Skip to main content

CWE-759

Use of a One-Way Hash without a Salt

9 CVEs Avg CVSS 6.0 MITRE
0
CRITICAL
2
HIGH
7
MEDIUM
0
LOW
0
POC
0
KEV

Monthly

CVE-2026-45027 MEDIUM PATCH This Month

Unsalted SHA-256 password hashing in WeGIA exposes all stored credentials to rainbow table attacks in versions prior to 3.7.3. Both the login flow (html/login.php) and the password-change flow (controle/FuncionarioControle.php) use PHP's hash() with SHA-256 and no per-user salt, meaning identical passwords always produce identical digests and a single precomputed table can compromise the entire credential database at once. No public exploit has been identified at time of analysis and no KEV listing exists, but exploitability is high once hash data is obtained - the attack requires only standard rainbow table tooling and no cryptographic skill.

PHP Information Disclosure
NVD GitHub
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-36253 MEDIUM This Month

Concert versions up to 2.1.0 contains a vulnerability that allows attackers to decrypt highly sensitive information (CVSS 5.9).

IBM Concert
NVD
CVSS 3.1
5.9
EPSS
0.0%
CVE-2025-10205 HIGH This Month

Use of a One-Way Hash with a Predictable Salt vulnerability in ABB FLXEON.3.5. Rated high severity (CVSS 8.7), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Abb
NVD
CVSS 4.0
8.7
EPSS
0.0%
CVE-2025-53884 Go MEDIUM PATCH This Month

NeuVector stores user passwords and API keys using a simple, unsalted hash. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Suse
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-27408 npm MEDIUM PATCH This Month

Manifest offers users a one-file micro back end. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure
NVD GitHub
CVSS 3.1
4.8
EPSS
0.1%
CVE-2023-33838 MEDIUM This Month

IBM Security Verify Governance 10.0.2 Identity Manager uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product does not also use a salt. Rated medium severity (CVSS 4.4), this vulnerability is remotely exploitable. No vendor patch available.

IBM Information Disclosure Security Verify Governance
NVD
CVSS 3.1
4.4
EPSS
0.0%
CVE-2023-1430 MEDIUM PATCH This Month

The FluentCRM - Marketing Automation For WordPress plugin for WordPress is vulnerable to unauthorized modification of data in versions up to, and including, 2.8.01 due to the use of an MD5 hash. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

WordPress Authentication Bypass Fluentcrm
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
1.6%
CVE-2021-21253 MEDIUM PATCH This Month

OnlineVotingSystem is an open source project hosted on GitHub. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Onlinevotingsystem
NVD GitHub
CVSS 3.1
5.3
EPSS
0.7%
CVE-2020-16244 HIGH This Week

GE Digital APM Classic, Versions 4.4 and prior. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Asset Performance Management Classic
NVD
CVSS 3.1
7.2
EPSS
0.7%
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Unsalted SHA-256 password hashing in WeGIA exposes all stored credentials to rainbow table attacks in versions prior to 3.7.3. Both the login flow (html/login.php) and the password-change flow (controle/FuncionarioControle.php) use PHP's hash() with SHA-256 and no per-user salt, meaning identical passwords always produce identical digests and a single precomputed table can compromise the entire credential database at once. No public exploit has been identified at time of analysis and no KEV listing exists, but exploitability is high once hash data is obtained - the attack requires only standard rainbow table tooling and no cryptographic skill.

PHP Information Disclosure
NVD GitHub
EPSS 0% CVSS 5.9
MEDIUM This Month

Concert versions up to 2.1.0 contains a vulnerability that allows attackers to decrypt highly sensitive information (CVSS 5.9).

IBM Concert
NVD
EPSS 0% CVSS 8.7
HIGH This Month

Use of a One-Way Hash with a Predictable Salt vulnerability in ABB FLXEON.3.5. Rated high severity (CVSS 8.7), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Abb
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

NeuVector stores user passwords and API keys using a simple, unsalted hash. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Suse
NVD GitHub
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Manifest offers users a one-file micro back end. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure
NVD GitHub
EPSS 0% CVSS 4.4
MEDIUM This Month

IBM Security Verify Governance 10.0.2 Identity Manager uses a one-way cryptographic hash against an input that should not be reversible, such as a password, but the product does not also use a salt. Rated medium severity (CVSS 4.4), this vulnerability is remotely exploitable. No vendor patch available.

IBM Information Disclosure Security Verify Governance
NVD
EPSS 2% CVSS 6.5
MEDIUM PATCH This Month

The FluentCRM - Marketing Automation For WordPress plugin for WordPress is vulnerable to unauthorized modification of data in versions up to, and including, 2.8.01 due to the use of an MD5 hash. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

WordPress Authentication Bypass Fluentcrm
NVD GitHub VulDB
EPSS 1% CVSS 5.3
MEDIUM PATCH This Month

OnlineVotingSystem is an open source project hosted on GitHub. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Onlinevotingsystem
NVD GitHub
EPSS 1% CVSS 7.2
HIGH This Week

GE Digital APM Classic, Versions 4.4 and prior. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Asset Performance Management Classic
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy