CWE-326— Inadequate Encryption Strength
The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.— MITRE CWE catalog
503 active CVEs classified under this weakness category. Sourced from NVD, GHSA, and vendor advisories. Full definition on MITRE →
CVEs classified under CWE-326page 7 of 11
- CVE-2022-22453HIGHCVSS 7.5EG 7.52022-07-14
IBM Security Verify Identity Manager 10.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 224919.
- CVE-2022-22464HIGHCVSS 7.5EG 7.52022-07-08
IBM Security Access Manager Appliance 10.0.0.0, 10.0.1.0, 10.0.2.0, and 10.0.3.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 225081.
- CVE-2022-24116CRITICALCVSS 9.8EG 9.82022-12-26
Certain General Electric Renewable Energy products have inadequate encryption strength. This affects iNET and iNET II before 8.3.0.
- CVE-2022-24318HIGHCVSS 7.5EG 7.52022-02-09
A CWE-326: Inadequate Encryption Strength vulnerability exists that could cause non-encrypted communication with the server when outdated versions of the ViewX client are used. Affected Product: ClearSCADA (All Versions), EcoStruxure Geo S…
- CVE-2022-25012MEDIUMCVSS 5.5EG 5.52022-03-01
Argus Surveillance DVR v4.0 employs weak password encryption.
- CVE-2022-25156HIGHCVSS 8.1EG 8.12022-04-01
Use of Weak Hash vulnerability in Mitsubishi Electric MELSEC iQ-F series FX5U(C) CPU all versions, Mitsubishi Electric MELSEC iQ-F series FX5UJ CPU all versions, Mitsubishi Electric MELSEC iQ-R series R00/01/02CPU all versions, Mitsubishi …
- CVE-2022-2582MEDIUMCVSS 4.3EG 4.32022-12-27
The AWS S3 Crypto SDK sends an unencrypted hash of the plaintext alongside the ciphertext as a metadata field. This hash can be used to brute force the plaintext, if the hash is readable to the attacker. AWS now blocks this metadata field,…
- CVE-2022-26020MEDIUMCVSS 6.5EG 6.52022-05-12
An information disclosure vulnerability exists in the router configuration export functionality of InHand Networks InRouter302 V3.5.4. A specially-crafted network request can lead to increased privileges. An attacker can send an HTTP reque…
- CVE-2022-26306HIGHCVSS 7.5EG 7.52022-07-25
LibreOffice supports the storage of passwords for web connections in the user’s configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in LibreOffice existed where the required in…
- CVE-2022-26307HIGHCVSS 8.8EG 8.82022-07-25
LibreOffice supports the storage of passwords for web connections in the user’s configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in LibreOffice existed where master key was …
- CVE-2022-2640HIGHCVSS 7.5EG 7.52022-12-02
The Config-files of Horner Automation’s RCC 972 with firmware version 15.40 are encrypted with weak XOR encryption vulnerable to reverse engineering. This could allow an attacker to obtain credentials to run services such as File Transfe…
- CVE-2022-2758MEDIUMCVSS 6.5EG 5.92022-08-31
Passwords are not adequately encrypted during the communication process between all versions of LS Industrial Systems (LSIS) Co. Ltd LS Electric XG5000 software prior to V4.0 and LS Electric PLCs: all versions of XGK-CPUU/H/A/S/E prior to …
- CVE-2022-2781MEDIUMCVSS 5.3EG 5.32022-10-06
In affected versions of Octopus Server it was identified that the same encryption process was used for both encrypting session cookies and variables.
- CVE-2022-28164MEDIUMCVSS 6.5EG 6.52022-05-06
Brocade SANnav before SANnav 2.2.0 application uses the Blowfish symmetric encryption algorithm for the storage of passwords. This could allow an authenticated attacker to decrypt stored account passwords.
- CVE-2022-29161MEDIUMCVSS 5.4EG 5.42022-05-06
XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The XWiki Crypto API will generate X509 certificates signed by default using SHA1 with RSA, which is not considered safe anymore for u…
- CVE-2022-29249HIGHCVSS 7.5EG 7.52022-05-24
JavaEZ is a library that adds new functions to make Java easier. A weakness in JavaEZ 1.6 allows force decryption of locked text by unauthorized actors. The issue is NOT critical for non-secure applications, however may be critical in a si…
- CVE-2022-29566HIGHCVSS 8.1EG 8.12022-04-21
The Bulletproofs 2017/1066 paper mishandles Fiat-Shamir generation because the hash computation fails to include all of the public values from the Zero Knowledge proof statement as well as all of the public values computed in the proof, ak…
- CVE-2022-29835MEDIUMCVSS 5.3EG 5.32022-09-19
WD Discovery software executable files were signed with an unsafe SHA-1 hashing algorithm. An attacker could use this weakness to create forged certificate signatures due to the use of a hashing algorithm that is not collision-free. This c…
- CVE-2022-30285CRITICALCVSS 9.8EG 9.82022-08-02
In Quest KACE Systems Management Appliance (SMA) through 12.0, a hash collision is possible during authentication. This may allow authentication with invalid credentials.
- CVE-2022-30683MEDIUMCVSS 5.3EG 5.32022-09-16
Adobe Experience Manager versions 6.5.13.0 (and earlier) is affected by a Violation of Secure Design Principles vulnerability that could lead to bypass the security feature of the encryption mechanism in the backend . An attacker could lev…
- CVE-2022-31459HIGHCVSS 7.4EG 6.52022-06-02
Owl Labs Meeting Owl 5.2.0.15 allows attackers to retrieve the passcode hash via a certain c 10 value over Bluetooth.
- CVE-2022-3206MEDIUMCVSS 5.9EG 5.92022-10-17
The Passster WordPress plugin before 3.5.5.5.2 stores the password inside a cookie named "passster" using base64 encoding method which is easy to decode. This puts the password at risk in case the cookies get leaked.
- CVE-2022-32222MEDIUMCVSS 5.3EG 5.32022-07-14
A cryptographic vulnerability exists on Node.js on linux in versions of 18.x prior to 18.40.0 which allowed a default path for openssl.cnf that might be accessible under some circumstances to a non-admin user instead of /etc/ssl as was the…
- CVE-2022-3273CRITICALCVSS 9.8EG 9.82022-10-06
Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.5.0a4.
- CVE-2022-32753MEDIUMCVSS 4.5EG 4.52024-03-22
IBM Security Verify Directory 10.0.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. IBM X-Force ID: 228444.
- CVE-2022-3433MEDIUMCVSS 6.5EG 6.52022-10-10
The aeson library is not safe to use to consume untrusted JSON input. A remote user could abuse this flaw to produce a hash collision in the underlying unordered-containers library by sending specially crafted JSON data, resulting in a den…
- CVE-2022-34385MEDIUMCVSS 5.5EG 5.52023-02-11
SupportAssist for Home PCs (version 3.11.4 and prior) and SupportAssist for Business PCs (version 3.2.0 and prior) contain cryptographic weakness vulnerability. An authenticated non-admin user could potentially exploit the issue and obt…
- CVE-2022-34445MEDIUMCVSS 6.0EG 4.42023-02-11
Dell PowerScale OneFS, versions 8.2.x through 9.3.x contain a weak encoding for a password. A malicious local privileged attacker may potentially exploit this vulnerability, leading to information disclosure.
- CVE-2022-34826MEDIUMCVSS 5.9EG 5.92022-07-15
In Couchbase Server 7.1.x before 7.1.1, an encrypted Private Key passphrase may be leaked in the logs.
- CVE-2022-35931LOWCVSS 2.7EG 2.72022-09-06
Nextcloud Password Policy is an app that enables a Nextcloud server admin to define certain rules for passwords. Prior to versions 22.2.10, 23.0.7, and 24.0.3 the random password generator may, in very rare cases, generate common passwords…
- CVE-2022-36555CRITICALCVSS 9.8EG 9.82022-08-29
Hytec Inter HWL-2511-SS v1.05 and below implements a SHA512crypt hash for the root account which can be easily cracked via a brute-force attack.
- CVE-2022-37400HIGHCVSS 8.8EG 8.82022-08-15
Apache OpenOffice supports the storage of passwords for web connections in the user's configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in OpenOffice existed where the required…
- CVE-2022-37401HIGHCVSS 8.8EG 8.82022-08-15
Apache OpenOffice supports the storage of passwords for web connections in the user's configuration database. The stored passwords are encrypted with a single master key provided by the user. A flaw in OpenOffice existed where master key w…
- CVE-2022-38469HIGHCVSS 7.5EG 7.52023-01-18
An unauthorized user with network access and the decryption key could decrypt sensitive data, such as usernames and passwords.
