CVE-2026-26218
Awaiting Analysis Awaiting Analysis - Queue
Default Credential Vulnerability in newbee-mall Administrator Accounts

Publication date: 2026-02-12

Last updated on: 2026-02-25

Assigner: VulnCheck

Description
newbee-mall includes pre-seeded administrator accounts in its database initialization script. These accounts are provisioned with a predictable default password. Deployments that initialize or reset the database using the provided schema and fail to change the default administrative credentials may allow unauthenticated attackers to log in as an administrator and gain full administrative control of the application.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-12
Last Modified
2026-02-25
Generated
2026-06-16
AI Q&A
2026-02-12
EPSS Evaluated
2026-06-15
NVD
CVE-2026-26218
EUVD
EUVD-2026-6192
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
newbee-mall_project newbee-mall to 1.0.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-798 The product contains hard-coded credentials, such as a password or cryptographic key.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-26218 is a critical vulnerability in newbee-mall versions up to 1.0.0 caused by default administrator accounts included in the database initialization script.

These accounts have predictable, hard-coded passwords. If the database is initialized or reset using the provided schema and the default credentials are not changed, unauthenticated attackers can log in as administrators.

This allows attackers to gain full administrative control of the application without needing any privileges or user interaction.

Impact Analysis

This vulnerability allows unauthenticated remote attackers to log in as administrators, resulting in full administrative control over the application.

  • Complete compromise of confidentiality, integrity, and availability of the application.
  • Attackers can manipulate data, disrupt services, and access sensitive information.
  • No user interaction or prior privileges are required to exploit this vulnerability.
Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by checking if the default seeded administrator accounts with predictable passwords are present in the database initialization script or active in the system.

You can attempt to log in using the known default administrator credentials to verify if the vulnerability exists.

Commands to detect this might include querying the database for default administrator accounts or attempting authentication with default passwords.

  • Run a database query to list administrator accounts and check for default usernames.
  • Attempt login via the application interface using default credentials.
Mitigation Strategies

Immediately change the default seeded administrator passwords to strong, unique passwords.

Avoid using the default database initialization script without modification.

If the database has been initialized or reset using the default schema, reset the administrator passwords immediately.

Implement access controls and monitor for unauthorized login attempts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26218. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart