PatchSiren cyber security CVE debrief
CVE-2026-22104 hashtopolis CVE debrief
CVE-2026-22104 is a HIGH severity vulnerability with a CVSS score of 7.1. The vulnerability exists in the Hashtopolis server web-interface chunk activity component for versions prior to 0.14.8, allowing any created account to read all cracked hashes of a Hashtopolis server instance. The CVE record was published on 2026-07-17T10:16:36.550Z and has not been modified since then. Affected product or component is Hashtopolis server, and the vulnerability class is improper access control.
- Vendor
- hashtopolis
- Product
- server
- CVSS
- HIGH 7.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-17
- Original CVE updated
- 2026-07-17
- Advisory published
- 2026-07-17
- Advisory updated
- 2026-07-17
Who should care
Organizations using Hashtopolis server versions prior to 0.14.8 should be aware of this vulnerability and take necessary actions to upgrade to a patched version. Affected operators and platforms should review vulnerability management and security team impact. Security teams should prioritize upgrading Hashtopolis server instances to version 0.14.8 or later.
Technical summary
The vulnerability is caused by improper access control in the Hashtopolis server web-interface chunk activity component. This allows any created account to read all cracked hashes of a Hashtopolis server instance. The CVSS vector for this vulnerability is CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:I/V:X/RE:X/U:X. Affected product context requires upgrading to version 0.14.8 or later.
Defensive priority
High priority should be given to upgrading Hashtopolis server instances to version 0.14.8 or later and reviewing compensating controls for exposed systems.
Recommended defensive actions
- Upgrade Hashtopolis server instances to version 0.14.8 or later
- Review and restrict access to sensitive components
- Monitor for suspicious activity
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record was published on 2026-07-17T10:16:36.550Z and has not been modified since then. The NVD entry is currently Received. The Hashtopolis server web-interface chunk activity component vulnerability allows any created account to read all cracked hashes of a Hashtopolis server instance. Evidence is limited, and defenders should verify affected scope and vendor guidance.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-17T10:16:36.550Z and has not been modified since then.