๐Ÿ” CVE Alert

CVE-2026-58466

CRITICAL 9.8

AutoBangumi < 3.2.8 - Hard-coded Default Credentials via add_default_user()

CVSS Score 9.8
EPSS Score 0.0%
EPSS Percentile 0th

AutoBangumi before 3.2.8 contains a hard-coded default credentials vulnerability that allows unauthenticated attackers to authenticate as the administrator by using the publicly known default credentials seeded at startup via add_default_user() in the database user module when the users table is empty. Attackers can submit the default credentials to the authentication login endpoint to gain full control of the application, including RSS feed configuration, downloader configuration, and all authenticated API endpoints.

CWE CWE-1392
Vendor estrellaxd
Product auto_bangumi
Published Jul 2, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Affected Versions

EstrellaXD / Auto_Bangumi
All versions before 3.2.8

References

https://github.com/EstrellaXD/Auto_Bangumi/releases/tag/3.2.8
https://github.com/EstrellaXD/Auto_Bangumi/issues/1041
https://github.com/EstrellaXD/Auto_Bangumi/commit/487bdfec545e805ae416e6ddf28651bd274d6a73
https://www.vulncheck.com/advisories/autobangumi-hard-coded-default-credentials-via-add-default-user

Credits

George Chen