By weakness (CWE)

CWE-916: related vulnerabilities

CVEs classified under CWE-916. Understanding the weakness class helps prioritize systemic fixes over one-off patches.

1 published vulnerability

  • CVE-2026-25861MEDIUM 5.9

    QloApps versions through 1.7.0 use MD5 to hash passwords, a cryptographic method that is computationally cheap to crack. The vulnerability is particularly severe because QloApps concatenates a static value (a cookie key) with user passwords before hashing, reducing the effective randomness of the hash. When guest accounts are automatically converted to customer accounts, the system assigns simple 8-character passwords, which are trivially recoverable through offline brute-force attacks. An attacker who gains access to the password database can extract user credentials without needing to interact with the application in real time.