Common Weakness Enumeration

CWE-326

Allowed-with-Review

Inadequate Encryption Strength

Abstraction: Class · Status: Draft

The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.

631 vulnerabilities reference this CWE, most recent first.

GHSA-3JRW-Q59W-MPR2

Vulnerability from github – Published: 2025-06-03 15:31 – Updated: 2025-06-03 21:30
VLAI
Details

An issue was discovered in Unicom Focal Point 7.6.1. The database is encrypted with a hardcoded key, making it easier to recover the cleartext data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-43925"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-06-03T15:15:58Z",
    "severity": "MODERATE"
  },
  "details": "An issue was discovered in Unicom Focal Point 7.6.1. The database is encrypted with a hardcoded key, making it easier to recover the cleartext data.",
  "id": "GHSA-3jrw-q59w-mpr2",
  "modified": "2025-06-03T21:30:37Z",
  "published": "2025-06-03T15:31:26Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-43925"
    },
    {
      "type": "WEB",
      "url": "https://www.unicomsi.com/products/focal-point"
    },
    {
      "type": "WEB",
      "url": "https://www.unicomsi.com/security-advisory"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3MPR-VW5V-HQ89

Vulnerability from github – Published: 2022-05-24 19:10 – Updated: 2022-07-13 00:01
VLAI
Details

In JetBrains YouTrack before 2021.2.16363, system user passwords were hashed with SHA-256.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-37551"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-08-06T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In JetBrains YouTrack before 2021.2.16363, system user passwords were hashed with SHA-256.",
  "id": "GHSA-3mpr-vw5v-hq89",
  "modified": "2022-07-13T00:01:34Z",
  "published": "2022-05-24T19:10:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37551"
    },
    {
      "type": "WEB",
      "url": "https://blog.jetbrains.com/blog/2021/08/05/jetbrains-security-bulletin-q2-2021"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3MVX-8XGC-HH5R

Vulnerability from github – Published: 2022-04-21 00:00 – Updated: 2022-05-01 00:00
VLAI
Details

Hills ComNav version 3002-19 suffers from a weak communication channel. Traffic across the local network for the configuration pages can be viewed by a malicious actor. The size of certain communications packets are predictable. This would allow an attacker to learn the state of the system if they can observe the traffic. This would be possible even if the traffic were encrypted, e.g., using WPA2, as the packet sizes would remain observable. The communication encryption scheme is theoretically sound, but is not strong enough for the level of protection required.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-1318"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-203",
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-04-20T16:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Hills ComNav version 3002-19 suffers from a weak communication channel. Traffic across the local network for the configuration pages can be viewed by a malicious actor. The size of certain communications packets are predictable. This would allow an attacker to learn the state of the system if they can observe the traffic. This would be possible even if the traffic were encrypted, e.g., using WPA2, as the packet sizes would remain observable. The communication encryption scheme is theoretically sound, but is not strong enough for the level of protection required.",
  "id": "GHSA-3mvx-8xgc-hh5r",
  "modified": "2022-05-01T00:00:38Z",
  "published": "2022-04-21T00:00:24Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1318"
    },
    {
      "type": "WEB",
      "url": "https://www.corporate.carrier.com/Images/CARR-PSA-Hills-ComNav-002-1121_tcm558-149392.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3PCW-VP3F-6HVH

Vulnerability from github – Published: 2022-05-13 01:37 – Updated: 2022-05-13 01:37
VLAI
Details

Beckhoff TwinCAT supports communication over ADS. ADS is a protocol for industrial automation in protected environments. ADS has not been designed to achieve security purposes and therefore does not include any encryption algorithms because of their negative effect on performance and throughput. An attacker can forge arbitrary ADS packets when legitimate ADS traffic is observable.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-16726"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2018-06-27T19:29:00Z",
    "severity": "CRITICAL"
  },
  "details": "Beckhoff TwinCAT supports communication over ADS. ADS is a protocol for industrial automation in protected environments. ADS has not been designed to achieve security purposes and therefore does not include any encryption algorithms because of their negative effect on performance and throughput. An attacker can forge arbitrary ADS packets when legitimate ADS traffic is observable.",
  "id": "GHSA-3pcw-vp3f-6hvh",
  "modified": "2022-05-13T01:37:21Z",
  "published": "2022-05-13T01:37:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-16726"
    },
    {
      "type": "WEB",
      "url": "https://download.beckhoff.com/download/Document/product-security/Advisories/advisory-2017-001.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3QPW-79H9-Q4JC

Vulnerability from github – Published: 2022-05-17 03:00 – Updated: 2022-05-17 03:00
VLAI
Details

IBM AppScan Source uses a one-way hash without salt to encrypt highly sensitive information, which could allow a local attacker to decrypt information more easily.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2016-3034"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2017-02-01T20:59:00Z",
    "severity": "MODERATE"
  },
  "details": "IBM AppScan Source uses a one-way hash without salt to encrypt highly sensitive information, which could allow a local attacker to decrypt information more easily.",
  "id": "GHSA-3qpw-79h9-q4jc",
  "modified": "2022-05-17T03:00:02Z",
  "published": "2022-05-17T03:00:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2016-3034"
    },
    {
      "type": "WEB",
      "url": "http://www.ibm.com/support/docview.wss?uid=swg21995903"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/95195"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3QRC-JGQF-VG35

Vulnerability from github – Published: 2022-12-22 21:30 – Updated: 2025-04-16 18:31
VLAI
Details

