CVE-2026-25861

Name of the Vulnerable Software and Affected Versions QloApps versions prior to 1.7.0 commit 64e9722

Description The software uses a weak cryptographic algorithm for password hashing. Specifically, the encrypt() function in classes/Tools.php utilizes MD5, concatenating a static cookie key with the password. This allows attackers to perform offline brute-force attacks to compromise user credentials. The risk is increased because guest-to-customer account conversions in classes/Customer.php assign auto-generated 8-character passwords, simplifying credential recovery.

Recommendations Update to the version containing commit 64e9722. As a temporary mitigation, restrict access to the encrypt() function within classes/Tools.php if possible.