VYPR

CWE-613

Insufficient Session Expiration

Abstraction: Base; Status: Incomplete

Description

According to WASC, "Insufficient Session Expiration is when a web site permits an attacker to reuse old session credentials or session IDs for authorization."
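The definition covers several distinct failure modes that the CVE entries on this page illustrate one at a time: sessions that outlive a logout, a password change or an account deactivation; IDs that are not rotated on login; and sessions with no idle or absolute lifetime. The following Python session store is an added example written for this page (it is not WASC, CWE or any listed project's code) that enforces all of those rules in one place; the class names, the timeouts and the `auth_generation` counter are illustrative choices, not a standard API.

```python
"""Added example: a server-side session store that enforces the expiry and
revocation rules the CVEs on this page show being skipped. Names and
timeouts are illustrative assumptions, not any listed project's code."""
import secrets
import time
from dataclasses import dataclass

IDLE_TIMEOUT = 15 * 60        # seconds without a request before the session dies
ABSOLUTE_LIFETIME = 8 * 3600  # hard cap on session age, active or not


@dataclass
class User:
    name: str
    active: bool = True
    auth_generation: int = 0  # bumped on password change or deactivation


@dataclass
class Session:
    user: str
    generation: int   # user's auth_generation when the session was issued
    created: float
    last_seen: float


class SessionStore:
    def __init__(self, clock=time.time):
        self.clock = clock       # injectable so the scenarios below can fast-forward
        self.users = {}
        self.sessions = {}

    def add_user(self, name):
        self.users[name] = User(name)

    def login(self, name, old_session_id=None):
        """Issue a fresh random ID; drop whatever session the client held before
        authenticating so a pre-login (fixated) ID never becomes authenticated."""
        user = self.users[name]
        if not user.active:
            raise PermissionError("inactive user")
        if old_session_id is not None:
            self.sessions.pop(old_session_id, None)
        now = self.clock()
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = Session(name, user.auth_generation, now, now)
        return sid

    def validate(self, sid):
        """Return the user name if the session is live; otherwise purge it and
        return None. Each condition matches one failure mode listed on this page."""
        s = self.sessions.get(sid)
        if s is None:
            return None
        now = self.clock()
        user = self.users.get(s.user)
        dead = (
            user is None or not user.active             # user deleted or deactivated
            or s.generation != user.auth_generation     # password changed since issue
            or now - s.last_seen > IDLE_TIMEOUT         # idle too long
            or now - s.created > ABSOLUTE_LIFETIME      # too old, however active
        )
        if dead:
            del self.sessions[sid]
            return None
        s.last_seen = now
        return s.user

    def logout(self, sid):
        self.sessions.pop(sid, None)  # server-side delete, not just cookie removal

    def change_password(self, name):
        # Hashing and storing the new password is omitted; the security-relevant
        # step is the generation bump that invalidates every existing session.
        self.users[name].auth_generation += 1

    def deactivate(self, name):
        self.users[name].active = False
        self.users[name].auth_generation += 1


def run_scenarios():
    """Exercise each rule against a fake clock and return the observed outcomes."""
    t = [1_000_000.0]
    store = SessionStore(clock=lambda: t[0])
    store.add_user("alice")
    old = store.login("alice")
    new = store.login("alice", old_session_id=old)   # re-login rotates the ID
    rotated = (store.validate(old), store.validate(new))
    sid = store.login("alice")
    store.logout(sid)
    after_logout = store.validate(sid)
    sid = store.login("alice")
    store.change_password("alice")
    after_password_change = store.validate(sid)
    sid = store.login("alice")
    t[0] += IDLE_TIMEOUT + 1
    after_idle = store.validate(sid)
    sid = store.login("alice")
    for _ in range(60):            # touch it every 10 minutes for 10 hours
        t[0] += 600
        store.validate(sid)
    after_absolute = store.validate(sid)   # absolute cap wins despite activity
    sid = store.login("alice")
    store.deactivate("alice")
    after_deactivate = store.validate(sid)
    return {"rotated": rotated, "after_logout": after_logout,
            "after_password_change": after_password_change, "after_idle": after_idle,
            "after_absolute": after_absolute, "after_deactivate": after_deactivate}
```

The generation counter is the cheap alternative to enumerating and deleting a user's sessions on password change: nothing has to be found, because every existing session carries a stale generation and fails its next `validate`. The same check covers deactivation and deletion, which is the class of bug behind the allauth, Pterodactyl and Mage AI entries further down.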

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (239)

page 8 of 12
  • CVE-2026-24894 (Feb 12, 2026)
    risk 0.00 | cvss | epss 0.00

    FrankenPHP is a modern application server for PHP. Prior to 1.11.2, when running FrankenPHP in worker mode, the $_SESSION superglobal is not correctly reset between requests. This allows a subsequent request processed by the same worker to access the $_SESSION data of the…

  • CVE-2026-24472 (Jan 27, 2026)
    risk 0.00 | cvss | epss 0.00

    Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, Cache Middleware contains an information disclosure vulnerability caused by improper handling of HTTP cache control directives. The middleware does not respect standard…

  • CVE-2025-66803 (Jan 20, 2026)
    risk 0.00 | cvss | epss 0.00

    Race condition in the turbo-frame element handler in Hotwired Turbo before 8.0.x causes logout operations to fail when delayed frame responses reapply session cookies after logout. This can be exploited by remote attackers via selective network delays (e.g. delaying requests…

  • CVE-2025-68954 (Jan 6, 2026)
    risk 0.00 | cvss | epss 0.00

    Pterodactyl is a free, open-source game server management panel. Versions 1.11.11 and below do not revoke active SFTP connections when a user is removed from a server instance or has their permissions changed with respect to file access over SFTP. This allows a user that was…

  • CVE-2025-65430 (Dec 15, 2025)
    risk 0.00 | cvss | epss 0.00

    An issue was discovered in allauth-django before 65.13.0. IdP: marking a user as is_active=False after having handed out tokens for that user while the account was still active had no effect. Fixed: access/refresh tokens for such a user are now rejected.

  • CVE-2025-64708 (Nov 19, 2025)
    risk 0.00 | cvss | epss 0.00

    authentik is an open-source Identity Provider. Prior to versions 2025.8.5 and 2025.10.2, invitations were considered valid regardless of whether they had expired, relying on background tasks to clean up expired ones. In a normal scenario this…

  • CVE-2025-43819 (Sep 24, 2025)
    risk 0.00 | cvss | epss 0.00

    An Insufficient Session Expiration vulnerability in Liferay Portal 7.4.3.121 through 7.3.3.131, and Liferay DXP 2024.Q4.0 through 2024.Q4.3, 2024.Q3.1 through 2024.Q3.13, 2024.Q2.0 through 2024.Q2.13, and 2024.Q1.1 through 2024.Q1.12, allows a remote non-authenticated…

  • CVE-2025-57766 (Sep 8, 2025)
    risk 0.00 | cvss | epss 0.00

    Fides is an open-source privacy engineering platform. Prior to version 2.69.1, admin UI user password changes in Fides do not invalidate active user sessions, creating a vulnerability chaining opportunity where attackers who have obtained session tokens through other attack…

  • CVE-2025-58437 (Sep 6, 2025)
    risk 0.00 | cvss | epss 0.00

    Coder allows organizations to provision remote development environments via Terraform. In versions 2.22.0 through 2.24.3, 2.25.0 and 2.25.1, Coder can be compromised through insecure session handling in prebuilt workspaces. Coder automatically generates a session token for a…

  • CVE-2025-58352 (Sep 4, 2025)
    risk 0.00 | cvss | epss 0.00

    Weblate is a web based localization tool. Versions lower than 5.13.1 contain a vulnerability that causes long session expiry during the second factor verification. The long session expiry could be used to circumvent rate limiting of the second factor. This issue is fixed in…

  • CVE-2025-53826 (Jul 15, 2025)
    risk 0.00 | cvss | epss 0.01

    File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename, and edit files. In version 2.39.0, File Browser’s authentication system issues long-lived JWT tokens that remain valid even after the user logs…

  • CVE-2025-32441 (May 7, 2025)
    risk 0.00 | cvss | epss 0.00

    Rack is a modular Ruby web server interface. Prior to version 2.2.14, when using the `Rack::Session::Pool` middleware, simultaneous rack requests can restore a deleted rack session, which allows the unauthenticated user to occupy that session. Rack session middleware prepares…

  • CVE-2025-46815 (May 6, 2025)
    risk 0.00 | cvss | epss 0.00

    The identity infrastructure software ZITADEL offers developers the ability to manage user sessions using the Session API. This API enables the use of IdPs for authentication, known as idp intents. Following a successful idp intent, the client receives an id and token on a…

  • CVE-2024-45033 (Jan 8, 2025)
    risk 0.00 | cvss | epss 0.01

    Insufficient Session Expiration vulnerability in Apache Airflow Fab Provider. This issue affects Apache Airflow Fab Provider: before 1.5.2. When user password has been changed with admin CLI, the sessions for that user have not been cleared, leading to insufficient session…

  • CVE-2024-52553 (Nov 13, 2024)
    risk 0.00 | cvss | epss 0.01

    Jenkins OpenId Connect Authentication Plugin 4.418.vccc7061f5b_6d and earlier does not invalidate the previous session on login.

  • CVE-2024-48926 (Oct 22, 2024)
    risk 0.00 | cvss | epss 0.00

    Umbraco, a free and open source .NET content management system, has an insufficient session expiration issue in versions on the 13.x branch prior to 13.5.2, 10.x prior to 10.8.7, and 8.x prior to 8.18.15. The Backoffice displays the logout page with a session timeout message…

  • CVE-2024-45187 (Aug 23, 2024)
    risk 0.00 | cvss | epss 0.00

    Guest users in the Mage AI framework that remain logged in after their accounts are deleted are mistakenly given high privileges, specifically access to remotely execute arbitrary code through the Mage AI terminal server.

  • CVE-2024-42447 (Aug 5, 2024)
    risk 0.00 | cvss | epss 0.01

    Insufficient Session Expiration vulnerability in Apache Airflow Providers FAB. This issue affects Apache Airflow Providers FAB: 1.2.1 (when used with Apache Airflow 2.9.3) and FAB 1.2.0 for all Airflow versions. The FAB provider prevented the user from logging out. * FAB…

  • CVE-2024-4680 (Jun 8, 2024)
    risk 0.00 | cvss | epss 0.00

    A vulnerability in zenml-io/zenml version 0.56.3 allows attackers to reuse old session credentials or session IDs due to insufficient session expiration. Specifically, the session does not expire after a password change, enabling an attacker to maintain access to a compromised…

  • CVE-2024-34709 (May 13, 2024)
    risk 0.00 | cvss | epss 0.00

    Directus is a real-time API and App dashboard for managing SQL database content. Prior to 10.11.0, session tokens function like the other JWT tokens where they are not actually invalidated when logging out. The `directus_session` gets destroyed and the cookie gets deleted but if…
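The Directus entry above and the File Browser entry (CVE-2025-53826) share a cause that is worth seeing in code: a stateless JWT keeps verifying until its `exp` passes, so deleting the session row or the cookie changes nothing for an attacker who already holds the token. The following Python is an added example for this page, not Directus or File Browser code, and implements HS256 by hand so it runs without third-party packages. It shows the naive verifier that only checks signature and expiry beside a hardened service that adds a `jti` denylist populated on logout and a per-user password-version claim (`pv`); the key, claim names and 15-minute TTL are illustrative assumptions.

```python
"""Added example: why a JWT survives logout, and two server-side checks that
close the gap. The secret, claim names and TTL are constructed for the demo."""
import base64
import hashlib
import hmac
import json
import secrets
import time

SECRET = b"constructed-demo-key-do-not-reuse"   # assumption: HS256 shared secret
TTL = 15 * 60                                    # short lifetime bounds the damage


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign(payload):
    """Mint a compact HS256 JWT (header.payload.signature)."""
    header = _b64(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64(sig)}"


def decode(token, now):
    """The naive verifier: signature and `exp` only. Returns claims or None.
    This is everything a purely stateless check can know about the token."""
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(SECRET, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64(sig)):
        return None
    claims = json.loads(_unb64(body))
    if claims.get("exp", 0) <= now:
        return None
    return claims


class TokenService:
    """Hardened path: stateless verification plus two pieces of server state."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pwd_version = {}   # user -> int, bumped on password change
        self.revoked = {}       # jti -> exp; entries are dropped once expired

    def issue(self, user):
        now = int(self.clock())
        return sign({"sub": user, "jti": secrets.token_urlsafe(16),
                     "pv": self.pwd_version.get(user, 0), "iat": now, "exp": now + TTL})

    def logout(self, token):
        claims = decode(token, self.clock())
        if claims:
            self.revoked[claims["jti"]] = claims["exp"]   # denylist until it expires

    def change_password(self, user):
        self.pwd_version[user] = self.pwd_version.get(user, 0) + 1

    def _purge(self):
        now = self.clock()
        self.revoked = {j: e for j, e in self.revoked.items() if e > now}

    def authenticate(self, token):
        self._purge()
        claims = decode(token, self.clock())
        if claims is None or claims["jti"] in self.revoked:
            return None
        if claims["pv"] != self.pwd_version.get(claims["sub"], 0):
            return None                                     # issued before a password change
        return claims["sub"]


def run_scenarios():
    """Contrast the naive and hardened verifiers; returns the observed outcomes."""
    t = [1_700_000_000.0]
    svc = TokenService(clock=lambda: t[0])
    tok = svc.issue("alice")
    svc.logout(tok)
    naive_after_logout = decode(tok, t[0])["sub"]     # "alice": still verifies
    hardened_after_logout = svc.authenticate(tok)     # None: jti is denylisted
    tok2 = svc.issue("alice")
    svc.change_password("alice")
    after_password_change = svc.authenticate(tok2)    # None: pv claim is stale
    tok3 = svc.issue("alice")
    live = svc.authenticate(tok3)                     # "alice"
    t[0] += TTL + 1
    after_expiry = svc.authenticate(tok3)             # None: exp has passed
    denylist_after_expiry = len(svc.revoked)          # 0: purged with the token
    return {"naive_after_logout": naive_after_logout,
            "hardened_after_logout": hardened_after_logout,
            "after_password_change": after_password_change, "live": live,
            "after_expiry": after_expiry, "denylist_after_expiry": denylist_after_expiry}
```

The denylist only has to remember a `jti` until its `exp`, so its size is bounded by the TTL times the logout rate; that is the reason the token lifetime stays short. Rotating the signing key would also invalidate every token at once, but unlike the per-user `pv` claim it cannot target one account.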