CWE-326 (Inadequate Encryption Strength) documents a weakness type used across vulnerability databases and security assessments. Use the sections below for definition, context, and mapped CVEs.
The product stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required.
| Kind | Name | Class | Prevalence | OS / CPE |
|---|---|---|---|---|
| language | — | Not Language-Specific | Undetermined | — |
These CVEs are mapped to this weakness in this database and kept for traceability and search.
| CVE | Published | Summary |
|---|---|---|
| CVE-2026-41860 | 2026-06-04 | CWE-326 in BOSH allows a local attacker to steal Basic-auth credentials or redirect UAA token requests via MITM. HttpRequestHelper#create_async_endpoint and #send_http_get_request_synchronous hard-cod… |
| CVE-2026-8878 | 2026-06-03 | Version 3.0.7 of the Securly Chrome Extension exposes multiple publicly accessible endpoints that allow unauthenticated access to sensitive data. The exposed information consists of SHA-1 hashes that … |
| CVE-2026-45787 | 2026-05-28 | electerm is an open-sourced terminal/ssh/sftp/telnet/serialport/RDP/VNC/Spice/ftp client. Prior to 3.9.5, deterministic AES-192-CBC with a fixed zero IV, constant KDF salt, and no MAC leads to confide… |
| CVE-2026-44523 | 2026-05-14 | Note Mark is an open-source note-taking application. Prior to 0.19.4, no minimum length or entropy is enforced on the JWT_SECRET configuration value. The application accepts any base64-decodable secre… |
| CVE-2026-44351 | 2026-05-13 | fast-jwt provides fast JSON Web Token (JWT) implementation. Prior to 6.2.4, a critical authentication-bypass vulnerability in fast-jwt's async key-resolver flow allows any unauthenticated attacker to … |
| CVE-2026-33361 | 2026-05-11 | In Meari IoT SDK image handling (libmrplayer.so) as observed in CloudEdge 5.5.0 (build 220), Arenti 1.8.1 (build 220), and related white-label apps (<= 1.8.x), baby monitor ".jpgx3" files use reversib… |
| CVE-2018-25272 | 2026-04-22 | ELBA5 5.8.0 contains a remote code execution vulnerability that allows attackers to obtain database credentials and execute arbitrary commands with SYSTEM level permissions. Attackers can connect to t… |
| CVE-2025-1241 | 2026-04-21 | Encrypted values in Fortra's GoAnywhere MFT prior to version 7.10.0 and GoAnywhere Agents prior to version 2.2.0 utilize a static IV which allows admin users to brute-force decryption of data. |
| CVE-2026-5363 | 2026-04-16 | Inadequate Encryption Strength vulnerability in TP-Link Archer C7 v5 and v5.8 (uhttpd modules) allows Password Recovery Exploitation. The web interface encrypts the admin password client-side using RS… |
| CVE-2026-5889 | 2026-04-08 | Cryptographic Flaw in PDFium in Google Chrome prior to 147.0.7727.55 allowed an attacker to read potentially sensitive information from encrypted PDFs via a brute-force attack. (Chromium security seve… |
| CVE-2026-39349 | 2026-04-07 | OrangeHRM is a comprehensive human resource management (HRM) system. From 5.0 to 5.8, OrangeHRM Open Source encrypts certain sensitive fields with AES in ECB mode, which preserves block-aligned plaint… |
| CVE-2026-28377 | 2026-03-26 | A vulnerability in Grafana Tempo exposes the S3 SSE-C encryption key in plaintext through the /status/config endpoint, potentially allowing unauthorized users to obtain the key used to encrypt trace d… |
| CVE-2026-33512 | 2026-03-23 | WWBN AVideo is an open source video platform. In versions up to and including 26.0, the API plugin exposes a `decryptString` action without any authentication. Anyone can submit ciphertext and receive… |
