CWE-326: Inadequate Encryption Strength — known CVE vulnerabilities
CVEs classified under CWE-326 (Inadequate Encryption Strength), ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (50)
CVE-2026-44523 — CVSS 10.0 (critical): Note Mark is an open-source note-taking application. Prior to 0.19.4, no minimum length or entropy is enforced on the JWT_SECRET…
CVE-2020-6966 — CVSS 10.0 (critical): In ApexPro Telemetry Server Versions 4.2 and prior, CARESCAPE Telemetry Server v4.2 & prior, Clinical Information Center (CIC) Versions 4.X…
CVE-2014-9199 — CVSS 10.0 (critical): The Clorius Controls Java web client before 01.00.0009g allows remote attackers to discover credentials by sniffing the network for…
CVE-2018-25272 — CVSS 9.8 (critical): ELBA5 5.8.0 contains a remote code execution vulnerability that allows attackers to obtain database credentials and execute arbitrary…
CVE-2022-24116 — CVSS 9.8 (critical): Certain General Electric Renewable Energy products have inadequate encryption strength. This affects iNET and iNET II before 8.3.0.
CVE-2022-3273 — CVSS 9.8 (critical): Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.5.0a4.
CVE-2022-36555 — CVSS 9.8 (critical): Hytec Inter HWL-2511-SS v1.05 and below implements a SHA512crypt hash for the root account which can be easily cracked via a brute-force…
CVE-2022-30285 — CVSS 9.8 (critical): In Quest KACE Systems Management Appliance (SMA) through 12.0, a hash collision is possible during authentication. This may allow…
CVE-2020-10275 — CVSS 9.8 (critical): The access tokens for the REST API are directly derived from the publicly available default credentials for the web interface. Given a…
CVE-2011-4121 — CVSS 9.8 (critical): The OpenSSL extension of Ruby (Git trunk) versions after 2011-09-01 up to 2011-11-03 always generated an exponent value of '1' to be used…
CVE-2019-15806 — CVSS 9.8 (critical): CommScope ARRIS TR4400 devices with firmware through A1.00.004-180301 are vulnerable to an authentication bypass to the administrative…
CVE-2019-15805 — CVSS 9.8 (critical): CommScope ARRIS TR4400 devices with firmware through A1.00.004-180301 are vulnerable to an authentication bypass to the administrative…
CVE-2018-20810 — CVSS 9.8 (critical): Session data between cluster nodes during cluster synchronization is not properly encrypted in Pulse Secure Pulse Connect Secure (PCS)…
CVE-2019-10907 — CVSS 9.8 (critical): Airsonic 10.2.1 uses Spring's default remember-me mechanism based on MD5, with a fixed key of airsonic in GlobalSecurityConfig.java. An…
CVE-2018-0448 — CVSS 9.8 (critical): A vulnerability in the identity management service of Cisco Digital Network Architecture (DNA) Center could allow an unauthenticated…
CVE-2018-15124 — CVSS 9.8 (critical): Weak hashing algorithm in Zipato Zipabox Smart Home Controller BOARD REV - 1 with System Version -118 allows unauthenticated attacker…
CVE-2018-7242 — CVSS 9.8 (critical): Vulnerable hash algorithms exists in Schneider Electric's Modicon Premium, Modicon Quantum, Modicon M340, and BMXNOR0200 controllers in all…
CVE-2015-0575 — CVSS 9.8 (critical): In all Qualcomm products with Android releases from CAF using the Linux kernel, insecure ciphersuites were included in the default…
CVE-2014-9975 — CVSS 9.8 (critical): In all Qualcomm products with Android releases from CAF using the Linux kernel, a rollback vulnerability potentially exists in Full Disk…
CVE-2017-7905 — CVSS 9.8 (critical): A Weak Cryptography for Passwords issue was discovered in General Electric (GE) Multilin SR 750 Feeder Protection Relay, firmware versions…
CVE-2017-7903 — CVSS 9.8 (critical): A Weak Password Requirements issue was discovered in Rockwell Automation Allen-Bradley MicroLogix 1100 programmable-logic controllers…
CVE-2017-7888 — CVSS 9.8 (critical): Dolibarr ERP/CRM 4.0.4 stores passwords with the MD5 algorithm, which makes brute-force attacks easier.
