Total
52 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-27754 | 1 Sodola-network | 2 Sl902-swtgw124as, Sl902-swtgw124as Firmware | 2026-03-03 | N/A | 6.5 MEDIUM |
|
SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 use the cryptographically broken MD5 hash function for session cookie generation, weakening session security. Attackers can exploit predictable session tokens combined with MD5's collision vulnerabilities to forge valid session cookies and gain unauthorized access to the device.
|
|||||
| CVE-2025-14636 | 1 Tenda | 2 Ax9, Ax9 Firmware | 2026-02-24 | 2.6 LOW | 3.7 LOW |
|
A security flaw has been discovered in Tenda AX9 22.03.01.46. This affects the function image_check of the component httpd. The manipulation results in use of weak hash. It is possible to launch the attack remotely. A high complexity level is associated with this attack. It is indicated that the exploitability is difficult. The exploit has been released to the public and may be used for attacks.
|
|||||
| CVE-2025-49197 | 1 Sick | 1 Media Server | 2026-01-26 | N/A | 6.5 MEDIUM |
|
The application uses a weak password hash function, allowing an attacker to crack the weak password hash to gain access to an FTP user account.
|
|||||
| CVE-2025-31130 | 2026-01-23 | N/A | 6.8 MEDIUM | ||
|
gitoxide is an implementation of git written in Rust. Before 0.42.0, gitoxide uses SHA-1 hash implementations without any collision detection, leaving it vulnerable to hash collision attacks. gitoxide uses the sha1_smol or sha1 crate, both of which implement standard SHA-1 without any mitigations for collision attacks. This means that two distinct Git objects with colliding SHA-1 hashes would break the Git object model and integrity checks when used with gitoxide. This vulnerability is fixed in ...
Show More |
|||||
| CVE-2025-11650 | 1 Furbo | 4 Furbo 360 Dog Camera, Furbo 360 Dog Camera Firmware, Furbo Mini and 1 more | 2025-10-28 | 1.0 LOW | 1.8 LOW |
|
A vulnerability was determined in Tomofun Furbo 360 and Furbo Mini. The impacted element is an unknown function of the file /etc/shadow of the component Password Handler. Executing manipulation can lead to use of weak hash. The physical device can be targeted for the attack. The attack requires a high level of complexity. The exploitability is regarded as difficult. The exploit has been publicly disclosed and may be utilized. The firmware versions determined to be affected are Furbo 360 up to FB ...
Show More |
|||||
| CVE-2025-0508 | 2025-10-15 | N/A | 5.9 MEDIUM | ||
|
A vulnerability in the SageMaker Workflow component of aws/sagemaker-python-sdk allows for the possibility of MD5 hash collisions in all versions. This can lead to workflows being inadvertently replaced due to the reuse of results from different configurations that produce the same MD5 hash. This issue can cause integrity problems within the pipeline, potentially leading to erroneous processing outcomes.
|
|||||
| CVE-2025-48931 | 1 Smarsh | 1 Telemessage | 2025-10-03 | N/A | 3.2 LOW |
|
The TeleMessage service through 2025-05-05 relies on MD5 for password hashing, which opens up various attack possibilities (including rainbow tables) with low computational effort.
|
|||||
| CVE-2024-47829 | 1 Pnpm | 1 Pnpm | 2025-09-19 | N/A | 6.5 MEDIUM |
|
pnpm is a package manager. Prior to version 10.0.0, the path shortening function uses the md5 function as a path shortening compression function, and if a collision occurs, it will result in the same storage path for two different libraries. Although the real names are under the package name /node_modoules/, there are no version numbers for the libraries they refer to. This issue has been patched in version 10.0.0.
|
|||||
| CVE-2025-59354 | 1 Linuxfoundation | 1 Dragonfly | 2025-09-18 | N/A | 5.3 MEDIUM |
|
Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the DragonFly2 uses a variety of hash functions, including the MD5 hash, for downloaded files. This allows attackers to replace files with malicious ones that have a colliding hash. This vulnerability is fixed in 2.1.0.
