CVE-2025-64100
published 2025-10-29


Priority: P4 33
Severity: medium, 6.1 (CVSS 3.1)
Vector: AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:N/A:N
EPSS: 0.27% (18.4th percentile)
CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.9 and 2.11.4, session IDs could be fixed by an attacker (session fixation) if the site is configured with server-side session storage (CKAN uses cookie-based session storage by default). The attacker would need to either set a cookie on the victim's browser or steal the victim's currently valid session ID. Session identifiers are now regenerated after each login. This vulnerability has been fixed in CKAN 2.10.9 and 2.11.4.
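The mechanism behind the advisory, as an added example that is not CKAN's own code: with server-side session storage the cookie is only a key into a store on the server, so an attacker who can get their own anonymous session ID into the victim's browser (or who knows the victim's pre-login ID) holds a valid key to whatever the victim's login later puts into that session. The vulnerable login below keeps the presented ID; the fixed login authenticates and then moves the session to a fresh ID, invalidating the planted one, which is the "regenerate after login" fix the advisory describes. The store, the user table and the function names are constructed for this illustration and are not CKAN or Flask APIs.

```python
import hmac
import secrets
from typing import Callable, Dict, Optional

# Constructed stand-in for a server-side session backend (Redis, filesystem, ...):
# the browser only ever holds the key; the session data lives here on the server.
class ServerSideSessionStore:
    def __init__(self) -> None:
        self._sessions: Dict[str, dict] = {}

    def create(self) -> str:
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {}
        return sid

    def get(self, sid: Optional[str]) -> Optional[dict]:
        return None if sid is None else self._sessions.get(sid)

    def rotate(self, old_sid: str) -> str:
        """Move the data to a fresh id and drop the old id so planted/stolen keys die."""
        data = self._sessions.pop(old_sid, {})
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid


# Constructed user table; a real app would verify a password hash.
USERS = {"victim": "correct horse battery staple"}


def check_password(user: str, password: str) -> bool:
    expected = USERS.get(user)
    return expected is not None and hmac.compare_digest(expected, password)


def login_vulnerable(store: ServerSideSessionStore, cookie_sid: Optional[str],
                     user: str, password: str) -> str:
    """Pre-fix behaviour: authenticate, then keep using whatever id the browser sent."""
    if not check_password(user, password):
        raise PermissionError("bad credentials")
    if store.get(cookie_sid) is None:
        cookie_sid = store.create()
    store.get(cookie_sid)["user"] = user
    return cookie_sid  # Set-Cookie carries the same id the attacker planted


def login_fixed(store: ServerSideSessionStore, cookie_sid: Optional[str],
                user: str, password: str) -> str:
    """Fixed behaviour: authenticate, then issue a fresh id and invalidate the old one."""
    if not check_password(user, password):
        raise PermissionError("bad credentials")
    if store.get(cookie_sid) is None:
        cookie_sid = store.create()
    new_sid = store.rotate(cookie_sid)
    store.get(new_sid)["user"] = user
    return new_sid  # Set-Cookie now carries an id the attacker never saw


def fixation_attack(login: Callable[..., str]) -> Optional[str]:
    """Simulate the attack: attacker obtains an anonymous sid, plants it on the victim,
    the victim logs in, and the attacker then reads the session behind the planted id.
    Returns the username the attacker can see, or None if the planted id is dead."""
    store = ServerSideSessionStore()
    planted_sid = store.create()        # attacker's own anonymous session
    victim_cookie = planted_sid         # set on the victim's browser by some means
    login(store, victim_cookie, "victim", USERS["victim"])
    attacker_view = store.get(planted_sid)
    return attacker_view.get("user") if attacker_view else None


if __name__ == "__main__":
    print("vulnerable login, attacker sees:", fixation_attack(login_vulnerable))
    print("fixed login, attacker sees:     ", fixation_attack(login_fixed))
```

Rotation at login is what closes the fixation window; it does nothing against an attacker who steals an already-authenticated session ID, which is a separate hijacking problem handled by cookie scoping, `Secure`/`HttpOnly` flags and session expiry rather than by this fix.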

Affected

4 ranges
Vendor  Product  Version range          Fixed in
ckan    ckan     < 2.10.9               2.10.9
ckan    ckan
ckan    ckan     >= 2.10.0, < 2.10.9    2.10.9
ckan    ckan     >= 2.11.0, < 2.11.4    2.11.4