CVE-2026-25861
Deferred Deferred - Pending Action
Weak Cryptographic Hashing in QloApps Allows Credential Compromise

Publication date: 2026-06-02

Last updated on: 2026-06-02

Assigner: VulnCheck

Description
QloApps through 1.7.0, fixed in commit 64e9722, contains a weak cryptographic algorithm vulnerability that allows attackers to compromise user credentials by exploiting the use of MD5 for password hashing in the Tools::encrypt() function within classes/Tools.php, which concatenates a static cookie key with the supplied password. Attackers can perform offline brute-force attacks against the MD5 hashes, with the risk compounded by auto-generated 8-character passwords assigned during guest-to-customer account conversion in classes/Customer.php, making credential recovery trivial.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-02
Last Modified
2026-06-02
Generated
2026-06-24
AI Q&A
2026-06-03
EPSS Evaluated
2026-06-22
NVD
CVE-2026-25861
EUVD
EUVD-2026-34042
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
qloapps qloapps to 1.7.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-916 The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking attacks infeasible or expensive.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in QloApps through version 1.7.0 and involves the use of a weak cryptographic algorithm, MD5, for password hashing in the Tools::encrypt() function. The function concatenates a static cookie key with the supplied password before hashing. Because MD5 is weak, attackers can perform offline brute-force attacks to recover user credentials. The risk is increased by the fact that guest-to-customer account conversions generate auto-created 8-character passwords, making it easier for attackers to guess and recover passwords.

Impact Analysis

This vulnerability can lead to the compromise of user credentials. Attackers can exploit the weak MD5 hashing to perform offline brute-force attacks and recover passwords, especially since some passwords are auto-generated and relatively short. This can result in unauthorized access to user accounts, potentially leading to data breaches or misuse of user information.

Mitigation Strategies

The vulnerability is caused by the use of the weak MD5 hashing algorithm for password encryption in QloApps through version 1.7.0.

Immediate mitigation involves updating QloApps to a version that includes the fix from commit 64e9722, which replaces the weak cryptographic algorithm.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25861. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart