PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-22104 hashtopolis CVE debrief

CVE-2026-22104 is a HIGH severity vulnerability with a CVSS score of 7.1. The vulnerability exists in the Hashtopolis server web-interface chunk activity component for versions prior to 0.14.8, allowing any created account to read all cracked hashes of a Hashtopolis server instance. The CVE record was published on 2026-07-17T10:16:36.550Z and has not been modified since then. Affected product or component is Hashtopolis server, and the vulnerability class is improper access control.

Vendor
hashtopolis
Product
server
CVSS
HIGH 7.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-17
Original CVE updated
2026-07-17
Advisory published
2026-07-17
Advisory updated
2026-07-17

Who should care

Organizations using Hashtopolis server versions prior to 0.14.8 should be aware of this vulnerability and take necessary actions to upgrade to a patched version. Affected operators and platforms should review vulnerability management and security team impact. Security teams should prioritize upgrading Hashtopolis server instances to version 0.14.8 or later.

Technical summary

The vulnerability is caused by improper access control in the Hashtopolis server web-interface chunk activity component. This allows any created account to read all cracked hashes of a Hashtopolis server instance. The CVSS vector for this vulnerability is CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:I/V:X/RE:X/U:X. Affected product context requires upgrading to version 0.14.8 or later.

Defensive priority

High priority should be given to upgrading Hashtopolis server instances to version 0.14.8 or later and reviewing compensating controls for exposed systems.

Recommended defensive actions

  • Upgrade Hashtopolis server instances to version 0.14.8 or later
  • Review and restrict access to sensitive components
  • Monitor for suspicious activity
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented

Evidence notes

The CVE record was published on 2026-07-17T10:16:36.550Z and has not been modified since then. The NVD entry is currently Received. The Hashtopolis server web-interface chunk activity component vulnerability allows any created account to read all cracked hashes of a Hashtopolis server instance. Evidence is limited, and defenders should verify affected scope and vendor guidance.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T10:16:36.550Z and has not been modified since then.