CWE-328
Use of Weak Hash
The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack).
CVE-2026-11330 (GCVE-0-2026-11330)
Vulnerability from cvelistv5 – Published: 2026-06-05 12:45 – Updated: 2026-06-08 16:04 X_Open Source| URL | Tags |
|---|---|
| https://vuldb.com/vuln/368870 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/368870/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-11330 | third-party-advisory |
| https://vuldb.com/submit/832401 | third-party-advisory |
| https://github.com/thedotmack/claude-mem/pull/1494 | issue-trackingpatch |
| https://github.com/thedotmack/claude-mem/commit/f… | patch |
| https://github.com/thedotmack/claude-mem/releases… | patch |
| https://github.com/thedotmack/claude-mem/ | product |
| Vendor | Product | Version | |
|---|---|---|---|
| thedotmack | claude-mem |
Affected:
11.0.0
Affected: 11.0.1 Unaffected: 12.0.0 cpe:2.3:a:thedotmack:claude-mem:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11330",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-08T16:04:38.572755Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T16:04:51.130Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:thedotmack:claude-mem:*:*:*:*:*:*:*:*"
],
"modules": [
"Observation Content Hash Handler"
],
"product": "claude-mem",
"vendor": "thedotmack",
"versions": [
{
"status": "affected",
"version": "11.0.0"
},
{
"status": "affected",
"version": "11.0.1"
},
{
"status": "unaffected",
"version": "12.0.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Dem00 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A weakness has been identified in thedotmack claude-mem up to 11.0.1. The affected element is the function computeObservationContentHash of the file src/services/sqlite/observations/store.ts of the component Observation Content Hash Handler. This manipulation causes use of weak hash. The attack can only be executed locally. The attack\u0027s complexity is rated as high. The exploitability is described as difficult. Upgrading to version 12.0.0 is sufficient to fix this issue. Patch name: f32fda8b35e9fe9329f87da65c31149362a03f97. It is suggested to upgrade the affected component."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 2,
"baseSeverity": "LOW",
"vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.6,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L/E:X/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.6,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L/E:X/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 2.4,
"vectorString": "AV:L/AC:H/Au:S/C:N/I:P/A:P/E:ND/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-328",
"description": "Use of Weak Hash",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-327",
"description": "Risky Cryptographic Algorithm",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-05T12:45:12.204Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-368870 | thedotmack claude-mem Observation Content Hash store.ts computeObservationContentHash weak hash",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/368870"
},
{
"name": "VDB-368870 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/368870/cti"
},
{
"name": "CVE-2026-11330 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-11330"
},
{
"name": "Submit #832401 | thedotmack claude-mem v10.4.0 - Improper content hash construction - Field-boundary ambiguity",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/832401"
},
{
"tags": [
"issue-tracking",
"patch"
],
"url": "https://github.com/thedotmack/claude-mem/pull/1494"
},
{
"tags": [
"patch"
],
"url": "https://github.com/thedotmack/claude-mem/commit/f32fda8b35e9fe9329f87da65c31149362a03f97"
},
{
"tags": [
"patch"
],
"url": "https://github.com/thedotmack/claude-mem/releases/tag/v12.0.0"
},
{
"tags": [
"product"
],
"url": "https://github.com/thedotmack/claude-mem/"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2026-06-05T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-05T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-05T09:01:15.000Z",
"value": "VulDB entry last update"
}
],
"title": "thedotmack claude-mem Observation Content Hash store.ts computeObservationContentHash weak hash"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-11330",
"datePublished": "2026-06-05T12:45:12.204Z",
"dateReserved": "2026-06-05T06:56:10.993Z",
"dateUpdated": "2026-06-08T16:04:51.130Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11479 (GCVE-0-2026-11479)
Vulnerability from cvelistv5 – Published: 2026-06-08 02:15 – Updated: 2026-06-09 14:46| URL | Tags |
|---|---|
| https://vuldb.com/vuln/369099 | vdb-entry |
| https://vuldb.com/vuln/369099/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-11479 | third-party-advisory |
| https://vuldb.com/submit/833971 | third-party-advisory |
| https://github.com/yoanbernabeu/grepai/issues/247 | exploitissue-tracking |
| https://github.com/yoanbernabeu/grepai/pull/248 | issue-trackingpatch |
| https://github.com/yoanbernabeu/grepai/ | product |
| Vendor | Product | Version | |
|---|---|---|---|
| yoanbernabeu | grepai |
Affected:
0.35.0
cpe:2.3:a:yoanbernabeu:grepai:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11479",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-09T14:46:05.825597Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-09T14:46:40.423Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:yoanbernabeu:grepai:*:*:*:*:*:*:*:*"
],
"modules": [
"Qdrant Backend"
],
"product": "grepai",
"vendor": "yoanbernabeu",
"versions": [
{
"status": "affected",
"version": "0.35.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Dem000 (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in yoanbernabeu grepai 0.35.0. This issue affects some unknown processing of the file indexer/chunker.go of the component Qdrant Backend. Such manipulation leads to use of weak hash. The attack may be performed from remote. Attacks of this nature are highly complex. The exploitability is assessed as difficult. The exploit has been disclosed to the public and may be used. The pull request to fix this issue awaits acceptance."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 2.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.2,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 3.6,
"vectorString": "AV:N/AC:H/Au:S/C:N/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-328",
"description": "Use of Weak Hash",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-327",
"description": "Risky Cryptographic Algorithm",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T02:15:09.333Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-369099 | yoanbernabeu grepai Qdrant Backend chunker.go weak hash",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/vuln/369099"
},
{
"name": "VDB-369099 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/369099/cti"
},
{
"name": "CVE-2026-11479 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-11479"
},
{
"name": "Submit #833971 | yoanbernabeu grepai 0.35.0 Improper Isolation",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/833971"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/yoanbernabeu/grepai/issues/247"
},
{
"tags": [
"issue-tracking",
"patch"
],
"url": "https://github.com/yoanbernabeu/grepai/pull/248"
},
{
"tags": [
"product"
],
"url": "https://github.com/yoanbernabeu/grepai/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-07T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-07T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-07T11:50:58.000Z",
"value": "VulDB entry last update"
}
],
"title": "yoanbernabeu grepai Qdrant Backend chunker.go weak hash"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-11479",
"datePublished": "2026-06-08T02:15:09.333Z",
"dateReserved": "2026-06-07T09:45:55.265Z",
"dateUpdated": "2026-06-09T14:46:40.423Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-11481 (GCVE-0-2026-11481)
Vulnerability from cvelistv5 – Published: 2026-06-08 02:45 – Updated: 2026-06-08 13:01| URL | Tags |
|---|---|
| https://vuldb.com/vuln/369101 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/369101/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-11481 | third-party-advisory |
| https://vuldb.com/submit/833997 | third-party-advisory |
| https://github.com/yoanbernabeu/grepai/issues/249 | exploitissue-tracking |
| https://github.com/yoanbernabeu/grepai/pull/250 | issue-trackingpatch |
| https://github.com/yoanbernabeu/grepai/ | product |
| Vendor | Product | Version | |
|---|---|---|---|
| yoanbernabeu | grepai |
Affected:
0.1
Affected: 0.2 Affected: 0.3 Affected: 0.4 Affected: 0.5 Affected: 0.6 Affected: 0.7 Affected: 0.8 Affected: 0.9 Affected: 0.10 Affected: 0.11 Affected: 0.12 Affected: 0.13 Affected: 0.14 Affected: 0.15 Affected: 0.16 Affected: 0.17 Affected: 0.18 Affected: 0.19 Affected: 0.20 Affected: 0.21 Affected: 0.22 Affected: 0.23 Affected: 0.24 Affected: 0.25 Affected: 0.26 Affected: 0.27 Affected: 0.28 Affected: 0.29 Affected: 0.30 Affected: 0.31 Affected: 0.32 Affected: 0.33 Affected: 0.34 Affected: 0.35.0 cpe:2.3:a:yoanbernabeu:grepai:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-11481",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-08T13:01:41.955659Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T13:01:50.902Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:yoanbernabeu:grepai:*:*:*:*:*:*:*:*"
],
"modules": [
"Postgres Embedding Cache"
],
"product": "grepai",
"vendor": "yoanbernabeu",
"versions": [
{
"status": "affected",
"version": "0.1"
},
{
"status": "affected",
"version": "0.2"
},
{
"status": "affected",
"version": "0.3"
},
{
"status": "affected",
"version": "0.4"
},
{
"status": "affected",
"version": "0.5"
},
{
"status": "affected",
"version": "0.6"
},
{
"status": "affected",
"version": "0.7"
},
{
"status": "affected",
"version": "0.8"
},
{
"status": "affected",
"version": "0.9"
},
{
"status": "affected",
"version": "0.10"
},
{
"status": "affected",
"version": "0.11"
},
{
"status": "affected",
"version": "0.12"
},
{
"status": "affected",
"version": "0.13"
},
{
"status": "affected",
"version": "0.14"
},
{
"status": "affected",
"version": "0.15"
},
{
"status": "affected",
"version": "0.16"
},
{
"status": "affected",
"version": "0.17"
},
{
"status": "affected",
"version": "0.18"
},
{
"status": "affected",
"version": "0.19"
},
{
"status": "affected",
"version": "0.20"
},
{
"status": "affected",
"version": "0.21"
},
{
"status": "affected",
"version": "0.22"
},
{
"status": "affected",
"version": "0.23"
},
{
"status": "affected",
"version": "0.24"
},
{
"status": "affected",
"version": "0.25"
},
{
"status": "affected",
"version": "0.26"
},
{
"status": "affected",
"version": "0.27"
},
{
"status": "affected",
"version": "0.28"
},
{
"status": "affected",
"version": "0.29"
},
{
"status": "affected",
"version": "0.30"
},
{
"status": "affected",
"version": "0.31"
},
{
"status": "affected",
"version": "0.32"
},
{
"status": "affected",
"version": "0.33"
},
{
"status": "affected",
"version": "0.34"
},
{
"status": "affected",
"version": "0.35.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Dem000 (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was determined in yoanbernabeu grepai up to 0.35.0. The affected element is the function PostgresStore.LookupByContentHash of the file indexer/chunker.go of the component Postgres Embedding Cache. Executing a manipulation of the argument content_hash can lead to use of weak hash. The attack needs to be launched locally. The attack requires a high level of complexity. The exploitability is described as difficult. The exploit has been publicly disclosed and may be utilized. The pull request to fix this issue awaits acceptance."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 2,
"baseSeverity": "LOW",
"vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 2.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 2.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 1,
"vectorString": "AV:L/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-328",
"description": "Use of Weak Hash",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-327",
"description": "Risky Cryptographic Algorithm",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-08T02:45:11.546Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-369101 | yoanbernabeu grepai Postgres Embedding Cache chunker.go PostgresStore.LookupByContentHash weak hash",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/369101"
},
{
"name": "VDB-369101 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/369101/cti"
},
{
"name": "CVE-2026-11481 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-11481"
},
{
"name": "Submit #833997 | yoanbernabeu grepai v0.35.0-1-gf6dbf8d Cache Poisoning",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/833997"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/yoanbernabeu/grepai/issues/249"
},
{
"tags": [
"issue-tracking",
"patch"
],
"url": "https://github.com/yoanbernabeu/grepai/pull/250"
},
{
"tags": [
"product"
],
"url": "https://github.com/yoanbernabeu/grepai/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-07T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-07T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-07T12:02:05.000Z",
"value": "VulDB entry last update"
}
],
"title": "yoanbernabeu grepai Postgres Embedding Cache chunker.go PostgresStore.LookupByContentHash weak hash"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-11481",
"datePublished": "2026-06-08T02:45:11.546Z",
"dateReserved": "2026-06-07T09:57:01.801Z",
"dateUpdated": "2026-06-08T13:01:50.902Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13455 (GCVE-0-2026-13455)
Vulnerability from cvelistv5 – Published: 2026-06-30 15:19 – Updated: 2026-06-30 15:57- CWE-328 - Use of Weak Hash
| Vendor | Product | Version | |
|---|---|---|---|
| DALIBO | PostgreSQL Anonymizer |
Affected:
1 , < 3.1.2
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-13455",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-30T15:57:10.838763Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T15:57:53.085Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "PostgreSQL Anonymizer",
"vendor": "DALIBO",
"versions": [
{
"lessThan": "3.1.2",
"status": "affected",
"version": "1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "The PostgreSQL Anonymizer project thanks user Sarath Kumar for reporting this problem."
}
],
"descriptions": [
{
"lang": "en",
"value": "PostgreSQL Anonymizer contains a vulnerability that allows unprivileged masked users to repeatedly call the anon.hash() function and collects (seed, hash_output) pairs to perform an offline brute-force attack and deduce the salt. The problem is resolved in PostgreSQL Anonymizer 3.1.2 and later versions"
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-328",
"description": "Use of Weak Hash",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-30T15:19:57.657Z",
"orgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
"shortName": "PostgreSQL"
},
"references": [
{
"url": "https://gitlab.com/dalibo/postgresql_anonymizer/-/issues/649"
}
],
"title": "PostgreSQL Anonymizer: Unrestricted function can leak the secret salt",
"workarounds": [
{
"lang": "en",
"value": "Restrict access to anon.hash() for masked users: SECURITY LABEL FOR anon ON FUNCTION anon.hash(TEXT) IS \u0027RESTRICTED\u0027."
}
]
}
},
"cveMetadata": {
"assignerOrgId": "f86ef6dc-4d3a-42ad-8f28-e6d5547a5007",
"assignerShortName": "PostgreSQL",
"cveId": "CVE-2026-13455",
"datePublished": "2026-06-30T15:19:57.657Z",
"dateReserved": "2026-06-26T18:36:50.872Z",
"dateUpdated": "2026-06-30T15:57:53.085Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13482 (GCVE-0-2026-13482)
Vulnerability from cvelistv5 – Published: 2026-06-28 04:30 – Updated: 2026-06-29 13:49| URL | Tags |
|---|---|
| https://vuldb.com/vuln/374479 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/374479/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-13482 | third-party-advisory |
| https://vuldb.com/submit/789927 | third-party-advisory |
| https://github.com/skypilot-org/skypilot/issues/9194 | issue-tracking |
| https://github.com/skypilot-org/skypilot/ | product |
| Vendor | Product | Version | |
|---|---|---|---|
| skypilot-org | skypilot |
Affected:
0.1
Affected: 0.2 Affected: 0.3 Affected: 0.4 Affected: 0.5 Affected: 0.6 Affected: 0.7 Affected: 0.8 Affected: 0.9 Affected: 0.10 Affected: 0.11 Affected: 0.12.0 cpe:2.3:a:skypilot-org:skypilot:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-13482",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T13:49:17.325530Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T13:49:27.633Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:skypilot-org:skypilot:*:*:*:*:*:*:*:*"
],
"modules": [
"User ID Handler"
],
"product": "skypilot",
"vendor": "skypilot-org",
"versions": [
{
"status": "affected",
"version": "0.1"
},
{
"status": "affected",
"version": "0.2"
},
{
"status": "affected",
"version": "0.3"
},
{
"status": "affected",
"version": "0.4"
},
{
"status": "affected",
"version": "0.5"
},
{
"status": "affected",
"version": "0.6"
},
{
"status": "affected",
"version": "0.7"
},
{
"status": "affected",
"version": "0.8"
},
{
"status": "affected",
"version": "0.9"
},
{
"status": "affected",
"version": "0.10"
},
{
"status": "affected",
"version": "0.11"
},
{
"status": "affected",
"version": "0.12.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Dem0 (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was detected in skypilot-org skypilot up to 0.12.0. Impacted is the function username.encode of the file sky/users/server.py of the component User ID Handler. The manipulation results in use of weak hash. The attack may be performed from remote. This attack is characterized by high complexity. The exploitability is considered difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 2.6,
"vectorString": "AV:N/AC:H/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-328",
"description": "Use of Weak Hash",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-327",
"description": "Risky Cryptographic Algorithm",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-28T04:30:10.004Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-374479 | skypilot-org skypilot User ID server.py username.encode weak hash",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/374479"
},
{
"name": "VDB-374479 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/374479/cti"
},
{
"name": "CVE-2026-13482 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-13482"
},
{
"name": "Submit #789927 | skypilot-org skypilot 0.12.0 Algorithm Downgrade",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/789927"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/skypilot-org/skypilot/issues/9194"
},
{
"tags": [
"product"
],
"url": "https://github.com/skypilot-org/skypilot/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-27T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-27T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-27T15:59:29.000Z",
"value": "VulDB entry last update"
}
],
"title": "skypilot-org skypilot User ID server.py username.encode weak hash"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-13482",
"datePublished": "2026-06-28T04:30:10.004Z",
"dateReserved": "2026-06-27T13:54:12.298Z",
"dateUpdated": "2026-06-29T13:49:27.633Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-13510 (GCVE-0-2026-13510)
Vulnerability from cvelistv5 – Published: 2026-06-28 22:15 – Updated: 2026-06-29 13:43| URL | Tags |
|---|---|
| https://vuldb.com/vuln/374518 | vdb-entry |
| https://vuldb.com/vuln/374518/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-13510 | third-party-advisory |
| https://vuldb.com/submit/838842 | third-party-advisory |
| https://github.com/simstudioai/sim/issues/4759 | exploitissue-tracking |
| https://github.com/simstudioai/sim/pull/4760 | issue-trackingpatch |
| https://github.com/simstudioai/sim/ | product |
| Vendor | Product | Version | |
|---|---|---|---|
| SimStudioAI | sim |
Affected:
0.6.0
