CVE Alert

CVE-2026-25861

MEDIUM 5.9

QloApps 1.7.0 Weak Password Hashing via MD5 in Tools.php

CVSS Score: 5.9
EPSS Score: 0.0%
EPSS Percentile: 6th

QloApps through 1.7.0 (fixed in commit 64e9722) hashes passwords with MD5. Tools::encrypt() in classes/Tools.php returns the MD5 of a static, site-wide cookie key concatenated with the supplied password. MD5 is fast and the key is the same for every account, so it adds no per-user salt: anyone who obtains the stored hashes together with that key can mount an offline brute-force or dictionary attack and recover plaintext credentials (CWE-916). The risk is compounded by the 8-character passwords that classes/Customer.php auto-generates when a guest account is converted to a customer account; their small keyspace makes recovery trivial. The attack presupposes access to the stored hashes (for example through a database leak), which is why the CVSS vector rates attack complexity High even though no privileges or user interaction are required.
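The construction described above and one way to replace it, as an added example written for this page (not QloApps code and not the contents of the fix commit). The cookie-key constant, the function names and the guest-password alphabet are assumptions; legacyEncrypt() reconstructs the scheme the advisory describes, not the project's actual implementation. The hardened path uses PHP's password_hash()/password_verify() and upgrades a legacy hash transparently at the user's next successful login:

```php
<?php
// Added illustration for CVE-2026-25861; not code from QloApps or the fix commit.
// Shows the weak construction the advisory describes next to a hardened
// replacement and a login path that upgrades legacy hashes transparently.
declare(strict_types=1);

// ASSUMPTION: the static, site-wide secret that Tools::encrypt() prepends.
// In a PrestaShop-derived install this is a constant in the config directory;
// the value here is made up.
const COOKIE_KEY = 'WQF8mJp3ZtGxVK0bRn2LsYd7HcEq4AuN';

// Weak scheme as described in the advisory (reconstructed, not the project's
// exact code): one unsalted MD5 over a constant key and the password. The key
// is identical for every account, so it adds no per-user salt, and MD5 runs at
// billions of guesses per second on commodity GPUs.
function legacyEncrypt(string $password): string
{
    return md5(COOKIE_KEY . $password);
}

// Hardened replacement: per-user random salt and a deliberately slow hash.
// PASSWORD_DEFAULT is bcrypt on current PHP; raising the cost later is safe
// because password_needs_rehash() flags hashes made with the old parameters.
const HASH_OPTIONS = ['cost' => 12];

function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT, HASH_OPTIONS);
}

// Verify a password against either a legacy MD5 value or a password_hash()
// value. Returns [bool ok, ?string newHash]; newHash is non-null when the
// caller should persist an upgraded hash (legacy format or outdated cost).
function verifyAndUpgrade(string $password, string $stored): array
{
    $info = password_get_info($stored);
    if (empty($info['algo'])) {
        // Not a password_hash() string: treat it as a legacy MD5 and rehash
        // on success so the weak value leaves the database at first login.
        if (!hash_equals($stored, legacyEncrypt($password))) {
            return [false, null];
        }
        return [true, hashPassword($password)];
    }
    if (!password_verify($password, $stored)) {
        return [false, null];
    }
    $new = password_needs_rehash($stored, PASSWORD_DEFAULT, HASH_OPTIONS)
        ? hashPassword($password)
        : null;
    return [true, $new];
}

// Guest-to-customer conversion: an 8-character password drawn from a 36- or
// 62-symbol alphabet is only about 41-48 bits, which a fast unsalted hash
// cannot protect. 20 characters from 62 symbols is about 119 bits, and the
// customer should in any case be made to set their own password afterwards.
function generateInitialPassword(int $length = 20): string
{
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789';
    $max = strlen($alphabet) - 1;
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= $alphabet[random_int(0, $max)];
    }
    return $out;
}

// Demo: a user whose row still holds a legacy hash logs in and is upgraded.
$password = generateInitialPassword();
$legacyStored = legacyEncrypt($password);

[$ok, $upgraded] = verifyAndUpgrade($password, $legacyStored);
assert($ok === true && $upgraded !== null);
assert(password_verify($password, $upgraded));
assert(verifyAndUpgrade($password, $upgraded)[1] === null); // already current

[$ok, $new] = verifyAndUpgrade('not-the-password', $legacyStored);
assert($ok === false && $new === null);

printf("legacy: %s\nupgraded: %s\n", $legacyStored, $upgraded);
```

The legacy branch exists only for migration: once every active account has logged in once and been rewritten, the MD5 comparison can be removed. Accounts that never log in again keep their crackable hash, so a deployment that has already suffered a database leak should force a password reset rather than wait for upgrade-on-login.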

CWE: CWE-916 (Use of Password Hash With Insufficient Computational Effort)
Vendor: qloapps
Product: qloapps
Published: Jun 2, 2026
Last Updated: Jun 3, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Affected Versions

Vendor / Product: QloApps / QloApps
Affected range: all versions up to and including 1.7.0 (0 ≤ version ≤ 1.7.0)
Fixed in commit: 64e9722e7e6a8fda77dd53964d988fb6b5c3d174

References

NVD · CVE.org · EPSS Data
https://github.com/Qloapps/QloApps/pull/1689
https://github.com/Qloapps/QloApps/commit/64e9722e7e6a8fda77dd53964d988fb6b5c3d174
https://www.vulncheck.com/advisories/qloapps-weak-password-hashing-via-md5-in-tools-php

Credits

Chia Min Jun Lennon (VulnCheck)