Monthly
MaxKB, an open-source enterprise AI assistant by 1Panel-dev, stores user passwords as unsalted MD5 hashes, exposing all user credentials to trivial offline cracking upon any database compromise. All versions prior to 2.9.1 are affected (CPE: cpe:2.3:a:1panel-dev:maxkb). The CVSS 4.0 vector (AV:L/VC:H) confirms that while local or database-level access is a prerequisite, once hashes are obtained, full credential recovery is practically guaranteed using rainbow tables or GPU-accelerated tools such as hashcat - no public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Weak password hashing in opensourcepos Open Source Point of Sale through version 3.4.2 exposes a legacy code path in the Employee Login component (app/Models/Employee.php) that retains an older, cryptographically weak hash function. The vendor has disputed the severity of this issue, clarifying that the weak hash function persists solely to support an upgrade migration path - default-seeded passwords use the legacy hash but are migrated to a stronger algorithm upon first login, meaning actively managed accounts on updated installations face reduced practical exposure. No public exploit code has been identified at time of analysis, and the vulnerability's real-world impact is currently in question pending independent verification.
Cache poisoning in Next.js React Server Component responses allows attackers to poison shared cache entries through collisions in the _rsc cache-busting mechanism, potentially serving incorrect response variants to users. The vulnerability affects Next.js versions 13.4.6 through 15.5.15 and 16.0.0 through 16.2.4 in deployments using shared caches with insufficient response partitioning. No public exploit code or active exploitation has been identified at time of analysis, though the low CVSS score (3.7) reflects the requirement for specific cache architecture conditions and lack of confidentiality impact.
Sandboxie-Plus versions 1.17.2 and earlier contain a cryptographic implementation flaw in SbieIniServer::HashPassword that reduces SHA-1 password hash entropy from 160 bits to 80 bits by incorrectly shifting the high nibble of each byte right by 8 instead of 4, combined with an unsalted hashing scheme. This makes leaked or backed-up EditPassword hashes significantly easier to brute-force, enabling attackers with local access and low privileges to recover plaintext passwords through offline attack. The vulnerability is fixed in version 1.17.3.
Weak hash function in the Vision Chat Paste Image Handler of Langchain-Chatchat up to 0.3.1.3 allows local network attackers with low privileges to cause information disclosure via hash collision attacks on image data processed through PIL.Image.tobytes. The vulnerability requires high attack complexity and local network presence, resulting in minimal direct impact (CVSS 1.2); however, publicly available exploit code exists and the vendor has not responded to disclosure.
Algorithmic complexity attack in jq JSON processor allows remote denial of service via hash collision exploitation. An attacker can craft a ~100KB JSON object with precomputed colliding keys that degrade hash table performance from O(1) to O(n²), causing severe CPU exhaustion in unauthenticated network contexts including CI/CD pipelines and web services. The vulnerability stems from a hardcoded MurmurHash3 seed (0x432A9843) that enables offline collision calculation. Fixed in commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784. CVSS 7.5 (High severity, network-exploitable, no authentication required). No public exploit identified at time of analysis, but attack technique is well-documented and feasible.
Denial of service in Node.js 20.x, 22.x, 24.x, and 25.x via predictable hash collisions in V8's string hashing mechanism allows unauthenticated remote attackers to degrade process performance by crafting requests with specially-crafted JSON payloads that trigger collision cascades in the internal string table. CVSS 5.9 (moderate severity, high attack complexity). No public exploit code or active exploitation confirmed at time of analysis.
Insufficient input padding in soroban-poseidon's Poseidon V1 hash function enables attackers to forge hash collisions by appending zeros to shorter inputs, allowing distinct messages to produce identical hashes when the input count is less than the sponge rate. This vulnerability affects any Soroban smart contract relying on PoseidonSponge or poseidon_hash for cryptographic integrity, potentially compromising authentication, signature verification, or other security mechanisms that depend on hash uniqueness. No patch is currently available.
An unauthenticated attacker can abuse the weak hash of the backup generated by the wwwdnload.cgi endpoint to gain unauthorized access to sensitive data, including password hashes and certificates. [CVSS 6.2 MEDIUM]
Session cookie forgery in SODOLA SL902-SWTGW124AS firmware through version 200.1.20 stems from the use of cryptographically broken MD5 hashing for session token generation, allowing unauthenticated remote attackers to forge valid session cookies and gain unauthorized device access. The vulnerability requires no user interaction and affects all default configurations, with no patch currently available. MD5's known collision vulnerabilities combined with predictable token generation significantly lower the computational barrier for successful exploitation.
MaxKB, an open-source enterprise AI assistant by 1Panel-dev, stores user passwords as unsalted MD5 hashes, exposing all user credentials to trivial offline cracking upon any database compromise. All versions prior to 2.9.1 are affected (CPE: cpe:2.3:a:1panel-dev:maxkb). The CVSS 4.0 vector (AV:L/VC:H) confirms that while local or database-level access is a prerequisite, once hashes are obtained, full credential recovery is practically guaranteed using rainbow tables or GPU-accelerated tools such as hashcat - no public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV.
Weak password hashing in opensourcepos Open Source Point of Sale through version 3.4.2 exposes a legacy code path in the Employee Login component (app/Models/Employee.php) that retains an older, cryptographically weak hash function. The vendor has disputed the severity of this issue, clarifying that the weak hash function persists solely to support an upgrade migration path - default-seeded passwords use the legacy hash but are migrated to a stronger algorithm upon first login, meaning actively managed accounts on updated installations face reduced practical exposure. No public exploit code has been identified at time of analysis, and the vulnerability's real-world impact is currently in question pending independent verification.
Cache poisoning in Next.js React Server Component responses allows attackers to poison shared cache entries through collisions in the _rsc cache-busting mechanism, potentially serving incorrect response variants to users. The vulnerability affects Next.js versions 13.4.6 through 15.5.15 and 16.0.0 through 16.2.4 in deployments using shared caches with insufficient response partitioning. No public exploit code or active exploitation has been identified at time of analysis, though the low CVSS score (3.7) reflects the requirement for specific cache architecture conditions and lack of confidentiality impact.
Sandboxie-Plus versions 1.17.2 and earlier contain a cryptographic implementation flaw in SbieIniServer::HashPassword that reduces SHA-1 password hash entropy from 160 bits to 80 bits by incorrectly shifting the high nibble of each byte right by 8 instead of 4, combined with an unsalted hashing scheme. This makes leaked or backed-up EditPassword hashes significantly easier to brute-force, enabling attackers with local access and low privileges to recover plaintext passwords through offline attack. The vulnerability is fixed in version 1.17.3.
Weak hash function in the Vision Chat Paste Image Handler of Langchain-Chatchat up to 0.3.1.3 allows local network attackers with low privileges to cause information disclosure via hash collision attacks on image data processed through PIL.Image.tobytes. The vulnerability requires high attack complexity and local network presence, resulting in minimal direct impact (CVSS 1.2); however, publicly available exploit code exists and the vendor has not responded to disclosure.
Algorithmic complexity attack in jq JSON processor allows remote denial of service via hash collision exploitation. An attacker can craft a ~100KB JSON object with precomputed colliding keys that degrade hash table performance from O(1) to O(n²), causing severe CPU exhaustion in unauthenticated network contexts including CI/CD pipelines and web services. The vulnerability stems from a hardcoded MurmurHash3 seed (0x432A9843) that enables offline collision calculation. Fixed in commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784. CVSS 7.5 (High severity, network-exploitable, no authentication required). No public exploit identified at time of analysis, but attack technique is well-documented and feasible.
Denial of service in Node.js 20.x, 22.x, 24.x, and 25.x via predictable hash collisions in V8's string hashing mechanism allows unauthenticated remote attackers to degrade process performance by crafting requests with specially-crafted JSON payloads that trigger collision cascades in the internal string table. CVSS 5.9 (moderate severity, high attack complexity). No public exploit code or active exploitation confirmed at time of analysis.
Insufficient input padding in soroban-poseidon's Poseidon V1 hash function enables attackers to forge hash collisions by appending zeros to shorter inputs, allowing distinct messages to produce identical hashes when the input count is less than the sponge rate. This vulnerability affects any Soroban smart contract relying on PoseidonSponge or poseidon_hash for cryptographic integrity, potentially compromising authentication, signature verification, or other security mechanisms that depend on hash uniqueness. No patch is currently available.
An unauthenticated attacker can abuse the weak hash of the backup generated by the wwwdnload.cgi endpoint to gain unauthorized access to sensitive data, including password hashes and certificates. [CVSS 6.2 MEDIUM]
Session cookie forgery in SODOLA SL902-SWTGW124AS firmware through version 200.1.20 stems from the use of cryptographically broken MD5 hashing for session token generation, allowing unauthenticated remote attackers to forge valid session cookies and gain unauthorized device access. The vulnerability requires no user interaction and affects all default configurations, with no patch currently available. MD5's known collision vulnerabilities combined with predictable token generation significantly lower the computational barrier for successful exploitation.