5.3 CVE-2026-34527

Enriched by CISA Privilege Escalation

Sandboxie-Plus is an open source sandbox-based isolation software for Windows. In versions 1.17.2 and earlier, SbieIniServer::HashPassword converts a SHA-1 digest to hexadecimal incorrectly. The high nibble of each byte is shifted right by 8 instead of 4, which always produces zero for an 8-bit value. As a result, the stored EditPassword hash only preserves the low nibble of each digest byte, reducing the effective entropy from 160 bits to 80 bits. This is layered on top of an unsalted SHA-1 scheme. The reduced entropy makes leaked or backed-up password hashes materially easier to brute-force. This issue has been fixed in version 1.17.3.
https://nvd.nist.gov/vuln/detail/CVE-2026-34527

Categories

CWE-328 : Use of Weak Hash
The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably determine the original input (preimage attack), find another input that can produce the same hash (2nd preimage attack), or find multiple inputs that evaluate to the same hash (birthday attack). Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.) Programmable Logic Controller (PLC) uses a protocol with a cryptographically insecure hashing algorithm for passwords. SHA-1 algorithm is not collision-resistant. DNS product uses a weak hash (CRC32 or SHA-1) of the query name, allowing attacker to forge responses by computing domain names with the same hash. blogging product uses MD5-based algorithm for passwords. forging of certificate signatures using SHA-1 collisions. mobile app for backup sends SHA-1 hash of password in cleartext. Hard-coded hashed values for username and password contained in client-side script, allowing brute-force offline attacks.

References

134c704f-9b21-4f2e-91b3-4a467353bcc0

https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-w37h-qm9... Mitigation Vendor Advisory

security-advisories@github.com

https://github.com/sandboxie-plus/Sandboxie/security/advisories/GHSA-w37h-qm9... Mitigation Vendor Advisory

AFFECTED (from MITRE)

Vendor	Product	Versions
sandboxie-plus	Sandboxie	< 1.17.3 [affected]
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

CPE

cpe	start	end
Configuration 1
cpe:2.3:a:sandboxie-plus:sandboxie:::::plus:::*		< 1.17.3

REMEDIATION

EXPLOITS

Exploit-db.com

id	description	date
No known exploits

POC Github

Url
No known exploits

Other Nist (github, ...)

Url
No known exploits

CAPEC

Common Attack Pattern Enumerations and Classifications

id	description	severity
461	Web Services API Signature Forgery Leveraging Hash Function Extension Weakness An adversary utilizes a hash function extension/padding weakness, to modify the parameters passed to the web service requesting authentication by generating their own call in order to generate a legitimate signature hash (as described in the notes), without knowledge of the secret token sometimes provided by the web service. [Find a vulnerable web service] The adversary finds a web service that uses a vulnerable authentication scheme, where an authentication token is concatenated with the parameters of a request and then hashed [Attempt adding padding to parameters] An adversary tests if they can simply add padding to the parameters of a request such that the request is technically changed, with the hash remaining the same [Add malicious parameters to request] Add malicious parameters to a captured request in addition to what is already present. Do this by exploiting the padding weakness of the hash function and send the request to the web service so that it believes it is authenticated and acts on the extra parameters.	High
68	Subvert Code-signing Facilities Many languages use code signing facilities to vouch for code's identity and to thus tie code to its assigned privileges within an environment. Subverting this mechanism can be instrumental in an attacker escalating privilege. Any means of subverting the way that a virtual machine enforces code signing classifies for this style of attack.	Very High

MITRE

Techniques

id	description
T1553.002	Subvert Trust Controls:Code Signing
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Cybersecurity needs ?

Strengthen software security from the outset with our DevSecOps expertise

Integrate security right from the start of the software development cycle for more robust applications and greater customer confidence.
Our team of DevSecOps experts can help you secure your APIs, data pipelines, CI/CD chains, Docker containers and Kubernetes deployments.

Discover this offer

Soutenez No Hack Me sur Tipeee