CWE-328
Use of Weak Hash
BaseDraft
Description
The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack).
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-461 · CAPEC-68
CVEs mapped to this weakness (29)
page 2 of 2| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2024-34914 | Med | 0.27 | 5.3 | 0.00 | May 14, 2024 | php-censor v2.1.4 and fixed in v.2.1.5 was discovered to utilize a weak hashing algorithm for its remember_key value. This allows attackers to bruteforce to bruteforce the remember_key value to gain access to accounts that have checked "remember me" when logging in. | |
| CVE-2026-44582 | Low | 0.24 | 3.7 | 0.00 | May 13, 2026 | Next.js is a React framework for building full-stack web applications. From 13.4.6 to before 15.5.16 and 16.2.5, React Server Component responses can be vulnerable to cache poisoning in deployments that rely on shared caches with insufficient response partitioning. In affected conditions, collisions in the _rsc cache-busting value can allow an attacker to poison cache entries so users receive the wrong response variant for a given URL. This vulnerability is fixed in 15.5.16 and 16.2.5. | |
| CVE-2026-7103 | Low | 0.24 | 3.7 | 0.00 | Apr 27, 2026 | A vulnerability was determined in code-projects Chat System 1.0. Affected is an unknown function of the file update_user.php of the component MD5 Hash Handler. This manipulation of the argument Password causes use of weak hash. The attack is possible to be carried out remotely. The attack's complexity is rated as high. The exploitability is told to be difficult. The exploit has been publicly disclosed and may be utilized. | |
| CVE-2025-14636 | Low | 0.24 | 3.7 | 0.00 | Dec 13, 2025 | A security flaw has been discovered in Tenda AX9 22.03.01.46. This affects the function image_check of the component httpd. The manipulation results in use of weak hash. It is possible to launch the attack remotely. A high complexity level is associated with this attack. It is indicated that the exploitability is difficult. The exploit has been released to the public and may be used for attacks. | |
| CVE-2025-8260 | Low | 0.20 | 3.1 | 0.00 | Jul 28, 2025 | A security flaw has been discovered in Vaelsys VaelsysV4 up to 5.1.0/5.4.0. This affects an unknown part of the file /grid/vgrid_server.php of the component Web interface. Performing a manipulation of the argument xajaxargs results in use of weak hash. The attack is possible to be carried out remotely. The complexity of an attack is rather high. It is indicated that the exploitability is difficult. The exploit has been released to the public and may be used for attacks. Upgrading to version 5.1.1 and 5.4.1 is able to mitigate this issue. Upgrading the affected component is recommended. | |
| CVE-2026-7845 | Low | 0.17 | 2.6 | 0.00 | May 5, 2026 | A flaw has been found in chatchat-space Langchain-Chatchat up to 0.3.1.3. This issue affects the function PIL.Image.tobytes of the file libs/chatchat-server/chatchat/webui_pages/dialogue/dialogue.py of the component Vision Chat Paste Image Handler. This manipulation of the argument paste_image.image_data causes use of weak hash. The attacker needs to be present on the local network. The attack is considered to have high complexity. The exploitability is assessed as difficult. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet. | |
| CVE-2025-9383 | Low | 0.16 | 2.5 | 0.00 | Aug 24, 2025 | A security vulnerability has been detected in FNKvision Y215 CCTV Camera 10.194.120.40. This issue affects the function crypt of the file /etc/passwd. The manipulation leads to use of weak hash. The attack can only be performed from a local environment. The complexity of an attack is rather high. The exploitability is assessed as difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |
| CVE-2025-2920 | Low | 0.13 | 2.0 | 0.00 | Mar 28, 2025 | A vulnerability was found in Netis WF-2404 1.1.124EN. It has been rated as problematic. This issue affects some unknown processing of the file /еtc/passwd. The manipulation leads to use of weak hash. It is possible to launch the attack on the physical device. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | |
| CVE-2025-11650 | Low | 0.12 | 1.8 | 0.00 | Oct 12, 2025 | A vulnerability was determined in Tomofun Furbo 360 and Furbo Mini. The impacted element is an unknown function of the file /etc/shadow of the component Password Handler. Executing manipulation can lead to use of weak hash. The physical device can be targeted for the attack. The attack requires a high level of complexity. The exploitability is regarded as difficult. The exploit has been publicly disclosed and may be utilized. The firmware versions determined to be affected are Furbo 360 up to FB0035_FW_036 and Furbo Mini up to MC0020_FW_074. The vendor was contacted early about this disclosure but did not respond in any way. |