PT-2026-37230 · Unknown · Sandboxie Plus

Yanchon918S · Published 2026-05-05 · Updated 2026-05-05 · CVE-2026-34527

CVSS v4.0: 2.0 Low
Vector: AV:L/AC:H/AT:P/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions
Sandboxie-Plus versions prior to 1.17.3

Description
The SbieIniServer::HashPassword() function incorrectly converts a SHA-1 digest to hexadecimal by shifting the high nibble of each byte right by 8 instead of 4. Because shifting an 8-bit value right by 8 always yields zero, the high nibble is always written as zero, and the stored EditPassword hash preserves only the low nibble of each digest byte. The effective entropy is therefore reduced from 160 bits to 80 bits. Combined with the unsalted SHA-1 scheme, this makes leaked or backed-up password hashes significantly easier to brute-force.

Recommendations
Update to version 1.17.3.
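The conversion error described above, shown next to the corrected shift, together with an audit check for stored values that carry the truncation pattern. This is an added illustration reconstructed from the description, not Sandboxie-Plus source code; the function names, the sample digest and the assumed output layout (high-nibble character first) are assumptions.

```cpp
// Added illustration reconstructed from the advisory text; not Sandboxie-Plus source.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <string>

static const char HEX_DIGITS[] = "0123456789abcdef";

// Constructed 20-byte sample standing in for a SHA-1 digest.
static const uint8_t SAMPLE[20] = {
    0xa9, 0x99, 0x3e, 0x36, 0x47, 0x06, 0x81, 0x6a, 0xba, 0x3e,
    0x25, 0x71, 0x78, 0x50, 0xc2, 0x6c, 0x9c, 0xd0, 0xd8, 0x9d};

// Digest-to-hex with the high nibble shifted by `shift` bits.
// shift == 8 reproduces the described bug, shift == 4 is the correct form.
static std::string to_hex(const uint8_t *d, size_t n, int shift) {
    std::string out;
    for (size_t i = 0; i < n; i++) {
        out += HEX_DIGITS[(d[i] >> shift) & 0x0F]; // >> 8 of a byte is always 0
        out += HEX_DIGITS[d[i] & 0x0F];
    }
    return out;
}
std::string hex_buggy(const uint8_t *d, size_t n) { return to_hex(d, n, 8); }
std::string hex_fixed(const uint8_t *d, size_t n) { return to_hex(d, n, 4); }

// Audit check (assumed layout: high-nibble character first). A full 160-bit
// digest has '0' in all 20 high-nibble positions with probability 2^-80, so
// a 40-character value matching this pattern came from the truncating code.
bool looks_truncated(const std::string &hex) {
    if (hex.size() != 40) return false;
    for (size_t i = 0; i < hex.size(); i += 2)
        if (hex[i] != '0') return false;
    return true;
}

int main() {
    uint8_t other[20]; // differs from SAMPLE in every high nibble
    for (size_t i = 0; i < 20; i++) other[i] = SAMPLE[i] ^ 0xF0;
    std::printf("fixed  : %s\n", hex_fixed(SAMPLE, 20).c_str());
    std::printf("buggy  : %s\n", hex_buggy(SAMPLE, 20).c_str());
    std::printf("other  : %s (same stored value)\n", hex_buggy(other, 20).c_str());
    std::printf("flagged: %d\n", looks_truncated(hex_buggy(SAMPLE, 20)));
    return 0;
}
```

A stored value that `looks_truncated` flags was produced by the truncating conversion and retains only 80 bits of the digest.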

Related Identifiers

CVE-2026-34527

Affected Products

Sandboxie Plus