Affected: 0.6.1 Affected: 0.6.2 Affected: 0.6.3 Affected: 0.6.4 Affected: 0.6.5 Affected: 0.6.6 Affected: 0.6.7 Affected: 0.6.8 Affected: 0.6.9 Affected: 0.6.10 Affected: 0.6.11 Affected: 0.6.12 Affected: 0.6.13 Affected: 0.6.14 Affected: 0.6.15 Affected: 0.6.16 Affected: 0.6.17 Affected: 0.6.18 Affected: 0.6.19 Affected: 0.6.20 Affected: 0.6.21 Affected: 0.6.22 Affected: 0.6.23 Affected: 0.6.24 Affected: 0.6.25 Affected: 0.6.26 Affected: 0.6.27 Affected: 0.6.28 Affected: 0.6.29 Affected: 0.6.30 Affected: 0.6.31 Affected: 0.6.32 Affected: 0.6.33 Affected: 0.6.34 Affected: 0.6.35 Affected: 0.6.36 Affected: 0.6.37 Affected: 0.6.38 Affected: 0.6.39 Affected: 0.6.40 Affected: 0.6.41 Affected: 0.6.42 Affected: 0.6.43 Affected: 0.6.44 Affected: 0.6.45 Affected: 0.6.46 Affected: 0.6.47 Affected: 0.6.48 Affected: 0.6.49 Affected: 0.6.50 Affected: 0.6.51 Affected: 0.6.52 Affected: 0.6.53 Affected: 0.6.54 Affected: 0.6.55 Affected: 0.6.56 Affected: 0.6.57 Affected: 0.6.58 Affected: 0.6.59 Affected: 0.6.60 Affected: 0.6.61 Affected: 0.6.62 Affected: 0.6.63 Affected: 0.6.64 Affected: 0.6.65 Affected: 0.6.66 Affected: 0.6.67 Affected: 0.6.68 Affected: 0.6.69 Affected: 0.6.70 Affected: 0.6.71 Affected: 0.6.72 Affected: 0.6.73 Affected: 0.6.74 Affected: 0.6.75 Affected: 0.6.76 Affected: 0.6.77 Affected: 0.6.78 Affected: 0.6.79 Affected: 0.6.80 Affected: 0.6.81 Affected: 0.6.82 Affected: 0.6.83 Affected: 0.6.84 Affected: 0.6.85 Affected: 0.6.86 Affected: 0.6.87 Affected: 0.6.88 Affected: 0.6.89 Affected: 0.6.90 Affected: 0.6.91 Affected: 0.6.92 cpe:2.3:a:sim:sim:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-13510",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-29T13:43:36.108785Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-29T13:43:53.156Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:sim:sim:*:*:*:*:*:*:*:*"
],
"modules": [
"Password Protection Handler"
],
"product": "sim",
"vendor": "SimStudioAI",
"versions": [
{
"status": "affected",
"version": "0.6.0"
},
{
"status": "affected",
"version": "0.6.1"
},
{
"status": "affected",
"version": "0.6.2"
},
{
"status": "affected",
"version": "0.6.3"
},
{
"status": "affected",
"version": "0.6.4"
},
{
"status": "affected",
"version": "0.6.5"
},
{
"status": "affected",
"version": "0.6.6"
},
{
"status": "affected",
"version": "0.6.7"
},
{
"status": "affected",
"version": "0.6.8"
},
{
"status": "affected",
"version": "0.6.9"
},
{
"status": "affected",
"version": "0.6.10"
},
{
"status": "affected",
"version": "0.6.11"
},
{
"status": "affected",
"version": "0.6.12"
},
{
"status": "affected",
"version": "0.6.13"
},
{
"status": "affected",
"version": "0.6.14"
},
{
"status": "affected",
"version": "0.6.15"
},
{
"status": "affected",
"version": "0.6.16"
},
{
"status": "affected",
"version": "0.6.17"
},
{
"status": "affected",
"version": "0.6.18"
},
{
"status": "affected",
"version": "0.6.19"
},
{
"status": "affected",
"version": "0.6.20"
},
{
"status": "affected",
"version": "0.6.21"
},
{
"status": "affected",
"version": "0.6.22"
},
{
"status": "affected",
"version": "0.6.23"
},
{
"status": "affected",
"version": "0.6.24"
},
{
"status": "affected",
"version": "0.6.25"
},
{
"status": "affected",
"version": "0.6.26"
},
{
"status": "affected",
"version": "0.6.27"
},
{
"status": "affected",
"version": "0.6.28"
},
{
"status": "affected",
"version": "0.6.29"
},
{
"status": "affected",
"version": "0.6.30"
},
{
"status": "affected",
"version": "0.6.31"
},
{
"status": "affected",
"version": "0.6.32"
},
{
"status": "affected",
"version": "0.6.33"
},
{
"status": "affected",
"version": "0.6.34"
},
{
"status": "affected",
"version": "0.6.35"
},
{
"status": "affected",
"version": "0.6.36"
},
{
"status": "affected",
"version": "0.6.37"
},
{
"status": "affected",
"version": "0.6.38"
},
{
"status": "affected",
"version": "0.6.39"
},
{
"status": "affected",
"version": "0.6.40"
},
{
"status": "affected",
"version": "0.6.41"
},
{
"status": "affected",
"version": "0.6.42"
},
{
"status": "affected",
"version": "0.6.43"
},
{
"status": "affected",
"version": "0.6.44"
},
{
"status": "affected",
"version": "0.6.45"
},
{
"status": "affected",
"version": "0.6.46"
},
{
"status": "affected",
"version": "0.6.47"
},
{
"status": "affected",
"version": "0.6.48"
},
{
"status": "affected",
"version": "0.6.49"
},
{
"status": "affected",
"version": "0.6.50"
},
{
"status": "affected",
"version": "0.6.51"
},
{
"status": "affected",
"version": "0.6.52"
},
{
"status": "affected",
"version": "0.6.53"
},
{
"status": "affected",
"version": "0.6.54"
},
{
"status": "affected",
"version": "0.6.55"
},
{
"status": "affected",
"version": "0.6.56"
},
{
"status": "affected",
"version": "0.6.57"
},
{
"status": "affected",
"version": "0.6.58"
},
{
"status": "affected",
"version": "0.6.59"
},
{
"status": "affected",
"version": "0.6.60"
},
{
"status": "affected",
"version": "0.6.61"
},
{
"status": "affected",
"version": "0.6.62"
},
{
"status": "affected",
"version": "0.6.63"
},
{
"status": "affected",
"version": "0.6.64"
},
{
"status": "affected",
"version": "0.6.65"
},
{
"status": "affected",
"version": "0.6.66"
},
{
"status": "affected",
"version": "0.6.67"
},
{
"status": "affected",
"version": "0.6.68"
},
{
"status": "affected",
"version": "0.6.69"
},
{
"status": "affected",
"version": "0.6.70"
},
{
"status": "affected",
"version": "0.6.71"
},
{
"status": "affected",
"version": "0.6.72"
},
{
"status": "affected",
"version": "0.6.73"
},
{
"status": "affected",
"version": "0.6.74"
},
{
"status": "affected",
"version": "0.6.75"
},
{
"status": "affected",
"version": "0.6.76"
},
{
"status": "affected",
"version": "0.6.77"
},
{
"status": "affected",
"version": "0.6.78"
},
{
"status": "affected",
"version": "0.6.79"
},
{
"status": "affected",
"version": "0.6.80"
},
{
"status": "affected",
"version": "0.6.81"
},
{
"status": "affected",
"version": "0.6.82"
},
{
"status": "affected",
"version": "0.6.83"
},
{
"status": "affected",
"version": "0.6.84"
},
{
"status": "affected",
"version": "0.6.85"
},
{
"status": "affected",
"version": "0.6.86"
},
{
"status": "affected",
"version": "0.6.87"
},
{
"status": "affected",
"version": "0.6.88"
},
{
"status": "affected",
"version": "0.6.89"
},
{
"status": "affected",
"version": "0.6.90"
