CVE-2026-26218

CRITICAL EPSS 28.6%
Published Feb 12, 20264mo ago · Modified Feb 25, 20264mo ago
9.3 CVSS 4.0
Critical
Find Similar
Published Feb 12, 2026 4mo ago
Last Modified Feb 25, 2026 4mo ago

Description

newbee-mall includes pre-seeded administrator accounts in its database initialization script. These accounts are provisioned with a predictable default password. Deployments that initialize or reset the database using the provided schema and fail to change the default administrative credentials may allow unauthenticated attackers to log in as an administrator and gain full administrative control of the application.

CVSS Details

Base Score
9.3
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
28.6% percentile
Exploit & Patch Status
Public Exploit Known
No Patch Available

Weaknesses 1

CWE-798 Use of Hard-coded Credentials Authentication

Affected Products 1

VendorProductVersionRange
newbee-mall_projectnewbee-mall* ≤1.0.0

References 2

  • github.com https://github.com/newbee-ltd/newbee-mall/issues/119
    ExploitIssue TrackingVendor Advisory
  • vulncheck.com https://www.vulncheck.com/advisories/newbee-mall-default-seeded-administrator-credentials-allow-account-takeover
    Third Party Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.