CVE Catalog

CVE-2026-58466

Critical · CVSS 9.8

Exploitation Probability (EPSS)

Low risk
0.51%

39th percentile — higher than 39% of all known CVEs

Summary

AutoBangumi before version 3.2.8 ships with hard-coded default credentials. Because these credentials are publicly known, an unauthenticated attacker can use them to authenticate as the administrator. The credentials are seeded at startup via add_default_user() in the database user module when the users table is empty.

Risk Assessment

An attacker can gain full control over the application, including RSS feed configuration, downloader configuration, and all authenticated API endpoints, leading to system compromise and potential data leakage.

Recommendation

Immediately update AutoBangumi to version 3.2.8 or later, and replace the default credentials with a unique, strong password.

Original NVD description (English source)

AutoBangumi before 3.2.8 contains a hard-coded default credentials vulnerability that allows unauthenticated attackers to authenticate as the administrator by using the publicly known default credentials seeded at startup via add_default_user() in the database user module when the users table is empty. Attackers can submit the default credentials to the authentication login endpoint to gain full control of the application, including RSS feed configuration, downloader configuration, and all authenticated API endpoints.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS