Auth bypass in Hashtopolis Server
CVE-2026-22104
Improper access control in Hashtopolis server web-interface chunk activity component for versions prior to 0.14.8 allows any created account to read all cracked hashes of a Hashtopolis server instance.
Vulnerability class: IDOR (Insecure Direct Object Reference)
Affected products
- Hashtopolis Server — versions 0
Weakness classification (CWE)
References
- csirt@divd.nl (third-party-advisory)
- csirt@divd.nl (third-party-advisory)
- csirt@divd.nl (vendor-advisory)