CVE-2026-58466
Severity: Critical (CVSS 9.8)
Exploitation Probability (EPSS): Low risk, 39th percentile (higher than 39% of all known CVEs)
Summary
AutoBangumi before version 3.2.8 contains hard-coded default credentials that are publicly known, so an unauthenticated attacker can authenticate as the administrator. These credentials are seeded at startup by add_default_user() in the database user module whenever the users table is empty.
Risk Assessment
An attacker can gain full control over the application, including RSS feed configuration, downloader configuration, and all authenticated API endpoints, leading to system compromise and potential data leakage.
Recommendation
Immediately update AutoBangumi to version 3.2.8 or later, and change the default credentials to a unique and strong password.
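The seeding pattern described in the summary, next to one hardened alternative, as an added example that is not AutoBangumi's code and not the fix shipped in 3.2.8. The schema, function names and credential values are constructed placeholders; the page does not give the real defaults.

```python
import hashlib
import hmac
import secrets
import sqlite3

# Constructed placeholders: NOT AutoBangumi's real default credentials.
PLACEHOLDER_USER = "admin"
PLACEHOLDER_PASSWORD = "placeholder-default-password"

def hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def open_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")  # hypothetical schema, empty on first start
    db.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB,"
               " pw BLOB, must_change INTEGER)")
    return db

def insert_user(db, username: str, password: str, must_change: int) -> None:
    salt = secrets.token_bytes(16)
    db.execute("INSERT INTO users VALUES (?, ?, ?, ?)",
               (username, salt, hash_pw(password, salt), must_change))

def users_empty(db) -> bool:
    return db.execute("SELECT COUNT(*) FROM users").fetchone()[0] == 0

def seed_hardcoded(db) -> None:
    """Vulnerable pattern: every fresh install gets the same known password."""
    if users_empty(db):
        insert_user(db, PLACEHOLDER_USER, PLACEHOLDER_PASSWORD, 0)

def seed_random(db):
    """Hardened: per-install random password, flagged for change at first login."""
    if not users_empty(db):
        return None
    password = secrets.token_urlsafe(18)
    insert_user(db, PLACEHOLDER_USER, password, 1)
    return password  # caller shows this to the operator once

def login(db, username: str, password: str) -> bool:
    row = db.execute("SELECT salt, pw FROM users WHERE username = ?",
                     (username,)).fetchone()
    return row is not None and hmac.compare_digest(hash_pw(password, row[0]), row[1])

def default_login_works(seed) -> bool:
    db = open_db()
    seed(db)
    return login(db, PLACEHOLDER_USER, PLACEHOLDER_PASSWORD)

if __name__ == "__main__":
    print("hard-coded seed:", default_login_works(seed_hardcoded))
    print("random seed:    ", default_login_works(seed_random))
```

With the hard-coded seed, the publicly known password works on every fresh install; with the random seed it fails, and only the value generated for that installation is accepted.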
Original NVD description (English source)
AutoBangumi before 3.2.8 contains a hard-coded default credentials vulnerability that allows unauthenticated attackers to authenticate as the administrator by using the publicly known default credentials seeded at startup via add_default_user() in the database user module when the users table is empty. Attackers can submit the default credentials to the authentication login endpoint to gain full control of the application, including RSS feed configuration, downloader configuration, and all authenticated API endpoints.

