CVE-2026-58466
AutoBangumi < 3.2.8 - Hard-coded Default Credentials via add_default_user()
| CVSS Score | 9.8 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
AutoBangumi before 3.2.8 contains a hard-coded default credentials vulnerability that allows unauthenticated attackers to authenticate as the administrator by using the publicly known default credentials seeded at startup via add_default_user() in the database user module when the users table is empty. Attackers can submit the default credentials to the authentication login endpoint to gain full control of the application, including RSS feed configuration, downloader configuration, and all authenticated API endpoints.
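The seed-when-empty pattern described above, next to a per-install random secret, as an added example that is not AutoBangumi's code or its 3.2.8 fix. The table layout, function names, PBKDF2 hashing and the `DEFAULT_*` values are assumptions constructed for illustration; the page does not give the real defaults.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Constructed placeholders, not the project's real default credentials.
DEFAULT_USER = "admin"
DEFAULT_PASSWORD = "example-default-password"

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def init_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw BLOB)")
    return db

def _insert(db: sqlite3.Connection, name: str, password: str) -> None:
    salt = secrets.token_bytes(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?)", (name, salt, _hash(password, salt)))

def users_empty(db: sqlite3.Connection) -> bool:
    return db.execute("SELECT COUNT(*) FROM users").fetchone()[0] == 0

def seed_fixed(db: sqlite3.Connection) -> None:
    """Weak pattern (CWE-1392): every fresh install gets the same known secret."""
    if users_empty(db):
        _insert(db, DEFAULT_USER, DEFAULT_PASSWORD)

def seed_random(db: sqlite3.Connection):
    """Hardened pattern: a per-install random secret, returned once to the operator."""
    if not users_empty(db):
        return None  # never re-seed or reveal anything once an account exists
    password = secrets.token_urlsafe(18)
    _insert(db, DEFAULT_USER, password)
    return password

def login(db: sqlite3.Connection, name: str, password: str) -> bool:
    row = db.execute("SELECT salt, pw FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[1], _hash(password, row[0]))
```

With `seed_fixed`, storing the password hashed does not help: the plaintext is the same on every install, so the login check accepts it on any instance whose users table was empty at startup.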
| CWE | CWE-1392 |
| Vendor | estrellaxd |
| Product | auto_bangumi |
| Published | Jul 2, 2026 |
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | High |
Affected Versions
EstrellaXD / Auto_Bangumi
0 < 3.2.8
References
github.com: https://github.com/EstrellaXD/Auto_Bangumi/releases/tag/3.2.8
github.com: https://github.com/EstrellaXD/Auto_Bangumi/issues/1041
github.com: https://github.com/EstrellaXD/Auto_Bangumi/commit/487bdfec545e805ae416e6ddf28651bd274d6a73
vulncheck.com: https://www.vulncheck.com/advisories/autobangumi-hard-coded-default-credentials-via-add-default-user
Credits
George Chen