CWE-326
Allowed-with-ReviewInadequate Encryption Strength
Abstraction: Class · Status: Draft
The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
631 vulnerabilities reference this CWE, most recent first.
GHSA-CJQJ-G595-FH5J
Vulnerability from github – Published: 2022-05-24 16:59 – Updated: 2022-05-24 16:59Adobe Acrobat and Reader versions 2019.012.20034 and earlier; 2019.012.20035 and earlier versions; 2017.011.30142 and earlier versions; 2017.011.30143 and earlier versions; 2015.006.30497 and earlier versions; 2015.006.30498 and earlier versions have an Insufficiently Robust Encryption vulnerability. Successful exploitation could lead to Security feature bypass in the context of the current user.
{
"affected": [],
"aliases": [
"CVE-2019-8237"
],
"database_specific": {
"cwe_ids": [
"CWE-326",
"CWE-327"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-10-23T21:15:00Z",
"severity": "HIGH"
},
"details": "Adobe Acrobat and Reader versions 2019.012.20034 and earlier; 2019.012.20035 and earlier versions; 2017.011.30142 and earlier versions; 2017.011.30143 and earlier versions; 2015.006.30497 and earlier versions; 2015.006.30498 and earlier versions have an Insufficiently Robust Encryption vulnerability. Successful exploitation could lead to Security feature bypass in the context of the current user.",
"id": "GHSA-cjqj-g595-fh5j",
"modified": "2022-05-24T16:59:47Z",
"published": "2022-05-24T16:59:47Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-8237"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/acrobat/apsb19-41.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-CJR2-G7QM-XQ33
Vulnerability from github – Published: 2022-05-24 19:02 – Updated: 2022-05-24 19:02Password generator feature in Kaspersky Password Manager was not completely cryptographically strong and potentially allowed an attacker to predict generated passwords in some cases. An attacker would need to know some additional information (for example, time of password generation).
{
"affected": [],
"aliases": [
"CVE-2020-27020"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-14T11:15:00Z",
"severity": "HIGH"
},
"details": "Password generator feature in Kaspersky Password Manager was not completely cryptographically strong and potentially allowed an attacker to predict generated passwords in some cases. An attacker would need to know some additional information (for example, time of password generation).",
"id": "GHSA-cjr2-g7qm-xq33",
"modified": "2022-05-24T19:02:30Z",
"published": "2022-05-24T19:02:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27020"
},
{
"type": "WEB",
"url": "https://support.kaspersky.com/general/vulnerability.aspx?el=12430#270421"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-CPVM-F36G-55VG
Vulnerability from github – Published: 2022-05-24 17:12 – Updated: 2022-10-07 18:15A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm. An attacker could use this weakness to create forged certificate signatures. This issue affects GnuPG versions before 2.2.18.
{
"affected": [],
"aliases": [
"CVE-2019-14855"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-03-20T16:15:00Z",
"severity": "MODERATE"
},
"details": "A flaw was found in the way certificate signatures could be forged using collisions found in the SHA-1 algorithm. An attacker could use this weakness to create forged certificate signatures. This issue affects GnuPG versions before 2.2.18.",
"id": "GHSA-cpvm-f36g-55vg",
"modified": "2022-10-07T18:15:56Z",
"published": "2022-05-24T17:12:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-14855"
},
{
"type": "WEB",
"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14855"
},
{
"type": "WEB",
"url": "https://dev.gnupg.org/T4755"
},
{
"type": "WEB",
"url": "https://lists.gnupg.org/pipermail/gnupg-announce/2019q4/000442.html"
},
{
"type": "WEB",
"url": "https://rwc.iacr.org/2020/slides/Leurent.pdf"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/4516-1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CQM6-HRGQ-6869
Vulnerability from github – Published: 2022-05-13 01:47 – Updated: 2022-11-22 18:57Apache OpenMeetings 1.0.0 uses not very strong cryptographic storage, captcha is not used in registration and forget password dialogs and auth forms missing brute force protection.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.openmeetings:openmeetings-parent"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "3.3.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2017-7673"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": true,
"github_reviewed_at": "2022-11-22T18:57:29Z",
"nvd_published_at": "2017-07-17T13:18:00Z",
"severity": "CRITICAL"
},
"details": "Apache OpenMeetings 1.0.0 uses not very strong cryptographic storage, captcha is not used in registration and forget password dialogs and auth forms missing brute force protection.",
"id": "GHSA-cqm6-hrgq-6869",
"modified": "2022-11-22T18:57:29Z",
"published": "2022-05-13T01:47:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-7673"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/openmeetings"
},
{
"type": "WEB",
"url": "http://markmail.org/message/3hshl26omwjo6c5i"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/99587"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Apache OpenMeetings has Inadequate Encryption Strength"
}
GHSA-CR6F-25F8-7583
Vulnerability from github – Published: 2022-05-13 01:36 – Updated: 2022-05-13 01:36Cryptanalysis vulnerability in the web interface in McAfee Network Security Management (NSM) before 8.2.7.42.2 allows attackers to view confidential information via insecure use of RC4 encryption cyphers.
{
"affected": [],
"aliases": [
"CVE-2017-3971"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-04-04T13:29:00Z",
"severity": "MODERATE"
},
"details": "Cryptanalysis vulnerability in the web interface in McAfee Network Security Management (NSM) before 8.2.7.42.2 allows attackers to view confidential information via insecure use of RC4 encryption cyphers.",
"id": "GHSA-cr6f-25f8-7583",
"modified": "2022-05-13T01:36:40Z",
"published": "2022-05-13T01:36:40Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2017-3971"
},
{
"type": "WEB",
"url": "https://kc.mcafee.com/corporate/index?page=content\u0026id=SB10192"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CV7H-78V9-R3JF
Vulnerability from github – Published: 2026-01-13 03:32 – Updated: 2026-01-13 03:32The User Management Engine (UME) in NetWeaver Application Server for Java (NW AS Java) utilizes an obsolete cryptographic algorithm for encrypting User Mapping data. This weakness could allow an attacker with high-privileged access to exploit the vulnerability under specific conditions potentially leading to partial disclosure of sensitive information.This has low impact on confidentiality with no impact on integrity and availability of the application.
{
"affected": [],
"aliases": [
"CVE-2026-0510"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-01-13T02:15:53Z",
"severity": "LOW"
},
"details": "The User Management Engine (UME) in NetWeaver Application Server for Java (NW AS Java) utilizes an obsolete cryptographic algorithm for encrypting User Mapping data. This weakness could allow an attacker with high-privileged access to exploit the vulnerability under specific conditions potentially leading to partial disclosure of sensitive information.This has low impact on confidentiality with no impact on integrity and availability of the application.",
"id": "GHSA-cv7h-78v9-r3jf",
"modified": "2026-01-13T03:32:09Z",
"published": "2026-01-13T03:32:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0510"
},
{
"type": "WEB",
"url": "https://me.sap.com/notes/3593356"
},
{
"type": "WEB",
"url": "https://url.sap/sapsecuritypatchday"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CV8V-H856-HHXW
Vulnerability from github – Published: 2022-05-24 16:49 – Updated: 2023-03-03 21:30IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 158092.
{
"affected": [],
"aliases": [
"CVE-2019-4102"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-07-01T15:15:00Z",
"severity": "MODERATE"
},
"details": "IBM DB2 for Linux, UNIX and Windows (includes DB2 Connect Server) 9.7, 10.1, 10.5, and 11.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 158092.",
"id": "GHSA-cv8v-h856-hhxw",
"modified": "2023-03-03T21:30:18Z",
"published": "2022-05-24T16:49:09Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-4102"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/158092"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/docview.wss?uid=ibm10880743"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/109026"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CVFX-WFGC-G5XW
Vulnerability from github – Published: 2024-06-13 12:30 – Updated: 2024-06-13 12:30ColdFusion versions 2023u7, 2021u13 and earlier are affected by a Weak Cryptography for Passwords vulnerability that could result in a security feature bypass. This vulnerability arises due to the use of insufficiently strong cryptographic algorithms or flawed implementation that compromises the confidentiality of password data. An attacker could exploit this weakness to decrypt or guess passwords, potentially gaining unauthorized access to protected resources. Exploitation of this issue does not require user interaction.
