Weak Cryptographic Algorithm Vulnerability in QloApps by QloApps
CVE-2026-25861

8.2 HIGH

Key Information:

Vendor: QloApps
Status: Vendor
CVE Published: 2 June 2026

What is CVE-2026-25861?

QloApps versions prior to 1.7.0 hash user passwords with MD5 in the Tools::encrypt() function. MD5 is a fast general-purpose digest, not a password-hashing function, so an attacker who obtains the stored hashes can run offline brute-force or dictionary attacks against them at very high speed. The problem is compounded by the auto-generated 8-character passwords issued when a guest is converted into a customer account: that keyspace is small enough to exhaust offline, so the credentials of such accounts are readily recoverable. Users should upgrade to the patched version.
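The following is an added example written for this entry; it is not QloApps code and does not reproduce Tools::encrypt(). It models the vulnerable pattern as a single MD5 over a site-wide constant concatenated with the password (the constant is an assumption, included to show that a static key is not a salt once the attacker also holds the configuration), brute-forces a constructed short password against it, works out the worst-case time for the 8-character case at an assumed GPU hashing rate, and places a per-user-salted scrypt record beside it as the hardened form.

```python
"""Why a fast digest like MD5 fails as a password hash, and what a proper KDF changes.

Added example for this advisory; it is not QloApps code and does not reproduce
Tools::encrypt(). The "static key prepended to the password" construction is an
assumption used to show that a site-wide constant is not a salt: an attacker who
has the hashes (e.g. a database dump) usually has the configuration too.
"""
import hashlib
import hmac
import itertools
import os
import string

STATIC_KEY = b"example-site-key"  # constructed, assumed known to the attacker


def weak_hash(password: str, static_key: bytes = STATIC_KEY) -> str:
    """Model of the vulnerable pattern: one MD5 over (static_key || password).
    No per-user salt, no work factor: every guess costs one MD5 block."""
    return hashlib.md5(static_key + password.encode()).hexdigest()


def brute_force_md5(target: str, alphabet: str, length: int,
                    static_key: bytes = STATIC_KEY):
    """Exhaust every fixed-length candidate in lexicographic order.
    Returns (password, guesses_made) or (None, keyspace_size)."""
    guesses = 0
    for candidate in itertools.product(alphabet, repeat=length):
        guesses += 1
        pw = "".join(candidate)
        if weak_hash(pw, static_key) == target:
            return pw, guesses
    return None, guesses


def keyspace_seconds(alphabet_size: int, length: int, hashes_per_second: float) -> float:
    """Worst-case wall-clock time to exhaust a fixed-length keyspace."""
    return alphabet_size ** length / hashes_per_second


# Hardened replacement: random per-user salt plus a memory-hard KDF. scrypt is
# used because it ships in the standard library; bcrypt or Argon2id are equally
# appropriate choices.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def strong_hash(password: str, salt: bytes = b"") -> str:
    """Return a self-describing record: scheme$N$r$p$salt_hex$digest_hex."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(digest.hex(), digest_hex)


def demo() -> dict:
    """Constructed scenario: a 4-character lowercase password so the loop
    finishes in well under a second, then the arithmetic for the real case."""
    leaked = weak_hash("room")                       # what a DB dump would hold
    cracked, guesses = brute_force_md5(leaked, string.ascii_lowercase, 4)
    # 8 alphanumeric characters (62^8 ~ 2.2e14) at an assumed 1e10 MD5/s,
    # a conservative figure for a single modern GPU: roughly six hours worst case.
    hours_8char = keyspace_seconds(62, 8, 1e10) / 3600
    return {"cracked": cracked, "guesses": guesses, "hours_8char": hours_8char}


if __name__ == "__main__":
    print(demo())
```

The point of the contrast is the cost per guess: the weak form is one MD5 compression per candidate regardless of any static key, so the only defence is password length, which the 8-character auto-generated passwords remove. The scrypt record carries its own salt and parameters, so each user's hash must be attacked separately and each guess costs a tunable amount of memory and time.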

Affected Version(s)

QloApps 0 <= 1.7.0

QloApps 64e9722e7e6a8fda77dd53964d988fb6b5c3d174

CVSS V4

Score: 8.2
Severity: HIGH
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Chia Min Jun Lennon
VulnCheck