CVE-2017-8076 — CVSS 9.8 (critical): On the TP-Link TL-SG108E 1.0, admin network communications are RC4 encoded, even though RC4 is deprecated. This affects the 1.1.2 Build…
CVE-2016-5804 — CVSS 9.8 (critical): Moxa MGate MB3180 before 1.8, MGate MB3280 before 2.7, MGate MB3480 before 2.6, MGate MB3170 before 2.5, and MGate MB3270 before 2.7 use…
CVE-2025-2516: The use of a weak cryptographic key pair in the signature verification process in WPS Office (Kingsoft) on Windows allows an attacker who…
CVE-2013-0764 — CVSS 9.3 (critical): The nsSOCKSSocketInfo::ConnectToProxy function in Mozilla Firefox before 18.0, Firefox ESR 17.x before 17.0.2, Thunderbird before 17.0.2…
CVE-2026-45787 — CVSS 9.1 (critical): electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to 3.9.5, deterministic AES-192-CBC with a…
CVE-2025-45765 — CVSS 9.1 (critical): ruby-jwt v3.0.0.beta1 was discovered to contain weak encryption. NOTE: the Supplier's perspective is "keysize is not something that is…
CVE-2025-7398 — CVSS 9.1 (critical): Brocade ASCG before 3.3.0 allows for the use of medium strength cryptography algorithms on internal ports ports 9000 and 8036.
CVE-2023-27987 — CVSS 9.1 (critical): In Apache Linkis <=1.3.1, due to the default token generated by Linkis Gateway deployment being too simple, it is easy for attackers to…
CVE-2017-16726 — CVSS 9.1 (critical): Beckhoff TwinCAT supports communication over ADS. ADS is a protocol for industrial automation in protected environments. ADS has not been…
CVE-2017-14090 — CVSS 9.1 (critical): A vulnerability in Trend Micro ScanMail for Exchange 12.0 exists in which some communications to the update servers are not encrypted.
CVE-2017-7229 — CVSS 9.1 (critical): PGP/MIME encrypted messages injected into a Vaultive O365 (before 4.5.21) frontend via IMAP or SMTP have their Content-Type changed from…
CVE-2016-9121 — CVSS 9.1 (critical): go-jose before 1.0.4 suffers from an invalid curve attack for the ECDH-ES algorithm. When deriving a shared key using ECDH-ES for an…
CVE-2026-41860 — CVSS 8.8 (high): CWE-326 in BOSH allows a local attacker to steal Basic-auth credentials or redirect UAA token requests via MITM. HttpRequestHelper#create_as…
CVE-2024-45394 — CVSS 8.8 (high): Authenticator is a browser extension that generates two-step verification codes. In versions 7.0.0 and below, encryption keys for user data…
CVE-2022-21139 — CVSS 8.8 (high): Inadequate encryption strength for some Intel(R) PROSet/Wireless WiFi products may allow an unauthenticated user to potentially enable…
CVE-2022-26307 — CVSS 8.8 (high): LibreOffice supports the storage of passwords for web connections in the user’s configuration database. The stored passwords are…
CVE-2020-35221 — CVSS 8.8 (high): The hashing algorithm implemented for NSDP password authentication on NETGEAR JGS516PE/GS116Ev2 v2.6.0.43 devices was found to be insecure…
CVE-2020-5763 — CVSS 8.8 (high): Grandstream HT800 series firmware version 1.0.17.5 and below contain a backdoor in the SSH service. An authenticated remote attacker can…
CVE-2017-1701 — CVSS 8.8 (high): IBM Team Concert (RTC) 5.0, 5.0.1, 5.0.2, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, and 6.0.5 stores credentials for users using a weak encryption…