CVE-2026-9507
Published 2026-06-16
Priority: P3 (34) · Severity: medium · CVSS 4.0 base score: 5.1
CVSS 4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N (threat, environmental and supplemental metrics not defined)
EPSS: 0.40% (32.2nd percentile)
A session fixation vulnerability has been identified in osTicket v1.18.2. This security flaw allows an attacker to hijack a victim’s account by keeping the initial session identifier (OSTSESSID) active after a successful login.
The issue lies in the fact that the application does not invalidate the pre-authentication cookie or generate a new identifier for the authenticated context. As a result, if an attacker manages to set a known session identifier in the victim’s browser, they will be able to maintain unauthorised access to the account once the victim has authenticated.
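To make the described defect concrete, the following is an added example in Python, not osTicket's own code: a toy in-memory session store with the vulnerable login flow (the pre-authentication id is promoted as-is) beside the corrected one (a fresh id is issued and the old one dropped), plus a check that tells, from a captured login request/response of your own instance, whether the OSTSESSID cookie was rotated. `SessionStore`, `fixation_check` and `cookie_rotated` are names chosen for this example.

```python
import secrets
from http.cookies import SimpleCookie
COOKIE = "OSTSESSID"  # the osTicket session cookie named in the advisory

class SessionStore:
    # Minimal in-memory model of a server-side session table keyed by cookie value.
    def __init__(self):
        self.sessions = {}

    def new_session(self):
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": None}
        return sid

    def login_vulnerable(self, sid, user):
        # Vulnerable pattern: the pre-authentication id is kept and promoted to an
        # authenticated session, so anyone who already knows it is logged in too.
        self.sessions[sid]["user"] = user
        return sid

    def login_fixed(self, sid, user):
        # Fixed pattern: drop the old id and issue a fresh one for the authenticated
        # context (the equivalent of PHP session_regenerate_id(true) plus Set-Cookie).
        self.sessions.pop(sid, None)
        new_sid = secrets.token_hex(16)
        self.sessions[new_sid] = {"user": user}
        return new_sid

    def whoami(self, sid):
        return self.sessions.get(sid, {}).get("user")

def fixation_check(mode):
    # Log in with an id known before authentication; report whether it still works.
    store = SessionStore()
    pre_auth_sid = store.new_session()
    login = store.login_vulnerable if mode == "vulnerable" else store.login_fixed
    post_auth_sid = login(pre_auth_sid, "victim")
    return {
        "id_rotated": post_auth_sid != pre_auth_sid,
        "pre_auth_id_still_authenticated": store.whoami(pre_auth_sid) == "victim",
    }

def cookie_rotated(request_cookie, set_cookie_headers):
    # True if the login response issued a new OSTSESSID instead of keeping the sent one.
    sent = SimpleCookie(request_cookie).get(COOKIE)
    for header in set_cookie_headers:
        issued = SimpleCookie(header).get(COOKIE)
        if issued is not None:
            return sent is None or issued.value != sent.value
    return False
```

`cookie_rotated` expects the raw `Cookie` request header and the list of `Set-Cookie` response headers from the login exchange; a result of `False` on a patched instance is what to investigate.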
Affected (1 range):
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| enhancesoft | osticket | — | — |
GHSA (unreviewed, 2026-06-16): CVE-2026-9507 [MEDIUM] CWE-38. A session fixation vulnerability has been identified in osTicket v1.18.2.
VulDB (2026-06-16, CVSS 5.1): CVE-2026-9507 [MEDIUM] Enhancesoft osTicket 1.18.2 Session Identifier session expiration (EUVD-2026-37079)
A vulnerability was found in Enhancesoft osTicket 1.18.2 and classified as problematic. The impacted element is an unknown function of the component Session Identifier Handler. Such manipulation leads to session expiration.
This vulnerability is uniquely identified as CVE-2026-9507. The attack can be launched remotely. No exploit exists.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.