When viewing an email message A, which contains an attached message B, where B is encrypted or digitally signed or both, Thunderbird may show an incorrect encryption or signature status. After opening and viewing the attached message B, when returning to the display of message A, the message A might be shown with the security status of message B. This vulnerability affects Thunderbird < 91.9.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-1520"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326",
      "CWE-346"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-22T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "When viewing an email message A, which contains an attached message B, where B is encrypted or digitally signed or both, Thunderbird may show an incorrect encryption or signature status. After opening and viewing the attached message B, when returning to the display of message A, the message A might be shown with the security status of message B. This vulnerability affects Thunderbird \u003c 91.9.",
  "id": "GHSA-3qrc-jgqf-vg35",
  "modified": "2025-04-16T18:31:35Z",
  "published": "2022-12-22T21:30:30Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1520"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1745019"
    },
    {
      "type": "WEB",
      "url": "https://www.mozilla.org/security/advisories/mfsa2022-18"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3R87-4XWQ-XH86

Vulnerability from github – Published: 2025-11-10 21:30 – Updated: 2025-11-10 21:30
VLAI
Details

Inappropriate implementation in App-Bound Encryption in Google Chrome on Windows prior to 142.0.7444.59 allowed a local attacker to obtain potentially sensitive information from process memory via a malicious file. (Chromium security severity: Medium)

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-12439"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-10T20:15:38Z",
    "severity": "MODERATE"
  },
  "details": "Inappropriate implementation in App-Bound Encryption in Google Chrome on Windows prior to 142.0.7444.59 allowed a local attacker to obtain potentially sensitive information from process memory via a malicious file. (Chromium security severity: Medium)",
  "id": "GHSA-3r87-4xwq-xh86",
  "modified": "2025-11-10T21:30:35Z",
  "published": "2025-11-10T21:30:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12439"
    },
    {
      "type": "WEB",
      "url": "https://chromereleases.googleblog.com/2025/10/stable-channel-update-for-desktop_28.html"
    },
    {
      "type": "WEB",
      "url": "https://issues.chromium.org/issues/382234536"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3W5V-CCPQ-XW6C

Vulnerability from github – Published: 2022-05-24 19:09 – Updated: 2023-08-08 15:31
VLAI
Details

In Charm 0.43, any two users can collude to achieve the ability to decrypt YCT14 data.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2021-37588"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2021-07-30T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "In Charm 0.43, any two users can collude to achieve the ability to decrypt YCT14 data.",
  "id": "GHSA-3w5v-ccpq-xw6c",
  "modified": "2023-08-08T15:31:19Z",
  "published": "2022-05-24T19:09:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-37588"
    },
    {
      "type": "WEB",
      "url": "https://github.com/JHUISI/charm/issues/276"
    },
    {
      "type": "WEB",
      "url": "https://eprint.iacr.org/2020/460"
    },
    {
      "type": "WEB",
      "url": "https://github.com/JHUISI/charm/blob/dev/charm/schemes/abenc/abenc_yct14.py"
    },
    {
      "type": "WEB",
      "url": "https://www2.hci.uni-hannover.de/papers/Tan2019.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3W75-3VFV-C67R

Vulnerability from github – Published: 2022-05-13 01:37 – Updated: 2022-05-13 01:37
VLAI
Details

IBM QRadar SIEM 7.2 and 7.3 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 134177.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2017-1695"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2019-02-15T20:29:00Z",
    "severity": "HIGH"
  },
  "details": "IBM QRadar SIEM 7.2 and 7.3 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 134177.",
  "id": "GHSA-3w75-3vfv-c67r",
  "modified": "2022-05-13T01:37:02Z",
  "published": "2022-05-13T01:37:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-1695"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/134177"
    },
    {
      "type": "WEB",
      "url": "https://www.ibm.com/support/docview.wss?uid=ibm10719107"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/107060"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-3WMF-WHVW-C22M

Vulnerability from github – Published: 2026-07-07 12:31 – Updated: 2026-07-08 21:30
VLAI
Details

The encryption algorithm used to protect the configuration of user accounts, stored in the built-in user directory of PcVue projects, all versions prior to 17.0.0, is not strong enough for the level of protection required. A local attacker could alter the existing configuration and ultimately gain privileged access to the PcVue application.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-14868"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-326"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-07-07T10:16:40Z",
    "severity": "HIGH"
  },
  "details": "The encryption algorithm used to protect the configuration of user accounts, stored in the built-in user directory of PcVue projects, all\u00a0versions prior to 17.0.0, is not strong enough for the level of protection required. A local attacker could alter the existing configuration and ultimately gain privileged access to the PcVue application.",
  "id": "GHSA-3wmf-whvw-c22m",
  "modified": "2026-07-08T21:30:25Z",
  "published": "2026-07-07T12:31:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14868"
    },
    {
      "type": "WEB",
      "url": "https://www.pcvue.com/security/#SB2026-5"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:U/V:X/RE:M/U:Amber",
      "type": "CVSS_V4"
    }
  ]
}

Mitigation
Architecture and Design

Use an encryption scheme that is currently considered to be strong by experts in the field.

CAPEC-112: Brute Force

In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset.

CAPEC-192: Protocol Analysis

An adversary engages in activities to decipher and/or decode protocol information for a network or application communication protocol used for transmitting information between interconnected nodes or systems on a packet-switched data network. While this type of analysis involves the analysis of a networking protocol inherently, it does not require the presence of an actual or physical network.

CAPEC-20: Encryption Brute Forcing

An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.