CVE-2026-26219 · CRITICAL 9.1 · EPSS p8.9%

Description

newbee-mall stores and verifies user passwords using an unsalted MD5 hashing algorithm. The implementation does not incorporate per-user salts or computational cost controls, enabling attackers who obtain password hashes through database exposure, backup leakage, or other compromise vectors to rapidly recover plaintext credentials via offline attacks.

Scoring

CVSS 3.1: 9.1 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS: 0.19% probability of exploitation · percentile 8.9% · 2026-06-18T12:00:27Z
Published: 2026-02-12
Last modified: 2026-02-25

Underlying weaknesses · 1

CWE-327

References

  1. https://github.com/newbee-ltd/newbee-mall/issues/119
  2. https://www.vulncheck.com/advisories/newbee-mall-unsalted-md5-password-hashing-enables-offline-credential-cracking

Type: Weakness
Target: Use of a Broken or Risky Cryptographic Algorithm (cwe-327)
Confidence: 0%
Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-26218
  2. CVE-2025-4259
  3. CVE-2025-45612
  4. CVE-2026-29861
  5. CVE-2026-25861
  6. CVE-2025-1956

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.