Skip to main content

CWE-328

Use of Weak Hash

67 CVEs Avg CVSS 5.7 MITRE
7
CRITICAL
13
HIGH
29
MEDIUM
18
LOW
16
POC
0
KEV

Monthly

CVE-2026-15605 LOW PATCH Monitor

Artifact Integrity Validation in wandb 0.25.2.dev1 uses MD5 (a cryptographically broken hash algorithm) within ArtifactManifestEntry.download in wandb/sdk/lib/hashutil.py, enabling a sufficiently resourced attacker with write access to artifact storage or a man-in-the-middle network position to substitute a malicious artifact file that shares the same MD5 digest as a legitimate one, bypassing download integrity checks. The CVSS 4.0 base score of 2.3 reflects high attack complexity and the requirement for authenticated access (PR:L), placing real-world exploitability firmly in the theoretical-to-low range. No public exploit exists and the vulnerability has no CISA KEV listing; an upstream fix via SHA-256 supplementation is available as an unmerged GitHub PR (#12031).

Information Disclosure Wandb
NVD VulDB GitHub
CVSS 4.0
2.3
EPSS
0.2%
CVE-2026-41879 HIGH This Week

Credential disclosure in R-SOFT DMS lets an attacker who obtains the stored superadmin password hash recover the plaintext password, because credentials are protected with a non-salted, nested MD5 hash that is trivially reversible via brute-force and precomputed rainbow tables. The superadmin account is high-value and cannot be rotated through the UI - the password can only be changed by editing the configuration file - so recovered credentials remain valid indefinitely. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.

Information Disclosure
NVD VulDB
CVSS 4.0
8.2
EPSS
0.3%
CVE-2026-14742 LOW POC PATCH Monitor

Weak hashing in LangGraph's Task Result Cache exposes low-privilege authenticated users to hash collision attacks that can leak cached task results across isolation boundaries. All LangGraph versions through 1.2.4 are affected via the `_freeze` function in `libs/langgraph/langgraph/_internal/_cache.py`. A public proof-of-concept is disclosed at GitHub issue #8009, though the CVSS 4.0 score of 2.3 and AC:H rating reflect genuinely high exploitation difficulty; this is not listed in CISA KEV and no active exploitation has been reported.

Information Disclosure Langgraph
NVD VulDB GitHub
CVSS 4.0
1.3
EPSS
0.2%
CVE-2026-14738 LOW POC PATCH Monitor

Weak hashing in exo-explore exo up to version 1.0.71 exposes the Vision Feature Cache to hash collision attacks via the `_image_cache_key` function in `src/exo/worker/engines/mlx/vision.py`. A remote, unauthenticated attacker capable of engineering the necessary collision inputs could disclose cached vision feature data, yielding a low confidentiality impact. Publicly available exploit code exists (referenced in GitHub issue #2151), though high attack complexity (AC:H) and the absence of a CISA KEV listing indicate no confirmed widespread active exploitation at time of analysis.

Information Disclosure Exo
NVD VulDB GitHub
CVSS 4.0
2.9
EPSS
0.2%
CVE-2026-14630 LOW POC PATCH Monitor

Weak session hash generation in ForceInjection AI-fundermentals 2.0 and 3.0 exposes conversation history belonging to other users in shared deployments. The `get_conversation_history` function in the Memory Recall Handler generates `sessionowner` tokens using a cryptographically weak hash algorithm (CWE-328), allowing a low-privileged authenticated attacker to predict or brute-force another user's session identifier and retrieve their prior conversation records. A publicly available exploit exists per GitHub issue #17 and the CVSS 4.0 E:P modifier, though the high attack complexity (AC:H) and low overall score of 2.3 indicate exploitation is difficult and impact is limited to partial confidentiality loss - no integrity or availability impact is present.

Information Disclosure Ai Fundermentals
NVD VulDB GitHub
CVSS 4.0
1.3
EPSS
0.2%
CVE-2026-10540 MEDIUM PATCH This Month

Weak password hash storage in BMC Control-M/Enterprise Manager exposes account credentials to offline recovery attacks if an attacker gains access to the credential database. Affected are unsupported versions 9.0.20.x and potentially earlier legacy releases, meaning no vendor patch will be issued for these branches - upgrade to a supported release is the only vendor-endorsed remediation. The CVSS 4.0 vector (AV:L/PR:H/AT:P) confirms exploitation requires local, high-privilege access and specific attack conditions, significantly constraining real-world risk; no public exploit code and no CISA KEV listing have been identified at time of analysis.

Information Disclosure Control M Enterprise Manager
NVD VulDB
CVSS 4.0
5.6
EPSS
0.1%
CVE-2026-13455 MEDIUM PATCH This Month

PostgreSQL Anonymizer's anon.hash() function exposes its internal salt to masked database users through an offline brute-force attack, undermining the core pseudonymization guarantee of the extension. Masked roles - the primary consumer of this extension - can call anon.hash() with arbitrary seed inputs and accumulate (seed, hash_output) pairs to deduce the salt offline, after which all pseudonymized values in the database become reversible. No active exploitation or public proof-of-concept has been identified; a vendor-confirmed fix is available in version 3.1.2.