},
{
"status": "affected",
"version": "0.6.91"
},
{
"status": "affected",
"version": "0.6.92"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Dem000000 (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in SimStudioAI sim up to 0.6.92. Affected by this vulnerability is an unknown functionality in the library apps/sim/lib/core/security/deployment.ts of the component Password Protection Handler. Performing a manipulation results in use of weak hash. The attack is possible to be carried out remotely. The attack\u0027s complexity is rated as high. The exploitation appears to be difficult. The exploit has been made public and could be used. The pull request to fix this issue awaits acceptance."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 2.6,
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-328",
"description": "Use of Weak Hash",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-327",
"description": "Risky Cryptographic Algorithm",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-28T22:15:11.256Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-374518 | SimStudioAI sim Password Protection deployment.ts weak hash",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/vuln/374518"
},
{
"name": "VDB-374518 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/374518/cti"
},
{
"name": "CVE-2026-13510 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-13510"
},
{
"name": "Submit #838842 | Sim Studio / simstudioai sim Affected at least commit 7b572f1f61a8bbcee31fd7389097814a71f8f094; still present in origin/main commit e532e0a6da6fd22eee98310ba Improper Verification of Cryptographic Signature (CWE-347), Use",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/838842"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/simstudioai/sim/issues/4759"
},
{
"tags": [
"issue-tracking",
"patch"
],
"url": "https://github.com/simstudioai/sim/pull/4760"
},
{
"tags": [
"product"
],
"url": "https://github.com/simstudioai/sim/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-06-28T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-06-28T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-06-28T08:32:04.000Z",
"value": "VulDB entry last update"
}
],
"title": "SimStudioAI sim Password Protection deployment.ts weak hash"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-13510",
"datePublished": "2026-06-28T22:15:11.256Z",
"dateReserved": "2026-06-28T06:27:00.657Z",
"dateUpdated": "2026-06-29T13:43:53.156Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-14630 (GCVE-0-2026-14630)
Vulnerability from cvelistv5 – Published: 2026-07-04 14:00 – Updated: 2026-07-06 19:05 X_Open Source| URL | Tags |
|---|---|
| https://vuldb.com/vuln/376146 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/376146/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-14630 | third-party-advisory |
| https://vuldb.com/submit/845672 | third-party-advisory |
| https://github.com/ForceInjection/AI-fundamentals… | exploitissue-tracking |
| https://github.com/ForceInjection/AI-fundamentals… | issue-trackingpatch |
| https://github.com/ForceInjection/AI-fundamentals… | patch |
| Vendor | Product | Version | |
|---|---|---|---|
| ForceInjection | AI-fundermentals |
Affected:
2.0
Affected: 3.0 cpe:2.3:a:forceinjection:ai-fundermentals:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-14630",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-06T19:05:27.496583Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T19:05:32.208Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://vuldb.com/submit/845672"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:forceinjection:ai-fundermentals:*:*:*:*:*:*:*:*"
],
"modules": [
"Memory Recall Handler"
],
"product": "AI-fundermentals",
"vendor": "ForceInjection",
"versions": [
{
"status": "affected",
"version": "2.0"
},
{
"status": "affected",
"version": "3.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Dem00000 (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in ForceInjection AI-fundermentals 2.0/3.0. Affected by this vulnerability is the function get_conversation_history of the file 08_agentic_system/memory/langchain/code/smart_customer_service.py of the component Memory Recall Handler. The manipulation leads to use of weak hash. Remote exploitation of the attack is possible. A high degree of complexity is needed for the attack. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is f57277fdd9ba373ace72d83c272023ec67f720d6. It is suggested to install a patch to address this issue. The project confirms (translated from Chinese): \"We now require session ownership verification in methods such as `username`, `sessionowner`, etc., and we\u0027ve chat()changed the generation of `sessionowner` to include verified user identity and security context metadata.\""
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 2.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 2.1,
"vectorString": "AV:N/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-328",
"description": "Use of Weak Hash",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-327",
"description": "Risky Cryptographic Algorithm",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-04T14:00:10.026Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-376146 | ForceInjection AI-fundermentals Memory Recall smart_customer_service.py get_conversation_history weak hash",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/376146"
},
{
"name": "VDB-376146 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/376146/cti"
},
{
"name": "CVE-2026-14630 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-14630"
},
{
"name": "Submit #845672 | ForceInjection AI-fundermentals 5bb92c73a5aa0560c753beeb56e7ad4314dc8a7a Insecure Direct Object Reference (IDOR) / Cross-Tenant Data Expo",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/845672"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/ForceInjection/AI-fundamentals/issues/17"
