
CVE-2026-43827

· Published 25/05/2026 21:16 · Modified 26/05/2026 19:05

Labels: CVE-2026-43827 · 2026-05-25 · CWE-384 · [email protected]

Essential information

Published: 25/05/2026 21:16
Modified: 26/05/2026 19:05
CVSS: 5.9 MEDIUM (v3) · 5.9 MEDIUM (v4.0)
CISA KEV: No
CWE: CWE-384 (Session Fixation)
CVSS vector: not listed on this page

Description

Default configurations of Apache Shiro have a session fixation vulnerability. This issue affects Apache Shiro from 1.0 to 2.1.0, and 3.0.0-alpha-1. Users are recommended to upgrade to version 2.1.1, or 3.0.0-alpha-2 or later, which fixes the issue. In the affected versions, when a session already exists it is not invalidated upon successful login, nor is a new session with a new ID generated. The practical consequence of CWE-384 is that an attacker who can plant a session ID in the victim's browser before authentication (for example via a cookie set from a sibling subdomain or an injected Set-Cookie header) holds a valid authenticated session once the victim logs in, because the server keeps the attacker-chosen ID.
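The behaviour described above, modelled as an added example that is not part of the advisory or of Shiro's own code: a constructed in-memory session store with an affected login that authenticates onto the presented session ID and a fixed login that invalidates it and issues a fresh one, plus a small check for a live target that compares the session cookie before and after login. All names are hypothetical; the cookie name JSESSIONID is assumed to be the default and should be adjusted to whatever the target actually sets.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass, field
from http.cookies import SimpleCookie


@dataclass
class Session:
    """Server-side session record; 'principal' is set once the user authenticates."""
    attributes: dict = field(default_factory=dict)


class SessionStore:
    """Toy in-memory session store (constructed for this example, not Shiro's SessionDAO)."""

    def __init__(self) -> None:
        self._sessions: dict[str, Session] = {}

    def create(self) -> str:
        sid = secrets.token_hex(16)
        self._sessions[sid] = Session()
        return sid

    def get(self, sid: str) -> Session | None:
        return self._sessions.get(sid)

    def invalidate(self, sid: str) -> None:
        self._sessions.pop(sid, None)


def login_affected(store: SessionStore, presented_sid: str, principal: str) -> str:
    """Behaviour the advisory describes: authenticate onto whatever session the
    request already carries, so the ID the client presented stays valid."""
    session = store.get(presented_sid)
    if session is None:
        presented_sid = store.create()
        session = store.get(presented_sid)
    session.attributes["principal"] = principal
    return presented_sid


def login_fixed(store: SessionStore, presented_sid: str, principal: str) -> str:
    """Fixed behaviour: drop the pre-authentication session and mint a new ID."""
    if store.get(presented_sid) is not None:
        store.invalidate(presented_sid)
    new_sid = store.create()
    store.get(new_sid).attributes["principal"] = principal
    return new_sid


def fixation_attack(login) -> str | None:
    """Attacker obtains an unauthenticated session ID, plants it in the victim's
    browser, and the victim logs in. Returns the principal the attacker's ID
    resolves to afterwards (None means the planted ID is now useless)."""
    store = SessionStore()
    attacker_sid = store.create()          # attacker's own anonymous session
    login(store, attacker_sid, "alice")    # victim authenticates with the planted ID
    session = store.get(attacker_sid)      # attacker replays the same ID
    return session.attributes.get("principal") if session else None


def session_rotated(pre_login_set_cookie: str, post_login_set_cookie: str,
                    name: str = "JSESSIONID") -> bool:
    """Check for a live target: did the session cookie change across login?
    Feed it the Set-Cookie header of the pre-login response and of the login
    response. Returns False (not rotated) if the login response issued no new
    cookie of that name, which is exactly the affected behaviour."""
    before, after = SimpleCookie(), SimpleCookie()
    before.load(pre_login_set_cookie)
    after.load(post_login_set_cookie)
    if name not in before or name not in after:
        return False
    return before[name].value != after[name].value
```

Against a real deployment, fetch any page anonymously, record the session cookie, submit the login form with that cookie attached, and pass both Set-Cookie values to session_rotated; an unchanged ID after a successful login is the condition the advisory describes.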

NVD status

Status: Undergoing Analysis (CVE has been recently published to the CVE List and has been received by the NVD)
Source: [email protected]

Affected products (CPE)

Product: apache / shiro
  cpe:2.3:a:apache:shiro:1.0-2.1.0:*:*:*:*:*:*:*
  cpe:2.3:a:apache:shiro:3.0.0-alpha-1:*:*:*:*:*:*:*
  cpe:2.3:a:apache:shiro:<2.1.1:*:*:*:*:*:*:*
  cpe:2.3:a:apache:shiro:3.0.0-alpha-2:*:*:*:*:*:*:*

Note: these CPE strings appear to have been generated from the version text in the description rather than from a curated NVD configuration. "1.0-2.1.0" and "<2.1.1" are not valid CPE version components (a range needs versionStartIncluding/versionEndExcluding, not a single field), and 3.0.0-alpha-2 is the fixed release according to the description, not an affected one. Match on the description's ranges (1.0 through 2.1.0, and 3.0.0-alpha-1) until NVD analysis completes.
