1872 matches found
CVE-2026-5040
TP-Link Deco M5 v1 uses a weak password hashing mechanism to store user credentials. An attacker who obtains the password hash through system compromise or privileged access could perform brute-force or dictionary attacks. Successful exploitation may result in disclosure of authentication...
CVE-2026-5040 Weak Password Hashing Mechanism in TP-Link Deco M5
TP-Link Deco M5 v1 uses a weak password hashing mechanism to store user credentials. An attacker who obtains the password hash through system compromise or privileged access could perform brute-force or dictionary attacks. Successful exploitation may result in disclosure of authentication...
CVE-2026-41879
R-SOFT DMS stores superadmin credentials using a non-salted nested MD5 hash. This allows an attacker who obtain password hash to decode superadmin credentials. Critically, this password cannot be changed except by modifying the configuration file. This issue was fixed in version v3.17-2000...
CVE-2026-41879 Weak password hashing in R-SOFT DMS
R-SOFT DMS stores superadmin credentials using a non-salted nested MD5 hash. This allows an attacker who obtain password hash to decode superadmin credentials. Critically, this password cannot be changed except by modifying the configuration file. This issue was fixed in version v3.17-2000...
PYSEC-2026-1566 LlamaIndex vulnerable to data loss through hash collisions in its DocugamiReader class
A vulnerability in the DocugamiReader class of the run-llama/llamaindex repository, up to but excluding version 0.12.41, involves the use of MD5 hashing to generate IDs for document chunks. This approach leads to hash collisions when structurally distinct chunks contain identical text, resulting ...
postgresql: PostgreSQL: Credential recovery via covert timing channel in MD5 password comparison
A flaw was found in PostgreSQL. This vulnerability, a covert timing channel, exists in the comparison of MD5-hashed passwords during authentication. A remote attacker could exploit this to recover user credentials, gaining unauthorized access to the database. This issue specifically impacts...
CVE-2026-53692 Weak hashing algorithm in Redeight CMS
Redeight CMS version 1.0 uses the MD5 algorithm without a salt to store user passwords. Because MD5 is a cryptographically broken algorithm and lacks salting, attackers who obtain the password hashes can trivially reverse them using rainbow tables, leading to the exposure of plaintext credentials...
CVE-2026-13534 CherryHQ cherry-studio CherryIN Preload API MemoryService.ts sha256 authorization
A vulnerability was detected in CherryHQ cherry-studio up to 1.9.7. This affects the function sha256 of the file src/main/services/memory/MemoryService.ts of the component CherryIN Preload API. Performing a manipulation of the argument state results in authorization bypass. The attack can be...
CVE-2026-10804
A flaw was found in Streamlit, within its Palette Handler component. This vulnerability stems from the use of a weak hashing algorithm. A local attacker could exploit this flaw, though it requires a high level of technical complexity. Successful exploitation may lead to a low impact on the...
GHSA-Q437-G7FV-2JVV Lemur user-update path stores plaintext passwords
Summary lemur.users.service.update writes a user's new password as plaintext to the users.password column. The User model wires bcrypt hashing to SQLAlchemy's beforeinsert event but registers no equivalent listener for beforeupdate, and service.update does not call user.hashpassword after assigni...
EUVD-2026-39534
SYMCRYPTO is the SiXG301's host side hardware engine accessed by PSA crypto library that accelerates symmetric cryptographic operations AES encryption/decryption and hashing. DPA Countermeasures on SYMCRYPTO can be weakened reduced entropy by forcing certain seed values if an attacker gains code...
PT-2026-52655
Name of the Vulnerable Software and Affected Versions Lemur affected versions not specified Description Passwords are stored in plaintext in the users.password column when a user's password is updated. This occurs because the User model only triggers password hashing during the before insert even...
CVE-2026-56272
Flowise before 3.0.13 uses bcrypt with default salt rounds of 5 (32 iterations), yielding a higher risk of password hash cracking. The vulnerability allows attackers to crack hashes faster on modern GPUs, potentially compromising all user accounts in a database breach. Affected component is the b...
CVE-2026-56272 Flowise - Insufficient Password Salt Rounds in Bcrypt Hashing
Flowise before 3.0.13 uses bcrypt with default salt rounds of 5, providing only 32 iterations instead of the OWASP-recommended minimum of 10 rounds. Attackers can crack password hashes approximately 30 times faster with modern GPU hardware, potentially compromising all user accounts in a database...
GHSA-GHMH-JHMJ-WCMF nebula-mesh's stores enrollment tokens unhashed in SQLite
internal/store/sqlite.go:1177,1192,1221,1245 — the enrollmenttokens.token column holds the raw UUID token. ConsumeToken does WHERE token = ? against the raw string. Compare with operatorapikeys.keyhash, which is SHA-256 hex constructed in internal/api/middleware.go:51-53. Affected All released...
[SECURITY] Fedora 43 Update: perl-Crypt-PBKDF2-0.261630-1.fc43
PBKDF2 is a secure password hashing algorithm that uses the techniques of "key strengthening" to make the complexity of a brute-force attack arbitrarily hig h. PBKDF2 uses any other cryptographic hash or cipher by convention, usually HMAC-SHA2, but Crypt::PBKDF2 is fully pluggable, and allows for...
[SECURITY] Fedora 44 Update: perl-Crypt-PBKDF2-0.261630-1.fc44
PBKDF2 is a secure password hashing algorithm that uses the techniques of "key strengthening" to make the complexity of a brute-force attack arbitrarily hig h. PBKDF2 uses any other cryptographic hash or cipher by convention, usually HMAC-SHA2, but Crypt::PBKDF2 is fully pluggable, and allows for...
OPENSUSE-SU-2026:21127-1 Security update for python-paramiko
This update for python-paramiko fixes the following issue - CVE-2026-44405: data integrity compromise due to allowed SHA-1 algorithm use bsc1264225...
OPENSUSE-SU-2026:21137-1 Security update for perl-Crypt-PasswdMD5
This update for perl-Crypt-PasswdMD5 fixes the following issues: Changes in perl-Crypt-PasswdMD5: - updated to 1.430.0 1.43 see /usr/share/doc/packages/perl-Crypt-PasswdMD5/Changelog.ini V 1.43 Date=2026-05-23T08:14:00 Deploy.Action=Upgrade Deploy.Reason=Security Comments= EOT - Accept pull reque...
Security Bulletin: IBM Watson Discovery Cartridge affected by vulnerability in postgresql-42.6.1.jar
Summary IBM Watson Discovery Cartridge affected by vulnerability in postgresql-42.6.1.jar Vulnerability Details CVEID:CVE-2026-42198 DESCRIPTION: pgjdbc is an open source postgresql JDBC Driver. From version 42.2.0 to before version 42.7.11, pgjdbc is vulnerable to a client-side denial of service...