},
{
"tags": [
"issue-tracking",
"patch"
],
"url": "https://github.com/ForceInjection/AI-fundamentals/pull/18"
},
{
"tags": [
"patch"
],
"url": "https://github.com/ForceInjection/AI-fundamentals/commit/f57277fdd9ba373ace72d83c272023ec67f720d6"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2026-07-03T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-03T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-03T19:19:59.000Z",
"value": "VulDB entry last update"
}
],
"title": "ForceInjection AI-fundermentals Memory Recall smart_customer_service.py get_conversation_history weak hash"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-14630",
"datePublished": "2026-07-04T14:00:10.026Z",
"dateReserved": "2026-07-03T17:14:51.596Z",
"dateUpdated": "2026-07-06T19:05:32.208Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-14738 (GCVE-0-2026-14738)
Vulnerability from cvelistv5 – Published: 2026-07-05 10:15 – Updated: 2026-07-06 13:33| URL | Tags |
|---|---|
| https://vuldb.com/vuln/376321 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/376321/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-14738 | third-party-advisory |
| https://vuldb.com/submit/848737 | third-party-advisory |
| https://github.com/exo-explore/exo/issues/2151 | exploitissue-tracking |
| https://github.com/exo-explore/exo/pull/2152 | issue-trackingpatch |
| https://github.com/exo-explore/exo/ | product |
| Vendor | Product | Version | |
|---|---|---|---|
| exo-explore | exo |
Affected:
1.0.0
Affected: 1.0.1 Affected: 1.0.2 Affected: 1.0.3 Affected: 1.0.4 Affected: 1.0.5 Affected: 1.0.6 Affected: 1.0.7 Affected: 1.0.8 Affected: 1.0.9 Affected: 1.0.10 Affected: 1.0.11 Affected: 1.0.12 Affected: 1.0.13 Affected: 1.0.14 Affected: 1.0.15 Affected: 1.0.16 Affected: 1.0.17 Affected: 1.0.18 Affected: 1.0.19 Affected: 1.0.20 Affected: 1.0.21 Affected: 1.0.22 Affected: 1.0.23 Affected: 1.0.24 Affected: 1.0.25 Affected: 1.0.26 Affected: 1.0.27 Affected: 1.0.28 Affected: 1.0.29 Affected: 1.0.30 Affected: 1.0.31 Affected: 1.0.32 Affected: 1.0.33 Affected: 1.0.34 Affected: 1.0.35 Affected: 1.0.36 Affected: 1.0.37 Affected: 1.0.38 Affected: 1.0.39 Affected: 1.0.40 Affected: 1.0.41 Affected: 1.0.42 Affected: 1.0.43 Affected: 1.0.44 Affected: 1.0.45 Affected: 1.0.46 Affected: 1.0.47 Affected: 1.0.48 Affected: 1.0.49 Affected: 1.0.50 Affected: 1.0.51 Affected: 1.0.52 Affected: 1.0.53 Affected: 1.0.54 Affected: 1.0.55 Affected: 1.0.56 Affected: 1.0.57 Affected: 1.0.58 Affected: 1.0.59 Affected: 1.0.60 Affected: 1.0.61 Affected: 1.0.62 Affected: 1.0.63 Affected: 1.0.64 Affected: 1.0.65 Affected: 1.0.66 Affected: 1.0.67 Affected: 1.0.68 Affected: 1.0.69 Affected: 1.0.70 Affected: 1.0.71 cpe:2.3:a:exo-explore:exo:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-14738",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-06T13:33:25.251146Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T13:33:34.713Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:exo-explore:exo:*:*:*:*:*:*:*:*"
],
"modules": [
"Vision Feature Cache"
],
"product": "exo",
"vendor": "exo-explore",
"versions": [
{
"status": "affected",
"version": "1.0.0"
},
{
"status": "affected",
"version": "1.0.1"
},
{
"status": "affected",
"version": "1.0.2"
},
{
"status": "affected",
"version": "1.0.3"
},
{
"status": "affected",
"version": "1.0.4"
},
{
"status": "affected",
"version": "1.0.5"
},
{
"status": "affected",
"version": "1.0.6"
},
{
"status": "affected",
"version": "1.0.7"
},
{
"status": "affected",
"version": "1.0.8"
},
{
"status": "affected",
"version": "1.0.9"
},
{
"status": "affected",
"version": "1.0.10"
},
{
"status": "affected",
"version": "1.0.11"
},
{
"status": "affected",
"version": "1.0.12"
},
{
"status": "affected",
"version": "1.0.13"
},
{
"status": "affected",
"version": "1.0.14"
},
{
"status": "affected",
"version": "1.0.15"
},
{
"status": "affected",
"version": "1.0.16"
},
{
"status": "affected",
"version": "1.0.17"
},
{
"status": "affected",
"version": "1.0.18"
},
{
"status": "affected",
"version": "1.0.19"
},
{
"status": "affected",
"version": "1.0.20"
},
{
"status": "affected",
"version": "1.0.21"
},
{
"status": "affected",
"version": "1.0.22"
},
{
"status": "affected",
"version": "1.0.23"
},
{
"status": "affected",
"version": "1.0.24"
},
{
"status": "affected",
"version": "1.0.25"
},
{
"status": "affected",
"version": "1.0.26"
},
{
"status": "affected",
"version": "1.0.27"
},
{
"status": "affected",
"version": "1.0.28"
},
{
"status": "affected",
"version": "1.0.29"
},
{
"status": "affected",
"version": "1.0.30"
},
{
"status": "affected",
"version": "1.0.31"
},
{
"status": "affected",
"version": "1.0.32"
},
{
"status": "affected",
"version": "1.0.33"
},
{
"status": "affected",
"version": "1.0.34"
},
{
"status": "affected",
"version": "1.0.35"
},
{
"status": "affected",
"version": "1.0.36"
},
{
"status": "affected",
"version": "1.0.37"
},
{
"status": "affected",
"version": "1.0.38"
},
{
"status": "affected",
"version": "1.0.39"
},
{
"status": "affected",
"version": "1.0.40"
},
{
"status": "affected",
"version": "1.0.41"
},
{
"status": "affected",
"version": "1.0.42"
},
{
"status": "affected",
"version": "1.0.43"
},
{
"status": "affected",
"version": "1.0.44"
},
{
"status": "affected",
"version": "1.0.45"
},
{
"status": "affected",
"version": "1.0.46"
},
{
"status": "affected",
"version": "1.0.47"
},
{
"status": "affected",
"version": "1.0.48"
},
{
"status": "affected",
"version": "1.0.49"
},
{
"status": "affected",
"version": "1.0.50"
},
{
"status": "affected",
"version": "1.0.51"
},
{
"status": "affected",
"version": "1.0.52"
},
{
"status": "affected",
"version": "1.0.53"
},
{
"status": "affected",
"version": "1.0.54"
},
{
"status": "affected",
"version": "1.0.55"
},
{
"status": "affected",
"version": "1.0.56"
},
{
"status": "affected",
"version": "1.0.57"
},
{
"status": "affected",
"version": "1.0.58"
},
{
"status": "affected",
"version": "1.0.59"
},
{
"status": "affected",
