CVE-2025-52026
BaseFortify

Publication date: 2026-01-23

Last updated on: 2026-02-12

Assigner: MITRE

Description
An information disclosure vulnerability exists in the /srvs/membersrv/getCashiers endpoint of the Aptsys gemscms backend platform through 2025-05-28. This unauthenticated endpoint returns a list of cashier accounts, including names, email addresses, usernames, and passwords hashed using MD5. As MD5 is a broken cryptographic function, the hashes can be easily reversed using public tools, exposing user credentials in plaintext. This allows remote attackers to perform unauthorized logins and potentially gain access to sensitive POS operations or backend functions.
Meta Information
Published: 2026-01-23
Last Modified: 2026-02-12
Generated: 2026-06-16
AI Q&A: 2026-01-23
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 1 associated CPE
Vendor: aptsys
Product: gemscms_backend
Version / Range: to 2025-05-28 (inc)
CWE
CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-327: The product uses a broken or risky cryptographic algorithm or protocol.
Executive Summary

This vulnerability is an information disclosure issue in the /srvs/membersrv/getCashiers endpoint of the Aptsys gemscms backend platform. The endpoint is unauthenticated and returns a list of cashier accounts including sensitive information such as names, email addresses, usernames, and passwords hashed with MD5. Since MD5 is a weak cryptographic function, the password hashes can be easily reversed using public tools, exposing the plaintext passwords to attackers.

Impact Analysis

An attacker can exploit this vulnerability to obtain plaintext credentials of cashier accounts by reversing the weak MD5 password hashes. This allows unauthorized logins, potentially giving attackers access to sensitive point-of-sale operations or backend functions, which could lead to data theft, fraud, or further compromise of the system.
