CVE-2026-7103 - Vulnerability Details

- code-projects Chat System MD5 Hash update_user.php weak hash

Description

A vulnerability was determined in code-projects Chat System 1.0. Affected is an unknown function of the file update_user.php of the component MD5 Hash Handler. This manipulation of the argument Password causes use of weak hash. The attack is possible to be carried out remotely. The attack's complexity is rated as high. The exploitability is told to be difficult. The exploit has been publicly disclosed and may be utilized.

Published: 2026-04-27

Score: 6.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

code-projects Chat System 1.0 contains a flaw in update_user.php where the password argument is hashed with the outdated MD5 algorithm. The CWE-327 and CWE-328 weaknesses allow an attacker to preprocess or brute‑force the hash, potentially revealing user passwords. Because the flaw resides in the authentication component, compromised passwords could lead to unauthorized account access.

Affected Systems

Affected product is the code-projects Chat System, specifically version 1.0. The vulnerability is tied to the MD5 Hash Handler in the update_user.php file. No other versions or upstream products are explicitly listed, so only this version is confirmed to be vulnerable.

Risk and Exploitability

CVSS score 6.3 indicates a moderate risk. EPSS <1% shows that public exploitation is unlikely, and the vulnerability is not in the CISA KEV catalog. The attack vector is remote, with a high complexity and difficult exploitability as stated, but the public disclosure means the threat is still present. Organizations running the vulnerable version should treat this as a medium‑severity threat until a proper cryptographic solution is in place.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

code-projects

Chat System

affected

Version	Status	Constraints
`1.0`	affected	—

No data.

Vendor Product Confidence Versions

Code-projects

Chat System

95%

Version	Status	Scheme	Platform
`[1.0,1.0]`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Replace the MD5 hash in update_user.php with a modern password‑hashing algorithm such as bcrypt, Argon2, or PBKDF2, ensuring unique salts per user.
Verify that the updated code correctly hashes, stores, and verifies passwords, and remove any legacy MD5 checks from the codebase.
Deploy the patch to a staging environment first, test authentication flow thoroughly, then roll out to production while monitoring authentication logs for anomalies.

Generated by OpenCVE AI on April 28, 2026 at 04:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity High

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity High

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

This CVE is not in the KEV list.

The EPSS score is 0.00021.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://code-projects.org/
https://gist.github.com/higordiego/84ae7f08f5c23debebf309de3920bda2
https://vuldb.com/submit/800384
https://vuldb.com/vuln/359678
https://vuldb.com/vuln/359678/cti

History

Mon, 27 Apr 2026 13:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 27 Apr 2026 09:15:00 +0000

Type	Values Removed	Values Added
Description		A vulnerability was determined in code-projects Chat System 1.0. Affected is an unknown function of the file update_user.php of the component MD5 Hash Handler. This manipulation of the argument Password causes use of weak hash. The attack is possible to be carried out remotely. The attack's complexity is rated as high. The exploitability is told to be difficult. The exploit has been publicly disclosed and may be utilized.
Title		code-projects Chat System MD5 Hash update_user.php weak hash
First Time appeared		Code-projects Code-projects chat System
Weaknesses		CWE-327 CWE-328
CPEs		cpe:2.3:a:code-projects:chat_system::::::::
Vendors & Products		Code-projects Code-projects chat System
References		https://code-projects.org/ https://gist.github.com/higordiego/84ae7f08f5c23debebf309de3920bda2 https://vuldb.com/submit/800384 https://vuldb.com/vuln/359678 https://vuldb.com/vuln/359678/cti
Metrics		cvssV2_0 `{'score': 2.6, 'vector': 'AV:N/AC:H/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 3.7, 'vector': 'CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 3.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Code-projects Chat System

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-04-27T08:30:10.652Z

Updated: 2026-04-27T12:27:23.279Z

Reserved: 2026-04-26T09:04:38.568Z

Link: CVE-2026-7103

Vulnrichment

Updated: 2026-04-27T12:26:45.323Z

NVD

Status : Deferred

Published: 2026-04-27T09:16:03.127

Modified: 2026-04-27T18:37:59.213

Link: CVE-2026-7103

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T04:45:22Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact None

Vulnerable System Availability Impact None

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Attack Vector Network

Attack Complexity High

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

Access Vector Network

Access Complexity High

Authentication None

Confidentiality Impact Partial

Integrity Impact None

Availability Impact None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object