VYPR

CWE-327

Use of a Broken or Risky Cryptographic Algorithm

Class · Draft · Likelihood: High

Description

The product uses a broken or risky cryptographic algorithm or protocol.

Hierarchy (View 1000)

Related attack patterns (CAPEC)

CAPEC-20 · CAPEC-459 · CAPEC-473 · CAPEC-475 · CAPEC-608 · CAPEC-614 · CAPEC-97

CVEs mapped to this weakness (257)

page 10 of 13
  • CVE-2026-27804 · Feb 25, 2026
    risk 0.00 · cvss · epss 0.00

    Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.3 and 9.1.1-alpha.4, an unauthenticated attacker can forge a Google authentication token with `alg: "none"` to log in as any user linked to a Google…

  • CVE-2026-24785 · Jan 27, 2026
    risk 0.00 · cvss · epss 0.00

    Clatter is a no_std compatible, pure Rust implementation of the Noise protocol framework with post-quantum support. Versions prior to 2.2.0 have a protocol compliance vulnerability. The library allowed post-quantum handshake patterns that violated the PSK validity rule (Noise…

  • CVE-2025-68702 · Jan 13, 2026
    risk 0.00 · cvss · epss 0.00

    Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, Jervis uses padLeft(32, '0') when it should use padLeft(64, '0') because SHA-256 produces 32 bytes which equates to 64 hex characters. This vulnerability is fixed in 2.2.

  • CVE-2025-68701 · Jan 13, 2026
    risk 0.00 · cvss · epss 0.00

    Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, Jervis uses deterministic AES IV derivation from a passphrase. This vulnerability is fixed in 2.2.

  • CVE-2025-68931 · Jan 13, 2026
    risk 0.00 · cvss · epss 0.00

    Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, AES/CBC/PKCS5Padding lacks authentication, making it vulnerable to padding oracle attacks and ciphertext manipulation. This vulnerability is fixed in 2.2.

  • CVE-2025-68698 · Jan 13, 2026
    risk 0.00 · cvss · epss 0.00

    Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, Jervis uses PKCS1Encoding which is vulnerable to Bleichenbacher padding oracle attacks. Modern systems should use OAEP (Optimal Asymmetric Encryption Padding). This vulnerability…

  • CVE-2025-54981 · Dec 12, 2025
    risk 0.00 · cvss · epss 0.00

    Weak Encryption Algorithm in StreamPark. The use of an AES cipher in ECB mode and a weak random number generator for encrypting sensitive data, including JWT tokens, may have risked exposing sensitive authentication data. This issue affects Apache StreamPark: from 2.0.0 before…

  • CVE-2024-55885 · Dec 12, 2024
    risk 0.00 · cvss · epss 0.00

    beego is an open-source web framework for the Go programming language. Versions of beego prior to 2.3.4 use MD5 as a hashing algorithm. MD5 is no longer considered secure against well-funded opponents due to its vulnerability to collision attacks. Version 2.3.4 replaces MD5 with…

  • CVE-2024-51478 · Oct 31, 2024
    risk 0.00 · cvss · epss 0.00

    YesWiki is a wiki system written in PHP. Prior to 4.4.5, the use of a weak cryptographic algorithm and a hard-coded salt to hash the password reset key allows it to be recovered and used to reset the password of any account. This issue is fixed in 4.4.5.

  • CVE-2024-33662 · Oct 2, 2024
    risk 0.00 · cvss · epss 0.00

    Portainer before 2.20.2 improperly uses an encryption algorithm in the AesEncrypt function.

  • CVE-2024-41270 · Aug 6, 2024
    risk 0.00 · cvss · epss 0.00

    An issue discovered in the RunHTTPServer function in Gorush v1.18.4 allows attackers to intercept and manipulate data due to use of a deprecated TLS version.

  • CVE-2024-40465 · Jul 31, 2024
    risk 0.00 · cvss · epss 0.00

    An issue in beego v.2.2.0 and before allows a remote attacker to escalate privileges via the getCacheFileName function in the file.go file.

  • CVE-2024-37568 · Jun 9, 2024
    risk 0.00 · cvss · epss 0.00

    lepture Authlib before 1.3.1 has algorithm confusion with asymmetric public keys. Unless an algorithm is specified in a jwt.decode call, HMAC verification is allowed with any asymmetric public key. (This is similar to CVE-2022-29217 and CVE-2024-33663.)

  • CVE-2024-31989 · May 21, 2024
    risk 0.00 · cvss · epss 0.01

    Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. It has been discovered that an unprivileged pod in a different namespace on the same cluster could connect to the Redis server on port 6379. Despite having installed the latest version of the VPC CNI…

  • CVE-2024-33663 · Apr 25, 2024
    risk 0.00 · cvss · epss 0.00

    python-jose through 3.3.0 has algorithm confusion with OpenSSH ECDSA keys and other key formats. This is similar to CVE-2022-29217.

  • CVE-2024-24559 · Feb 5, 2024
    risk 0.00 · cvss · epss 0.00

    Vyper is a Pythonic Smart Contract Language for the EVM. There is an error in the stack management when compiling the `IR` for `sha3_64`. Concretely, the `height` variable is miscalculated. The vulnerability can't be triggered without writing the `IR` by hand (that is, it cannot…

  • CVE-2023-51838 · Feb 2, 2024
    risk 0.00 · cvss · epss 0.01

    Ylianst MeshCentral 1.1.16 suffers from Use of a Broken or Risky Cryptographic Algorithm.

  • CVE-2023-51839 · Jan 29, 2024
    risk 0.00 · cvss · epss 0.00

    DeviceFarmer stf v3.6.6 suffers from Use of a Broken or Risky Cryptographic Algorithm.

  • CVE-2024-22192 · Jan 16, 2024
    risk 0.00 · cvss · epss 0.00

    Ursa is a cryptographic library for use with blockchains. The revocation scheme that is part of the Ursa CL-Signatures implementations has a flaw that could impact the privacy guarantees defined by the AnonCreds verifiable credential model. Notably, a malicious verifier may be…

  • CVE-2024-21670 · Jan 16, 2024
    risk 0.00 · cvss · epss 0.00

    Ursa is a cryptographic library for use with blockchains. The revocation schema that is part of the Ursa CL-Signatures implementations has a flaw that could impact the privacy guarantees defined by the AnonCreds verifiable credential model, allowing a malicious holder of a…