QloApps 1.7.0 Weak Password Hashing via MD5 in Tools.php

Advisories

QloApps 1.7.0 Weak Password Hashing via MD5 in Tools.php

severity: high
date: 6/2/2026
Affecting: QloApps <= 1.7.0, fixed in commit 64e9722
CVE: CVE-2026-25861
CWE: CWE-916 Use of Password Hash With Insufficient Computational Effort
CVSS: 8.2
CVSS V4 Vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
References: Pull Request
Patch Commit
Credit: Chia Min Jun Lennon
Description: QloApps through 1.7.0, fixed in commit 64e9722, contains a weak cryptographic algorithm vulnerability that allows attackers to compromise user credentials by exploiting the use of MD5 for password hashing in the Tools::encrypt() function within classes/Tools.php, which concatenates a static cookie key with the supplied password. Attackers can perform offline brute-force attacks against the MD5 hashes, with the risk compounded by auto-generated 8-character passwords assigned during guest-to-customer account conversion in classes/Customer.php, making credential recovery trivial.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo