CVE-2026-25803
CRITICAL
3dp-manager < 2.0.1 - Use of Hard-coded Credentials
Title source: llm
Description
3DP-MANAGER is an inbound generator for 3x-ui. In version 2.0.1 and prior, the application automatically creates an administrative account with known default credentials (admin/admin) upon the first initialization. Attackers with network access to the application's login interface can gain full administrative control, managing VPN tunnels and system settings. This issue will be patched in version 2.0.2.
References (2)
Core References
Vendor Advisory x_refsource_confirm
https://github.com/denpiligrim/3dp-manager/security/advisories/GHSA-5x57-h7cw-9jmw
Scores
CVSS v3
9.8
EPSS
0.0036
EPSS Percentile
28.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-798
Status
published
Products (1)
denpiligrim/3dp-manager
< 2.0.1
Published
Feb 06, 2026
Tracked Since
Feb 18, 2026