Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-9641

Summary
Assigner-CPANSec
Assigner Org ID-9b29abf9-4ab0-4765-b253-1875cd9b441e
Published At-12 Jun, 2026 | 14:57
Updated At-12 Jun, 2026 | 17:50
Rejected At-
Credits

Crypt::PBKDF2 versions before 0.261630 for Perl have a weak default algorithm and number of iterations

Crypt::PBKDF2 versions before 0.261630 for Perl have a weak default algorithm and number of iterations. The default algorithm is HMAC-SHA1, which should only be used for legacy systems. These versions default to using 1000 iterations. Depending on the chosen algorithm, 220,000 to 1,400,000 iterations should be used.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:CPANSec
Assigner Org ID:9b29abf9-4ab0-4765-b253-1875cd9b441e
Published At:12 Jun, 2026 | 14:57
Updated At:12 Jun, 2026 | 17:50
Rejected At:
▼CVE Numbering Authority (CNA)
Crypt::PBKDF2 versions before 0.261630 for Perl have a weak default algorithm and number of iterations

Crypt::PBKDF2 versions before 0.261630 for Perl have a weak default algorithm and number of iterations. The default algorithm is HMAC-SHA1, which should only be used for legacy systems. These versions default to using 1000 iterations. Depending on the chosen algorithm, 220,000 to 1,400,000 iterations should be used.

Affected Products
Vendor
ARODLAND
Product
Crypt::PBKDF2
Collection URL
https://cpan.org/modules
Package Name
Crypt-PBKDF2
Repo
https://github.com/arodland/Crypt-PBKDF2
Default Status
unaffected
Versions
Affected
  • From 0 before 0.261630 (custom)
Problem Types
TypeCWE IDDescription
CWECWE-916CWE-916 Use of Password Hash With Insufficient Computational Effort
Type: CWE
CWE ID: CWE-916
Description: CWE-916 Use of Password Hash With Insufficient Computational Effort
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions

Upgrade to version 0.261630 or later.

Configurations
Workarounds

Change the default algorithm to something stronger, such as "HMACSHA2", and the output_len accordingly (32 for SHA256). The number of iterations should also be increased (600,000 for SHA256, for example).

Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2
technical-description
https://metacpan.org/release/ARODLAND/Crypt-PBKDF2-0.261630/changes
release-notes
Hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2
Resource:
technical-description
Hyperlink: https://metacpan.org/release/ARODLAND/Crypt-PBKDF2-0.261630/changes
Resource:
release-notes
▼Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
3.15.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
2. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
http://www.openwall.com/lists/oss-security/2026/06/12/5
N/A
Hyperlink: http://www.openwall.com/lists/oss-security/2026/06/12/5
Resource: N/A
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:9b29abf9-4ab0-4765-b253-1875cd9b441e
Published At:12 Jun, 2026 | 16:16
Updated At:12 Jun, 2026 | 18:16

Crypt::PBKDF2 versions before 0.261630 for Perl have a weak default algorithm and number of iterations. The default algorithm is HMAC-SHA1, which should only be used for legacy systems. These versions default to using 1000 iterations. Depending on the chosen algorithm, 220,000 to 1,400,000 iterations should be used.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.15.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Type: Secondary
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-916Secondary9b29abf9-4ab0-4765-b253-1875cd9b441e
CWE ID: CWE-916
Type: Secondary
Source: 9b29abf9-4ab0-4765-b253-1875cd9b441e
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf29b29abf9-4ab0-4765-b253-1875cd9b441e
N/A
https://metacpan.org/release/ARODLAND/Crypt-PBKDF2-0.261630/changes9b29abf9-4ab0-4765-b253-1875cd9b441e
N/A
http://www.openwall.com/lists/oss-security/2026/06/12/5af854a3a-2127-422b-91ae-364da2661108
N/A
Hyperlink: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2
Source: 9b29abf9-4ab0-4765-b253-1875cd9b441e
Resource: N/A
Hyperlink: https://metacpan.org/release/ARODLAND/Crypt-PBKDF2-0.261630/changes
Source: 9b29abf9-4ab0-4765-b253-1875cd9b441e
Resource: N/A
Hyperlink: http://www.openwall.com/lists/oss-security/2026/06/12/5
Source: af854a3a-2127-422b-91ae-364da2661108
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

9Records found
CVE-2025-67168
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.02% / 5.30%
||
7 Day CHG~0.00%
Published-17 Dec, 2025 | 00:00
Updated-18 Dec, 2025 | 19:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

RiteCMS v3.1.0 was discovered to use insecure encryption to store passwords.

Action-Not Available
Vendor-ritecmsn/a
Product-ritecmsn/a
CWE ID-CWE-916
Use of Password Hash With Insufficient Computational Effort
CVE-2021-21253
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.8||MEDIUM
EPSS-0.11% / 28.68%
||
7 Day CHG~0.00%
Published-21 Jan, 2021 | 14:20
Updated-03 Aug, 2024 | 18:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Use of a One-Way Hash without a Salt in OnlineVotingSystem

OnlineVotingSystem is an open source project hosted on GitHub. OnlineVotingSystem before version 1.1.2 hashes user passwords without a salt, which is vulnerable to dictionary attacks. Therefore there is a threat of security breach in the voting system. Without a salt, it is much easier for attackers to pre-compute the hash value using dictionary attack techniques such as rainbow tables to crack passwords. This problem is fixed and published in version 1.1.2. A long randomly generated salt is added to the password hash function to better protect passwords stored in the voting system.

Action-Not Available
Vendor-onlinevotingsystem_projectdbijaya
Product-onlinevotingsystemOnlineVotingSystem
CWE ID-CWE-759
Use of a One-Way Hash without a Salt
CWE ID-CWE-916
Use of Password Hash With Insufficient Computational Effort
CVE-2023-41646
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.07% / 20.57%
||
7 Day CHG~0.00%
Published-07 Sep, 2023 | 00:00
Updated-26 Sep, 2024 | 19:51
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Buttercup v2.20.3 allows attackers to obtain the hash of the master password for the password manager via accessing the file /vaults.json/

Action-Not Available
Vendor-perrymitchelln/a
Product-buttercupn/a
CWE ID-CWE-916
Use of Password Hash With Insufficient Computational Effort
CVE-2022-40258
Matching Score-4
Assigner-CERT/CC
ShareView Details
Matching Score-4
Assigner-CERT/CC
CVSS Score-5.3||MEDIUM
EPSS-0.17% / 38.59%
||
7 Day CHG~0.00%
Published-31 Jan, 2023 | 00:53
Updated-27 Mar, 2025 | 17:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Weak password hashes for Redfish & API

AMI Megarac Weak password hashes for Redfish & API

Action-Not Available
Vendor-AMI
Product-megarac_spx-13megarac_spx-12MegaRAC SPx-13MegaRAC SPx-12
CWE ID-CWE-916
Use of Password Hash With Insufficient Computational Effort
CVE-2019-12737
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.00% / 0.04%
||
7 Day CHG~0.00%
Published-02 Oct, 2019 | 18:47
Updated-04 Aug, 2024 | 23:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

UserHashedTableAuth in JetBrains Ktor framework before 1.2.0-rc uses a One-Way Hash with a Predictable Salt for storing user credentials.

Action-Not Available
Vendor-n/aJetBrains s.r.o.
Product-ktorn/a
CWE ID-CWE-916
Use of Password Hash With Insufficient Computational Effort
CVE-2024-29886
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-5.3||MEDIUM
EPSS-0.16% / 37.11%
||
7 Day CHG~0.00%
Published-27 Mar, 2024 | 18:42
Updated-08 Jan, 2026 | 19:09
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Improved security for stored password hashes

Serverpod is an app and web server, built for the Flutter and Dart ecosystem. An issue was identified with the old password hash algorithm that made it susceptible to rainbow attacks if the database was compromised. This vulnerability is fixed by 1.2.6.

Action-Not Available
Vendor-serverpodserverpodserverpod
Product-serverpodserverpodserverpod
CWE ID-CWE-916
Use of Password Hash With Insufficient Computational Effort
CVE-2022-23348
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-1.21% / 79.37%
||
7 Day CHG~0.00%
Published-21 Mar, 2022 | 19:33
Updated-03 Aug, 2024 | 03:36
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

BigAnt Software BigAnt Server v5.6.06 was discovered to utilize weak password hashes.

Action-Not Available
Vendor-bigantsoftn/a
Product-bigant_servern/a
CWE ID-CWE-916
Use of Password Hash With Insufficient Computational Effort
CVE-2021-38314
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-5.3||MEDIUM
EPSS-84.08% / 99.32%
||
7 Day CHG~0.00%
Published-02 Sep, 2021 | 16:53
Updated-05 May, 2025 | 14:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Gutenberg Template Library & Redux Framework <= 4.2.11 Sensitive Information Disclosure

The Gutenberg Template Library & Redux Framework plugin <= 4.2.11 for WordPress registered several AJAX actions available to unauthenticated users in the `includes` function in `redux-core/class-redux-core.php` that were unique to a given site but deterministic and predictable given that they were based on an md5 hash of the site URL with a known salt value of '-redux' and an md5 hash of the previous hash with a known salt value of '-support'. These AJAX actions could be used to retrieve a list of active plugins and their versions, the site's PHP version, and an unsalted md5 hash of site’s `AUTH_KEY` concatenated with the `SECURE_AUTH_KEY`.

Action-Not Available
Vendor-reduxRedux.io
Product-gutenberg_template_library_\&_redux_frameworkGutenberg Template Library & Redux Framework
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-760
Use of a One-Way Hash with a Predictable Salt
CWE ID-CWE-916
Use of Password Hash With Insufficient Computational Effort
CVE-2021-37551
Matching Score-4
Assigner-MITRE Corporation
ShareView Details
Matching Score-4
Assigner-MITRE Corporation
CVSS Score-5.3||MEDIUM
EPSS-0.00% / 0.03%
||
7 Day CHG~0.00%
Published-06 Aug, 2021 | 13:31
Updated-04 Aug, 2024 | 01:23
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

In JetBrains YouTrack before 2021.2.16363, system user passwords were hashed with SHA-256.

Action-Not Available
Vendor-n/aJetBrains s.r.o.
Product-youtrackn/a
CWE ID-CWE-916
Use of Password Hash With Insufficient Computational Effort
Details not found