Sulu Weak Cryptographic Hash Vulnerability in Password Reset and API Key Generation

Vulnerability

Sulu, an open-source PHP content management system, generates its password reset tokens and API keys with a weak cryptographic hash algorithm in versions before 2.6.23 (2.x line) and before 3.0.6 (3.x line). The vulnerability is fixed in those two releases.

Impact

Because the weak hash is applied to the value that becomes the password reset token or API key, the resulting tokens can be predictable rather than uniformly random. An attacker who can trigger a password reset for a victim account (for example by submitting the victim's e-mail address to the reset form) may be able to guess the reset token and set a new password, and an attacker who can predict an API key can authenticate to the API as that user without knowing their password. Secret tokens are only as unpredictable as the entropy that goes into them: hashing a guessable input with any algorithm, weak or strong, does not make the output secret, which is why such tokens should be drawn from a cryptographically secure random source.
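The following PHP is an added illustration of the weak-token pattern described above and of the hardened replacement; it is example code written for this page, not Sulu's own code, and it does not claim to reproduce the exact inputs or algorithm Sulu used. It assumes, for illustration, that the weak generator hashes a low-entropy value (the issue timestamp), which is enough for an attacker who knows roughly when the reset was requested to recover the token by trying candidate timestamps. The helper names (`weakResetToken`, `bruteForceWeak`, `issueToken`, `verifyToken`) are hypothetical.

```php
<?php
declare(strict_types=1);

// Added example, not Sulu's code. The weak generator hashes a guessable
// input (a Unix timestamp, assumed here for illustration); the algorithm
// choice does not matter because the input itself has almost no entropy.

/** Weak: the only "secret" is the issue time, which an attacker can bound. */
function weakResetToken(int $issuedAt): string
{
    return md5((string) $issuedAt);
}

/**
 * Attacker side: the reset endpoint ($accepts) tells us whether a candidate
 * token is valid. Knowing the request happened near $guessCenter, walk
 * outward over +/- $windowSeconds and return the issue time that matched.
 * Returns null when nothing in the window was accepted.
 */
function bruteForceWeak(callable $accepts, int $guessCenter, int $windowSeconds): ?int
{
    for ($delta = 0; $delta <= $windowSeconds; $delta++) {
        foreach (array_unique([$guessCenter - $delta, $guessCenter + $delta]) as $t) {
            if ($accepts(weakResetToken($t))) {
                return $t;
            }
        }
    }
    return null;
}

/**
 * Hardened: 256 bits from the CSPRNG. The raw token is sent to the user
 * (reset link or API key); the database keeps only its SHA-256 digest, so a
 * database leak does not expose usable tokens. Returns [token, storedDigest].
 */
function issueToken(): array
{
    $token = bin2hex(random_bytes(32));
    return [$token, hash('sha256', $token)];
}

/** Constant-time comparison plus an expiry check for reset tokens. */
function verifyToken(string $presented, string $storedDigest, int $expiresAt, int $now): bool
{
    if ($now > $expiresAt) {
        return false;
    }
    return hash_equals($storedDigest, hash('sha256', $presented));
}

// --- Demo with constructed values ---------------------------------------
$issuedAt    = 1700000000;               // constructed: when the victim's reset was issued
$victimToken = weakResetToken($issuedAt); // what the application stored/sent

// A verifier that behaves like the reset endpoint would.
$accepts = fn(string $candidate): bool => hash_equals($victimToken, $candidate);

// The attacker only knows the reset happened "about 7 seconds ago".
$recovered = bruteForceWeak($accepts, $issuedAt + 7, 60);
printf("weak token recovered: %s (issue time %d)\n",
    $recovered === null ? 'no' : 'yes', $recovered ?? -1);

// The hardened token cannot be enumerated the same way: 2^256 candidates.
[$token, $digest] = issueToken();
$expiresAt = $issuedAt + 3600;
var_dump(verifyToken($token, $digest, $expiresAt, $issuedAt + 10));   // bool(true)
var_dump(verifyToken($token, $digest, $expiresAt, $issuedAt + 7200)); // bool(false): expired
var_dump(verifyToken(strrev($token), $digest, $expiresAt, $issuedAt + 10)); // bool(false)
```

The same `issueToken`/`verifyToken` pair serves API keys as well as reset tokens; for long-lived API keys drop the expiry check or set it far in the future, and keep the stored-digest design so that keys never sit in plaintext in the database.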

Remediation

Upgrade to Sulu 2.6.23 (for the 2.x line) or 3.0.6 (for the 3.x line). Upgrade instructions are available in the Sulu documentation. Note that the fix changes how new tokens and keys are generated; API keys issued by the old code remain whatever they were, so operators should rotate existing API keys after upgrading unless the release notes state that they are regenerated, and consider invalidating any outstanding password reset tokens.

Added: Jun 1, 2026, 5:21 PM
Updated: Jun 1, 2026, 5:21 PM

Vulnerability Rating

Custom Algorithm

spread          3.4
impact          3.1
exploitability  7.6
remediation     7.7
relevance       9.7
threat          0.0
urgency         2.9
incentive       4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.