Description
newbee-mall stores and verifies user passwords using an unsalted MD5 hashing algorithm. The implementation does not incorporate per-user salts or computational cost controls, enabling attackers who obtain password hashes through database exposure, backup leakage, or other compromise vectors to rapidly recover plaintext credentials via offline attacks.
Published: 2026-02-12
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Credential exposure via offline password cracking
Action: Apply patch
AI Analysis

Impact

newbee-mall stores user passwords using an unsalted MD5 hash without per-user salts or computational cost controls. This weakness, classified as CWE‑327, allows an attacker who obtains password hashes—through database breach, backup leakage, or other compromise—to perform rapid offline brute‑force attacks and recover plaintext credentials. The result is unauthorized system access and potential lateral movement within the affected environment.

Affected Systems

All installations of newbee‑ltd newbee‑mall, including the v1.0.0 release as specified by the CPE identifiers. No specific version patch is listed, indicating the problem persists across at least the versions enumerated.

Risk and Exploitability

The CVSS base score of 9.3 marks the vulnerability as critical, while the EPSS score of less than 1 % suggests a low probability of exploitation at present. The vulnerability is not yet listed in CISA’s Known Exploited Vulnerabilities catalog. Likely attack vectors include any scenario where an attacker can access the password hash database, such as data exfiltration during a breach or exposure of encrypted backups. Once obtained, the hashes can be cracked offline, granting immediate credential compromise.

Generated by OpenCVE AI on April 16, 2026 at 17:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest patch or upgrade newbee‑mall to a release that replaces MD5 hashing with a salt‑based, cost‑controlled algorithm such as bcrypt or Argon2.
  • Force a password reset for all users so new credentials are stored with the stronger algorithm, mitigating the risk of remaining stale MD5 hashes.
  • Secure all database backups and restrict access to credentials tables, ensuring that even if a backup is exfiltrated it cannot be used for rapid offline cracking.
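As an added illustration of the first two actions above (not code from the newbee-mall project), here is the unsalted-MD5 check the advisory describes beside a hardened verifier that uses a per-user random salt and a cost-controlled KDF, and that rewrites a legacy row on the user's next successful login. scrypt from Python's standard library stands in for the bcrypt or Argon2 named above; the storage format, cost parameters and function names are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1  # assumed cost parameters

def legacy_md5(password: str) -> str:
    """The weak scheme the advisory describes: unsalted MD5 as hex.
    Kept only so existing rows can be checked once and then replaced."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Hardened scheme: 16-byte random per-user salt plus a memory-hard KDF.
    Parameters are stored with the hash so they can be raised later."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "scrypt$%d$%d$%d$%s$%s" % (SCRYPT_N, SCRYPT_R, SCRYPT_P,
                                       salt.hex(), digest.hex())

def verify_scrypt(password: str, stored: str) -> bool:
    """Recompute with the parameters and salt embedded in the stored value."""
    _, n, r, p, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.scrypt(password.encode("utf-8"),
                            salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(digest.hex(), digest_hex)

def authenticate(password: str, stored: str) -> Tuple[bool, Optional[str]]:
    """Return (ok, new_stored). new_stored is set when a legacy MD5 row
    authenticated and must be rewritten with the hardened hash, so stale
    MD5 values disappear as users log in (a forced reset covers the rest)."""
    if stored.startswith("scrypt$"):
        return verify_scrypt(password, stored), None
    if hmac.compare_digest(legacy_md5(password), stored):
        return True, hash_password(password)
    return False, None
```

The caller persists `new_stored` when it is returned; accounts that never log in still need the forced reset from the second action.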

Advisories

No advisories yet.

History

Thu, 05 Mar 2026 02:15:00 +0000
  Type: CPEs
  Values Added: cpe:2.3:a:newbee-mall_project:newbee-mall:1.0.0:*:*:*:*:*:*:*

Wed, 25 Feb 2026 16:45:00 +0000
  Type: First Time appeared
  Values Added: Newbee-mall Project; Newbee-mall Project newbee-mall
  Type: CPEs
  Values Added: cpe:2.3:a:newbee-mall_project:newbee-mall:*:*:*:*:*:*:*:*
  Type: Vendors & Products
  Values Added: Newbee-mall Project; Newbee-mall Project newbee-mall

Fri, 13 Feb 2026 21:45:00 +0000
  Type: First Time appeared
  Values Added: Newbee-ltd; Newbee-ltd newbee-mall
  Type: Vendors & Products
  Values Added: Newbee-ltd; Newbee-ltd newbee-mall

Thu, 12 Feb 2026 20:15:00 +0000
  Type: Metrics
  Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 12 Feb 2026 19:00:00 +0000
  Type: Description
  Values Added: newbee-mall stores and verifies user passwords using an unsalted MD5 hashing algorithm. The implementation does not incorporate per-user salts or computational cost controls, enabling attackers who obtain password hashes through database exposure, backup leakage, or other compromise vectors to rapidly recover plaintext credentials via offline attacks.
  Type: Title
  Values Added: newbee-mall Unsalted MD5 Password Hashing Enables Offline Credential Cracking
  Type: Weaknesses
  Values Added: CWE-327
  Type: References
  Values Added: (none)
  Type: Metrics
  Values Added: cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}; cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-05T01:30:58.622Z

Reserved: 2026-02-11T20:08:07.944Z

Link: CVE-2026-26219

Vulnrichment

Updated: 2026-02-12T19:59:02.628Z

NVD

Status : Analyzed

Published: 2026-02-12T19:15:52.300

Modified: 2026-02-25T16:40:13.200

Link: CVE-2026-26219

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T17:15:17Z

Weaknesses