CVE-2026-26219

CRITICAL EPSS 8.9%

Published Feb 12, 20264mo ago · Modified Feb 25, 20264mo ago

9.3 CVSS 4.0

Critical

Published Feb 12, 2026 4mo ago

Last Modified Feb 25, 2026 4mo ago

Description

newbee-mall stores and verifies user passwords using an unsalted MD5 hashing algorithm. The implementation does not incorporate per-user salts or computational cost controls, enabling attackers who obtain password hashes through database exposure, backup leakage, or other compromise vectors to rapidly recover plaintext credentials via offline attacks.

CVSS Details

Base Score

9.3

Exploitability

—

Impact

—

Vector string

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction None

Scope X

Threat Intelligence

EPSS Exploit Probability

8.9% percentile

Exploit & Patch Status

Public Exploit Known

No Patch Available

Weaknesses 1

CWE-327

Affected Products 1

Vendor	Product	Version	Range
newbee-mall_project	newbee-mall	*	≤1.0.0

References 2

github.com https://github.com/newbee-ltd/newbee-mall/issues/119

ExploitIssue TrackingVendor Advisory
vulncheck.com https://www.vulncheck.com/advisories/newbee-mall-unsalted-md5-password-hashing-enables-offline-credential-cracking

Third Party Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.