CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-38968

criticalCVSS 9.8covered by 2 sourcesfirst seen 2026-07-02
ntopng through 6.6 is vulnerable to Predictable Session Identifier which can lead to Session Hijacking. HTTP session identifiers in src/HTTPserver.cpp use weak time-seeded pseudo-randomness during session creation. As a result, fresh authenticated logins can receive deterministic or colliding session cookies under attacker-controlled timing.

CSIRTS triage

vendor: ntopproduct: ntopngOtheraffected: through 6.6
What
ntopng is vulnerable to predictable session identifiers leading to session hijacking.
Who is affected
Deployments of ntopng through version 6.6 are affected.
Urgency
Remediation is critical due to the high severity and potential for exploitation.
Action
Upgrade ntopng to a version beyond 6.6.

AI-assisted analysis generated from the source advisory — verify against the original.

⚡ Watch CVE-2026-38968

Get an email if CVE-2026-38968 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (2)

External references

NVD record for CVE-2026-38968

CVE.org record

Embed the live status

CVE-2026-38968 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-38968 status](https://www.csirts.com/badge/CVE-2026-38968)](https://www.csirts.com/cve/CVE-2026-38968)