Description
A vulnerability was found in SimStudioAI sim up to 0.6.92. Affected by this vulnerability is an unknown functionality in the library apps/sim/lib/core/security/deployment.ts of the component Password Protection Handler. Performing a manipulation results in use of weak hash. The attack is possible to be carried out remotely. The attack's complexity is rated as high. The exploitation appears to be difficult. The exploit has been made public and could be used. The pull request to fix this issue awaits acceptance.
Published: 2026-06-28
Score: 6.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A weakness in the Password Protection Handler of SimStudioAI sim causes a weak hash algorithm to be used when passwords are stored or verified. This flaw can allow an attacker, who can remotely manipulate the affected functionality, to recover or guess user passwords and gain unauthorized access to accounts, compromising confidentiality.

Affected Systems

The vulnerability affects the SimStudioAI sim product up to version 0.6.92, specifically the component located in apps/sim/lib/core/security/deployment.ts. The compromised functionality is present in the library used by SimStudioAI components.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate severity. No EPSS score is available, so no published exploitation probability is known. The attack is described as remote, with high complexity and difficult exploitation. The flaw is not yet listed in CISA KEV, and the fix has not been merged. Until a patch is released, the risk remains moderate but active.

Generated by OpenCVE AI on June 28, 2026 at 23:20 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Subscribe to SimStudioAI release notes or watch the pull request that resolves the weak hash issue and apply the update promptly once merged.
  • Replace the current weak hash algorithm in the Password Protection Handler with a strong, salted hashing scheme such as PBKDF2, Argon2, or SHA-256 with a unique salt, and remove any unused or exposed code paths that allow manipulation.
  • Disable or restrict the unknown functionality in deployment.ts that permits remote manipulation until the official fix is deployed.

Generated by OpenCVE AI on June 28, 2026 at 23:20 UTC.
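
A salted, iterated scheme of the kind the second recommended action describes, as an added example (not SimStudioAI's code and not the pending pull request). It uses PBKDF2-HMAC-SHA256 from Node's built-in crypto module rather than a single salted SHA-256 pass, which is fast to brute-force; the function names, record format and iteration count are assumptions.

```javascript
// Added example: not SimStudioAI code. All names and the record format are hypothetical.
const { pbkdf2Sync, randomBytes, timingSafeEqual } = require("node:crypto");

const ITERATIONS = 600000;       // assumed work factor for PBKDF2-HMAC-SHA256; tune to your hardware
const MAX_ITERATIONS = 10000000; // refuse records that would make verification a DoS vector
const KEY_LEN = 32;              // derived key length in bytes
const SALT_LEN = 16;             // unique random salt per password

// Returns a self-describing record: pbkdf2-sha256$<iterations>$<salt b64>$<key b64>
function hashPassword(password, iterations = ITERATIONS) {
  const salt = randomBytes(SALT_LEN);
  const key = pbkdf2Sync(password, salt, iterations, KEY_LEN, "sha256");
  return ["pbkdf2-sha256", iterations, salt.toString("base64"), key.toString("base64")].join("$");
}

// Parses a stored record; returns null for anything not in the expected format.
function parseRecord(record) {
  const parts = String(record).split("$");
  if (parts.length !== 4 || parts[0] !== "pbkdf2-sha256") return null;
  const iterations = Number(parts[1]);
  if (!Number.isInteger(iterations) || iterations < 1 || iterations > MAX_ITERATIONS) return null;
  const salt = Buffer.from(parts[2], "base64");
  const key = Buffer.from(parts[3], "base64");
  if (salt.length === 0 || key.length === 0) return null;
  return { iterations, salt, key };
}

// Recomputes the key with the stored salt and iteration count, then compares in constant time.
function verifyPassword(password, record) {
  const parsed = parseRecord(record);
  if (!parsed) return false; // legacy or malformed records never verify here
  const candidate = pbkdf2Sync(password, parsed.salt, parsed.iterations, parsed.key.length, "sha256");
  return timingSafeEqual(candidate, parsed.key); // equal lengths by construction
}

// True when a record should be re-hashed after the next successful login
// (old format, or a work factor below the current minimum).
function needsRehash(record, minIterations = ITERATIONS) {
  const parsed = parseRecord(record);
  return !parsed || parsed.iterations < minIterations;
}
```

Storing the algorithm name and iteration count in each record lets the work factor be raised later without invalidating existing passwords.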

Advisories

No advisories yet.

History

Sun, 28 Jun 2026 22:45:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was found in SimStudioAI sim up to 0.6.92. Affected by this vulnerability is an unknown functionality in the library apps/sim/lib/core/security/deployment.ts of the component Password Protection Handler. Performing a manipulation results in use of weak hash. The attack is possible to be carried out remotely. The attack's complexity is rated as high. The exploitation appears to be difficult. The exploit has been made public and could be used. The pull request to fix this issue awaits acceptance.
Title | | SimStudioAI sim Password Protection deployment.ts weak hash
First Time appeared | | Sim, Sim sim
Weaknesses | | CWE-327, CWE-328
CPEs | | cpe:2.3:a:sim:sim:*:*:*:*:*:*:*:*
Vendors & Products | | Sim, Sim sim
References | |
Metrics | | cvssV2_0: {'score': 2.6, 'vector': 'AV:N/AC:H/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0: {'score': 3.7, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
 | | cvssV3_1: {'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}
 | | cvssV4_0: {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-28T22:15:11.256Z

Reserved: 2026-06-28T06:27:00.657Z

Link: CVE-2026-13510

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-28T23:30:17Z

Weaknesses
  • CWE-327: Use of a Broken or Risky Cryptographic Algorithm
  • CWE-328: Use of Weak Hash