow allows authenticated users to maintain access to the webserver even after their password has bee...

Aug 23, 2023
CVE-2023-50176
7.5

This session fixation vulnerability in Fortinet FortiOS allows attackers to hijack user sessions via phishing SAML authentication links. Attackers can...

Nov 12, 2024
CVE-2022-34536
7.5

This vulnerability in Digital Watchdog DW MEGApix IP cameras allows attackers to access the core log file and hijack sessions by crafting a malicious ...

Jul 19, 2022
CVE-2022-26591
7.5

This vulnerability allows unauthenticated attackers to download arbitrary files from FANTEC MWiD25-DS network attached storage devices. Attackers can ...

Apr 6, 2022
CVE-2021-31745
7.5

CVE-2021-31745 is a session fixation vulnerability in Pluck-CMS that allows attackers to maintain unauthorized access even after password resets. This...

Dec 10, 2021
CVE-2026-2177
7.3

CVE-2026-2177 is a session fixation vulnerability in SourceCodester Prison Management System 1.0 that allows attackers to hijack user sessions by fixi...

Feb 8, 2026
CVE-2024-25977
7.3

This vulnerability allows session fixation attacks where an attacker can set a victim's session token before login, then hijack their authenticated se...

May 29, 2024
CVE-2024-56529
7.1

Mailcow email server has a session fixation vulnerability where attackers can set session cookies on victim browsers when HSTS is disabled. After vict...

Jan 28, 2025
CVE-2024-7341
7.1

This CVE describes a session fixation vulnerability in Keycloak's SAML adapters where session IDs aren't regenerated during login, even when configure...

Sep 9, 2024
CVE-2022-24781
7.1

CVE-2022-24781 is a session fixation vulnerability in the Geon board game that allows malicious users to spoof other users' UUIDs through browser cons...

Mar 24, 2022
CVE-2023-24477
7.0

This vulnerability allows an authenticated local attacker to potentially access another user's session after logout in Guardian/CMC software. The issu...

Aug 9, 2023

About CWE-384

Our database tracks 72 CVEs classified as CWE-384, with 24 rated critical and 26 rated high severity. The average CVSS score for CWE-384 vulnerabilities is 7.8.

External reference: View CWE-384 on MITRE CWE →