|
|||||
| CVE-2025-9078 | 1 Mattermost | 1 Mattermost Server | 2025-09-16 | N/A | 4.3 MEDIUM |
|
Mattermost versions 10.8.x <= 10.8.3, 10.5.x <= 10.5.8, 9.11.x <= 9.11.17, 10.10.x <= 10.10.1, 10.9.x <= 10.9.3 fail to properly validate cache keys for link metadata which allows authenticated users to access unauthorized posts and poison link previews via hash collision attacks on FNV-1 hashing
|
|||||
| CVE-2025-55053 | 2025-09-11 | N/A | 6.5 MEDIUM | ||
|
CWE-328: Use of Weak Hash
|
|||||
| CVE-2025-3576 | 2025-09-02 | N/A | 5.9 MEDIUM | ||
|
A vulnerability in the MIT Kerberos implementation allows GSSAPI-protected messages using RC4-HMAC-MD5 to be spoofed due to weaknesses in the MD5 checksum design. If RC4 is preferred over stronger encryption types, an attacker could exploit MD5 collisions to forge message integrity codes. This may lead to unauthorized message tampering.
|
|||||
| CVE-2025-9383 | 2025-08-25 | 1.0 LOW | 2.5 LOW | ||
|
A security vulnerability has been detected in FNKvision Y215 CCTV Camera 10.194.120.40. This issue affects the function crypt of the file /etc/passwd. The manipulation leads to use of weak hash. The attack can only be performed from a local environment. The complexity of an attack is rather high. The exploitability is assessed as difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2025-41652 | 2025-08-22 | N/A | 9.8 CRITICAL | ||
|
The devices are vulnerable to an authentication bypass due to flaws in the authorization mechanism. An unauthenticated remote attacker could exploit this weakness by performing brute-force attacks to guess valid credentials or by using MD5 collision techniques to forge authentication hashes, potentially compromising the device.
|
|||||
| CVE-2024-55885 | 1 Beego | 1 Beego | 2025-08-01 | N/A | 7.5 HIGH |
|
beego is an open-source web framework for the Go programming language. Versions of beego prior to 2.3.4 use MD5 as a hashing algorithm. MD5 is no longer considered secure against well-funded opponents due to its vulnerability to collision attacks. Version 2.3.4 replaces MD5 with SHA256.
|
|||||
| CVE-2024-10026 | 1 Google | 1 Gvisor | 2025-07-31 | N/A | 5.3 MEDIUM |
|
A weak hashing algorithm and small sizes of seeds/secrets in Google's gVisor allowed for a remote attacker to calculate a local IP address and a per-boot identifier that could aid in tracking of a device in certain circumstances.
|
|||||
| CVE-2025-8260 | 1 Vaelsys | 1 Vaelsys | 2025-07-31 | 2.1 LOW | 3.1 LOW |
|
A vulnerability has been found in Vaelsys 4.1.0 and classified as problematic. This vulnerability affects unknown code of the file /grid/vgrid_server.php of the component MD4 Hash Handler. The manipulation of the argument xajaxargs leads to use of weak hash. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure bu ...
Show More |
|||||
| CVE-2025-54535 | 1 Jetbrains | 1 Teamcity | 2025-07-29 | N/A | 5.8 MEDIUM |
|
In JetBrains TeamCity before 2025.07 password reset and email verification tokens were using weak hashing algorithms
|
|||||
| CVE-2025-26486 | 2025-07-02 | N/A | 6.0 MEDIUM | ||
|
Broken or Risky Cryptographic Algorithm, Use of Password Hash
With Insufficient Computational Effort, Use of Weak Hash, Use of a
One-Way Hash with a Predictable Salt vulnerabilities in Beta80 "Life 1st Identity Manager"
enable an attacker with access to
password hashes
to bruteforce user passwords or find a collision to ultimately while attempting to gain access to a target application that uses "Life 1st Identity Manager" as a service for authentication.
This issue affects Life 1st: 1.5.2.142 ...
Show More |
|||||
| CVE-2025-41256 | 2025-06-26 | N/A | 7.4 HIGH | ||
|
Cyberduck and Mountain Duck improper handle TLS certificate pinning for untrusted certificates (e.g., self-signed), since the certificate fingerprint is stored as SHA-1, although SHA-1 is considered weak.
This issue affects Cyberduck: through 9.1.6; Mountain Duck: through 4.17.5.
|
|||||
| CVE-2024-38341 | 1 Ibm | 1 Sterling Secure Proxy | 2025-06-09 | N/A | 5.9 MEDIUM |
|
IBM Sterling Secure Proxy 6.0.0.0 through 6.0.3.1, 6.1.0.0 through 6.1.0.0, and 6.2.0.0 through 6.2.0.1 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information.
