Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
Description (GitHub Advisory)
phpMyFAQ is an open source FAQ web application. Prior to version 4.1.4, attachment passwords are hashed using SHA-1, a cryptographically broken algorithm. SHA-1 has been vulnerable to collision attacks since 2017 (SHAttered). Version 4.1.4 fixes the issue.
Analysis (AI-generated)
Weak cryptographic hashing of attachment passwords in phpMyFAQ prior to 4.1.4 exposes protected attachment credentials to offline cracking or collision-based forgery. The application stored SHA-1 hashes of per-attachment passwords in the database column password_hash, computed via sha1((string) $key) in AbstractAttachment::setKey(). …
Vulnerability Assessment (AI-generated)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation of the weak hash requires an attacker to first obtain the stored SHA-1 password hashes from the `faqattachment` database table; that access is a prerequisite the vulnerability itself does not provide. … |
| Risk Assessment | CVSS 4.0 scores this at 2.7 (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N), which accurately reflects the constrained real-world impact: confidentiality impact is limited (VC:L) and no integrity or availability consequences are assessed. … |
| Exploit Scenario | An attacker who gains read access to the phpMyFAQ database (through SQL injection in another part of the application, a misconfigured database port, or a leaked backup) extracts the `password_hash` column values from the attachment table. Using SHA-1 collision or preimage techniques, or simply a rainbow table attack against the 160-bit digests, the attacker recovers the plaintext attachment passwords and decrypts otherwise access-controlled file attachments. … |
| Remediation | Upgrade phpMyFAQ to version 4.1.4, which removes SHA-1 password hash storage entirely (commit 1aa9be6f8a2fa5c527c983826205229fc3129718). … |
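The weak pattern the advisory describes (an unsalted `sha1()` of the attachment key stored in `password_hash`) next to the standard hardened pattern, as an added illustration that is not phpMyFAQ's code and not the content of the fixing commit. It assumes hypothetical function names, a constructed set of sample column values, and PHP's built-in `password_hash`/`password_verify` API; the legacy branch exists only so that rows created before an upgrade can still be verified and rehashed on first use, and so operators can count how many such rows remain.

```php
<?php
declare(strict_types=1);

// Weak form, as the advisory describes: an unsalted, fast SHA-1 digest of the key.
// No salt and no work factor is what makes leaked digests cheap to crack offline.
function legacyAttachmentHash(string $key): string
{
    return sha1($key); // 40 lowercase hex characters
}

// Hardened form (illustrative, not the project's change): a salted, slow password
// hash. PASSWORD_DEFAULT is bcrypt in current PHP releases and embeds its own salt.
function hardenedAttachmentHash(string $key): string
{
    return password_hash($key, PASSWORD_DEFAULT);
}

// Legacy SHA-1 digests are exactly 40 lowercase hex characters; modern hashes are not.
function isLegacyDigest(string $stored): bool
{
    return preg_match('/^[0-9a-f]{40}$/', $stored) === 1;
}

// Returns [bool $ok, ?string $rehash]. $rehash is non-null when the stored value
// should be replaced: the row still holds a legacy digest, or the modern hash was
// produced with parameters weaker than the current default.
function verifyAttachmentKey(string $key, string $stored): array
{
    if (isLegacyDigest($stored)) {
        $ok = hash_equals($stored, sha1($key)); // constant-time comparison
        return [$ok, $ok ? hardenedAttachmentHash($key) : null];
    }
    $ok = password_verify($key, $stored);
    if ($ok && password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        return [true, hardenedAttachmentHash($key)];
    }
    return [$ok, null];
}

// Operator inventory: how many rows still carry a legacy digest after an upgrade.
function countLegacyHashes(array $storedValues): int
{
    return count(array_filter($storedValues, 'isLegacyDigest'));
}

// Constructed sample values standing in for the faqattachment.password_hash column.
$sampleRows = [legacyAttachmentHash('s3cret'), hardenedAttachmentHash('s3cret'), ''];
printf("rows still holding a legacy digest: %d\n", countLegacyHashes($sampleRows));
[$ok, $rehash] = verifyAttachmentKey('s3cret', $sampleRows[0]);
printf("legacy row verified: %s; rehash queued: %s\n", $ok ? 'yes' : 'no', $rehash !== null ? 'yes' : 'no');
```

Once every row reports a modern hash, the legacy branch can be deleted so the application no longer accepts or computes SHA-1 digests at all.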
EUVD-2026-35091