9.3
CVE-2026-58466: AutoBangumi < 3.2.8: Default Credentials Can Be Used to Take Control
Summary
AutoBangumi versions before 3.2.8 contain a security flaw that allows attackers to use a known set of default login credentials to gain full access to the application. This is a concern because an attacker could use these credentials to change settings and access sensitive information. To fix this issue, update to version 3.2.8 or later.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions |
|---|---|---|
| estrellaxd | auto_bangumi | < 3.2.8 |
Original title
AutoBangumi < 3.2.8 - Hard-coded Default Credentials via add_default_user()
Original description
AutoBangumi before 3.2.8 contains a hard-coded default credentials vulnerability that allows unauthenticated attackers to authenticate as the administrator by using the publicly known default credentials seeded at startup via add_default_user() in the database user module when the users table is empty. Attackers can submit the default credentials to the authentication login endpoint to gain full control of the application, including RSS feed configuration, downloader configuration, and all authenticated API endpoints.
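A hardened counterpart of the "seed an administrator when the users table is empty" pattern described above, with an audit helper for existing installs. This is an added example, not AutoBangumi's code: the table layout, function names and PBKDF2 parameters are assumptions, and the audit candidate list is a placeholder the operator supplies.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Hypothetical schema for illustration; not the project's real users table.
SCHEMA = """CREATE TABLE IF NOT EXISTS users (
    username TEXT PRIMARY KEY, salt BLOB NOT NULL,
    pw_hash BLOB NOT NULL, must_change INTEGER NOT NULL DEFAULT 0)"""

def hash_password(password, salt):
    # Salted, slow hash so a leaked table does not reveal passwords directly.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)

def seed_first_admin(db, username="admin"):
    """Create the first account only when the table is empty.

    Returns a one-time random password to show the operator once,
    or None when accounts already exist (never re-seed)."""
    db.execute(SCHEMA)
    if db.execute("SELECT COUNT(*) FROM users").fetchone()[0]:
        return None
    password = secrets.token_urlsafe(18)  # unique per install, never a constant
    salt = secrets.token_bytes(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?, 1)",  # must_change = 1
               (username, salt, hash_password(password, salt)))
    db.commit()
    return password

def verify(db, username, password):
    row = db.execute("SELECT salt, pw_hash FROM users WHERE username = ?",
                     (username,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(hash_password(password, row[0]), row[1])

def accounts_with_known_password(db, candidates):
    """Audit: usernames whose stored hash matches any candidate password."""
    rows = db.execute("SELECT username, salt, pw_hash FROM users").fetchall()
    return [user for user, salt, pw_hash in rows
            if any(hmac.compare_digest(hash_password(c, salt), pw_hash)
                   for c in candidates)]

if __name__ == "__main__":
    conn = sqlite3.connect(":memory:")  # constructed, empty database
    print("one-time admin password:", seed_first_admin(conn))
    print("second call seeds nothing:", seed_first_admin(conn))
```

The `must_change` flag is meant to be enforced by the login handler, which is outside this sketch.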
nvd CVSS3.1
9.8
nvd CVSS4.0
9.3
Vulnerability type
CWE-1392
Published: 2 Jul 2026 · Updated: 3 Jul 2026 · First seen: 2 Jul 2026