106 matches found
CVE-2026-25861
QloApps through 1.7.0, fixed in commit 64e9722, contains a weak cryptographic algorithm vulnerability that allows attackers to compromise user credentials by exploiting the use of MD5 for password hashing in the Tools::encrypt function within classes/Tools.php, which concatenates a static cookie...
CVE-2026-25861
CVE-2026-25861 affects QloApps 1.7.0. The vulnerability is in the password hashing path: Tools::encrypt() in classes/Tools.php uses MD5 with a static cookie key, allowing offline brute-forcing of credentials. The risk is heightened by auto-generated 8-character guest-to-customer passwords in clas...
CVE-2026-25861 QloApps 1.7.0 Weak Password Hashing via MD5 in Tools.php
QloApps through 1.7.0, fixed in commit 64e9722, contains a weak cryptographic algorithm vulnerability that allows attackers to compromise user credentials by exploiting the use of MD5 for password hashing in the Tools::encrypt function within classes/Tools.php, which concatenates a static cookie...
Note Mark has a JWT Secret Weakness that allows Full Account Takeover via Token Forgery
Summary No minimum length or entropy is enforced on the JWTSECRET configuration value. The application accepts any base64-decodable secret regardless of size, including secrets as short as 1 byte. HS256 secrets below 32 bytes are brute-forceable offline, allowing attackers to recover the signing...
EUVD-2026-28342
Vulnerability on the external sharing feature in Cryptobox allows an attacker knowing a sharing link URL to retrieve information from the server allowing an offline brute-force attack of the access code associated to this sharing link...
CVE-2026-6805
Vulnerability on the external sharing feature in Cryptobox allows an attacker knowing a sharing link URL to retrieve information from the server allowing an offline brute-force attack of the access code associated to this sharing link...
CVE-2026-6805 Vulnerability on Cryptobox external sharing feature
Vulnerability on the external sharing feature in Cryptobox allows an attacker knowing a sharing link URL to retrieve information from the server allowing an offline brute-force attack of the access code associated to this sharing link...
CVE-2026-6805 Vulnerability on Cryptobox external sharing feature
Vulnerability on the external sharing feature in Cryptobox allows an attacker knowing a sharing link URL to retrieve information from the server allowing an offline brute-force attack of the access code associated to this sharing link...
CVE-2026-6805
Vulnerability on the external sharing feature in Cryptobox allows an attacker knowing a sharing link URL to retrieve information from the server allowing an offline brute-force attack of the access code associated to this sharing link...
CVE-2026-6805
CVE-2026-6805 affects Cryptobox’s external sharing feature. An attacker who knows a sharing link URL can retrieve information from the server, enabling an offline brute-force attack against the access code associated with that link. The provided documents do not specify affected versions, mitigat...
PT-2026-38622
Name of the Vulnerable Software and Affected Versions note-mark affected versions not specified Description The application does not enforce a minimum length or entropy for the JWT SECRET configuration value, accepting any base64-decodable secret regardless of size. In backend/config/utils.go, th...
PT-2026-38415
Vulnerability on the external sharing feature in Cryptobox allows an attacker knowing a sharing link URL to retrieve information from the server allowing an offline brute-force attack of the access code associated to this sharing link...
ERCOM Cryptobox 安全漏洞
ERCOM Cryptobox is a file encryption and secure storage tool developed by the French company ERCOM. There is a security vulnerability in ERCOM Cryptobox, which stems from the external sharing feature. This vulnerability allows attackers who know the URL of the shared link to retrieve information...
Astra Linux - уязвимость в freeipa
A vulnerability was discovered in FreeIPA when a Kerberos TGS-REQ is encrypted using the client’s session key. This key varies for each new session, which helps protect it from brute-force attacks. However, the ticket contained within the encrypted message is encrypted using the target principal...
EUVD-2026-19574
In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens JWT. This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the...
PYSEC-2026-170
In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens JWT. This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the...
PYSEC-2026-170
In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens JWT. This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the...
CVE-2026-1114
In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens JWT. This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the...
CVE-2026-1114 Improper Access Control via Weak JWT Token in parisneo/lollms
In parisneo/lollms version 2.1.0, the application's session management is vulnerable to improper access control due to the use of a weak secret key for signing JSON Web Tokens JWT. This vulnerability allows an attacker to perform an offline brute-force attack to recover the secret key. Once the...
CVE-2026-1114
CVE-2026-1114 affects parisneo/lollms 2.1.0. The issue is an improper access control flaw caused by signing JWTs with a weak secret key, enabling an offline brute‑force to recover the key. With the cracked secret, an attacker can forge administrative tokens, modify the JWT payload, and resigns to...