EUVD-2026-40294

Redeight CMS version 1.0 uses the MD5 algorithm without a salt to store user passwords. Because MD5 is a cryptographically broken algorithm and lacks salting, attackers who obtain the password hashes can trivially reverse them using rainbow tables, leading to the exposure of plaintext credentials...

EUVD-2026-39560

Certificate policy and RFC 8446 compliance concerns regarding the continued acceptance of SHA-1/MD5 in certificate processing...

PT-2026-52584

Name of the Vulnerable Software and Affected Versions The product name cannot be determined. affected versions not specified Description There are certificate policy and RFC 8446 compliance concerns due to the continued acceptance of SHA-1 and MD5 hashing algorithms during certificate processing...

postgresql: PostgreSQL: Credential recovery via covert timing channel in MD5 password comparison

A flaw was found in PostgreSQL. This vulnerability, a covert timing channel, exists in the comparison of MD5-hashed passwords during authentication. A remote attacker could exploit this to recover user credentials, gaining unauthorized access to the database. This issue specifically impacts...

CVE-2026-11789

A flaw was found in 389 Directory Server. The SMD5 password storage plugin performs unsigned integer underflow when computing salt length from a crafted password hash shorter than 16 bytes, causing a buffer over-read that crashes the LDAP server during authentication...

JLSEC-2026-605

Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate. This does not affect scram-sha-256 passwords, the default in all supported releases. However, current databases may have MD5-hashed...

CVE-2026-5084

WebDyne::Session versions through 2.075 for Perl generates the session id insecurely. The session handler generates the session id from an MD5 hash seeded with a call to the built-in rand function. The rand function is passed a maximum value based on the process id, the epoch time and the referen...

CVE-2026-45413

MaxKB is an open-source AI assistant for enterprise. Prior to 2.9.1, user passwords are stored using unsalted MD5 hashes, making them trivially crackable via rainbow tables or GPU-accelerated brute force hashcat. This vulnerability is fixed in 2.9.1...

CVE-2026-8881

Version 3.0.7 of the Securly Chrome Extension uses EVPBytesToKey key derivation with MD5 and a single iteration for AES encryption. MD5 has been broken since 2004 and a single iteration provides no key stretching...

EUVD-2026-34166

Version 3.0.7 of the Securly Chrome Extension uses EVPBytesToKey key derivation with MD5 and a single iteration for AES encryption. MD5 has been broken since 2004 and a single iteration provides no key stretching...

[SECURITY] Fedora 44 Update: perl-Crypt-PasswdMD5-1.4.3-1.fc44

This package provides MD5-based crypt functions...

CVE-2026-48829

In GNU SASL before 2.2.3, DIGEST-MD5 has a NULL pointer dereference affecting both clients and servers, via a known token with no accompanying = character. This occurs in lib/digest-md5/getsubopt.c...

OESA-2026-2422 perl-Authen-SASL security update

Authen::SASL::Perl is the pure Perl implementation of SASL mechanisms in the Authen::SASL framework, At the time of this writing it provides the client part implementation for the following SASL mechanisms. Security Fixes: Authen::SASL::Perl::DIGESTMD5 versions 2.04 through 2.1800 for Perl...

Astra Linux - уязвимость в libssh

A flaw was discovered in the abstract layer of the libssh library responsible for message digest MD operations, which is implemented by different supported crypto backends. The return values from these operations were not properly checked, which could lead to low-memory situations, NULL...

magento-lts 安全特征问题漏洞

Magento LTS is an open-source alternative to OpenMage, designed as a reliable substitute for the official Magento CE version. Versions of Magento LTS prior to 20.18.0 had security vulnerabilities. These vulnerabilities stemmed from the XML-RPC/SOAP API session IDs using time-based, outdated...

CVE-2026-6478

Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate. This does not affect scram-sha-256 passwords, the default in all supported releases. However, current databases may have MD5-hashed...

CVE-2026-6478

CVE-2026-6478 enables a covert timing channel during MD5 password comparison in PostgreSQL authentication, allowing credential recovery sufficient to authenticate. The issue does not affect scram-sha-256 passwords. It can affect databases with MD5-hashed passwords originating from upgrades from P...

CVE-2026-6478

Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate. This does not affect scram-sha-256 passwords, the default in all supported releases. However, current databases may have MD5-hashed...

Vulnerability in core server (CVE-2026-6478)

PostgreSQL discloses MD5-hashed passwords via covert timing channel Covert timing channel in comparison of MD5-hashed password in PostgreSQL authentication allows an attacker to recover user credentials sufficient to authenticate. This does not affect scram-sha-256 passwords, the default in all...

CVE-2026-5081

A flaw was found in Apache::Session::Generate::ModUniqueId, a Perl module designed to generate session identifiers. This module uses the Apache moduniqueid plugin's UNIQUEID environment variable directly as a session ID. The UNIQUEID is constructed from easily guessable information, such as the...