By weakness (CWE)

CWE-613: related vulnerabilities

CVEs classified under CWE-613. Understanding the weakness class helps prioritize systemic fixes over one-off patches.

2 published vulnerabilities

  • CVE-2026-44648HIGH 7.5

    SillyTavern, a locally installed interface for interacting with large language models and related AI services, contains a session management vulnerability in versions prior to 1.18.0. When users change their password or complete account recovery, the application updates the password hash in its database but fails to invalidate existing user sessions. Because SillyTavern uses stateless, client-side cookie storage for authentication data, the server has no mechanism to revoke tokens after they're issued. An attacker who gains access to a user's session cookie—either through theft, interception, or social engineering—can continue using that session even after the legitimate user changes their password, maintaining unauthorized access to the account and its associated permissions.

  • CVE-2026-48726MEDIUM 6.5

    Apache Airflow has a logout bypass vulnerability where JWT tokens remain valid after users log out through the web UI. When users click logout, the system fails to properly revoke their authentication tokens in deployments using FAB (Flask-AppBuilder) or Keycloak authentication. An attacker with a stolen or previously-issued JWT can continue making authenticated API calls as that logged-out user until the token naturally expires. This is a follow-up to an earlier fix that patched cookies but missed the JWT revocation paths in these two authentication modules.