1748 matches found
CVE-2026-23958
DataEase (open-source data visualization tool) prior to version 2.10.19 uses the MD5 hash of the user password as the JWT signing secret. This deterministic secret derivation allows an attacker to brute-force the admin password by abusing unmonitored API endpoints that verify JWT tokens. The vuln...
EUVD-2026-4206
Dataease is an open source data visualization analysis tool. Prior to version 2.10.19, DataEase uses the MD5 hash of the user’s password as the JWT signing secret. This deterministic secret derivation allows an attacker to brute-force the admin’s password by exploiting unmonitored API endpoints...
CVE-2026-23958 DataEase Vulnerable to Brute-Force Attack on Admin JWT Secret Derived from Password that Enables Full Account Takeover
Dataease is an open source data visualization analysis tool. Prior to version 2.10.19, DataEase uses the MD5 hash of the user’s password as the JWT signing secret. This deterministic secret derivation allows an attacker to brute-force the admin’s password by exploiting unmonitored API endpoints...
DataEase security vulnerabilities
DataEase is an open-source data visualization and analysis tool developed by DataEase. It helps users quickly analyze data and gain insights into business trends, thereby enabling improvements and optimizations in operations. Versions of DataEase prior to 2.10.19 contained a security vulnerabilit...
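Worked example of the weakness the four DataEase entries above describe, added here for illustration: this is not DataEase's code and models no real endpoint. It contains a minimal HS256 JWT issuer/verifier, the password-derived signing secret (MD5 of the password), an accept/reject oracle standing in for an API endpoint that verifies tokens without monitoring, and the dictionary attack that oracle enables. The Server class, the wordlist and the admin password are constructed for the demonstration; the hardened variant swaps in a random per-deployment secret.

```python
import base64
import hashlib
import hmac
import json
import secrets


def b64url(data):
    """JWT base64url encoding without padding."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def hs256(signing_input, secret):
    return b64url(hmac.new(secret, signing_input, hashlib.sha256).digest())


def issue_jwt(payload, secret):
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    return header + "." + body + "." + hs256((header + "." + body).encode(), secret)


def verify_jwt(token, secret):
    try:
        header, body, sig = token.split(".")
    except ValueError:
        return False
    return hmac.compare_digest(sig, hs256((header + "." + body).encode(), secret))


def weak_secret(password):
    """Vulnerable derivation described in the advisory: secret = MD5(password).
    Guessing the signing secret is therefore exactly as hard as guessing the password."""
    return hashlib.md5(password.encode()).hexdigest().encode()


class Server:
    """Constructed stand-in for the application. Its only observable behaviour is the
    accept/reject answer of an endpoint that verifies JWTs (the 'unmonitored endpoint')."""

    def __init__(self, admin_password, hardened=False):
        # Hardened variant: a random per-deployment secret, independent of any password.
        self._secret = secrets.token_bytes(32) if hardened else weak_secret(admin_password)
        self.verify_calls = 0  # what rate limiting / monitoring of the endpoint would count

    def accepts(self, token):
        self.verify_calls += 1
        return verify_jwt(token, self._secret)


def brute_force_admin(server, wordlist):
    """Attacker: forge an admin token under MD5(candidate) for each candidate password and
    ask the server whether it verifies. A hit yields both the admin password and a valid
    admin token, i.e. full account takeover."""
    for candidate in wordlist:
        forged = issue_jwt({"sub": "admin"}, weak_secret(candidate))
        if server.accepts(forged):
            return candidate, forged
    return None, None


# Constructed wordlist and admin password for the demonstration.
WORDLIST = ["password", "admin123", "Welcome1", "Summer2024!", "letmein"]
ADMIN_PASSWORD = "Summer2024!"

if __name__ == "__main__":
    pw, token = brute_force_admin(Server(ADMIN_PASSWORD), WORDLIST)
    print("vulnerable server: recovered", pw, "after", WORDLIST.index(pw) + 1, "verify calls")
    print("hardened server:", brute_force_admin(Server(ADMIN_PASSWORD, hardened=True), WORDLIST))
```

The number of verify calls is the signal an unmonitored endpoint never reports; the fix in 2.10.19 addresses the derivation, but rate limiting and alerting on failed verifications at such endpoints is the compensating control that would have exposed the attack. Against the hardened server the identical loop returns nothing, because knowing the password no longer tells the attacker the signing secret.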
MiracleLinux 8 : 389-ds:1.4 (AXSA:2021-2352:01)
The remote MiracleLinux 8 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2021-2352:01 advisory. 389-ds-base: CRYPT password hash with asterisk allows any bind attempt to succeed (CVE-2021-3652). Tenable has extracted the preceding description block directl...
MiracleLinux 9 : 389-ds-base-2.4.5-9.el9_4 (AXSA:2024-8654:07)
The remote MiracleLinux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2024-8654:07 advisory. 389-ds-base: Malformed userPassword hash may cause Denial of Service (CVE-2024-5953). 389-ds-base: unauthenticated user can trigger a DoS by sending a...
SUSE-SU-2026:0151-1 Security update for libsoup
This update for libsoup fixes the following issues: - CVE-2025-14523: Reject duplicated Host headers and follow the upstream update (bsc#1254876). - CVE-2026-0719: Fixed overflow in the password md4sum computation (bsc#1256399)...
SUSE-SU-2026:20245-1 Security update for libsoup
This update for libsoup fixes the following issues: - CVE-2026-0716: Fixed out-of-bounds read in websocket handling (bsc#1256418). - CVE-2026-0719: Fixed overflow in the password md4sum computation (bsc#1256399)...
MiracleLinux 3 : postgresql-8.1.23-1.2.0.1.AXS3 (AXSA:2011-340:02)
The remote MiracleLinux 3 host has packages installed that are affected by a vulnerability as referenced in the AXSA:2011-340:02 advisory. PostgreSQL is an advanced Object-Relational database management system (DBMS) that supports almost all SQL constructs including transactions, subselects and...
CVE-2025-68703 Jervis has a Salt for PBKDF2 derived from password
Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, the salt is derived from sha256Sum(passphrase). Two encryption operations with the same password will therefore have the same derived key. This vulnerability is fixed in 2.2...
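Worked example of the Jervis weakness above, added here for illustration and not taken from the Jervis project: PBKDF2 with a salt computed as SHA-256 of the passphrase, beside the fixed form with a random per-operation salt. Because the deterministic salt makes the derived key a pure function of the passphrase, an attacker can run PBKDF2 over a wordlist once and reuse that table against every ciphertext ever produced under the scheme. The stream cipher, iteration count, wordlist, passphrase and plaintext are constructed for the demonstration; the cipher is a toy, not something to deploy.

```python
import hashlib
import hmac
import os

ITERATIONS = 20_000  # constructed, kept low so the demo runs quickly; real deployments tune this higher


def derive_key_vulnerable(passphrase):
    """Pattern described in the advisory: salt = SHA-256(passphrase). The salt is a function
    of the secret, so every operation with the same passphrase yields the same key."""
    salt = hashlib.sha256(passphrase.encode()).digest()
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS, dklen=32)


def derive_key_fixed(passphrase, salt=None):
    """Fixed pattern: a fresh random salt per operation, stored next to the ciphertext."""
    if salt is None:
        salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, ITERATIONS, dklen=32)


def _keystream(key, nonce, length):
    """Toy stream cipher (HMAC-SHA256 in counter mode), for illustration only."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key, plaintext):
    nonce = os.urandom(12)
    return nonce + bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def decrypt(key, blob):
    nonce, ct = blob[:12], blob[12:]
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def precompute_table(wordlist):
    """Attacker's one-off cost against the vulnerable scheme: one PBKDF2 run per candidate.
    Because the salt adds nothing, the table applies to every ciphertext ever produced."""
    return {w: derive_key_vulnerable(w) for w in wordlist}


def recover_passphrase(table, blob, known_prefix):
    """Try each precomputed key; a known-plaintext prefix tells the attacker which one is right."""
    for passphrase, key in table.items():
        if decrypt(key, blob).startswith(known_prefix):
            return passphrase
    return None


# Constructed inputs for the demonstration.
WORDLIST = ["password", "hunter2", "changeme", "jenkins", "secret"]
PASSPHRASE = "hunter2"
PLAINTEXT = b'{"token":"constructed_value"}'
KNOWN_PREFIX = b'{"token":'

if __name__ == "__main__":
    # Victim encrypts twice with the vulnerable derivation: same key both times.
    blob1 = encrypt(derive_key_vulnerable(PASSPHRASE), PLAINTEXT)
    blob2 = encrypt(derive_key_vulnerable(PASSPHRASE), PLAINTEXT)
    table = precompute_table(WORDLIST)  # computed once ...
    print(recover_passphrase(table, blob1, KNOWN_PREFIX), recover_passphrase(table, blob2, KNOWN_PREFIX))  # ... reused
    # Fixed derivation: different salt, different key, and no table that survives one ciphertext.
    _, k1 = derive_key_fixed(PASSPHRASE)
    _, k2 = derive_key_fixed(PASSPHRASE)
    print("fixed keys differ:", k1 != k2)
```

With the random salt the attacker must pay the full PBKDF2 cost per candidate per ciphertext, which is the whole point of salting; the iteration count only helps when the salt is not itself derivable from the guess.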
CVE-2018-18754
ZyXEL VMG3312-B10B 1.00(AAPP.7) devices have a backdoor root account with the tTn3+Z@!Sr0O+ password hash in the /etc/default.cfg file...
CVE-2021-27491
Ypsomed mylife Cloud, mylife Mobile Application: Ypsomed mylife Cloud, all versions prior to 1.7.2; Ypsomed mylife App, all versions prior to 1.7.5. The Ypsomed mylife Cloud discloses password hashes during the registration process...
CVE-2021-22741
Use of Password Hash with Insufficient Computational Effort vulnerability exists in ClearSCADA all versions, EcoStruxure Geo SCADA Expert 2019 all versions, and EcoStruxure Geo SCADA Expert 2020 V83.7742.1 and prior, which could cause the revealing of account credentials when server database file...
CVE-2016-10844
The chcpass script in cPanel before 11.54.0.4 reveals a password hash (SEC-77)...
CVE-2022-37783
All Craft CMS versions between 3.0.0 and 3.7.32 disclose password hashes of users who authenticate using their e-mail address or username in anti-CSRF tokens. Craft CMS uses a cookie called CRAFT_CSRF_TOKEN and an HTML hidden field called CRAFT_CSRF_TOKEN to avoid Cross Site Request Forgery attacks. T...
CVE-2019-20457
An issue was discovered on Brother MFC-J491DW C1806180757 devices. The printer's web-interface password hash can be retrieved without authentication, because the response header of any failed login attempt returns an incomplete authorization cookie. The value of the authorization cookie is the MD...
CVE-2020-23355
PRODUCT NOT SUPPORTED WHEN ASSIGNED. Codiad 2.8.4 /componetns/user/class.user.php:Authenticate is vulnerable to a magic hash authentication bypass. If the encrypted or hashed value of a password takes one of the "magic hash" forms, e.g. 0e123, then another hash value such as 0e234 can successfully...
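Worked example of the "magic hash" comparison bug in the Codiad entry above, added here for illustration; it is not Codiad's code, and it emulates the relevant PHP semantics in Python rather than running PHP. Under PHP's loose `==`, two strings that both look numeric are compared as numbers, and a hex digest of the form `0e<digits>` parses as 0 * 10^n = 0, so any two such digests compare equal. The two MD5 preimages used are well-known documented magic hashes, not constructed; the scenario (a stored hash that happens to be magic) and the function names are constructed. The fix shown only corrects the comparison; MD5 itself is unsuitable for password storage (the CWE-916 entries elsewhere on this page), so a real fix also moves to a slow password hash.

```python
import hashlib
import hmac
import re

# PHP's notion of a "numeric string": optional surrounding whitespace, optional sign,
# integer or decimal mantissa, optional exponent.
_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")


def php_loose_equals(a, b):
    """Emulates PHP's `==` on two strings: two numeric strings are compared numerically,
    anything else is compared as text."""
    if _NUMERIC.match(a) and _NUMERIC.match(b):
        return float(a) == float(b)
    return a == b


def md5_hex(s):
    return hashlib.md5(s.encode()).hexdigest()


def is_magic_hash(hex_digest):
    """True if PHP would parse this hex digest as the number zero (0e followed only by digits)."""
    return re.fullmatch(r"0e\d+", hex_digest) is not None


# Documented magic MD5 preimages:
#   md5("240610708") = 0e462097431906509019562988736854
#   md5("QNKCDZO")   = 0e830400451993494058024219903391
STORED_HASH = md5_hex("240610708")  # constructed scenario: a user whose real password hashes to a magic value


def authenticate_vulnerable(submitted_password, stored_hash):
    """Loose comparison of two hash strings: the bug class in the entry above."""
    return php_loose_equals(md5_hex(submitted_password), stored_hash)


def authenticate_fixed(submitted_password, stored_hash):
    """Strict, constant-time comparison (in PHP: hash_equals(), or at minimum ===)."""
    return hmac.compare_digest(md5_hex(submitted_password), stored_hash)


if __name__ == "__main__":
    print(authenticate_vulnerable("QNKCDZO", STORED_HASH))  # True: a different password is accepted
    print(authenticate_fixed("QNKCDZO", STORED_HASH))       # False
    print(authenticate_fixed("240610708", STORED_HASH))     # True: only the real password works
```

The attacker does not need the victim's password, only any input whose digest is itself magic; if the stored hash is magic, every such input authenticates. Auditing for this means grepping PHP for `==` between a computed digest and a stored one and replacing it with `hash_equals()`.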
CVE-2022-26115
A use of password hash with insufficient computational effort vulnerability (CWE-916) in FortiSandbox before 4.2.0 may allow an attacker with access to the password database to efficiently mount bulk guessing attacks to recover the passwords...
CVE-2023-49280
XWiki Change Request is an XWiki application that allows requesting changes on a wiki without publishing them directly. Change Request allows editing any page by default, and the changes are then exported in an XML file that anyone can download. So it is possible for an attacker to obtain...
CVE-2019-16116
EnterpriseDT CompleteFTP Server prior to version 12.1.3 is vulnerable to information exposure in the Bootstrap.log file. This allows an attacker to obtain the administrator password hash...