This page collects WhisperX intelligence signals tagged #session hijacking. It is designed for humans, search engines, and AI agents: each item links to a canonical source-backed record with sector, source, timestamp, credibility, and exportable structured data.
A critical security vulnerability has been discovered in a game server's API, exposing the complete historical dataset of player votes, scores, and session identifiers to anyone on the internet. The `/api/export/votes.csv` endpoint lacks any form of authentication, allowing uncredentialed access to download the entire ...
A recent security gap analysis has uncovered two low-severity but critical configuration flaws in a VNC (Virtual Network Computing) setup. The first is an insecure command example present in official troubleshooting documentation, which would reintroduce a known vulnerability if followed. The second is a default templa...
A newly disclosed vulnerability in a foundational Node.js library opens a path for attackers to manipulate cookie data and potentially hijack user sessions. The flaw, tracked as CVE-2024-47764 and rated medium severity, resides in the widely used `cookie` library, specifically version 0.1.3. This library is a core comp...
A critical security flaw in a discovery pairing mechanism allowed an attacker on the same local network to hijack pending requests and redirect sensitive shared secrets to a malicious endpoint. The vulnerability, classified as a P1-level issue, resided in the `createPairRequest()` function, which deduplicated pending r...
A critical security vulnerability has been identified in a Flask application, exposing it to potential session hijacking and user impersonation attacks. The application's secret key, used for cryptographically signing session cookies, is hardcoded directly into the source code file `app.py` on line 20. This fundamental...
A parsing discrepancy in Hono, a web application framework supporting multiple JavaScript runtimes, allows cookie prefix protections to be bypassed through non-breaking space character injection. Versions prior to 4.12.12 contain a flaw where cookie names treated as distinct by browsers are normalized to the same key b...
A stored Cross-Site Scripting (XSS) vulnerability has been identified in Apache Superset's chart visualization component. The flaw allows an authenticated user with chart edit permissions to inject malicious code into column labels, which the application fails to sanitize before rendering. When other users interact wit...
A critical security flaw has been identified in the WebSocket gateway module responsible for session reconnection handling. The vulnerability exists in `internal/gateway/conn.go`, which manages the AEP init handshake for WebSocket connections. During session reconnection, when a client provides an existing `session_id`...
A high-severity vulnerability has been identified in WebDyne::Session versions up to and including 2.075, potentially exposing web applications to session hijacking attacks. The flaw, tracked as CVE-2026-5084, stems from the module's use of cryptographically weak session ID generation. Specifically, the software relies...