CVE-2026-25861 HIGH

CVE-2026-25861: QloApps 1.7.0 Weak Password Hashing via MD5 in Tools.php

Vendor Qloapps

Product QloApps

Weakness CWE-916

Published June 2, 2026

Last update June 3, 2026

View on NVD All CVEs

CVSS base score

8.2/10

Attack vector Network

Attack complexity High

Privileges required None

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

Description

QloApps through 1.7.0, fixed in commit 64e9722, contains a weak cryptographic algorithm vulnerability that allows attackers to compromise user credentials by exploiting the use of MD5 for password hashing in the Tools::encrypt() function within classes/Tools.php, which concatenates a static cookie key with the supplied password. Attackers can perform offline brute-force attacks against the MD5 hashes, with the risk compounded by auto-generated 8-character passwords assigned during guest-to-customer account conversion in classes/Customer.php, making credential recovery trivial.

Key dates

Disclosure timeline

June 2, 2026 CVE published

June 3, 2026 Record updated

Identifiers

CVE CVE-2026-25861

CWE CWE-916

CVSS 8.2 / HIGH

Affected versions

Vendor Qloapps

Product QloApps

Affected ≤ 1.7.0

Vendor Qloapps

Product QloApps

Affected 64e9722e7e6a8fda77dd53964d988fb6b5c3d174