"version": "1.0.60"
},
{
"status": "affected",
"version": "1.0.61"
},
{
"status": "affected",
"version": "1.0.62"
},
{
"status": "affected",
"version": "1.0.63"
},
{
"status": "affected",
"version": "1.0.64"
},
{
"status": "affected",
"version": "1.0.65"
},
{
"status": "affected",
"version": "1.0.66"
},
{
"status": "affected",
"version": "1.0.67"
},
{
"status": "affected",
"version": "1.0.68"
},
{
"status": "affected",
"version": "1.0.69"
},
{
"status": "affected",
"version": "1.0.70"
},
{
"status": "affected",
"version": "1.0.71"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Dem0 (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security flaw has been discovered in exo-explore exo up to 1.0.71. Affected is the function _image_cache_key of the file src/exo/worker/engines/mlx/vision.py of the component Vision Feature Cache. The manipulation results in use of weak hash. It is possible to launch the attack remotely. A high complexity level is associated with this attack. The exploitability is told to be difficult. The exploit has been released to the public and may be used for attacks. The pull request to fix this issue awaits acceptance."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.7,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 2.6,
"vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-328",
"description": "Use of Weak Hash",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-327",
"description": "Risky Cryptographic Algorithm",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-05T10:15:09.187Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-376321 | exo-explore exo Vision Feature Cache vision.py _image_cache_key weak hash",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/376321"
},
{
"name": "VDB-376321 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/376321/cti"
},
{
"name": "CVE-2026-14738 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-14738"
},
{
"name": "Submit #848737 | exo-explore exo 1.0.71 Use of Weak Hash",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/848737"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/exo-explore/exo/issues/2151"
},
{
"tags": [
"issue-tracking",
"patch"
],
"url": "https://github.com/exo-explore/exo/pull/2152"
},
{
"tags": [
"product"
],
"url": "https://github.com/exo-explore/exo/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-04T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-04T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-04T11:11:16.000Z",
"value": "VulDB entry last update"
}
],
"title": "exo-explore exo Vision Feature Cache vision.py _image_cache_key weak hash"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-14738",
"datePublished": "2026-07-05T10:15:09.187Z",
"dateReserved": "2026-07-04T09:06:11.045Z",
"dateUpdated": "2026-07-06T13:33:34.713Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-14742 (GCVE-0-2026-14742)
Vulnerability from cvelistv5 – Published: 2026-07-05 10:45 – Updated: 2026-07-06 17:59| URL | Tags |
|---|---|
| https://vuldb.com/vuln/376328 | vdb-entrytechnical-description |
| https://vuldb.com/vuln/376328/cti | signaturepermissions-required |
| https://vuldb.com/cve/CVE-2026-14742 | third-party-advisory |
| https://vuldb.com/submit/849217 | third-party-advisory |
| https://github.com/langchain-ai/langgraph/issues/8009 | exploitissue-tracking |
| https://github.com/langchain-ai/langgraph/pull/8069 | issue-trackingpatch |
| https://github.com/langchain-ai/langgraph/ | product |
| Vendor | Product | Version | |
|---|---|---|---|
| langchain-ai | langgraph |
Affected:
1.2.0
Affected: 1.2.1 Affected: 1.2.2 Affected: 1.2.3 Affected: 1.2.4 cpe:2.3:a:langchain-ai:langgraph:*:*:*:*:*:*:*:* |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-14742",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-07-06T17:59:36.498934Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-07-06T17:59:43.776Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:langchain-ai:langgraph:*:*:*:*:*:*:*:*"
],
"modules": [
"Task Result Cache"
],
"product": "langgraph",
"vendor": "langchain-ai",
"versions": [
{
"status": "affected",
"version": "1.2.0"
},
{
"status": "affected",
"version": "1.2.1"
},
{
"status": "affected",
"version": "1.2.2"
},
{
"status": "affected",
"version": "1.2.3"
},
{
"status": "affected",
"version": "1.2.4"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Dem0 (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB CNA Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was determined in langchain-ai langgraph up to 1.2.4. The affected element is the function _freeze of the file libs/langgraph/langgraph/_internal/_cache.py of the component Task Result Cache. This manipulation of the argument default_cache_key causes use of weak hash. The attack is possible to be carried out remotely. The complexity of an attack is rather high. The exploitability is described as difficult. The exploit has been publicly disclosed and may be utilized. The pull request to fix this issue awaits acceptance."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 2.3,
"baseSeverity": "LOW",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.1,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 2.1,
"vectorString": "AV:N/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-328",
"description": "Use of Weak Hash",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-327",
"description": "Risky Cryptographic Algorithm",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-07-05T10:45:09.243Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-376328 | langchain-ai langgraph Task Result Cache _cache.py _freeze weak hash",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/376328"
},
{
"name": "VDB-376328 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/376328/cti"
},
{
"name": "CVE-2026-14742 | CVE Analysis and Report",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/cve/CVE-2026-14742"
},
{
