Skip to main content

CWE-916

Use of Password Hash With Insufficient Computational Effort

63 CVEs Avg CVSS 6.8 MITRE
8
CRITICAL
24
HIGH
30
MEDIUM
1
LOW
16
POC
0
KEV

Monthly

CVE-2026-5040 HIGH PATCH This Week

Credential disclosure in TP-Link Deco M5 v1 mesh routers stems from a weak (computationally cheap) password-hashing scheme used to store local user credentials, letting an attacker who has already obtained the stored hash recover the plaintext password via offline brute-force or dictionary attacks. Affected devices are the Deco M5 v1 hardware revision, and successful cracking yields access to device management functions scoped to the recovered account's privileges. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; the CVSS 4.0 vector (AV:L/AC:H/PR:H) reflects that it is a post-compromise credential-recovery weakness rather than a remote entry point.

TP-Link Authentication Bypass Deco M5 Deco M5 V1
NVD
CVSS 4.0
7.1
EPSS
0.1%
CVE-2026-55069 HIGH PATCH This Week

Offline administrator password recovery in Kestra OSS (versions prior to 1.3.24) stems from its BasicAuth component storing the admin credential as a fast SHA-512 hash. An attacker who already holds read access to the backing PostgreSQL database can extract that hash and crack it offline at high speed, then log in as administrator; in Kubernetes deployments this further exposes the cluster ServiceAccount token and all K8s Secrets, enabling vertical privilege escalation. No public exploit identified at time of analysis and not on CISA KEV; EPSS data was not provided.

PostgreSQL Kubernetes Privilege Escalation Kestra
NVD GitHub VulDB
CVSS 3.1
8.7
EPSS
0.2%
CVE-2026-56272 npm MEDIUM PATCH This Month

Flowise versions up to and including 3.0.12 hash passwords using bcrypt with a default cost factor of 5 rounds - yielding only 32 iterations versus the OWASP-recommended minimum of 1,024 at 10 rounds - making stored password hashes approximately 30 times faster to crack with modern GPU hardware. All deployments where the PASSWORD_SALT_HASH_ROUNDS environment variable has not been manually overridden to 10 or higher are affected, which represents the majority of real-world installs since defaults predominate. In a database breach scenario, an attacker who obtains the hash table can leverage GPU-accelerated tools to recover plaintext passwords at roughly 300,000 attempts per second versus ~10,000 at the recommended work factor; no public exploit identified at time of analysis.

Information Disclosure Flowise
NVD GitHub
CVSS 4.0
5.6
EPSS
0.1%
CVE-2026-9641 MEDIUM PATCH This Month

Crypt::PBKDF2 for Perl prior to version 0.261630 ships with critically weak password-hashing defaults - HMAC-SHA1 as the pseudorandom function and only 1,000 iterations - leaving derived keys and stored passwords highly vulnerable to offline brute-force attacks. Applications that do not explicitly override these defaults expose any compromised credential store to cracking at rates orders of magnitude faster than OWASP-recommended configurations (220,000-1,400,000 iterations depending on algorithm). No public exploit is identified at time of analysis and the CVE is not listed in CISA KEV, but the structural nature of CWE-916 means all previously generated hashes using the weak defaults remain exploitable even after upgrading the library unless proactively rehashed.

Information Disclosure Crypt Suse
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-25861 HIGH PATCH This Week

Weak password hashing in QloApps through 1.7.0 enables credential compromise because Tools::encrypt() in classes/Tools.php hashes passwords with unsalted MD5 concatenated with a static cookie key, allowing offline brute-force recovery of customer and employee credentials. The risk is amplified by an 8-character auto-generated password used during guest-to-customer conversion in classes/Customer.php, making cracked hashes practically trivial. No public exploit identified at time of analysis, but the upstream fix in commit 64e9722 replaces MD5 with the PasswordHashing class for credential storage.

Information Disclosure PHP Qloapps
NVD GitHub VulDB
CVSS 4.0
8.2
EPSS
0.0%
CVE-2026-44611 MEDIUM PATCH CISA This Month

Weak password storage in the Danelec MacGregor VDR G4E exposes credentials to offline brute-force attack: the hashing algorithm in use both caps maximum password length and provides insufficient computational cost, meaning recovered hashes can be cracked with modest effort. An adjacent-network attacker holding low-privilege access who obtains the stored hashes can recover plaintext credentials and authenticate with elevated privileges to this safety-critical maritime recording system. No public exploit code has been identified at time of analysis and the CVE is not listed in CISA KEV, but the vulnerability affects all known versions of the G4E and is confirmed by CISA ICS advisory ICSA-26-148-01.

Information Disclosure Macgregor Voyage Data Recorder Vdr G4E
NVD GitHub VulDB
CVSS 4.0
5.9
EPSS
0.0%
CVE-2025-46413 MEDIUM This Month

Use of password hash with insufficient computational effort issue exists in BUFFALO Wi-Fi router 'WSR-1800AX4 series'. Rated medium severity (CVSS 5.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 4.0
5.3
EPSS
0.0%
CVE-2025-3937 HIGH This Week

Use of Password Hash With Insufficient Computational Effort vulnerability in Tridium Niagara Framework on Windows, Linux, QNX, Tridium Niagara Enterprise Security on Windows, Linux, QNX allows. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Microsoft Information Disclosure Niagara Niagara Enterprise Security Windows
NVD
CVSS 3.1
7.7
EPSS
0.1%
CVE-2025-24340 MEDIUM This Month

A vulnerability in the users configuration file of ctrlX OS may allow a remote authenticated (low-privileged) attacker to recover the plaintext passwords of other users. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-2265 HIGH This Week

