CVE-2026-25803

3DP-MANAGER is an inbound generator for 3x-ui. In version 2.0.1 and prior, the application automatically creates an administrative account with known default credentials (admin/admin) upon the first initialization. Attackers with network access to the application's login interface can gain full administrative control, managing VPN tunnels and system settings. This issue will be patched in version 2.0.2.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/denpiligrim/3dp-manager/commit/f568de41de97dd1b70a963708a1ee18e52b9d248	Patch
https://github.com/denpiligrim/3dp-manager/security/advisories/GHSA-5x57-h7cw-9jmw	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:denpiligrim:3dp-manager:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-06 23:15

Updated : 2026-03-17 20:43

NVD link : CVE-2026-25803

Mitre link : CVE-2026-25803

CVE.ORG link : CVE-2026-25803

JSON object : View

Products Affected

denpiligrim

3dp-manager

CWE

CWE-798

Use of Hard-coded Credentials

{"id": "CVE-2026-25803", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2026-02-06T23:15:54.973", "references": [{"url": "https://github.com/denpiligrim/3dp-manager/commit/f568de41de97dd1b70a963708a1ee18e52b9d248", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/denpiligrim/3dp-manager/security/advisories/GHSA-5x57-h7cw-9jmw", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-798"}]}], "descriptions": [{"lang": "en", "value": "3DP-MANAGER is an inbound generator for 3x-ui. In version 2.0.1 and prior, the application automatically creates an administrative account with known default credentials (admin/admin) upon the first initialization. Attackers with network access to the application's login interface can gain full administrative control, managing VPN tunnels and system settings. This issue will be patched in version 2.0.2."}, {"lang": "es", "value": "3DP-MANAGER es un generador de entrada para 3x-ui. En la versi\u00f3n 2.0.1 y anteriores, la aplicaci\u00f3n crea autom\u00e1ticamente una cuenta administrativa con credenciales predeterminadas conocidas (admin/admin) tras la primera inicializaci\u00f3n. Atacantes con acceso de red a la interfaz de inicio de sesi\u00f3n de la aplicaci\u00f3n pueden obtener control administrativo total, gestionando t\u00faneles VPN y configuraciones del sistema. Este problema ser\u00e1 parcheado en la versi\u00f3n 2.0.2."}], "lastModified": "2026-03-17T20:43:52.930", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:denpiligrim:3dp-manager:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "9E4299E9-A60F-4AC3-AAEE-6164DFCEACCD", "versionEndIncluding": "2.0.1"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}