- CVE-2022-38659MEDIUMCVSS 6.0EG 7.82022-12-19
In specific scenarios, on Windows the operator credentials may be encrypted in a manner that is not completely machine-dependent.
- CVE-2022-40141HIGHCVSS 7.5EG 7.52022-09-19
A vulnerability in Trend Micro Apex One and Apex One as a Service could allow an attacker to intercept and decode certain communication strings that may contain some identification attributes of a particular Apex One server.
- CVE-2022-4036MEDIUMCVSS 5.3EG 5.32022-11-29
The Appointment Hour Booking plugin for WordPress is vulnerable to CAPTCHA bypass in versions up to, and including, 1.3.72. This is due to the use of insufficiently strong hashing algorithm on the CAPTCHA secret that is also displayed to t…
- CVE-2022-4048HIGHCVSS 7.7EG 7.72023-05-15
Inadequate Encryption Strength in CODESYS Development System V3 versions prior to V3.5.18.40 allows an unauthenticated local attacker to access and manipulate code of the encrypted boot application.
- CVE-2022-40745MEDIUMCVSS 5.5EG 5.52024-04-19
IBM Aspera Faspex 5.0.0 through 5.0.7 could allow a local user to obtain sensitive information due to weaker than expected security. IBM X-Force ID: 236452.
- CVE-2022-41209MEDIUMCVSS 5.2EG 5.22022-10-11
SAP Customer Data Cloud (Gigya mobile app for Android) - version 7.4, uses encryption method which lacks proper diffusion and does not hide the patterns well. This can lead to information disclosure. In certain scenarios, application might…
- CVE-2022-43460HIGHCVSS 7.5EG 7.52023-02-13
Driver Distributor v2.2.3.1 and earlier contains a vulnerability where passwords are stored in a recoverable format. If an attacker obtains a configuration file of Driver Distributor, the encrypted administrator's credentials may be decryp…
- CVE-2022-43922MEDIUMCVSS 5.3EG 6.52023-02-01
IBM App Connect Enterprise Certified Container 4.1, 4.2, 5.0, 5.1, 5.2, 6.0, 6.1, and 6.2 could disclose sensitive information to an attacker due to a weak hash of an API Key in the configuration. IBM X-Force ID: 241583.
- CVE-2022-45141CRITICALCVSS 9.8EG 9.82023-03-06
Since the Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability was disclosed by Microsoft on Nov 8 2022 and per RFC8429 it is assumed that rc4-hmac is weak, Vulnerable Samba Active Directory DCs will issue rc4-hmac encrypted tick…
- CVE-2022-45379HIGHCVSS 7.5EG 7.52022-11-15
Jenkins Script Security Plugin 1189.vb_a_b_7c8fd5fde and earlier stores whole-script approvals as the SHA-1 hash of the script, making it vulnerable to collision attacks.
- CVE-2022-45453HIGHCVSS 7.5EG 5.32023-05-18
TLS/SSL weak cipher suites enabled. The following products are affected: Acronis Cyber Protect 15 (Windows, Linux) before build 30984.
- CVE-2022-46783MEDIUMCVSS 5.3EG 5.32023-08-28
An issue was discovered in Stormshield SSL VPN Client before 3.2.0. If multiple address books are used, an attacker may be able to access the other encrypted address book.
- CVE-2022-46825MEDIUMCVSS 4.0EG 3.32022-12-08
In JetBrains IntelliJ IDEA before 2022.3 the built-in web server leaked information about open projects.
- CVE-2022-47931CRITICALCVSS 9.1EG 9.12022-12-23
IO FinNet tss-lib before 2.0.0 allows a collision of hash values.
- CVE-2022-48193MEDIUMCVSS 5.9EG 5.92023-11-06
Weak ciphers in Softing smartLink SW-HT before 1.30 are enabled during secure communication (SSL).
- CVE-2023-0525HIGHCVSS 7.5EG 7.52023-08-04
Weak Encoding for Password vulnerability in Mitsubishi Electric Corporation GOT2000 Series GT27 model versions 01.49.000 and prior, GT25 model versions 01.49.000 and prior, GT23 model versions 01.49.000 and prior, GT21 model versions 01.49…
Map vulnerabilities like CWE-326 to your infrastructure
EchelonGraph correlates every CVE — across CWE-326 and 150+ other weakness categories — against the assets you actually run. See blast radius, fix versions, and remediation steps in one graph.
Start Free Scan →