CWE-384
Session Fixation
Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
We have discovered 9,609 live websites that are affected by CWE-384.
CVEs
- Count - 12
CWE References
Website Distribution by Country
Number of websites using CWE-384 United States | 2,982 websites |
 China | 1,247 websites |
 Germany | 1,023 websites |
 Poland | 364 websites |
 France | 345 websites |
 Italy | 249 websites |
 Brazil | 229 websites |
 Spain | 207 websites |
 Netherlands | 189 websites |
 Russia | 179 websites |
Website Distribution by TLD
Number of websites using CWE-384| .com | 3,417 websites |
| .de | 611 websites |
| .org | 500 websites |
| .net | 370 websites |
| .pl | 283 websites |
| .cn | 264 websites |
| .it | 202 websites |
| .fr | 182 websites |
| .edu | 173 websites |
| .nl | 167 websites |
Newest CVEs
List of the most recent CVEs that are part of CWE-384| Discovered | CVE | Description | Websites |
|---|---|---|---|
| Apr, 2026 | CVE-2026-31940 | Session Fixation in Chamilo LMS | 9 |
| Mar, 2026 | CVE-2026-25101 | Session Fixation in Bludit | 1,257 |
| Feb, 2026 | CVE-2026-23796 | Session Fixation in Quick.Cart | 347 |
| Feb, 2026 | CVE-2026-23624 | GLPI is vulnerable to session stealing on externally authenticated user change | 45 |
| Oct, 2025 | CVE-2025-64100 | CKAN Vulnerable to Session Cookie Fixation | 360 |
| Aug, 2025 | CVE-2025-55668 | Apache Tomcat: session fixation via rewrite valve | 5,320 |
| Jul, 2025 | CVE-2025-53102 | Discourse's WebAuthn challenge isn't cleared from user session after authentication | 1,322 |
| Feb, 2025 | CVE-2025-1412 | Session Persistence After User-to-Bot Conversion | 10 |
| Oct, 2024 | CVE-2024-48929 | Umbraco CMS Has Incomplete Server Termination During Explicit Sign-Out | 2 |
| Jun, 2024 | CVE-2024-24552 | Bludit is Vulnerable to Session Fixation | 695 |
The most widespread CVEs
List of the most common CVEs that are part of CWE-384| Discovered | CVE | Description | Websites |
|---|---|---|---|
| Aug, 2025 | CVE-2025-55668 | Apache Tomcat: session fixation via rewrite valve | 5,320 |
| Jul, 2025 | CVE-2025-53102 | Discourse's WebAuthn challenge isn't cleared from user session after authentication | 1,322 |
| Mar, 2026 | CVE-2026-25101 | Session Fixation in Bludit | 1,257 |
| Mar, 2017 | CVE-2016-9125 | Revive Adserver before 3.2.3 suffers from session fixation, by allowing arbitrary session identifier... | 729 |
| Jun, 2024 | CVE-2024-24552 | Bludit is Vulnerable to Session Fixation | 695 |
| Oct, 2025 | CVE-2025-64100 | CKAN Vulnerable to Session Cookie Fixation | 360 |
| Feb, 2026 | CVE-2026-23796 | Session Fixation in Quick.Cart | 347 |
| Feb, 2024 | CVE-2023-47798 | Account lockout in Liferay Portal 7.2.0 through 7.3.0, and older unsupported versions, and Liferay D... | 208 |
| Feb, 2026 | CVE-2026-23624 | GLPI is vulnerable to session stealing on externally authenticated user change | 45 |
| Feb, 2025 | CVE-2025-1412 | Session Persistence After User-to-Bot Conversion | 10 |
Websites affected by CWE-384
Top websites that are affected by CWE-384. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| ******.de | Germany | *,*** | |
| *******.de | Germany | *,*** | |
| *************.de | Germany | *,*** | |
| ***********.ro |  Romania | **,*** | |
| ****.******.ca |  Canada | **,*** | |
| **************.com | Canada | **,*** | |
| **.***.*****.*****.***.com | United States | **,*** | |
| *****************.jetzt | Germany | **,*** | |
| ******.******.ca | Canada | **,*** | |
| ******.com | United States | **,*** |