The password of a web user in "Sante PACS Server.exe" is zero-padded to 0x2000 bytes, SHA1-hashed, base64-encoded, and stored in the USER table in the SQLite database HTTP.db. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure
NVD
CVSS 3.1
7.8
EPSS
0.0%
EPSS 0% CVSS 7.1
HIGH PATCH This Week

Credential disclosure in TP-Link Deco M5 v1 mesh routers stems from a weak (computationally cheap) password-hashing scheme used to store local user credentials, letting an attacker who has already obtained the stored hash recover the plaintext password via offline brute-force or dictionary attacks. Affected devices are the Deco M5 v1 hardware revision, and successful cracking yields access to device management functions scoped to the recovered account's privileges. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; the CVSS 4.0 vector (AV:L/AC:H/PR:H) reflects that it is a post-compromise credential-recovery weakness rather than a remote entry point.

TP-Link Authentication Bypass Deco M5 Deco M5 V1
NVD
EPSS 0% CVSS 8.7
HIGH PATCH This Week

Offline administrator password recovery in Kestra OSS (versions prior to 1.3.24) stems from its BasicAuth component storing the admin credential as a fast SHA-512 hash. An attacker who already holds read access to the backing PostgreSQL database can extract that hash and crack it offline at high speed, then log in as administrator; in Kubernetes deployments this further exposes the cluster ServiceAccount token and all K8s Secrets, enabling vertical privilege escalation. No public exploit identified at time of analysis and not on CISA KEV; EPSS data was not provided.

PostgreSQL Kubernetes Privilege Escalation +1
NVD GitHub VulDB
EPSS 0% CVSS 5.6
MEDIUM PATCH This Month

Flowise versions up to and including 3.0.12 hash passwords using bcrypt with a default cost factor of 5 rounds - yielding only 32 iterations versus the OWASP-recommended minimum of 1,024 at 10 rounds - making stored password hashes approximately 30 times faster to crack with modern GPU hardware. All deployments where the PASSWORD_SALT_HASH_ROUNDS environment variable has not been manually overridden to 10 or higher are affected, which represents the majority of real-world installs since defaults predominate. In a database breach scenario, an attacker who obtains the hash table can leverage GPU-accelerated tools to recover plaintext passwords at roughly 300,000 attempts per second versus ~10,000 at the recommended work factor; no public exploit identified at time of analysis.

Information Disclosure Flowise
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Crypt::PBKDF2 for Perl prior to version 0.261630 ships with critically weak password-hashing defaults - HMAC-SHA1 as the pseudorandom function and only 1,000 iterations - leaving derived keys and stored passwords highly vulnerable to offline brute-force attacks. Applications that do not explicitly override these defaults expose any compromised credential store to cracking at rates orders of magnitude faster than OWASP-recommended configurations (220,000-1,400,000 iterations depending on algorithm). No public exploit is identified at time of analysis and the CVE is not listed in CISA KEV, but the structural nature of CWE-916 means all previously generated hashes using the weak defaults remain exploitable even after upgrading the library unless proactively rehashed.

Information Disclosure Crypt Suse
NVD VulDB
EPSS 0% CVSS 8.2
HIGH PATCH This Week

Weak password hashing in QloApps through 1.7.0 enables credential compromise because Tools::encrypt() in classes/Tools.php hashes passwords with unsalted MD5 concatenated with a static cookie key, allowing offline brute-force recovery of customer and employee credentials. The risk is amplified by an 8-character auto-generated password used during guest-to-customer conversion in classes/Customer.php, making cracked hashes practically trivial. No public exploit identified at time of analysis, but the upstream fix in commit 64e9722 replaces MD5 with the PasswordHashing class for credential storage.

Information Disclosure PHP Qloapps
NVD GitHub VulDB
EPSS 0% CVSS 5.9
MEDIUM PATCH This Month

Weak password storage in the Danelec MacGregor VDR G4E exposes credentials to offline brute-force attack: the hashing algorithm in use both caps maximum password length and provides insufficient computational cost, meaning recovered hashes can be cracked with modest effort. An adjacent-network attacker holding low-privilege access who obtains the stored hashes can recover plaintext credentials and authenticate with elevated privileges to this safety-critical maritime recording system. No public exploit code has been identified at time of analysis and the CVE is not listed in CISA KEV, but the vulnerability affects all known versions of the G4E and is confirmed by CISA ICS advisory ICSA-26-148-01.

Information Disclosure Macgregor Voyage Data Recorder Vdr G4E
NVD GitHub VulDB
EPSS 0% CVSS 5.3
MEDIUM This Month

Use of password hash with insufficient computational effort issue exists in BUFFALO Wi-Fi router 'WSR-1800AX4 series'. Rated medium severity (CVSS 5.3), this vulnerability is no authentication required, low attack complexity. No vendor patch available.

Information Disclosure
NVD
EPSS 0% CVSS 7.7
HIGH This Week

Use of Password Hash With Insufficient Computational Effort vulnerability in Tridium Niagara Framework on Windows, Linux, QNX, Tridium Niagara Enterprise Security on Windows, Linux, QNX allows. Rated high severity (CVSS 7.7), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Microsoft Information Disclosure Niagara +2
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

A vulnerability in the users configuration file of ctrlX OS may allow a remote authenticated (low-privileged) attacker to recover the plaintext passwords of other users. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure
NVD
EPSS 0% CVSS 7.8
HIGH This Week

The password of a web user in "Sante PACS Server.exe" is zero-padded to 0x2000 bytes, SHA1-hashed, base64-encoded, and stored in the USER table in the SQLite database HTTP.db. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Information Disclosure
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy