CVE-2026-8670 PUBLISHED

Insecure session handling on metrics web server

Assigner: NCSC.ch
Reserved: 15.05.2026 Published: 22.05.2026 Updated: 22.05.2026

Insufficient session expiration vulnerability in syslink software AG Avantra on Linux and Windows allows Reusing Session IDs (aka Session Replay).

This issue affects Avantra versions before 25.3.1.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
CVSS Score: 9.6

Product Status

Vendor syslink software AG
Product Avantra
Versions Default: unaffected
  • affected from 0 to 25.3.1 (excl.)

Credits

  • Vicxer Inc. (finder)

Problem Types

  • CWE-613 Insufficient session expiration

Impacts

  • CAPEC-60 Reusing Session IDs (aka Session Replay)