"name": "Submit #849217 | langchain-ai langgraph 1.2.4 Use of Weak Hash",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/849217"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/langchain-ai/langgraph/issues/8009"
},
{
"tags": [
"issue-tracking",
"patch"
],
"url": "https://github.com/langchain-ai/langgraph/pull/8069"
},
{
"tags": [
"product"
],
"url": "https://github.com/langchain-ai/langgraph/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-07-04T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-07-04T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-07-04T14:51:42.000Z",
"value": "VulDB entry last update"
}
],
"title": "langchain-ai langgraph Task Result Cache _cache.py _freeze weak hash"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-14742",
"datePublished": "2026-07-05T10:45:09.243Z",
"dateReserved": "2026-07-04T12:46:38.803Z",
"dateUpdated": "2026-07-06T17:59:43.776Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27754 (GCVE-0-2026-27754)
Vulnerability from cvelistv5 – Published: 2026-02-27 18:09 – Updated: 2026-03-03 18:09- CWE-328 - Use of Weak Hash
| URL | Tags |
|---|---|
| https://www.sodola-network.com/products/sodola-6-… | product |
| https://www.vulncheck.com/advisories/sodola-sl902… | third-party-advisory |
| Vendor | Product | Version | |
|---|---|---|---|
| Shenzhen Hongyavision Technology Co., Ltd. (Sodola Networks) | SODOLA SL902-SWTGW124AS |
Affected:
0 , ≤ 200.1.20
(semver)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27754",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-27T19:02:56.043556Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-03T18:09:56.948Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unknown",
"product": "SODOLA SL902-SWTGW124AS",
"vendor": "Shenzhen Hongyavision Technology Co., Ltd. (Sodola Networks)",
"versions": [
{
"lessThanOrEqual": "200.1.20",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:o:sodolanetworks:sodola_sl902-swtgw124as_firmware:*:*:*:*:*:*:*:*",
"versionEndIncluding": "200.1.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Kazuma Matsumoto, a security researcher at GMO Cybersecurity by IERAE, Inc."
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 use the cryptographically broken MD5 hash function for session cookie generation, weakening session security. Attackers can exploit predictable session tokens combined with MD5\u0027s collision vulnerabilities to forge valid session cookies and gain unauthorized access to the device."
}
],
"value": "SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 use the cryptographically broken MD5 hash function for session cookie generation, weakening session security. Attackers can exploit predictable session tokens combined with MD5\u0027s collision vulnerabilities to forge valid session cookies and gain unauthorized access to the device."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
},
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-328",
"description": "CWE-328 Use of Weak Hash",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-02T17:29:59.974Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"product"
],
"url": "https://www.sodola-network.com/products/sodola-6-port-2-5g-easy-web-managed-switch-4-x-2-5g-base-t-ports-2-x-10g-sfp-static-aggregation-qos-vlan-igmp-2-5gb-network-home-lab-switch"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/sodola-sl902-swtgw124as-md5-session-token-generation"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "SODOLA SL902-SWTGW124AS \u003c= 200.1.20 MD5 Session Token Generation",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-27754",
"datePublished": "2026-02-27T18:09:33.191Z",
"dateReserved": "2026-02-23T21:38:48.842Z",
"dateUpdated": "2026-03-03T18:09:56.948Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation ID: MIT-51
Phase: Architecture and Design
Description:
- Use an adaptive hash function that can be configured to change the amount of computational effort needed to compute the hash, such as the number of iterations ("stretching") or the amount of memory required. Some hash functions perform salting automatically. These functions can significantly increase the overhead for a brute force attack compared to intentionally-fast functions such as MD5. For example, rainbow table attacks can become infeasible due to the high computing overhead. Finally, since computing power gets faster and cheaper over time, the technique can be reconfigured to increase the workload without forcing an entire replacement of the algorithm in use.
- Some hash functions that have one or more of these desired properties include bcrypt [REF-291], scrypt [REF-292], and PBKDF2 [REF-293]. While there is active debate about which of these is the most effective, they are all stronger than using salts with hash functions with very little computing overhead.
- Note that using these functions can have an impact on performance, so they require special consideration to avoid denial-of-service attacks. However, their configurability provides finer control over how much CPU and memory is used, so it could be adjusted to suit the environment's needs.
CAPEC-461: Web Services API Signature Forgery Leveraging Hash Function Extension Weakness
An adversary utilizes a hash function extension/padding weakness, to modify the parameters passed to the web service requesting authentication by generating their own call in order to generate a legitimate signature hash (as described in the notes), without knowledge of the secret token sometimes provided by the web service.
CAPEC-68: Subvert Code-signing Facilities
Many languages use code signing facilities to vouch for code's identity and to thus tie code to its assigned privileges within an environment. Subverting this mechanism can be instrumental in an attacker escalating privilege. Any means of subverting the way that a virtual machine enforces code signing classifies for this style of attack.