newbee-mall Unsalted MD5 Password Hashing Enables Offline Credential Cracking

Advisories

newbee-mall Unsalted MD5 Password Hashing Enables Offline Credential Cracking

severity: critical
date: 2/12/2026
Affecting: newbee-mall <= 1.0.0
CVE: CVE-2026-26219
CWE: CWE-327 Use of a Broken or Risky Cryptographic Algorithm
CVSS: 9.3
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
References: newbee-mall GitHub Issue
Credit: Lennon Chia
Description: newbee-mall stores and verifies user passwords using an unsalted MD5 hashing algorithm. The implementation does not incorporate per-user salts or computational cost controls, enabling attackers who obtain password hashes through database exposure, backup leakage, or other compromise vectors to rapidly recover plaintext credentials via offline attacks.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo