CVE-2026-34527: CWE-328: Use of Weak Hash in sandboxie-plus Sandboxie
Sandboxie-Plus versions 1.17.2 and earlier contain a weakness in the password hashing implementation where the SHA-1 digest is incorrectly converted to hexadecimal, reducing the effective entropy of stored password hashes from 160 bits to 80 bits. This issue is compounded by the use of an unsalted SHA-1 hash. The vulnerability makes brute-forcing leaked or backed-up password hashes easier. The issue has been fixed in version 1.17.3. The CVSS score is low, reflecting limited impact and exploitability.
AI Analysis
Technical Summary
Sandboxie-Plus, an open source sandbox isolation software for Windows, in versions prior to 1.17.3, improperly converts SHA-1 password hashes by shifting the high nibble incorrectly, resulting in stored password hashes that only preserve the low nibble of each digest byte. This reduces the effective entropy from 160 bits to 80 bits on top of using an unsalted SHA-1 scheme, weakening password hash strength and making brute-force attacks easier. The vulnerability is identified as CWE-328 (Use of Weak Hash). The flaw was corrected in version 1.17.3.
Potential Impact
The reduced entropy in password hashes lowers the computational effort required to brute-force passwords if hashes are leaked or backed up. However, the overall impact is limited due to the local attack vector and the requirement for privileged access to obtain the hashes. There are no known exploits in the wild. The CVSS score of 2 (low severity) reflects the limited attack surface and difficulty of exploitation.
Mitigation Recommendations
Upgrade Sandboxie-Plus to version 1.17.3 or later, where the password hashing issue has been fixed. Since the vendor advisory does not provide additional remediation details, applying this update is the recommended action. Patch status is not explicitly stated but the fix is included in version 1.17.3.
CVE-2026-34527: CWE-328: Use of Weak Hash in sandboxie-plus Sandboxie
Description
Sandboxie-Plus versions 1.17.2 and earlier contain a weakness in the password hashing implementation where the SHA-1 digest is incorrectly converted to hexadecimal, reducing the effective entropy of stored password hashes from 160 bits to 80 bits. This issue is compounded by the use of an unsalted SHA-1 hash. The vulnerability makes brute-forcing leaked or backed-up password hashes easier. The issue has been fixed in version 1.17.3. The CVSS score is low, reflecting limited impact and exploitability.
CVSS v4.0
Score 2.0low
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Sandboxie-Plus, an open source sandbox isolation software for Windows, in versions prior to 1.17.3, improperly converts SHA-1 password hashes by shifting the high nibble incorrectly, resulting in stored password hashes that only preserve the low nibble of each digest byte. This reduces the effective entropy from 160 bits to 80 bits on top of using an unsalted SHA-1 scheme, weakening password hash strength and making brute-force attacks easier. The vulnerability is identified as CWE-328 (Use of Weak Hash). The flaw was corrected in version 1.17.3.
Potential Impact
The reduced entropy in password hashes lowers the computational effort required to brute-force passwords if hashes are leaked or backed up. However, the overall impact is limited due to the local attack vector and the requirement for privileged access to obtain the hashes. There are no known exploits in the wild. The CVSS score of 2 (low severity) reflects the limited attack surface and difficulty of exploitation.
Mitigation Recommendations
Upgrade Sandboxie-Plus to version 1.17.3 or later, where the password hashing issue has been fixed. Since the vendor advisory does not provide additional remediation details, applying this update is the recommended action. Patch status is not explicitly stated but the fix is included in version 1.17.3.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-03-30T16:03:31.048Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69fa4dc2cbff5d86102152ac
Added to database: 5/5/2026, 8:06:26 PM
Last enriched: 5/13/2026, 3:52:32 AM
Last updated: 6/20/2026, 8:43:48 AM
Views: 85
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.