Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:I/V:X/RE:X/U:X
Any authenticated account exploits it remotely with low complexity (PR:L, AC:L, AV:N); impact is confidentiality-only disclosure of cracked hashes, so C:H, I:N, A:N.
Primary rating from Vendor (DIVD).
CVSS VectorVendor: DIVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:I/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
Improper access control in Hashtopolis server web-interface chunk activity component for versions prior to 0.14.8 allows any created account to read all cracked hashes of a Hashtopolis server instance.
AnalysisAI
Broken object-level authorization in the Hashtopolis server web-interface chunk activity component lets any authenticated low-privilege account read all cracked hashes across the entire server, regardless of access-group membership. Affecting all versions prior to 0.14.8, the flaw exposes recovered plaintext credentials - the core sensitive output of the platform - to users who should only see their own group's data. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires a valid authenticated account on the target Hashtopolis server (PR:L) - the description states 'any created account' can read all cracked hashes, so the only prerequisite is possession of any account, not administrative rights. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N) scoring 7.1 is internally consistent with the description: network-reachable web interface, low attack complexity, low privileges required (any created account), no user interaction, and a pure confidentiality impact (VC:H) with no integrity or availability effect. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who has been granted (or has self-registered for) any account on a shared Hashtopolis instance browses to the chunk activity component and requests chunk/hash data belonging to access groups they are not a member of. Because the component does not verify group ownership, the interface returns cracked plaintext hashes from every group on the server, letting the attacker harvest credentials recovered by other teams' jobs. … |
| Remediation | Upgrade to the vendor-released patch: Hashtopolis server v0.14.8 (https://github.com/hashtopolis/server/releases/tag/v0.14.8), which the release notes state fixes access issues where users could read chunk and hash info from access groups they were not members of. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, audit all Hashtopolis server instances to identify their current version and production deployment status. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Traccar Traccar Server version 4.0 and earlier contains a CWE-94: Improper Control of Generation of Code ('Code Injectio
Account takeover in self-hosted Bitwarden Server before 2026.6.0 lets a low-privileged organization member steal any oth
Provider service users in Bitwarden Server Cloud can hijack arbitrary organizations via unauthorized API endpoint access
NoMachine Server is affected by Integer Overflow. Rated high severity (CVSS 8.8), this vulnerability is low attack compl
NoMachine Server is affected by Buffer Overflow. Rated high severity (CVSS 8.8), this vulnerability is low attack comple
Authentication bypass in Bitwarden Server versions prior to 2026.4.1 allows authenticated users with SCIM management pri
JetAudio jetCast Server 2.0 contains a stack-based buffer overflow vulnerability in the Log Directory configuration fiel
A broken authentication vulnerability in 4D SAS 4D Server software v17, v18, v19 R7, and earlier allows attackers to sen
An information disclosure vulnerability in 4D SAS 4D Server Application v17, v18, v19 R7 and earlier allows attackers to
Privilege escalation in self-hosted Bitwarden Server before 2026.5.0 lets an authenticated organization member holding a
In the webmail component in IceWarp Server 11.3.1.5, there was an XSS vulnerability discovered in the "language" paramet
Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. Rated critical se
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-45155
GHSA-mr39-qwfq-3rmh