Cyber Posture

CVE-2026-26219

Critical · Public PoC

Published: 12 February 2026
Modified: 25 February 2026
KEV Added: not listed
Patch: none listed
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0002 (7.0th percentile)
Risk Priority: 18 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-26219 is a critical-severity Use of a Broken or Risky Cryptographic Algorithm (CWE-327) vulnerability in newbee-mall (vendor: Newbee-Mall Project). Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Password Cracking (T1110.002). The CVE is ranked at the 7.0th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Password Cracking (T1110.002). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

IA-5 (prevent): IA-5 mandates secure management and storage of authenticators like passwords using strong cryptographic hashing with salts, directly preventing the offline cracking enabled by unsalted MD5.

SI-2 (prevent): SI-2 requires timely identification, reporting, and remediation of flaws such as the broken unsalted MD5 password hashing implementation in newbee-mall.

SC-28 (prevent): SC-28 protects the confidentiality of password hashes at rest through encryption, mitigating the impact of database exposures or backup leaks even where weak hashing is present.
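The IA-5 guidance above (salted, cost-bounded hashing), as an added Python example that is not code from newbee-mall: the legacy unsalted-MD5 check as the advisory describes it, beside a PBKDF2-HMAC-SHA256 replacement with a random per-user salt and an iteration count, plus an audit function that flags rows still in the 32-hex MD5 format and an opportunistic rehash on a successful legacy login. The storage format `pbkdf2_sha256$iterations$salt$dk` and the 600,000 iteration count are assumptions, not the project's own.

```python
import hashlib
import hmac
import os
import re
from typing import Iterable, List, Optional, Tuple

# Legacy scheme as described in the advisory: unsalted MD5, stored as 32 hex chars.
# Kept only so the audit and migration path can recognise and verify old rows.
def legacy_md5_hash(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# Hardened scheme (assumed replacement): PBKDF2-HMAC-SHA256 with a 16-byte random
# per-user salt; the iteration count is stored with the hash so it can be raised later.
PBKDF2_ITERATIONS = 600_000  # assumed cost factor

def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def pbkdf2_verify(password: str, stored: str) -> bool:
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iters, salt_hex, dk_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)  # constant-time comparison

LEGACY_MD5_RE = re.compile(r"[0-9a-f]{32}")

def is_legacy_md5(stored: str) -> bool:
    """True for records still in the unsalted-MD5 format (audit check / migration trigger)."""
    return LEGACY_MD5_RE.fullmatch(stored.lower()) is not None

def verify_and_upgrade(password: str, stored: str) -> Tuple[bool, str]:
    """Verify against whichever format is stored. On a successful legacy login,
    return a fresh PBKDF2 hash so the caller can rewrite the row; otherwise return
    the stored value unchanged."""
    if is_legacy_md5(stored):
        ok = hmac.compare_digest(legacy_md5_hash(password), stored.lower())
        return ok, (pbkdf2_hash(password) if ok else stored)
    return pbkdf2_verify(password, stored), stored

def audit_user_table(rows: Iterable[Tuple[str, str]]) -> List[str]:
    """Return usernames whose stored hash is still unsalted MD5 (rows: (username, hash))."""
    return [user for user, stored in rows if is_legacy_md5(stored)]
```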

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1110.002 Password Cracking (tactic: Credential Access)
Adversaries may use password cracking to attempt to recover usable credentials, such as plaintext passwords, when credential material such as password hashes are obtained.
Why these techniques?

Unsalted MD5 password storage directly enables efficient offline password cracking (T1110.002) once hashes are obtained via DB exposure or similar, allowing rapid plaintext recovery without per-user salts or cost factors.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

newbee-mall stores and verifies user passwords using an unsalted MD5 hashing algorithm. The implementation does not incorporate per-user salts or computational cost controls, enabling attackers who obtain password hashes through database exposure, backup leakage, or other compromise vectors to rapidly recover plaintext credentials via offline attacks.

Deeper analysis [AI-generated]

CVE-2026-26219 is a critical vulnerability in the newbee-mall application, published on 2026-02-12, where user passwords are stored and verified using an unsalted MD5 hashing algorithm. The implementation lacks per-user salts and computational cost controls, making stored hashes susceptible to rapid plaintext recovery. It carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N) and is associated with CWE-327 (Use of a Broken or Risky Cryptographic Algorithm).

Attackers can exploit this vulnerability after obtaining password hashes via database exposure, backup leakage, or other compromise vectors. The cracking step itself requires no privileges, no user interaction, and no network access to the application, so unauthenticated remote actors can run efficient offline attacks and recover plaintext credentials, with high confidentiality and integrity impact.

Advisories referenced in the CVE, including https://github.com/newbee-ltd/newbee-mall/issues/119 and https://www.vulncheck.com/advisories/newbee-mall-unsalted-md5-password-hashing-enables-offline-credential-cracking, detail the unsalted MD5 issue in newbee-mall and its implications for credential cracking.

Details

CWE(s): CWE-327 Use of a Broken or Risky Cryptographic Algorithm

Affected Products: Newbee-Mall Project newbee-mall, versions ≤ 1.0.0

CVEs Like This One

CVE-2026-26218 (same product: Newbee-Mall Project newbee-mall)
CVE-2025-58743 (shared CWE-327)
CVE-2024-31896 (shared CWE-327)
CVE-2025-14480 (shared CWE-327)
CVE-2024-41763 (shared CWE-327)
CVE-2024-27256 (shared CWE-327)
CVE-2026-1626 (shared CWE-327)
CVE-2024-43178 (shared CWE-327)
CVE-2024-52884 (shared CWE-327)
CVE-2024-38320 (shared CWE-327)
