Sulu CMS CVE-2026-45701

MEDIUM
Use of a Broken or Risky Cryptographic Algorithm (CWE-327)
2026-05-18 https://github.com/sulu/sulu GHSA-7fv8-6pp7-6h85

Lifecycle Timeline

Source Code Evidence Fetched
May 18, 2026 - 18:02 vuln.today
Analysis Generated
May 18, 2026 - 18:02 vuln.today

Description (NVD)

Impact

The password reset token and API key generation uses a weak cryptographic hash algorithm.

Patches

Fixed in versions 2.6.23 and 3.0.6.

Workarounds

Patch the related User.php and ResettingController.php files in the SecurityBundle.

Analysis (AI)

Weak cryptographic algorithm usage in Sulu CMS exposes password reset tokens and API keys to prediction or brute-force attacks, potentially enabling unauthorized account takeover or API access. The flaw resides in the SecurityBundle's User.php and ResettingController.php, affecting all Sulu 2.x releases up to 2.6.22 and all 3.x releases from the first alpha through 3.0.5. …
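
An added example, not code from Sulu or from this page: a check of a project's composer.lock against the affected ranges and fixed versions given above. It assumes the standard composer.lock layout (`packages` and `packages-dev` arrays of entries with `name` and `version`) and that releases after the fixed ones keep the fix; the function names and the sample lock are constructed.

```python
import json
import re

# First fixed release per major line, as stated on this page.
FIXED = {2: (2, 6, 23), 3: (3, 0, 6)}
VERSION_RE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)(?:-?(alpha|beta|rc)\.?\d*)?", re.I)

def classify(version):
    """Return 'affected', 'fixed' or 'unknown' for a sulu/sulu version string."""
    m = VERSION_RE.fullmatch(version.strip())
    if not m:
        return "unknown"   # branch aliases such as dev-main cannot be ordered
    core = tuple(int(part) for part in m.group(1, 2, 3))
    fixed = FIXED.get(core[0])
    if fixed is None:
        return "unknown"   # the page only covers the 2.x and 3.x lines
    if core < fixed:
        return "affected"  # includes pre-releases such as 3.0.0-alpha1
    if core == fixed and m.group(4):
        return "unknown"   # pre-release of the fixed version: page does not say
    return "fixed"         # assumption: releases after the fix keep it

def check_lock(lock_text, package="sulu/sulu"):
    """Find the locked version of `package` in composer.lock JSON text."""
    lock = json.loads(lock_text)
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section) or []:
            if pkg.get("name") == package:
                version = pkg.get("version", "")
                return version, classify(version)
    return None, "not-installed"

# Constructed sample input, not taken from a real project.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "symfony/console", "version": "v6.4.1"},
        {"name": "sulu/sulu", "version": "2.6.22"},
    ],
    "packages-dev": [],
})

if __name__ == "__main__":
    print(check_lock(SAMPLE_LOCK))
```

An "unknown" result (a branch alias or a major line the page does not mention) needs a manual look at the installed SecurityBundle files.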
