CVE-2026-9370

LOW
Published May 24, 2026 Modified May 26, 2026 CWE-759 CWE-760

Description

A weakness has been identified in ulisesbocchio jasypt-spring-boot up to 3.0.5/4.0.4. Affected by this vulnerability is the function getSecretKeySaltGenerator of the file jasypt-spring-boot/src/main/java/com/ulisesbocchio/jasyptspringboot/encryptor/SimpleGCMConfig.java of the component Password Hash Handler. Executing a manipulation can lead to use of a one-way hash with a predictable salt. The attack can be launched remotely. The attack requires a high level of complexity. The exploitation appears to be difficult. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

CVSS v3.1 Score

3.7
LOW
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS — Exploit Prediction

0.0002
Probability of exploitation
0.07%
Percentile rank

EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.

Weakness Type (CWE)

CWE-759 CWE-759
CWE-760 CWE-760

References

Frequently Asked Questions

What is CVE-2026-9370? +
A weakness has been identified in ulisesbocchio jasypt-spring-boot up to 3.0.5/4.0.4. Affected by this vulnerability is the function getSecretKeySaltGenerator of the file jasypt-spring-boot/src/main/java/com/ulisesbocchio/jasyptspringboot/encryptor/SimpleGCMConfig.java of the component Password Hash Handler. Executing a manipulation can lead to use of a one-way hash with a predictable salt. The attack can be launched remotely. The attack requires a high level of complexity. The exploitation appears to be difficult. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. It has a CVSS v3.1 base score of 3.7 (LOW).
How severe is CVE-2026-9370? +
CVE-2026-9370 has a CVSS v3.1 score of 3.7 out of 10, rated LOW. This is a low-severity vulnerability with limited impact. The EPSS score is 0.0002, placing it in the 0th percentile for exploitation probability.
How do I check if I'm vulnerable to CVE-2026-9370? +
You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2025-5922

Access to TSplus Remote Access Admin Tool is restricted to administrators (unless "Disable UAC" option is enabled) and requires a …
CVE-2025-10205 8.8

Use of a One-Way Hash with a Predictable Salt vulnerability in ABB FLXEON.This issue affects FLXEON: through 9.3.5. and newer …
CVE-2025-34208 7.5

Vasion Print (formerly PrinterLogic) Virtual Appliance Host and Application (VA/SaaS deployments) store user passwords using unsalted SHA-512 hashes with a …
CVE-2024-36440 6.8

An issue was discovered on Swissphone DiCal-RED 4009 devices. An attacker with access to the file /etc/deviceconfig may recover the …
CVE-2026-45027 5.9

WeGIA is a web manager for charitable institutions. In versions prior to 3.7.3, when a user logs in, html/login.php hashes …
CVE-2025-53884 5.3

NeuVector stores user passwords and API keys using a simple, unsalted hash. This method is vulnerable to rainbow table attack …

Don't wait for an exploit

Scan your website for vulnerabilities like CVE-2026-9370 — free, no signup required.

Start Free Scan