| CVE-2026-33488 | 2026-03-23 | WWBN AVideo is an open source video platform. In versions up to and including 26.0, the `createKeys()` function in the LoginControl plugin's PGP 2FA system generates 512-bit RSA keys, which have been … |
| CVE-2025-36379 | 2026-02-17 | IBM Security QRadar EDR 3.12 through 3.12.23 IBM Security ReaQta uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. |
| CVE-2025-68703 | 2026-01-13 | Jervis is a library for Job DSL plugin scripts and shared Jenkins pipeline libraries. Prior to 2.2, the salt is derived from sha256Sum(passphrase). Two encryption operations with the same password wil… |
| CVE-2026-0510 | 2026-01-13 | The User Management Engine (UME) in NetWeaver Application Server for Java (NW AS Java) utilizes an obsolete cryptographic algorithm for encrypting User Mapping data. This weakness could allow an attac… |
| CVE-2025-65295 | 2025-12-10 | Multiple vulnerabilities in Aqara Hub firmware update process in the Camera Hub G3 4.1.9_0027, Hub M2 4.3.6_0027, and Hub M3 4.3.6_0025 devices, allow attackers to install malicious firmware without p… |
| CVE-2025-41743 | 2025-12-02 | Insufficient encryption strength in Sprecher Automation SPRECON-E-C, SPRECON-E-P, and SPRECON-E-T3 allows a local unprivileged attacker to extract data from update images and thus obtain limited infor… |
| CVE-2025-11935 | 2025-11-21 | With TLS 1.3 pre-shared key (PSK) a malicious or faulty server could ignore the request for PFS (perfect forward secrecy) and the client would continue on with the connection using PSK without PFS. Th… |
| Date | Name | Version | Importance | Comment |
|---|---|---|---|---|
| 2008-08-15 | — | 1.0 | — | Suggested OWASP Top Ten 2004 mapping |
| 2008-09-08 | CWE Content Team | 1.0 | — | updated Maintenance_Notes, Relationships, Taxonomy_Mappings |
| 2009-03-10 | CWE Content Team | 1.3 | — | updated Relationships |
| 2009-05-27 | CWE Content Team | 1.4 | — | updated Related_Attack_Patterns |
| 2009-07-08 | CWE Content Team | 1.5 | Critical | Clarified entry to focus on algorithms that do not have major weaknesses, but may not be strong enough for some purposes. |
| 2009-07-27 | CWE Content Team | 1.5 | — | updated Common_Consequences, Description, Maintenance_Notes, Name |
| 2009-10-29 | CWE Content Team | 1.6 | — | updated Relationships |
| 2010-02-16 | CWE Content Team | 1.8 | — | updated References |
| 2010-06-21 | CWE Content Team | 1.9 | — | updated Relationships |
| 2011-06-01 | CWE Content Team | 1.13 | — | updated Common_Consequences |
| 2012-05-11 | CWE Content Team | 2.2 | — | updated References, Relationships |
| 2013-07-17 | CWE Content Team | 2.5 | — | updated Relationships |
| 2014-07-30 | CWE Content Team | 2.8 | — | updated Relationships |
| 2015-12-07 | CWE Content Team | 2.9 | — | updated Relationships |
| 2017-11-08 | CWE Content Team | 3.0 | — | updated Applicable_Platforms, Modes_of_Introduction, References, Relationships |
| 2018-03-27 | CWE Content Team | 3.1 | — | updated References, Relationships |
| 2019-01-03 | CWE Content Team | 3.2 | — | updated Related_Attack_Patterns |
| 2019-06-20 | CWE Content Team | 3.3 | — | updated Relationships |
| 2020-02-24 | CWE Content Team | 4.0 | — | updated Maintenance_Notes, Potential_Mitigations, Relationships |
| 2021-10-28 | CWE Content Team | 4.6 | — | updated Relationships |
| 2023-01-31 | CWE Content Team | 4.10 | — | updated Description, Relationships |
| 2023-04-27 | CWE Content Team | 4.11 | — | updated Detection_Factors, Relationships |
| 2023-06-29 | CWE Content Team | 4.12 | — | updated Mapping_Notes |
| 2025-12-11 | CWE Content Team | 4.19 | — | updated Relationships, Weakness_Ordinalities |