CVE-2026-12581
Received - Intake
Session Fixation in EasyFlow .NET

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: TWCERT/CC

Description
EasyFlow .NET developed by Digiwin has a Session Fixation vulnerability. If unauthenticated remote attackers replace a specific session ID for a user, they can gain the user's privilege once the user logs in.
Affected Vendors & Products
Vendor: digiwin
Product: easyflow_net
Version / Range: *
CWE
CWE ID: CWE-384
Description: Authenticating a user, or otherwise establishing a new user session, without invalidating any existing session identifier gives an attacker the opportunity to steal authenticated sessions.
Executive Summary

This vulnerability is a Session Fixation issue in EasyFlow .NET developed by Digiwin. It allows unauthenticated remote attackers to replace a specific session ID for a user. When the user logs in, the attacker can then gain the user's privileges by using the fixed session ID.

Impact Analysis

The impact of this vulnerability is that an attacker can gain unauthorized access to a user's account by fixing the session ID before the user logs in. This can lead to privilege escalation, allowing the attacker to perform actions with the user's permissions, potentially compromising sensitive data or system integrity.
