Search

Find a vulnerability

Search criteria Use this form to refine search results.
Full-text search supports keyword queries with ranking and filtering.
You can combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by date instead of relevance.

    2 vulnerabilities by katalyst

    CVE-2026-44511 (GCVE-0-2026-44511)

    Vulnerability from nvd – Published: 2026-05-14 16:17 – Updated: 2026-05-14 18:34
    VLAI
    Title
    Katalyst Koi: Session cookies can be replayed after user logout
    Summary
    Katalyst Koi is a framework for building Rails admin functionality. Prior to 4.20.0 and 5.6.0, admin session cookies were not invalidated when an admin user logged out. An attacker with access to a valid admin session cookie could continue to access admin functionality after logout, until the cookie expired or session secrets were rotated. This vulnerability is fixed in 4.20.0 and 5.6.0.
    Severity
    7.4 (High)
    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-613 - Insufficient Session Expiration
    Assigner
    References
    Impacted products
    Vendor Product Version
    katalyst koi Affected: < 4.20.0
    Affected: >= 5.0.0 <= 5.6.0
    		Create a notification for this product.
    Show details on NVD website
    To clipboard 

    {
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-44511",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-14T18:33:52.395978Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-14T18:34:47.908Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "koi",
          "vendor": "katalyst",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.20.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.0.0 \u003c= 5.6.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Katalyst Koi is a framework for building Rails admin functionality. Prior to 4.20.0 and 5.6.0, admin session cookies were not invalidated when an admin user logged out. An attacker with access to a valid admin session cookie could continue to access admin functionality after logout, until the cookie expired or session secrets were rotated. This vulnerability is fixed in 4.20.0 and 5.6.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-613",
              "description": "CWE-613: Insufficient Session Expiration",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-14T16:17:29.187Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/katalyst/koi/security/advisories/GHSA-4cx3-3c38-j9vv",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/katalyst/koi/security/advisories/GHSA-4cx3-3c38-j9vv"
        }
      ],
      "source": {
        "advisory": "GHSA-4cx3-3c38-j9vv",
        "discovery": "UNKNOWN"
      },
      "title": "Katalyst Koi: Session cookies can be replayed after user logout"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-44511",
    "datePublished": "2026-05-14T16:17:29.187Z",
    "dateReserved": "2026-05-06T18:28:20.887Z",
    "dateUpdated": "2026-05-14T18:34:47.908Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

    CVE-2026-44511 (GCVE-0-2026-44511)

    Vulnerability from cvelistv5 – Published: 2026-05-14 16:17 – Updated: 2026-05-14 18:34
    VLAI
    Title
    Katalyst Koi: Session cookies can be replayed after user logout
    Summary
    Katalyst Koi is a framework for building Rails admin functionality. Prior to 4.20.0 and 5.6.0, admin session cookies were not invalidated when an admin user logged out. An attacker with access to a valid admin session cookie could continue to access admin functionality after logout, until the cookie expired or session secrets were rotated. This vulnerability is fixed in 4.20.0 and 5.6.0.
    Severity
    7.4 (High)
    CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-613 - Insufficient Session Expiration
    Assigner
    References
    Impacted products
    Vendor Product Version
    katalyst koi Affected: < 4.20.0
    Affected: >= 5.0.0 <= 5.6.0
    		Create a notification for this product.
    Show details on NVD website
    To clipboard 

    {
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-44511",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-14T18:33:52.395978Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-14T18:34:47.908Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "koi",
          "vendor": "katalyst",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c 4.20.0"
            },
            {
              "status": "affected",
              "version": "\u003e= 5.0.0 \u003c= 5.6.0"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Katalyst Koi is a framework for building Rails admin functionality. Prior to 4.20.0 and 5.6.0, admin session cookies were not invalidated when an admin user logged out. An attacker with access to a valid admin session cookie could continue to access admin functionality after logout, until the cookie expired or session secrets were rotated. This vulnerability is fixed in 4.20.0 and 5.6.0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 7.4,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-613",
              "description": "CWE-613: Insufficient Session Expiration",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-14T16:17:29.187Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/katalyst/koi/security/advisories/GHSA-4cx3-3c38-j9vv",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/katalyst/koi/security/advisories/GHSA-4cx3-3c38-j9vv"
        }
      ],
      "source": {
        "advisory": "GHSA-4cx3-3c38-j9vv",
        "discovery": "UNKNOWN"
      },
      "title": "Katalyst Koi: Session cookies can be replayed after user logout"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-44511",
    "datePublished": "2026-05-14T16:17:29.187Z",
    "dateReserved": "2026-05-06T18:28:20.887Z",
    "dateUpdated": "2026-05-14T18:34:47.908Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}