PostgreSQL Information Disclosure Postgresql Anonymizer Red Hat
NVD
CVSS 3.1
4.3
EPSS
0.1%
CVE-2026-13510 LOW POC PATCH Monitor

Deployment authentication token weakness in SimStudioAI Sim up to 0.6.92 leaks a truncated SHA-256 derivative of the encrypted deployment password inside base64-encoded auth cookies, enabling offline hash cracking and potential token forgery against password-protected deployments. The vulnerable Password Protection Handler embeds only the first 8 hex characters (32 bits) of an unsalted SHA-256 hash of the encrypted password directly in the unprotected token payload - a CWE-328 use of weak hash - allowing an attacker who obtains the cookie to brute-force the narrow hash space and fingerprint or bypass deployment authentication. No patch has been merged; fix PR #4760 is pending acceptance, and a public proof-of-concept is available at https://github.com/simstudioai/sim/issues/4759.

Information Disclosure Sim
NVD VulDB GitHub
CVSS 4.0
2.9
EPSS
0.2%
CVE-2026-13482 LOW Monitor

Weak hash usage in SkyPilot's User ID Handler (versions up to 0.12.0) allows remote attackers with high-complexity access to manipulate user identity integrity by exploiting the `username.encode` function in `sky/users/server.py`. The vulnerability (CWE-328) results in a low-integrity impact on the vulnerable system, with no confidentiality or availability impact per the CVSS 4.0 vector, though the VulDB-assigned 'Information Disclosure' tag suggests the weak hash may additionally expose derivable username data. A public exploit exists (CVSS 4.0 E:P modifier confirmed), but no confirmed active exploitation or CISA KEV listing has been identified at time of analysis.

Information Disclosure Skypilot
NVD VulDB GitHub
CVSS 4.0
2.9
EPSS
0.2%
CVE-2026-54266 npm HIGH PATCH GHSA This Week

Cache key collision in Angular's @angular/common HttpTransferCache allows remote attackers to poison Server-Side Rendering (SSR) cache entries and replace responses for sensitive endpoints with attacker-controlled content. The weak 32-bit DJB2-like polynomial rolling hash used for TransferState cache keys is trivially brute-forceable, enabling state poisoning, DOM-based XSS, and information leakage when a victim follows a crafted link. No public exploit identified at time of analysis, but the vulnerability was discovered and reported by Google DeepMind's CodeMender and is patched in Angular 22.0.1, 21.2.17, and 20.3.25.

Google XSS Information Disclosure
NVD GitHub VulDB HeroDevs
CVSS 4.0
8.8
EPSS
0.1%
EPSS 0% CVSS 2.3
LOW PATCH Monitor

Artifact Integrity Validation in wandb 0.25.2.dev1 uses MD5 (a cryptographically broken hash algorithm) within ArtifactManifestEntry.download in wandb/sdk/lib/hashutil.py, enabling a sufficiently resourced attacker with write access to artifact storage or a man-in-the-middle network position to substitute a malicious artifact file that shares the same MD5 digest as a legitimate one, bypassing download integrity checks. The CVSS 4.0 base score of 2.3 reflects high attack complexity and the requirement for authenticated access (PR:L), placing real-world exploitability firmly in the theoretical-to-low range. No public exploit exists and the vulnerability has no CISA KEV listing; an upstream fix via SHA-256 supplementation is available as an unmerged GitHub PR (#12031).

Information Disclosure Wandb
NVD VulDB GitHub
EPSS 0% CVSS 8.2
HIGH This Week

Credential disclosure in R-SOFT DMS lets an attacker who obtains the stored superadmin password hash recover the plaintext password, because credentials are protected with a non-salted, nested MD5 hash that is trivially reversible via brute-force and precomputed rainbow tables. The superadmin account is high-value and cannot be rotated through the UI - the password can only be changed by editing the configuration file - so recovered credentials remain valid indefinitely. There is no public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.

Information Disclosure
NVD VulDB
EPSS 0% CVSS 1.3
LOW POC PATCH Monitor

Weak hashing in LangGraph's Task Result Cache exposes low-privilege authenticated users to hash collision attacks that can leak cached task results across isolation boundaries. All LangGraph versions through 1.2.4 are affected via the `_freeze` function in `libs/langgraph/langgraph/_internal/_cache.py`. A public proof-of-concept is disclosed at GitHub issue #8009, though the CVSS 4.0 score of 2.3 and AC:H rating reflect genuinely high exploitation difficulty; this is not listed in CISA KEV and no active exploitation has been reported.