{
"affected": [],
"aliases": [
"CVE-2024-34113"
],
"database_specific": {
"cwe_ids": [
"CWE-261",
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2024-06-13T12:15:11Z",
"severity": "MODERATE"
},
"details": "ColdFusion versions 2023u7, 2021u13 and earlier are affected by a Weak Cryptography for Passwords vulnerability that could result in a security feature bypass. This vulnerability arises due to the use of insufficiently strong cryptographic algorithms or flawed implementation that compromises the confidentiality of password data. An attacker could exploit this weakness to decrypt or guess passwords, potentially gaining unauthorized access to protected resources. Exploitation of this issue does not require user interaction.",
"id": "GHSA-cvfx-wfgc-g5xw",
"modified": "2024-06-13T12:30:34Z",
"published": "2024-06-13T12:30:34Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34113"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/coldfusion/apsb24-41.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-CVV7-5999-M892
Vulnerability from github – Published: 2025-03-27 15:31 – Updated: 2025-03-27 15:31The use of a weak cryptographic key pair in the signature verification process in WPS Office (Kingsoft) on Windows allows an attacker who successfully recovered the private key to sign components.
As older versions of WPS Office did not validate the update server's certificate, an Adversary-In-The-Middle attack was possible allowing updates to be hijacked.
{
"affected": [],
"aliases": [
"CVE-2025-2516"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-03-27T15:16:01Z",
"severity": "CRITICAL"
},
"details": "The use of a weak cryptographic key pair in the signature verification process in WPS Office (Kingsoft) on Windows allows an attacker who successfully recovered the private key to sign components.\n\nAs older versions of WPS Office did not validate the update server\u0027s certificate, an Adversary-In-The-Middle attack was possible allowing updates to be hijacked.",
"id": "GHSA-cvv7-5999-m892",
"modified": "2025-03-27T15:31:14Z",
"published": "2025-03-27T15:31:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2516"
},
{
"type": "WEB",
"url": "https://www.welivesecurity.com/en/eset-research/nspx30-sophisticated-aitm-enabled-implant-evolving-since-2005"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber",
"type": "CVSS_V4"
}
]
}
GHSA-F4FH-MR9X-PQGF
Vulnerability from github – Published: 2025-12-11 00:30 – Updated: 2025-12-11 21:31Multiple vulnerabilities in Aqara Hub firmware update process in the Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025 devices, allow attackers to install malicious firmware without proper verification. The device fails to validate firmware signatures during updates, uses outdated cryptographic methods that can be exploited to forge valid signatures, and exposes information through improperly initialized memory.
{
"affected": [],
"aliases": [
"CVE-2025-65295"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-10T22:16:27Z",
"severity": "HIGH"
},
"details": "Multiple vulnerabilities in Aqara Hub firmware update process in the Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025 devices, allow attackers to install malicious firmware without proper verification. The device fails to validate firmware signatures during updates, uses outdated cryptographic methods that can be exploited to forge valid signatures, and exposes information through improperly initialized memory.",
"id": "GHSA-f4fh-mr9x-pqgf",
"modified": "2025-12-11T21:31:28Z",
"published": "2025-12-11T00:30:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65295"
},
{
"type": "WEB",
"url": "https://github.com/Chapoly1305/myCVEReports/blob/main/Aqara/OTA-Firmware-Insecurity.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
Mitigation
Use an encryption scheme that is currently considered to be strong by experts in the field.
CAPEC-112: Brute Force
In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset.
CAPEC-192: Protocol Analysis
An adversary engages in activities to decipher and/or decode protocol information for a network or application communication protocol used for transmitting information between interconnected nodes or systems on a packet-switched data network. While this type of analysis involves the analysis of a networking protocol inherently, it does not require the presence of an actual or physical network.
CAPEC-20: Encryption Brute Forcing
An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.