CRITICAL🇵🇱 Wersja polska

CVE-2026-26219

CVSS 9.3v4.0pub. 2026-02-12upd. 2026-02-25

newbee-mall stores and verifies user passwords using an unsalted MD5 hashing algorithm. The implementation does not incorporate per-user salts or computational cost controls, enabling attackers who obtain password hashes through database exposure, backup leakage, or other compromise vectors to rapidly recover plaintext credentials via offline attacks.

CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Newbee Mall Project Newbee Mall

    APP
    Newbee-Mall Project
    ≤ 1.0.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-26218CRITICAL9.3PL ✓ten sam produkt

Newbee-Mall: domyślne dane logowania administratora umożliwiają przejęcie konta

CVE-2022-27477CRITICAL9.8ten sam produkt

Newbee-Mall v1.0.0 was discovered to contain an arbitrary file upload via the Upload function at /admin/goods/...

CVE-2020-23448CRITICAL9.8ten sam produkt

newbee-mall all versions are affected by incorrect access control to remotely gain privileges through AdminLog...

CVE-2019-19113CRITICAL9.8ten sam produkt

main/resources/mapper/NewBeeMallGoodsMapper.xml in newbee-mall (aka New Bee) before 2019-10-23 allows search?g...

CVE-2024-48178HIGH8.1ten sam produkt

newbee-mall v1.0.0 is vulnerable to Server-Side Request Forgery (SSRF) via the goodsCoverImg parameter.