CWE-328 (Use of Weak Hash) documents a weakness type used across vulnerability databases and security assessments. Use the sections below for definition, context, and mapped CVEs.
The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack).
| Kind | Name | Class | Prevalence | OS / CPE |
|---|---|---|---|---|
| language | — | Not Language-Specific | Undetermined | — |
| technology | — | ICS/OT | Undetermined | — |
These CVEs are mapped to this weakness in this database and kept for traceability and search.
| CVE | Published | Summary |
|---|---|---|
| CVE-2026-10814 | 2026-06-04 | A vulnerability has been found in milvus-io milvus up to 2.6.13. This vulnerability affects unknown code of the file internal/metastore/kv/rootcoord/kv_catalog.go of the component Grantee ID Hash Hand… |
| CVE-2026-10813 | 2026-06-04 | A flaw has been found in LMCache up to 0.4.6. This affects the function hex_hash_to_int16 of the file lmcache/integration/vllm/utils.py of the component KV Cache Handler. Executing a manipulation can … |
| CVE-2026-10812 | 2026-06-04 | A vulnerability was detected in zilliztech GPTCache up to 0.1.44. Affected by this issue is the function BufferedReader.peek of the file gptcache/processor/pre.py of the component Cache Key Handler. P… |
| CVE-2026-10804 | 2026-06-04 | A vulnerability has been found in Streamlit up to 1.53.0. Impacted is an unknown function in the library lib/streamlit/runtime/caching/hashing.py of the component Palette Handler. Such manipulation le… |
| CVE-2026-10803 | 2026-06-04 | A flaw has been found in MLflow up to 3.10.0. This issue affects the function mlflow.data.digest_utils of the file mlflow/data/digest_utils.py of the component Dataset Digest Computation. This manipul… |
| CVE-2026-10801 | 2026-06-04 | A security vulnerability has been detected in modelscope ms-swift up to 4.2.0. This affects the function Template._save_pil_image of the file swift/template/base.py of the component PIL Image Cache Ke… |
| CVE-2026-10800 | 2026-06-04 | A weakness has been identified in PaddlePaddle FastDeploy up to 2.4.1. Affected by this issue is the function hash_features of the file fastdeploy/multimodal/hasher.py of the component MultimodalHashe… |
| CVE-2026-10783 | 2026-06-04 | A security flaw has been discovered in gradio-app gradio 6.14.0. This affects the function save_audio_to_cache of the component Audio Cache Key Handler. Performing a manipulation results in use of wea… |
| CVE-2026-10766 | 2026-06-03 | A vulnerability has been found in mlrun up to 1.12.0-rc3. This impacts the function mlrun.utils.helpers.calculate_dataframe_hash of the file mlrun/utils/helpers.py of the component DataFrame Hash Hand… |
| CVE-2026-45413 | 2026-05-26 | MaxKB is an open-source AI assistant for enterprise. Prior to 2.9.1, user passwords are stored using unsalted MD5 hashes, making them trivially crackable via rainbow tables or GPU-accelerated brute fo… |
| CVE-2026-8803 | 2026-05-18 | A flaw has been found in opensourcepos Open Source Point of Sale up to 3.4.2. Impacted is the function Login of the file app/Models/Employee.php of the component Employee Login. This manipulation caus… |
| CVE-2026-44582 | 2026-05-13 | Next.js is a React framework for building full-stack web applications. From 13.4.6 to before 15.5.16 and 16.2.5, React Server Component responses can be vulnerable to cache poisoning in deployments th… |
| CVE-2020-37168 | 2026-05-13 | Ecommerce Systempay 1.0 contains a weak cryptographic implementation vulnerability that allows attackers to brute force the 16-character production secret key used for payment signature generation. At… |
| CVE-2026-34527 | 2026-05-05 | Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, SbieIniServer::HashPassword converts a SHA-1 digest to hexadecimal incorrectly. The high … |
| CVE-2026-7845 | 2026-05-05 | A flaw has been found in chatchat-space Langchain-Chatchat up to 0.3.1.3. This issue affects the function PIL.Image.tobytes of the file libs/chatchat-server/chatchat/webui_pages/dialogue/dialogue.py o… |
| CVE-2026-7103 | 2026-04-27 | A vulnerability was determined in code-projects Chat System 1.0. Affected is an unknown function of the file update_user.php of the component MD5 Hash Handler. This manipulation of the argument Passwo… |
| CVE-2026-40164 | 2026-04-14 | jq is a command-line JSON processor. Before commit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784, jq used MurmurHash3 with a hardcoded, publicly visible seed (0x432A9843) for all JSON object hash table ope… |
| CVE-2026-21717 | 2026-03-30 | A flaw in V8's string hashing mechanism causes integer-like strings to be hashed to their numeric value, making hash collisions trivially predictable. By crafting a request that causes many such colli… |
| CVE-2026-32129 | 2026-03-12 | soroban-poseidon provides Poseidon and Poseidon2 cryptographic hash functions for Soroban smart contracts. Poseidon V1 (PoseidonSponge) accepts variable-length inputs without injective padding. When a… |
| CVE-2025-41762 | 2026-03-09 | An unauthenticated attacker can abuse the weak hash of the backup generated by the wwwdnload.cgi endpoint to gain unauthorized access to sensitive data, including password hashes and certificates. |
| Date | Name | Version | Importance | Comment |
|---|---|---|---|---|
| 2008-09-08 | CWE Content Team | 1.0 | — | updated Relationships, Observed_Example, Taxonomy_Mappings |
| 2008-10-14 | CWE Content Team | 1.0.1 | — | updated Description |
| 2009-01-12 | CWE Content Team | 1.2 | — | updated Description, References |
| 2009-10-29 | CWE Content Team | 1.6 | — | updated Relationships |
| 2011-06-01 | CWE Content Team | 1.13 | — | updated Common_Consequences |
| 2012-05-11 | CWE Content Team | 2.2 | — | updated References, Related_Attack_Patterns, Relationships |
| 2012-10-30 | CWE Content Team | 2.3 | — | updated Demonstrative_Examples, Potential_Mitigations, References |
| 2014-02-18 | CWE Content Team | 2.6 | — | updated Potential_Mitigations, References |
| 2014-06-23 | CWE Content Team | 2.7 | — | updated Relationships |
| 2014-07-30 | CWE Content Team | 2.8 | — | updated Relationships |
| 2017-11-08 | CWE Content Team | 3.0 | — | updated Applicable_Platforms, Modes_of_Introduction, References, Relationships |
| 2018-03-27 | CWE Content Team | 3.1 | — | updated Relationships |
| 2021-03-15 | CWE Content Team | 4.4 | — | updated Demonstrative_Examples |
| 2021-10-28 | CWE Content Team | 4.6 | — | updated Description, Maintenance_Notes, Name, Observed_Examples, References, Relationships |
| 2022-10-13 | CWE Content Team | 4.9 | — | updated Demonstrative_Examples, Observed_Examples, References |
| 2023-01-31 | CWE Content Team | 4.10 | — | updated Applicable_Platforms |
| 2023-04-27 | CWE Content Team | 4.11 | — | updated Detection_Factors, References, Relationships |
| 2023-06-29 | CWE Content Team | 4.12 | — | updated Mapping_Notes, Relationships |
| 2024-02-29 | CWE Content Team | 4.14 | — | updated Demonstrative_Examples, Description, References |
| 2025-09-09 | CWE Content Team | 4.18 | — | updated References |
| 2025-12-11 | CWE Content Team | 4.19 | — | updated Relationships, Weakness_Ordinalities |