CVE-2026-26218
CRITICAL
newbee-mall < 1.0.0 - Unauthenticated Account Takeover via Default Administrator Credentials
Title source: llm
Description
newbee-mall includes pre-seeded administrator accounts in its database initialization script. These accounts are provisioned with a predictable default password. Deployments that initialize or reset the database using the provided schema and fail to change the default administrative credentials may allow unauthenticated attackers to log in as an administrator and gain full administrative control of the application.
References (2)
Issue Tracking: https://github.com/newbee-ltd/newbee-mall/issues/119
Third Party Advisory: https://www.vulncheck.com/advisories/newbee-mall-default-seeded-administrator-credentials-allow-account-takeover
Scores
CVSS v3: 9.8
EPSS: 0.0037
EPSS Percentile: 28.3%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: total
Details
CWE: CWE-798
Status: published
Products (1)
newbee-mall_project/newbee-mall: < 1.0.0
Published: Feb 12, 2026
Tracked Since: Feb 18, 2026