Information Disclosure Langgraph
NVD VulDB GitHub
EPSS 0% CVSS 2.9
LOW POC PATCH Monitor

Weak hashing in exo-explore exo up to version 1.0.71 exposes the Vision Feature Cache to hash collision attacks via the `_image_cache_key` function in `src/exo/worker/engines/mlx/vision.py`. A remote, unauthenticated attacker capable of engineering the necessary collision inputs could disclose cached vision feature data, yielding a low confidentiality impact. Publicly available exploit code exists (referenced in GitHub issue #2151), though high attack complexity (AC:H) and the absence of a CISA KEV listing indicate no confirmed widespread active exploitation at time of analysis.

Information Disclosure Exo
NVD VulDB GitHub
EPSS 0% CVSS 1.3
LOW POC PATCH Monitor

Weak session hash generation in ForceInjection AI-fundermentals 2.0 and 3.0 exposes conversation history belonging to other users in shared deployments. The `get_conversation_history` function in the Memory Recall Handler generates `sessionowner` tokens using a cryptographically weak hash algorithm (CWE-328), allowing a low-privileged authenticated attacker to predict or brute-force another user's session identifier and retrieve their prior conversation records. A publicly available exploit exists per GitHub issue #17 and the CVSS 4.0 E:P modifier, though the high attack complexity (AC:H) and low overall score of 2.3 indicate exploitation is difficult and impact is limited to partial confidentiality loss - no integrity or availability impact is present.

Information Disclosure Ai Fundermentals
NVD VulDB GitHub
EPSS 0% CVSS 5.6
MEDIUM PATCH This Month

Weak password hash storage in BMC Control-M/Enterprise Manager exposes account credentials to offline recovery attacks if an attacker gains access to the credential database. Affected are unsupported versions 9.0.20.x and potentially earlier legacy releases, meaning no vendor patch will be issued for these branches - upgrade to a supported release is the only vendor-endorsed remediation. The CVSS 4.0 vector (AV:L/PR:H/AT:P) confirms exploitation requires local, high-privilege access and specific attack conditions, significantly constraining real-world risk; no public exploit code and no CISA KEV listing have been identified at time of analysis.

Information Disclosure Control M Enterprise Manager
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

PostgreSQL Anonymizer's anon.hash() function exposes its internal salt to masked database users through an offline brute-force attack, undermining the core pseudonymization guarantee of the extension. Masked roles - the primary consumer of this extension - can call anon.hash() with arbitrary seed inputs and accumulate (seed, hash_output) pairs to deduce the salt offline, after which all pseudonymized values in the database become reversible. No active exploitation or public proof-of-concept has been identified; a vendor-confirmed fix is available in version 3.1.2.

PostgreSQL Information Disclosure Postgresql Anonymizer +1
NVD
EPSS 0% CVSS 2.9
LOW POC PATCH Monitor

Deployment authentication token weakness in SimStudioAI Sim up to 0.6.92 leaks a truncated SHA-256 derivative of the encrypted deployment password inside base64-encoded auth cookies, enabling offline hash cracking and potential token forgery against password-protected deployments. The vulnerable Password Protection Handler embeds only the first 8 hex characters (32 bits) of an unsalted SHA-256 hash of the encrypted password directly in the unprotected token payload - a CWE-328 use of weak hash - allowing an attacker who obtains the cookie to brute-force the narrow hash space and fingerprint or bypass deployment authentication. No patch has been merged; fix PR #4760 is pending acceptance, and a public proof-of-concept is available at https://github.com/simstudioai/sim/issues/4759.

Information Disclosure Sim
NVD VulDB GitHub
EPSS 0% CVSS 2.9
LOW Monitor

Weak hash usage in SkyPilot's User ID Handler (versions up to 0.12.0) allows remote attackers with high-complexity access to manipulate user identity integrity by exploiting the `username.encode` function in `sky/users/server.py`. The vulnerability (CWE-328) results in a low-integrity impact on the vulnerable system, with no confidentiality or availability impact per the CVSS 4.0 vector, though the VulDB-assigned 'Information Disclosure' tag suggests the weak hash may additionally expose derivable username data. A public exploit exists (CVSS 4.0 E:P modifier confirmed), but no confirmed active exploitation or CISA KEV listing has been identified at time of analysis.

Information Disclosure Skypilot
NVD VulDB GitHub
EPSS 0% CVSS 8.8
HIGH PATCH This Week

Cache key collision in Angular's @angular/common HttpTransferCache allows remote attackers to poison Server-Side Rendering (SSR) cache entries and replace responses for sensitive endpoints with attacker-controlled content. The weak 32-bit DJB2-like polynomial rolling hash used for TransferState cache keys is trivially brute-forceable, enabling state poisoning, DOM-based XSS, and information leakage when a victim follows a crafted link. No public exploit identified at time of analysis, but the vulnerability was discovered and reported by Google DeepMind's CodeMender and is patched in Angular 22.0.1, 21.2.17, and 20.3.25.

Google XSS Information Disclosure
NVD GitHub VulDB HeroDevs

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy