CWE-326
Allowed-with-ReviewInadequate Encryption Strength
Abstraction: Class · Status: Draft
The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
633 vulnerabilities reference this CWE, most recent first.
GHSA-P5MP-XG3R-JXWF
Vulnerability from github – Published: 2022-05-13 01:22 – Updated: 2022-05-13 01:22controller/fetchpwd.php and controller/doAction.php in Hotels_Server through 2018-11-05 rely on base64 in an attempt to protect password storage.
{
"affected": [],
"aliases": [
"CVE-2019-7648"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-02-08T17:29:00Z",
"severity": "HIGH"
},
"details": "controller/fetchpwd.php and controller/doAction.php in Hotels_Server through 2018-11-05 rely on base64 in an attempt to protect password storage.",
"id": "GHSA-p5mp-xg3r-jxwf",
"modified": "2022-05-13T01:22:52Z",
"published": "2022-05-13T01:22:52Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-7648"
},
{
"type": "WEB",
"url": "https://github.com/FantasticLBP/Hotels_Server/issues/2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P5X3-568X-9FQ9
Vulnerability from github – Published: 2022-05-14 01:22 – Updated: 2022-05-14 01:22Using remote content in encrypted messages can lead to the disclosure of plaintext. This vulnerability affects Thunderbird ESR < 52.8 and Thunderbird < 52.8.
{
"affected": [],
"aliases": [
"CVE-2018-5184"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-06-11T21:29:00Z",
"severity": "HIGH"
},
"details": "Using remote content in encrypted messages can lead to the disclosure of plaintext. This vulnerability affects Thunderbird ESR \u003c 52.8 and Thunderbird \u003c 52.8.",
"id": "GHSA-p5x3-568x-9fq9",
"modified": "2022-05-14T01:22:00Z",
"published": "2022-05-14T01:22:00Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-5184"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:1725"
},
{
"type": "WEB",
"url": "https://access.redhat.com/errata/RHSA-2018:1726"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1411592"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2018/05/msg00013.html"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/201811-13"
},
{
"type": "WEB",
"url": "https://usn.ubuntu.com/3660-1"
},
{
"type": "WEB",
"url": "https://www.debian.org/security/2018/dsa-4209"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2018-13"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/104240"
},
{
"type": "WEB",
"url": "http://www.securitytracker.com/id/1040946"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-P723-W3QM-QPVW
Vulnerability from github – Published: 2022-05-24 17:34 – Updated: 2022-05-24 17:34Inadequate encryption strength in subsystem for Intel(R) CSME versions before 13.0.40 and 13.30.10 may allow an unauthenticated user to potentially enable information disclosure via physical access.
{
"affected": [],
"aliases": [
"CVE-2020-8761"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2020-11-12T18:15:00Z",
"severity": "MODERATE"
},
"details": "Inadequate encryption strength in subsystem for Intel(R) CSME versions before 13.0.40 and 13.30.10 may allow an unauthenticated user to potentially enable information disclosure via physical access.",
"id": "GHSA-p723-w3qm-qpvw",
"modified": "2022-05-24T17:34:14Z",
"published": "2022-05-24T17:34:14Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8761"
},
{
"type": "WEB",
"url": "https://security.netapp.com/advisory/ntap-20201113-0002"
},
{
"type": "WEB",
"url": "https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00391"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-PC4M-VCWH-9C5H
Vulnerability from github – Published: 2022-11-01 19:00 – Updated: 2022-11-03 19:00The application was signed using a key length less than or equal to 1024 bits, making it potentially vulnerable to forged digital signatures. An attacker could forge the same digital signature of the app after maliciously modifying the app.
{
"affected": [],
"aliases": [
"CVE-2020-4099"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-11-01T18:15:00Z",
"severity": "HIGH"
},
"details": "The application was signed using a key length less than or equal to 1024 bits, making it potentially vulnerable to forged digital signatures. An attacker could forge the same digital signature of the app after maliciously modifying the app.",
"id": "GHSA-pc4m-vcwh-9c5h",
"modified": "2022-11-03T19:00:25Z",
"published": "2022-11-01T19:00:28Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-4099"
},
{
"type": "WEB",
"url": "https://support.hcltechsw.com/csm?id=kb_article\u0026sysparm_article=KB0100861"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PC4P-7W58-PGG2
Vulnerability from github – Published: 2022-04-30 18:18 – Updated: 2024-02-14 18:30Pathways Homecare 6.5 uses weak encryption for user names and passwords, which allows local users to gain privileges by recovering the passwords from the pwhc.ini file.
{
"affected": [],
"aliases": [
"CVE-2001-1546"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2001-12-31T05:00:00Z",
"severity": "MODERATE"
},
"details": "Pathways Homecare 6.5 uses weak encryption for user names and passwords, which allows local users to gain privileges by recovering the passwords from the pwhc.ini file.",
"id": "GHSA-pc4p-7w58-pgg2",
"modified": "2024-02-14T18:30:21Z",
"published": "2022-04-30T18:18:17Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2001-1546"
},
{
"type": "WEB",
"url": "http://www.iss.net/security_center/static/7682.php"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/archive/1/244367"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/3653"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-PFQV-VHWJ-2RJW
Vulnerability from github – Published: 2026-05-11 18:31 – Updated: 2026-05-11 18:31In Meari IoT SDK image handling (libmrplayer.so) as observed in CloudEdge 5.5.0 (build 220), Arenti 1.8.1 (build 220), and related white-label apps (<= 1.8.x), baby monitor ".jpgx3" files use reversible XOR over only the first 1024 bytes with a predictable key derivation model.
{
"affected": [],
"aliases": [
"CVE-2026-33361"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-11T17:16:30Z",
"severity": "HIGH"
},
"details": "In Meari IoT SDK image handling (libmrplayer.so) as observed in CloudEdge 5.5.0 (build 220), Arenti 1.8.1 (build 220), and related white-label apps (\u003c= 1.8.x), baby monitor \".jpgx3\" files use reversible XOR over only the first 1024 bytes with a predictable key derivation model.",
"id": "GHSA-pfqv-vhwj-2rjw",
"modified": "2026-05-11T18:31:45Z",
"published": "2026-05-11T18:31:45Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33361"
},
{
"type": "WEB",
"url": "https://github.com/xn0tsa/nobody-puts-baby-in-a-corner"
},
{
"type": "WEB",
"url": "https://www.runzero.com/advisories/meari-weak-xor-obfuscation-cve-2026-33361"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PFV4-G52J-F26M
Vulnerability from github – Published: 2023-03-22 18:30 – Updated: 2023-03-22 18:30Experience Manager versions 6.5.15.0 (and earlier) are affected by a Weak Cryptography for Passwords vulnerability that can lead to a security feature bypass. A low-privileged attacker can exploit this in order to decrypt a user's password. The attack complexity is high since a successful exploitation requires to already have in possession this encrypted secret.
{
"affected": [],
"aliases": [
"CVE-2023-22271"
],
"database_specific": {
"cwe_ids": [
"CWE-261",
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-03-22T17:15:00Z",
"severity": "MODERATE"
},
"details": "Experience Manager versions 6.5.15.0 (and earlier) are affected by a Weak Cryptography for Passwords vulnerability that can lead to a security feature bypass. A low-privileged attacker can exploit this in order to decrypt a user\u0027s password. The attack complexity is high since a successful exploitation requires to already have in possession this encrypted secret.",
"id": "GHSA-pfv4-g52j-f26m",
"modified": "2023-03-22T18:30:39Z",
"published": "2023-03-22T18:30:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22271"
},
{
"type": "WEB",
"url": "https://helpx.adobe.com/security/products/experience-manager/apsb23-18.html"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PHPW-4P8W-67HR
Vulnerability from github – Published: 2022-05-24 19:08 – Updated: 2023-08-08 15:31A reordering issue exists in Telegram before 7.8.1 for Android, Telegram before 7.8.3 for iOS, and Telegram Desktop before 2.8.8. An attacker can cause the server to receive messages in a different order than they were sent a client.
