VYPR

CWE-916

Use of Password Hash With Insufficient Computational Effort

Abstraction: Base | Status: Incomplete

Description

The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.

Hierarchy (View 1000)

Parents

Related attack patterns (CAPEC)

CAPEC-55

CVEs mapped to this weakness (44)

page 2 of 3
  • CVE-2026-25861 | Medium | Jun 2, 2026
    risk 0.31 | CVSS 5.9 | EPSS 0.00

    QloApps through 1.7.0, fixed in commit 64e9722, contains a weak cryptographic algorithm vulnerability that allows attackers to compromise user credentials by exploiting the use of MD5 for password hashing in the Tools::encrypt() function within classes/Tools.php, which…

  • CVE-2026-45027 | Medium | May 27, 2026
    risk 0.31 | CVSS 5.9 | EPSS 0.00

    WeGIA is a web manager for charitable institutions. In versions prior to 3.7.3, when a user logs in, html/login.php hashes the submitted password using PHP's hash() function with the SHA-256 algorithm and no salt before comparing it to the stored value. The password change flow…

  • CVE-2025-46413 | Medium | Nov 7, 2025
    risk 0.28 | CVSS 4.3 | EPSS 0.00

    Use of password hash with insufficient computational effort issue exists in BUFFALO Wi-Fi router 'WSR-1800AX4 series'. When WPS is enabled, PIN code and/or Wi-Fi password may be obtained by an attacker.

  • CVE-2025-53884 | Medium | Sep 17, 2025
    risk 0.27 | CVSS 5.3 | EPSS 0.00

    NeuVector stores user passwords and API keys using a simple, unsalted hash. This method is vulnerable to rainbow table attack (offline attack where hashes of known passwords are precomputed).

  • CVE-2026-56272 | Medium | Mar 5, 2026
    risk 0.26 | CVSS n/a | EPSS 0.00

    Description: The default bcrypt salt rounds is set to 5, which is below the recommended minimum for security. Affected Code: `export function getHash(value: string) { const salt = bcrypt.genSaltSync(parseInt(process.env.PASSWORD_SALT_HASH_ROUNDS || '5')) return…`

  • CVE-2025-27552 | Medium | Mar 26, 2025
    risk 0.26 | CVSS 4.0 | EPSS 0.00

    DBIx::Class::EncodedColumn uses the rand() function, which is not cryptographically secure, to salt password hashes. This vulnerability is associated with program files Crypt/Eksblowfish/Bcrypt.pm. This issue affects DBIx::Class::EncodedColumn until 0.00032.

  • CVE-2025-27551 | Medium | Mar 26, 2025
    risk 0.26 | CVSS 4.0 | EPSS 0.00

    DBIx::Class::EncodedColumn uses the rand() function, which is not cryptographically secure, to salt password hashes. This vulnerability is associated with program files lib/DBIx/Class/EncodedColumn/Digest.pm. This issue affects DBIx::Class::EncodedColumn until 0.00032.

  • CVE-2025-7789 | Low | Jul 18, 2025
    risk 0.17 | CVSS 3.7 | EPSS 0.00

    A vulnerability was found in Xuxueli xxl-job up to 3.1.1 and classified as problematic. Affected by this issue is the function makeToken of the file src/main/java/com/xxl/job/admin/controller/IndexController.java of the component Token Generation. The manipulation leads to…

  • CVE-2024-31464 | Apr 10, 2024
    risk 0.00 | CVSS n/a | EPSS 0.00

    XWiki Platform is a generic wiki platform. Starting in version 5.0-rc-1 and prior to versions 14.10.19, 15.5.4, and 15.9-rc-1, it is possible to access the hash of a password by using the diff feature of the history whenever the object storing the password is deleted. Using that…

  • CVE-2024-29886 | Mar 27, 2024
    risk 0.00 | CVSS n/a | EPSS 0.00

    Serverpod is an app and web server, built for the Flutter and Dart ecosystem. An issue was identified with the old password hash algorithm that made it susceptible to rainbow attacks if the database was compromised. This vulnerability is fixed by 1.2.6.

  • CVE-2024-25607 | Feb 20, 2024
    risk 0.00 | CVSS n/a | EPSS 0.00

    The default password hashing algorithm (PBKDF2-HMAC-SHA1) in Liferay Portal 7.2.0 through 7.4.3.15, and older unsupported versions, and Liferay DXP 7.4 before update 16, 7.3 before update 4, 7.2 before fix pack 17, and older unsupported versions defaults to a low work factor,…

  • CVE-2023-46233 | Oct 25, 2023
    risk 0.00 | CVSS n/a | EPSS 0.01

    crypto-js is a JavaScript library of crypto standards. Prior to version 4.2.0, crypto-js PBKDF2 is 1,000 times weaker than originally specified in 1993, and at least 1,300,000 times weaker than current industry standard. This is because it both defaults to SHA1, a cryptographic…

  • CVE-2023-46133 | Oct 25, 2023
    risk 0.00 | CVSS n/a | EPSS 0.00

    CryptoES is a cryptography algorithms library compatible with ES6 and TypeScript. Prior to version 2.1.0, CryptoES PBKDF2 is 1,000 times weaker than originally specified in 1993, and at least 1,300,000 times weaker than current industry standard. This is because it both defaults…

  • CVE-2023-41646 | Sep 7, 2023
    risk 0.00 | CVSS n/a | EPSS 0.00

    Buttercup v2.20.3 allows attackers to obtain the hash of the master password for the password manager via accessing the file /vaults.json.

  • CVE-2023-27580 | Mar 13, 2023
    risk 0.00 | CVSS n/a | EPSS 0.01

    CodeIgniter Shield provides authentication and authorization for the CodeIgniter 4 PHP framework. An improper implementation was found in the password storage process. All hashed passwords stored in Shield v1.0.0-beta.3 or earlier are easier to crack than expected due to the…

  • CVE-2022-36071 | Sep 2, 2022
    risk 0.00 | CVSS n/a | EPSS 0.00

    SFTPGo is a configurable SFTP server with optional HTTP/S, FTP/S and WebDAV support. SFTPGo WebAdmin and WebClient support login using TOTP (Time-based One Time Passwords) as a secondary authentication factor. Because TOTPs are often configured on mobile devices that can be lost,…

  • CVE-2022-31177 | Aug 1, 2022
    risk 0.00 | CVSS n/a | EPSS 0.01

    Flask-AppBuilder is an application development framework built on top of Flask python framework. In versions prior to 4.1.3 an authenticated Admin user could query other users by their salted and hashed passwords strings. These filters could be made by using partial hashed…

  • CVE-2022-1235 | Apr 5, 2022
    risk 0.00 | CVSS n/a | EPSS 0.01

    A weak secret hash can be brute-forced in the GitHub repository livehelperchat/livehelperchat prior to 3.96.

  • CVE-2021-39182 | Nov 8, 2021
    risk 0.00 | CVSS n/a | EPSS 0.01

    EnroCrypt is a Python module for encryption and hashing. Prior to version 1.1.4, EnroCrypt used the MD5 hashing algorithm in the hashing file. Beginners who are unfamiliar with hashes can face problems as MD5 is considered an insecure hashing algorithm. The vulnerability is…

  • CVE-2021-33563 | May 24, 2021
    risk 0.00 | CVSS n/a | EPSS 0.01

    Koel before 5.1.4 lacks login throttling, lacks a password strength policy, and shows whether a failed login attempt had a valid username. This might make brute-force attacks easier.