49 matches found

Vulnrichment
added 2026/03/20 5:50 a.m. · 1 views

CVE-2026-33041 AVideo has an Unauthenticated Password Hash Oracle via encryptPass.json.php

WWBN AVideo is an open source video platform. In versions 25.0 and below, /objects/encryptPass.json.php exposes the application's password hashing algorithm to any unauthenticated user. An attacker can submit arbitrary passwords and receive their hashed equivalents, enabling offline password...

CVSS 5.3 · AI score 6 · EPSS 0.00028
Exploits 1 · References 2
Cvelist
added 2026/03/20 5:50 a.m. · 19 views

CVE-2026-33041 AVideo has an Unauthenticated Password Hash Oracle via encryptPass.json.php

WWBN AVideo is an open source video platform. In versions 25.0 and below, /objects/encryptPass.json.php exposes the application's password hashing algorithm to any unauthenticated user. An attacker can submit arbitrary passwords and receive their hashed equivalents, enabling offline password...

CVSS 5.3 · EPSS 0.00028
Exploits 1 · References 2
CNNVD
added 2026/03/20 12:0 a.m. · 2 views

WWBN AVideo Information Disclosure Vulnerability

WWBN AVideo is a video platform building system written in PHP, developed by the WWBN team. Versions of WWBN AVideo 25.0 and earlier contained a vulnerability related to information leakage. This vulnerability stemmed from the password hashing algorithm exposed in the /objects/encryptPass.json.ph...

CVSS 5.3 · AI score 5.8 · EPSS 0.00028
Exploits 1 · References 2
Snyk
added 2026/03/17 7:48 p.m. · 2 views

Information Exposure

Overview: wwbn/avideo is an Audio and Video Platform or simply "A Video Platform". Affected versions of this package are vulnerable to Information Exposure via the encryptPass.json.php process. An attacker can obtain hashed equivalents of arbitrary passwords by submitting them to the exposed...

CVSS 6.9 · AI score 5.9 · EPSS 0.00028
Exploits 1 · References 2
Github Security Blog
added 2026/03/17 7:48 p.m. · 3 views

AVideo has an Unauthenticated Password Hash Oracle via encryptPass.json.php

Summary: /objects/encryptPass.json.php exposes the application's password hashing algorithm to any unauthenticated user. An attacker can submit arbitrary passwords and receive their hashed equivalents, enabling offline password cracking against leaked database hashes. Details: File:...

CVSS 5.3 · AI score 5.9 · EPSS 0.00028
Exploits 1 · References 4 · Affected Software 1
OSV
added 2026/02/12 7:15 p.m. · 0 views

CVE-2026-26219

newbee-mall stores and verifies user passwords using an unsalted MD5 hashing algorithm. The implementation does not incorporate per-user salts or computational cost controls, enabling attackers who obtain password hashes through database exposure, backup leakage, or other compromise vectors to...

CVSS 9.1 · AI score 5.8
Exploits 0 · References 2
CVE
added 2026/02/12 6:39 p.m. · 8 views

CVE-2026-26219

CVE-2026-26219 affects newbee-mall stores that hash passwords using unsalted MD5 without per-user salts or computational cost controls. Root cause: MD5 hashing without salt enables offline credential cracking if password hashes are exposed. Impact: high confidentiality and integrity risk; plainte...

CVSS 9.3 · AI score 5.5 · EPSS 0.00024
Exploits 1 · References 2 · Affected Software 1
Cvelist
added 2026/02/12 6:39 p.m. · 22 views

CVE-2026-26219 newbee-mall Unsalted MD5 Password Hashing Enables Offline Credential Cracking

newbee-mall stores and verifies user passwords using an unsalted MD5 hashing algorithm. The implementation does not incorporate per-user salts or computational cost controls, enabling attackers who obtain password hashes through database exposure, backup leakage, or other compromise vectors to...

CVSS 9.3 · EPSS 0.00024
Exploits 1 · References 2
RedhatCVE
added 2026/01/09 10:7 a.m. · 3 views

CVE-2019-20457

An issue was discovered on Brother MFC-J491DW C1806180757 devices. The printer's web-interface password hash can be retrieved without authentication, because the response header of any failed login attempt returns an incomplete authorization cookie. The value of the authorization cookie is the MD...

