
CVE-2026-25861

· Published 02/06/2026 23:16 · Modified 02/06/2026 23:16

Labels: CVE-2026-25861, 2026-06-02, CWE-916, [email protected]

Essential information

Published: 02/06/2026 23:16
Modified: 02/06/2026 23:16
Author: Creator
CVSS: 8.2 HIGH (v3), 8.2 HIGH (v4.0)
CISA KEV: No
CWE: CWE-916
CVSS vector:

CVSS metrics

Description

QloApps through 1.7.0, fixed in commit 64e9722, contains a weak cryptographic algorithm vulnerability that allows attackers to compromise user credentials by exploiting the use of MD5 for password hashing in the Tools::encrypt() function within classes/Tools.php, which concatenates a static cookie key with the supplied password. Attackers can perform offline brute-force attacks against the MD5 hashes, with the risk compounded by auto-generated 8-character passwords assigned during guest-to-customer account conversion in classes/Customer.php, making credential recovery trivial.
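The weakness described above is a fast, unsalted digest over a static key plus the password, so every hash can be attacked offline at MD5 speed. The following PHP is an added illustration written for this page, not QloApps code: it places that weak construction next to PHP's built-in password_hash()/password_verify() (bcrypt with a per-user random salt and a tunable cost), shows how to detect legacy 32-hex-character digests so they can be transparently rehashed on a user's next successful login, and replaces the short auto-generated temporary password with a longer one from a CSPRNG. The constant LEGACY_COOKIE_KEY and all function names are assumptions for the example.

```php
<?php
// Added example for this advisory; not QloApps' own code.
// Constructed placeholder standing in for an application's static cookie key.
const LEGACY_COOKIE_KEY = 'EXAMPLE_STATIC_COOKIE_KEY';
const BCRYPT_COST = 12;

// Weak scheme as described in the advisory: deterministic, unsalted, and fast,
// so stolen digests can be guessed offline at full MD5 speed.
function legacy_hash(string $password): string {
    return md5(LEGACY_COOKIE_KEY . $password);
}

// Hardened replacement: bcrypt generates a random per-user salt and the cost
// factor makes each guess deliberately slow.
function secure_hash(string $password): string {
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// Legacy digests are exactly 32 hex characters; modular-crypt bcrypt strings
// start with "$2y$" and are longer, so the two are easy to tell apart.
function looks_like_legacy_hash(string $stored): bool {
    return (bool) preg_match('/^[0-9a-f]{32}$/i', $stored);
}

// Verify a login against either format. When a legacy digest verifies, return
// a fresh bcrypt hash so the caller can persist it and retire the MD5 value.
function verify_and_migrate(string $password, string $stored): array {
    if (looks_like_legacy_hash($stored)) {
        // hash_equals() compares in constant time to avoid timing leaks.
        $ok = hash_equals($stored, legacy_hash($password));
        return ['ok' => $ok, 'rehash' => $ok ? secure_hash($password) : null];
    }
    $ok = password_verify($password, $stored);
    $needs = $ok && password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    return ['ok' => $ok, 'rehash' => $needs ? secure_hash($password) : null];
}

// Temporary passwords handed out during account conversion should come from a
// CSPRNG and be long enough that offline guessing is impractical; 20 characters
// from a 62-symbol alphabet gives roughly 119 bits of entropy.
function generate_temporary_password(int $length = 20): string {
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $max = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $max)];
    }
    return $out;
}

// Usage: a stored legacy digest verifies once and is replaced by bcrypt;
// the bcrypt value then verifies on its own and needs no further migration.
$password = generate_temporary_password();
$stored   = legacy_hash($password);               // what a legacy row holds
$first    = verify_and_migrate($password, $stored);
if ($first['ok'] && $first['rehash'] !== null) {
    $stored = $first['rehash'];                   // persist this in place of the MD5
}
$second = verify_and_migrate($password, $stored);
var_dump($first['ok'], looks_like_legacy_hash($stored), $second['ok'], $second['rehash']);
```

The migration path matters as much as the new algorithm: existing MD5 rows cannot be converted without the plaintext, so the rehash-on-login branch is what actually retires them, and any account that never logs in again should be forced through a password reset.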

NVD status

Status: Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product | CPE
qloapps / qloapps | cpe:2.3:a:qloapps:qloapps:1.7.0:*:*:*:*:*:*:*

References