CVEs classified under CWE-328, ordered by CVSS severity, with EPSS exploit prediction and CISA KEV status.
CVEs (41)
CVE-2026-36182 — CVSS 9.8 (critical): GNCC GP5 v7.1.76 was discovered to utilize a weak hashing algorithm to protect the root password, possibly allowing attackers to obtain…
CVE-2020-37168 — CVSS 9.8 (critical): Ecommerce Systempay 1.0 contains a weak cryptographic implementation vulnerability that allows attackers to brute force the 16-character…
CVE-2025-41652 — CVSS 9.8 (critical): The devices are vulnerable to an authentication bypass due to flaws in the authorization mechanism. An unauthenticated remote attacker…
CVE-2025-27595 — CVSS 9.8 (critical): The device uses a weak hashing alghorithm to create the password hash. Hence, a matching password can be easily calculated by an attacker…
CVE-2022-45141 — CVSS 9.8 (critical): Since the Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability was disclosed by Microsoft on Nov 8 2022 and per RFC8429 it is…
CVE-2023-0452 — CVSS 9.8 (critical): Econolite EOS versions prior to 3.2.23 use a weak hash algorithm for encrypting privileged user credentials. A configuration file that is…
CVE-2024-54143: openwrt/asu is an image on demand server for OpenWrt based distributions. The request hashing mechanism truncates SHA-256 hashes to only 12…
CVE-2026-32129: soroban-poseidon provides Poseidon and Poseidon2 cryptographic hash functions for Soroban smart contracts. Poseidon V1 (PoseidonSponge)…
CVE-2024-48924: ### Impact When this library is used to deserialize messagepack data from an untrusted source, there is a risk of a denial of service…
CVE-2026-40164 — CVSS 7.5 (high): jq is a command-line JSON processor. Before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used MurmurHash3 with a hardcoded, publicly…
CVE-2025-47276 — CVSS 7.5 (high): Actualizer is a single shell script solution to allow developers and embedded engineers to create Debian operating systems (OS). Prior to…
CVE-2025-41256 — CVSS 7.4 (high): Cyberduck and Mountain Duck improper handle TLS certificate pinning for untrusted certificates (e.g., self-signed), since the certificate…
CVE-2026-45413: MaxKB is an open-source AI assistant for enterprise. Prior to 2.9.1, user passwords are stored using unsalted MD5 hashes, making them…
CVE-2025-21604: LangChain4j-AIDeepin is a Retrieval enhancement generation (RAG) project. Prior to 3.5.0, LangChain4j-AIDeepin uses MD5 to hash files…
CVE-2024-56516: free-one-api allows users to access large language model reverse engineering libraries through the standard OpenAI API format. In versions…
CVE-2024-23589 — CVSS 6.8 (medium): Due to outdated Hash algorithm, HCL Glovius Cloud could allow attackers to guess the input data using brute-force or dictionary attacks…
CVE-2025-31130 — CVSS 6.8 (medium): gitoxide is an implementation of git written in Rust. Before 0.42.0, gitoxide uses SHA-1 hash implementations without any collision…
CVE-2026-27754 — CVSS 6.5 (medium): SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 use the cryptographically broken MD5 hash function for session cookie…
CVE-2025-49197 — CVSS 6.5 (medium): The application uses a weak password hash function, allowing an attacker to crack the weak password hash to gain access to an FTP user…
CVE-2024-47829 — CVSS 6.5 (medium): pnpm is a package manager. Prior to version 10.0.0, the path shortening function uses the md5 function as a path shortening compression…
CVE-2025-41762 — CVSS 6.2 (medium): An unauthenticated attacker can abuse the weak hash of the backup generated by the wwwdnload.cgi endpoint to gain unauthorized access to…
CVE-2026-54266 — CVSS 6.1 (medium): Angular is a development platform for building mobile and desktop web applications using TypeScript/JavaScript and other languages. Prior…
CVE-2026-53692: Redeight CMS version 1.0 uses the MD5 algorithm without a salt to store user passwords. Because MD5 is a cryptographically broken algorithm…
CVE-2026-21717 — CVSS 5.9 (medium): A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially…
CVE-2025-3576 — CVSS 5.9 (medium): A vulnerability in the MIT Kerberos implementation allows GSSAPI-protected messages using RC4-HMAC-MD5 to be spoofed due to weaknesses in…
CVE-2025-0508 — CVSS 5.9 (medium): A vulnerability in the SageMaker Workflow component of aws/sagemaker-python-sdk allows for the possibility of MD5 hash collisions in all…
CVE-2025-54535 — CVSS 5.8 (medium): In JetBrains TeamCity before 2025.07 password reset and email verification tokens were using weak hashing algorithms
CVE-2026-10540 — CVSS 5.6 (medium): The Control-M/Enterprise Manager uses weak protections for stored hashes of account passwords, potentially allowing offline password…
CVE-2024-56414 — CVSS 5.5 (medium): Web installer integrity check used weak hash algorithm. The following products are affected: Acronis Cyber Protect 16 (Windows) before…
CVE-2026-34527 — CVSS 5.3 (medium): Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, SbieIniServer::HashPassword…
CVE-2025-59354 — CVSS 5.3 (medium): Dragonfly is an open source P2P-based file distribution and image acceleration system. Prior to 2.1.0, the DragonFly2 uses a variety of…
CVE-2024-34914 — CVSS 5.3 (medium): php-censor v2.1.4 and fixed in v.2.1.5 was discovered to utilize a weak hashing algorithm for its remember_key value. This allows attackers…
CVE-2024-8453 — CVSS 4.9 (medium): Certain switch models from PLANET Technology use an insecure hashing function to hash user passwords without being salted. Remote attackers…
CVE-2023-44319 — CVSS 4.9 (medium): A vulnerability has been identified in RUGGEDCOM RM1224 LTE(4G) EU (6GK6108-4AM00-2BA2) (All versions < V8.0), RUGGEDCOM RM1224 LTE(4G) NAM…
CVE-2026-13455 — CVSS 4.3 (medium): PostgreSQL Anonymizer contains a vulnerability that allows unprivileged masked users to repeatedly call the anon.hash() function and…
CVE-2026-44582 — CVSS 3.7 (low): Next.js is a React framework for building full-stack web applications. From 13.4.6 to before 15.5.16 and 16.2.5, React Server Component…
CVE-2025-48931 — CVSS 3.2 (low): The TeleMessage service through 2025-05-05 relies on MD5 for password hashing, which opens up various attack possibilities (including…
CVE-2026-48488: phpMyFAQ is an open source FAQ web application. Prior to version 4.1.4, attachment passwords are hashed using SHA-1, a cryptographically…
CVE-2024-52521 — CVSS 2.6 (low): Nextcloud Server is a self hosted personal cloud system. MD5 hashes were used to check background jobs for their uniqueness. This increased…