CVE-2026-25861
Weak Cryptographic Hashing in QloApps Allows Credential Compromise
Publication date: 2026-06-02
Last updated on: 2026-06-02
Assigner: VulnCheck
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| qloapps | qloapps | up to and including 1.7.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-916 | The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in QloApps through version 1.7.0 and involves the use of a weak cryptographic algorithm, MD5, for password hashing in the Tools::encrypt() function. The function concatenates a static cookie key with the supplied password and hashes the result with MD5. Because MD5 is a fast hash that was never designed for password storage, an attacker who obtains the stored hashes can perform offline brute-force attacks to recover user credentials. The risk is increased by the fact that guest-to-customer account conversions generate auto-created 8-character passwords, which are easier to guess and recover.
How can this vulnerability impact me?
This vulnerability can lead to the compromise of user credentials. Attackers can exploit the weak MD5 hashing to perform offline brute-force attacks and recover passwords, especially since some passwords are auto-generated and relatively short. This can result in unauthorized access to user accounts, potentially leading to data breaches or misuse of user information.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability is caused by the use of the weak MD5 hashing algorithm for password hashing in QloApps through version 1.7.0.
Immediate mitigation involves updating QloApps to a version that includes the fix from commit 64e9722, which replaces the weak cryptographic algorithm.
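The weak scheme described above, placed beside a hardened replacement with a transparent upgrade path for existing records, as an added illustration written for this page. It is not QloApps code and not the change in commit 64e9722; the COOKIE_KEY value and the function names are constructed placeholders.

```php
<?php
// Constructed placeholder standing in for the installation's static cookie key.
const COOKIE_KEY = 'PLACEHOLDER-STATIC-COOKIE-KEY';

// Weak pattern (the shape described on the page): one fast MD5 over a key that
// is the same for every account, concatenated with the password. There is no
// per-user salt and no work factor, so stored hashes are cheap to attack offline.
function weak_encrypt(string $passwd): string {
    return md5(COOKIE_KEY . $passwd);
}

// Hardened replacement: a slow, per-user-salted password hash. password_hash()
// generates and embeds a random salt and encodes the algorithm and cost in the
// output, so the stored string is self-describing.
function hardened_hash(string $passwd): string {
    return password_hash($passwd, PASSWORD_DEFAULT, ['cost' => 12]);
}

// Login-time verification that also migrates legacy records: a record in the
// old 32-hex-character MD5 form is checked once and, on success, replaced by
// a hardened hash, so existing users are upgraded without a forced reset.
// $stored is passed by reference so the caller can persist the new value.
function verify_and_upgrade(string $passwd, string &$stored): bool {
    if (preg_match('/^[0-9a-f]{32}$/', $stored)) {
        // Legacy record: compare in constant time, then upgrade.
        if (!hash_equals($stored, weak_encrypt($passwd))) {
            return false;
        }
        $stored = hardened_hash($passwd);
        return true;
    }
    if (!password_verify($passwd, $stored)) {
        return false;
    }
    // Re-hash if the stored record was produced with an older algorithm or cost.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT, ['cost' => 12])) {
        $stored = hardened_hash($passwd);
    }
    return true;
}

// Usage: a legacy record is accepted once and comes back in hardened form.
$record = weak_encrypt('correct horse');                 // legacy MD5 record
$ok = verify_and_upgrade('correct horse', $record);      // true, $record now bcrypt
$bad = verify_and_upgrade('wrong guess', $record);       // false, $record unchanged
var_dump($ok, $bad, str_starts_with($record, '$2y$'));
```

Persisting the updated $record after a successful login is what completes the migration; records that are never used again can be expired by an administrator-driven reset.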