
CVE-2026-58466

CRITICAL
9.8
CVSS 3.1
Description
AutoBangumi before 3.2.8 contains a hard-coded default credentials vulnerability that allows unauthenticated attackers to authenticate as the administrator by using the publicly known default credentials seeded at startup via add_default_user() in the database user module when the users table is empty. Attackers can submit the default credentials to the authentication login endpoint to gain full control of the application, including RSS feed configuration, downloader configuration, and all authenticated API endpoints.

Metadata

CVE ID: CVE-2026-58466
State: PUBLISHED
Assigner: VulnCheck
Reserved: 2026-06-30 20:20 UTC
Published: 2026-07-02 19:56 UTC
Last updated: 2026-07-02 19:56 UTC
Primary CWE: CWE-1392 (Use of Default Credentials)
Vendor / Product: EstrellaXD / Auto_Bangumi
Sources: cve.org, NVD

Severity & Metrics

9.8 CRITICAL CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Affected products (1)
Vendor | Product | Platform | Versions
EstrellaXD | Auto_Bangumi | | 0 < 3.2.8
Weakness (CWE)
CWE | Source | Description
CWE-1392 | cna | Use of Default Credentials
CVSS scores (2)
Score | Severity | Version | Source | Vector
9.8 | CRITICAL | 3.1 | cna | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.3 | CRITICAL | 4.0 | cna | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N