CVE-2026-25861

Published: Giu 03, 2026 Last Modified: Giu 03, 2026
ExploitDB:
Other exploit source:
Google Dorks:
HIGH 8,2
Source: [email protected]
Attack Vector: network
Attack Complexity: high
Privileges Required: none
User Interaction: none
Confidentiality: N/A
Integrity: N/A
Availability: N/A
MEDIUM 5,9
Source: [email protected]
Attack Vector: network
Attack Complexity: high
Privileges Required: none
User Interaction: none
Scope: unchanged
Confidentiality: high
Integrity: none
Availability: none

Description

AI Translation Available

QloApps through 1.7.0, fixed in commit 64e9722, contains a weak cryptographic algorithm vulnerability that allows attackers to compromise user credentials by exploiting the use of MD5 for password hashing in the Tools::encrypt() function within classes/Tools.php, which concatenates a static cookie key with the supplied password. Attackers can perform offline brute-force attacks against the MD5 hashes, with the risk compounded by auto-generated 8-character passwords assigned during guest-to-customer account conversion in classes/Customer.php, making credential recovery trivial.

916

Use of Password Hash With Insufficient Computational Effort

Incomplete
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Access Control
Potential Impacts:
Bypass Protection Mechanism Gain Privileges Or Assume Identity
Applicable Platforms
All platforms may be affected
View CWE Details
https://github.com/Qloapps/QloApps/commit/64e9722e7e6a8fda7…
https://github.com/Qloapps/QloApps/commit/64e9722e7e6a8fda77dd53964d988fb6b5c3d…
https://github.com/Qloapps/QloApps/pull/1689
https://github.com/Qloapps/QloApps/pull/1689
https://www.vulncheck.com/advisories/qloapps-weak-password-…
https://www.vulncheck.com/advisories/qloapps-weak-password-hashing-via-md5-in-t…