CVE-2026-58466

CRITICAL

AutoBangumi < 3.2.8 - Hard-coded Default Credentials via add_default_user()

Title source: cna

Description

AutoBangumi before 3.2.8 contains a hard-coded default credentials vulnerability that allows unauthenticated attackers to authenticate as the administrator by using the publicly known default credentials seeded at startup via add_default_user() in the database user module when the users table is empty. Attackers can submit the default credentials to the authentication login endpoint to gain full control of the application, including RSS feed configuration, downloader configuration, and all authenticated API endpoints.

Scores

CVSS v3: 9.8
EPSS: 0.0050
EPSS Percentile: 39.5%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE: CWE-1392
Status: published
Products (1): EstrellaXD/Auto_Bangumi < 3.2.8
Published: Jul 02, 2026
Tracked Since: Jul 03, 2026