{
"affected": [],
"aliases": [
"CVE-2021-36769"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-07-17T00:15:00Z",
"severity": "MODERATE"
},
"details": "A reordering issue exists in Telegram before 7.8.1 for Android, Telegram before 7.8.3 for iOS, and Telegram Desktop before 2.8.8. An attacker can cause the server to receive messages in a different order than they were sent a client.",
"id": "GHSA-phpw-4p8w-67hr",
"modified": "2023-08-08T15:31:18Z",
"published": "2022-05-24T19:08:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-36769"
},
{
"type": "WEB",
"url": "https://mtpsym.github.io"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PHVM-XXQQ-RG95
Vulnerability from github – Published: 2022-04-03 00:01 – Updated: 2022-04-12 00:01An attacker could decipher the encryption and gain access to MDT AutoSave versions prior to v6.02.06.
{
"affected": [],
"aliases": [
"CVE-2021-32945"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-04-01T23:15:00Z",
"severity": "HIGH"
},
"details": "An attacker could decipher the encryption and gain access to MDT AutoSave versions prior to v6.02.06.",
"id": "GHSA-phvm-xxqq-rg95",
"modified": "2022-04-12T00:01:11Z",
"published": "2022-04-03T00:01:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-32945"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/uscert/ics/advisories/icsa-21-189-02"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-PP2F-P95F-2XHX
Vulnerability from github – Published: 2022-04-30 18:22 – Updated: 2024-02-14 18:30Microsoft SQL Server 6.0 through 2000, with SQL Authentication enabled, uses weak password encryption (XOR), which allows remote attackers to sniff and decrypt the password.
{
"affected": [],
"aliases": [
"CVE-2002-1872"
],
"database_specific": {
"cwe_ids": [
"CWE-326"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2002-12-31T05:00:00Z",
"severity": "MODERATE"
},
"details": "Microsoft SQL Server 6.0 through 2000, with SQL Authentication enabled, uses weak password encryption (XOR), which allows remote attackers to sniff and decrypt the password.",
"id": "GHSA-pp2f-p95f-2xhx",
"modified": "2024-02-14T18:30:22Z",
"published": "2022-04-30T18:22:02Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2002-1872"
},
{
"type": "WEB",
"url": "http://online.securityfocus.com/archive/1/298361"
},
{
"type": "WEB",
"url": "http://www.iss.net/security_center/static/10542.php"
},
{
"type": "WEB",
"url": "http://www.nextgenss.com/papers/tp-SQL2000.pdf"
},
{
"type": "WEB",
"url": "http://www.securityfocus.com/bid/6097"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
Mitigation
Use an encryption scheme that is currently considered to be strong by experts in the field.
CAPEC-112: Brute Force
In this attack, some asset (information, functionality, identity, etc.) is protected by a finite secret value. The attacker attempts to gain access to this asset by using trial-and-error to exhaustively explore all the possible secret values in the hope of finding the secret (or a value that is functionally equivalent) that will unlock the asset.
CAPEC-192: Protocol Analysis
An adversary engages in activities to decipher and/or decode protocol information for a network or application communication protocol used for transmitting information between interconnected nodes or systems on a packet-switched data network. While this type of analysis involves the analysis of a networking protocol inherently, it does not require the presence of an actual or physical network.
CAPEC-20: Encryption Brute Forcing
An attacker, armed with the cipher text and the encryption algorithm used, performs an exhaustive (brute force) search on the key space to determine the key that decrypts the cipher text to obtain the plaintext.