|
|||||
| CVE-2024-23589 | 2025-05-30 | N/A | 6.8 MEDIUM | ||
|
Due to outdated Hash algorithm, HCL Glovius Cloud could allow attackers to guess the input data using brute-force or dictionary attacks efficiently using modern hardware such as GPUs or ASICs
|
|||||
| CVE-2019-13539 | 1 Medtronic | 5 Valleylab Exchange Client, Valleylab Ft10 Energy Platform, Valleylab Ft10 Energy Platform Firmware and 2 more | 2025-05-22 | 7.2 HIGH | 7.0 HIGH |
|
Medtronic Valleylab Exchange Client version 3.4 and below, Valleylab FT10 Energy Platform (VLFT10GEN) software version 4.0.0 and below, and Valleylab FX8 Energy Platform (VLFX8GEN) software version 1.1.0 and below use the descrypt algorithm for OS password hashing. While interactive, network-based logons are disabled, and attackers can use the other vulnerabilities within this report to obtain local shell access and access these hashes.
|
|||||
| CVE-2025-47276 | 2025-05-13 | N/A | 7.5 HIGH | ||
|
Actualizer is a single shell script solution to allow developers and embedded engineers to create Debian operating systems (OS). Prior to version 1.2.0, Actualizer uses OpenSSL's "-passwd" function, which uses SHA512 instead of a more suitable password hasher like Yescript/Argon2i. All Actualizer users building a full Debian Operating System are affected. Users should upgrade to version 1.2.0 of Actualizer. Existing OS deployment requires manual password changes against the alpha and root accou ...
Show More |
|||||
| CVE-2025-2920 | 2025-04-01 | 1.2 LOW | 2.0 LOW | ||
|
A vulnerability was found in Netis WF-2404 1.1.124EN. It has been rated as problematic. This issue affects some unknown processing of the file /еtc/passwd. The manipulation leads to use of weak hash. It is possible to launch the attack on the physical device. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
|
|||||
| CVE-2022-43922 | 2 Ibm, Redhat | 2 App Connect Enterprise Certified Container, Openshift | 2025-03-26 | N/A | 5.3 MEDIUM |
|
IBM App Connect Enterprise Certified Container 4.1, 4.2, 5.0, 5.1, 5.2, 6.0, 6.1, and 6.2 could disclose sensitive information to an attacker due to a weak hash of an API Key in the configuration. IBM X-Force ID: 241583.
|
|||||
| CVE-2025-27595 | 2025-03-14 | N/A | 9.8 CRITICAL | ||
|
The device uses a weak hashing alghorithm to create the password hash. Hence, a matching password can be easily calculated by an attacker. This impacts the security and the integrity of the device.
|
|||||
| CVE-2022-45141 | 1 Samba | 1 Samba | 2025-03-06 | N/A | 9.8 CRITICAL |
|
Since the Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability was disclosed by Microsoft on Nov 8 2022 and per RFC8429 it is assumed that rc4-hmac is weak, Vulnerable Samba Active Directory DCs will issue rc4-hmac encrypted tickets despite the target server supporting better encryption (eg aes256-cts-hmac-sha1-96).
|
|||||
| CVE-2024-52521 | 1 Nextcloud | 1 Nextcloud Server | 2025-01-23 | N/A | 2.6 LOW |
|
Nextcloud Server is a self hosted personal cloud system. MD5 hashes were used to check background jobs for their uniqueness. This increased the chances of a background job with arguments falsely being identified as already existing and not be queued for execution. By changing the Hash to SHA256 the probability was heavily decreased. It is recommended that the Nextcloud Server is upgraded to 28.0.10, 29.0.7 or 30.0.0.
|
|||||
| CVE-2023-44319 | 1 Siemens | 142 6ag1206-2bb00-7ac2, 6ag1206-2bb00-7ac2 Firmware, 6ag1206-2bs00-7ac2 and 139 more | 2025-01-14 | N/A | 4.9 MEDIUM |
|
A vulnerability has been identified in RUGGEDCOM RM1224 LTE(4G) EU (6GK6108-4AM00-2BA2) (All versions < V8.0), RUGGEDCOM RM1224 LTE(4G) NAM (6GK6108-4AM00-2DA2) (All versions < V8.0), SCALANCE M804PB (6GK5804-0AP00-2AA2) (All versions < V8.0), SCALANCE M812-1 ADSL-Router (6GK5812-1AA00-2AA2) (All versions < V8.0), SCALANCE M812-1 ADSL-Router (6GK5812-1BA00-2AA2) (All versions < V8.0), SCALANCE M816-1 ADSL-Router (6GK5816-1AA00-2AA2) (All versions < V8.0), SCALANCE M816-1 ADSL-Router (6GK5816-1BA ...
Show More |
|||||
| CVE-2025-21604 | 2025-01-06 | N/A | N/A | ||
|
LangChain4j-AIDeepin is a Retrieval enhancement generation (RAG) project. Prior to 3.5.0, LangChain4j-AIDeepin uses MD5 to hash files, which may cause file upload conflicts. This issue is fixed in 3.5.0.
|
|||||
| CVE-2024-56414 | 2025-01-02 | N/A | 5.5 MEDIUM | ||
|
Web installer integrity check used weak hash algorithm. The following products are affected: Acronis Cyber Protect 16 (Windows) before build 39169.
|
|||||
| CVE-2024-56516 | 2024-12-30 | N/A | N/A | ||
|
free-one-api allows users to access large language model reverse engineering libraries through the standard OpenAI API format. In versions up to and including 1.0.1, MD5 is used to hash passwords before sending them to the backend. MD5 is a cryptographically broken hashing algorithm and is no longer considered secure for password storage or transmission. It is vulnerable to collision attacks and can be easily cracked using modern hardware, exposing user credentials to potential compromise. As of ...
Show More |
|||||
| CVE-2024-54143 | 2024-12-06 | N/A | N/A | ||
|
openwrt/asu is an image on demand server for OpenWrt based distributions. The request hashing mechanism truncates SHA-256 hashes to only 12 characters. This significantly reduces entropy, making it feasible for an attacker to generate collisions. By exploiting this, a previously built malicious image can be served in place of a legitimate one, allowing the attacker to "poison" the artifact cache and deliver compromised images to unsuspecting users. This can be combined with other attacks, such a ...
Show More |
|||||
| CVE-2024-48847 | 2024-12-05 | N/A | 8.2 HIGH | ||
|
MD5 Checksum Bypass vulnerabilities where found exploiting a weakness in the way an application dependency calculates or validates MD5 checksum hashes.
Affected products:
ABB ASPECT - Enterprise v3.08.01;
NEXUS Series v3.08.01;
MATRIX Series v3.08.01
|
|||||
| CVE-2024-34914 | 2024-11-21 | N/A | 5.3 MEDIUM | ||
|
php-censor v2.1.4 and fixed in v.2.1.5 was discovered to utilize a weak hashing algorithm for its remember_key value. This allows attackers to bruteforce to bruteforce the remember_key value to gain access to accounts that have checked "remember me" when logging in.
|
|||||
| CVE-2023-5962 | 1 Moxa | 20 Iologik E1210, Iologik E1210 Firmware, Iologik E1211 and 17 more | 2024-11-21 | N/A | 6.5 MEDIUM |
|
A weak cryptographic algorithm vulnerability has been identified in ioLogik E1200 Series firmware versions v3.3 and prior. This vulnerability can help an attacker compromise the confidentiality of sensitive data. This vulnerability may lead an attacker to get unexpected authorization.
|
|||||
| CVE-2023-46233 | 1 Crypto-js Project | 1 Crypto-js | 2024-11-21 | N/A | 9.1 CRITICAL |
|
crypto-js is a JavaScript library of crypto standards. Prior to version 4.2.0, crypto-js PBKDF2 is 1,000 times weaker than originally specified in 1993, and at least 1,300,000 times weaker than current industry standard. This is because it both defaults to SHA1, a cryptographic hash algorithm considered insecure since at least 2005, and defaults to one single iteration, a 'strength' or 'difficulty' value specified at 1,000 when specified in 1993. PBKDF2 relies on iteration count as a countermeas ...
Show More |
|||||
| CVE-2023-46133 | 1 Entronad | 1 Cryptoes | 2024-11-21 | N/A | 9.1 CRITICAL |
|
CryptoES is a cryptography algorithms library compatible with ES6 and TypeScript. Prior to version 2.1.0, CryptoES PBKDF2 is 1,000 times weaker than originally specified in 1993, and at least 1,300,000 times weaker than current industry standard. This is because it both defaults to SHA1, a cryptographic hash algorithm considered insecure since at least 2005, and defaults to one single iteration, a 'strength' or 'difficulty' value specified at 1,000 when specified in 1993. PBKDF2 relies on iterat ...
Show More |
|||||
| CVE-2023-43635 | 1 Linuxfoundation | 1 Edge Virtualization Engine | 2024-11-21 | N/A | 8.8 HIGH |
|
Vault Key Sealed With SHA1 PCRs
The measured boot solution implemented in EVE OS leans on a PCR locking mechanism.
Different parts of the system update different PCR values in the TPM, resulting in a unique
value for each PCR entry.
These PCRs are then used in order to seal/unseal a key from the TPM which is used to
encrypt/decrypt the “vault” directory.
This “vault” directory is the most sensitive point in the system and as such, its content should
be protected.
This mechanism is not ...
Show More |
|||||