VYPR

CWE-326

Inadequate Encryption Strength

ClassDraft

Description

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

A weak encryption scheme can be subjected to brute force attacks that have a reasonable chance of succeeding using current attack methods and resources.

Hierarchy (View 1000)

Parents

Children

Related attack patterns (CAPEC)

CAPEC-112 · CAPEC-192 · CAPEC-20

CVEs mapped to this weakness (194)

page 2 of 10
  • CVE-2014-0224HigJun 5, 2014
    risk 0.59cvss 7.4epss 0.95

    OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCipherSpec messages, which allows man-in-the-middle attackers to trigger use of a zero-length master key in certain OpenSSL-to-OpenSSL communications, and…

  • CVE-2026-44523CriMay 14, 2026
    risk 0.58cvss 10.0epss 0.00

    Note Mark is an open-source note-taking application. Prior to 0.19.4, no minimum length or entropy is enforced on the JWT_SECRET configuration value. The application accepts any base64-decodable secret regardless of size, including secrets as short as 1 byte. This vulnerability…

  • CVE-2026-41860HigJun 4, 2026
    risk 0.57cvss 8.8epss 0.00

    CWE-326 in BOSH allows a local attacker to steal Basic-auth credentials or redirect UAA token requests via MITM. HttpRequestHelper#create_async_endpoint and #send_http_get_request_synchronous hard-code OpenSSL::SSL::VERIFY_NONE, enabling an attacker to intercept traffic between…

  • CVE-2026-5363HigApr 16, 2026
    risk 0.57cvss 8.8epss 0.00

    Inadequate Encryption Strength vulnerability in TP-Link Archer C7 v5 and v5.8 (uhttpd modules) allows Password Recovery Exploitation. The web interface encrypts the admin password client-side using RSA-1024 before sending it to the router during login.  An adjacent attacker…

  • CVE-2017-1701HigApr 23, 2018
    risk 0.57cvss 8.8epss 0.01

    IBM Team Concert (RTC) 5.0, 5.0.1, 5.0.2, 6.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, and 6.0.5 stores credentials for users using a weak encryption algorithm, which could allow an authenticated user to obtain highly sensitive information. IBM X-Force ID: 134393.

  • CVE-2017-17436HigDec 7, 2017
    risk 0.57cvss 8.8epss 0.00

    An issue was discovered in the software on Vaultek Gun Safe VT20i products. There is no encryption of the session between the Android application and the safe. The website and marketing materials advertise that this communication channel is encrypted with "Highest Level…

  • CVE-2016-2379HigMar 29, 2017
    risk 0.57cvss 8.8epss 0.00

    The Mxit protocol uses weak encryption when encrypting user passwords, which might allow attackers to (1) decrypt hashed passwords by leveraging knowledge of client registration codes or (2) gain login access by eavesdropping on login messages and re-using the hashed passwords.

  • CVE-2024-21881HigAug 12, 2024
    risk 0.56cvss epss 0.00

    Inadequate Encryption Strength vulnerability allow an authenticated attacker to execute arbitrary OS Commands via encrypted package upload.This issue affects Envoy: 4.x and 5.x

  • CVE-2001-1546HigDec 31, 2001
    risk 0.54cvss 7.8epss 0.00

    Pathways Homecare 6.5 uses weak encryption for user names and passwords, which allows local users to gain privileges by recovering the passwords from the pwhc.ini file.

  • CVE-2024-50550HigOct 29, 2024
    risk 0.53cvss 8.1epss 0.01

    Incorrect Privilege Assignment vulnerability in LiteSpeed Technologies LiteSpeed Cache litespeed-cache allows Privilege Escalation.This issue affects LiteSpeed Cache: from n/a through <= 6.5.1.

  • CVE-2017-3971HigApr 4, 2018
    risk 0.53cvss 8.2epss 0.00

    Cryptanalysis vulnerability in the web interface in McAfee Network Security Management (NSM) before 8.2.7.42.2 allows attackers to view confidential information via insecure use of RC4 encryption cyphers.

  • CVE-2017-14262HigSep 11, 2017
    risk 0.53cvss 8.1epss 0.04

    On Samsung NVR devices, remote attackers can read the MD5 password hash of the 'admin' account via certain szUserName JSON data to cgi-bin/main-cgi, and login to the device with that hash in the szUserPasswd parameter.

  • CVE-2016-10103HigJan 23, 2017
    risk 0.53cvss 8.1epss 0.00

    Information Disclosure can occur in encryptionProfiles.jsd in Hitek Software's Automize because of the Read attribute being set for Users. This allows an attacker to recover encrypted passwords for GPG Encryption profiles. Verified in all 10.x versions up to and including 10.25,…

  • CVE-2016-10102HigJan 23, 2017
    risk 0.53cvss 8.1epss 0.00

    hitek.jar in Hitek Software's Automize uses weak encryption when encrypting SSH/SFTP and Encryption profile passwords. This allows an attacker to retrieve the encrypted passwords from sshProfiles.jsd and encryptionProfiles.jsd and decrypt them to recover cleartext passwords. All…

  • CVE-2016-10101HigJan 23, 2017
    risk 0.53cvss 8.1epss 0.01

    Information Disclosure can occur in Hitek Software's Automize 10.x and 11.x passManager.jsd. Users have the Read attribute, which allows an attacker to recover the encrypted password to access the Password Manager.

  • CVE-2026-45787CriMay 28, 2026
    risk 0.52cvss 9.1epss 0.00

    electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to 3.9.5, deterministic AES-192-CBC with a fixed zero IV, constant KDF salt, and no MAC leads to confidentiality and integrity failures for synced bookmark/profile data. Attackers can…

  • CVE-2026-44351CriMay 13, 2026
    risk 0.52cvss 9.1epss 0.00

    fast-jwt provides fast JSON Web Token (JWT) implementation. Prior to 6.2.4, a critical authentication-bypass vulnerability in fast-jwt's async key-resolver flow allows any unauthenticated attacker to forge arbitrary JWTs that are accepted as authentic. When the application's key…

  • CVE-2016-9121CriMar 28, 2017
    risk 0.52cvss 9.1epss 0.01

    go-jose before 1.0.4 suffers from an invalid curve attack for the ECDH-ES algorithm. When deriving a shared key using ECDH-ES for an encrypted message, go-jose neglected to check that the received public key on a message is on the same curve as the static private key of the…

  • CVE-2004-2172HigDec 31, 2004
    risk 0.52cvss 7.5epss 0.07

    EarlyImpact ProductCart uses a weak encryption scheme to encrypt passwords, which allows remote attackers to obtain the password via a chosen plaintext attack.

  • CVE-2002-1910HigDec 31, 2002
    risk 0.52cvss 7.5epss 0.03

    Click2Learn Ingenium Learning Management System 5.1 and 6.1 uses weak encryption for passwords (reversible algorithm), which allows attackers to obtain passwords.