Hard-Coded Default Credentials Vulnerability in AutoBangumi by EstrellaXD
CVE-2026-58466

9.3 CRITICAL

Key Information:

Vendor: Estrellaxd
CVE Published: 2 July 2026

What is CVE-2026-58466?

AutoBangumi versions prior to 3.2.8 allow unauthenticated attackers to access the application as an administrator using hard-coded default credentials. The add_default_user() function seeds these credentials at startup whenever the users table is empty. An attacker who logs in with them gains complete control over the application, including crucial settings such as the RSS feed and downloader configurations, and can access all authenticated API endpoints.
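The seeding pattern described above, next to a hardened variant and an audit check, as an added example that is not AutoBangumi's code. The table layout, the function names, the "admin" account name and the placeholder password are assumptions made for illustration.

```python
import hashlib, hmac, secrets, sqlite3

PLACEHOLDER_DEFAULT = "<hard-coded-default>"  # constructed placeholder, not the real value

def open_db():
    # Hypothetical users table; the project's real schema is not shown on the page.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw BLOB, must_change INTEGER)")
    return conn

def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _insert(conn, name, password, must_change):
    salt = secrets.token_bytes(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
                 (name, salt, _hash(password, salt), must_change))

def _is_empty(conn):
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0] == 0

def seed_default_user_vulnerable(conn):
    # Weak pattern: every fresh install gets the same, publicly known password.
    if _is_empty(conn):
        _insert(conn, "admin", PLACEHOLDER_DEFAULT, 0)

def seed_first_admin_hardened(conn):
    # Per-install random secret, flagged for change on first login.
    # Returns the one-time password so the operator can be shown it once.
    if not _is_empty(conn):
        return None
    otp = secrets.token_urlsafe(24)
    _insert(conn, "admin", otp, 1)
    return otp

def check_login(conn, name, password):
    row = conn.execute("SELECT salt, pw FROM users WHERE name = ?", (name,)).fetchone()
    return bool(row) and hmac.compare_digest(row[1], _hash(password, row[0]))

def accounts_with_known_password(conn, known_defaults):
    # Audit for an existing install: which accounts still use a published default?
    hits = []
    for name, salt, pw in conn.execute("SELECT name, salt, pw FROM users").fetchall():
        if any(hmac.compare_digest(pw, _hash(k, salt)) for k in known_defaults):
            hits.append(name)
    return hits
```

Upgrading does not change a password that was already seeded, so the audit check is the part to run against an install that started on an affected version.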

Affected Version(s)

Auto_Bangumi 0 < 3.2.8

CVSS V4

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

George Chen