CVSS 9.1 · AI score 7.1 · EPSS 0.00093
Exploits 0 · References 1
OSV
added 2025/10/31 7:15 p.m. · 1 views

CVE-2025-62618

ELOG allows an authenticated user to upload arbitrary HTML files. The HTML content is executed in the context of other users when they open the file. Because ELOG includes usernames and password hashes in certain HTTP requests, an attacker can obtain the target's credentials and replay them or...

CVSS 8.6 · AI score 7 · EPSS 0.0005
Exploits 0 · References 5
Cvelist
added 2025/10/31 6:31 p.m. · 3 views

CVE-2025-62618 ELOG file upload stored XSS

ELOG allows an authenticated user to upload arbitrary HTML files. The HTML content is executed in the context of other users when they open the file. Because ELOG includes usernames and password hashes in certain HTTP requests, an attacker can obtain the target's credentials and replay them or...

CVSS 8.6 · EPSS 0.0005
Exploits 0 · References 5
Trellix
added 2025/10/15 12:0 a.m. · 2 views

The Silent Threat in Active Directory: How AS-REP Roasting Steals Passwords Without a Trace and Trellix NDR’s Rapid Detection

By Maulik Maheta · October 15, 2025. Executive summary: Adversaries use AS-REP Roasting to extract and crack password hashes from Active Directory (AD) accounts with Kerberos...

AI score 6.9
Exploits 0
EUVD
added 2025/10/03 8:7 p.m. · 2 views

EUVD-2025-27849

Malicious code in bioql PyPI...

CVSS 8.7 · AI score 6.6 · EPSS 0.00061
Exploits 0 · References 3
Vulnrichment
added 2025/08/26 10:18 p.m. · 2 views

CVE-2025-35114 Agiloft local privilege escalation via default credentials

Agiloft Release 28 contains several accounts with default credentials that could allow local privilege escalation. The password hash is known for at least one of the accounts and the credentials could be cracked offline. Users should upgrade to Agiloft Release 30...

CVSS 8.7 · AI score 6.3 · EPSS 0.00061
Exploits 0 · References 3
RedhatCVE
added 2025/05/23 5:31 a.m. · 3 views

CVE-2023-29446

An improper input validation vulnerability has been discovered that could allow an adversary to inject a UNC path via a malicious project file. This allows an adversary to capture NTLMv2 hashes and potentially crack them offline...

CVSS 4.7 · AI score 6.8 · EPSS 0.00071
Exploits 0 · References 1
RedhatCVE
added 2025/05/22 11:20 p.m. · 1 views

CVE-2022-38788

An issue was discovered in Nokia FastMile 5G Receiver 5G14-B 1.2104.00.0281. Bluetooth on the Nokia ODU uses outdated pairing mechanisms, allowing an attacker to passively intercept a pairing handshake and, after offline cracking, retrieve the PIN and LTK (long-term key)...

CVSS 4.3 · AI score 5.1 · EPSS 0.00075
Exploits 1 · References 1
RedhatCVE
added 2025/05/22 3:5 p.m. · 3 views

CVE-2020-11916

An issue was discovered in Siime Eye 14.1.00000001.3.330.0.0.3.14. The password for the root user is hashed using an old and deprecated hashing technique. Because of this deprecated hashing, the success probability of an attacker in an offline cracking attack is greatly increased...

CVSS 6.3 · AI score 7.2 · EPSS 0.0003
Exploits 1 · References 1
OSV
added 2025/01/04 2:15 a.m. · 1 views

CVE-2025-22390

An issue was discovered in Optimizely EPiServer.CMS.Core before 12.32.0. A medium-severity vulnerability exists in the CMS due to insufficient enforcement of password complexity requirements. The application permits users to set passwords with a minimum length of 6 characters, lacking adequate...

CVSS 7.5 · AI score 5.7 · EPSS 0.00327
Exploits 0 · References 1
Metasploit
added 2024/12/20 6:55 p.m. · 498 views

NTP Timeroast

Windows authenticates NTP requests by calculating the message digest using the NT hash followed by the first 48 bytes of the NTP message (all fields preceding the key ID). An attacker can abuse this to recover hashes that can be cracked offline for machine and trust accounts. The attacker must know...

AI score 5.9
Exploits 0
OSV
added 2024/11/07 6:15 p.m. · 0 views

CVE-2020-11916

An issue was discovered in Siime Eye 14.1.00000001.3.330.0.0.3.14. The password for the root user is hashed using an old and deprecated hashing technique. Because of this deprecated hashing, the success probability of an attacker in an offline cracking attack is greatly increased...

CVSS 6.3 · AI score 5.8
Exploits 0 · References 2