Security Vulnerability Report
CVE-2026-7845 CVSS 2.6 LOW

CVE-2026-7845

Published: 2026-05-05 16:16:19
Last Modified: 2026-05-05 20:16:41

Description

A flaw has been found in chatchat-space Langchain-Chatchat up to 0.3.1.3. The issue affects the function PIL.Image.tobytes in the file libs/chatchat-server/chatchat/webui_pages/dialogue/dialogue.py of the component Vision Chat Paste Image Handler. Manipulation of the argument paste_image.image_data results in the use of a weak hash. The attacker needs to be present on the local network. The attack is considered to have high complexity, and exploitability is assessed as difficult. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.

CVSS Details

CVSS Score: 2.6
Severity: LOW
CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

chatchat-space Langchain-Chatchat <= 0.3.1.3

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import hashlib
from PIL import Image
import io

# Conceptual PoC for Weak Hash Collision in Image Handling
# This script demonstrates how image data is converted to bytes and hashed
# In the vulnerable version, a weak hash mechanism is used.

def generate_collision_image():
    # Create a dummy image
    img = Image.new('RGB', (100, 100), color='red')

    # Convert to bytes as done in the vulnerable function
    img_bytes = img.tobytes()

    # Simulate the weak hash usage (e.g., using a simple checksum or short hash)
    # Assuming the vulnerability involves predictable or collidable hashes
    # Python's built-in hash is randomized per session, but illustrates the point
    weak_hash = hash(img_bytes)

    print(f"Image Bytes Length: {len(img_bytes)}")
    print(f"Weak Hash Value: {weak_hash}")

    # An attacker would craft image_data that results in a specific hash collision
    # to bypass checks or corrupt storage integrity.
    return img_bytes

if __name__ == "__main__":
    data = generate_collision_image()
    print("PoC executed: Image data processed with weak hash.")
```

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-7845", "sourceIdentifier": "[email protected]", "published": "2026-05-05T16:16:19.383", "lastModified": "2026-05-05T20:16:41.363", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in chatchat-space Langchain-Chatchat up to 0.3.1.3. This issue affects the function PIL.Image.tobytes of the file libs/chatchat-server/chatchat/webui_pages/dialogue/dialogue.py of the component Vision Chat Paste Image Handler. This manipulation of the argument paste_image.image_data causes use of weak hash. The attacker needs to be present on the local network. The attack is considered to have high complexity. The exploitability is assessed as difficult. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:A/AC:H/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 1.2, "baseSeverity": "LOW", "attackVector": "ADJACENT", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", 
"modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 2.6, "baseSeverity": "LOW", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 1.2, "impactScore": 1.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:A/AC:H/Au:S/C:N/I:P/A:N", "baseScore": 1.4, "accessVector": "ADJACENT_NETWORK", "accessComplexity": "HIGH", "authentication": "SINGLE", "confidentialityImpact": "NONE", "integrityImpact": "PARTIAL", "availabilityImpact": "NONE"}, "baseSeverity": "LOW", "exploitabilityScore": 2.5, "impactScore": 2.9, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-327"}, {"lang": "en", "value": "CWE-328"}]}], "references": [{"url": "https://github.com/3em0/cve_repo/blob/main/Langchain-Chatchat/Vuln-1-tobytes-Hash-Collision.md", "source": "[email protected]"}, {"url": "https://github.com/chatchat-space/Langchain-Chatchat/", "source": "[email protected]"}, {"url": "https://github.com/chatchat-space/Langchain-Chatchat/issues/5462", "source": "[email 
protected]"}, {"url": "https://vuldb.com/submit/807794", "source": "[email protected]"}, {"url": "https://vuldb.com/vuln/361124", "source": "[email protected]"}, {"url": "https://vuldb.com/vuln/361124/cti", "source": "[email protected]"}, {"url": "https://github.com/chatchat-space/Langchain-Chatchat/issues/5462", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}