CVE-2026-26218

newbee-mall includes pre-seeded administrator accounts in its database initialization script. These accounts are provisioned with a predictable default password. Deployments that initialize or reset the database using the provided schema and fail to change the default administrative credentials may allow unauthenticated attackers to log in as an administrator and gain full administrative control of the application.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/newbee-ltd/newbee-mall/issues/119	Exploit Issue Tracking Vendor Advisory
https://www.vulncheck.com/advisories/newbee-mall-default-seeded-administrator-credentials-allow-account-takeover	Third Party Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:newbee-mall_project:newbee-mall:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-12 19:15

Updated : 2026-02-25 16:41

NVD link : CVE-2026-26218

Mitre link : CVE-2026-26218

CVE.ORG link : CVE-2026-26218

JSON object : View

Products Affected

newbee-mall_project

newbee-mall

CWE

CWE-798

Use of Hard-coded Credentials

{"id": "CVE-2026-26218", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "disclosure@vulncheck.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "disclosure@vulncheck.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-12T19:15:52.120", "references": [{"url": "https://github.com/newbee-ltd/newbee-mall/issues/119", "tags": ["Exploit", "Issue Tracking", "Vendor Advisory"], "source": "disclosure@vulncheck.com"}, {"url": "https://www.vulncheck.com/advisories/newbee-mall-default-seeded-administrator-credentials-allow-account-takeover", "tags": ["Third Party Advisory"], "source": "disclosure@vulncheck.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "disclosure@vulncheck.com", "description": [{"lang": "en", "value": "CWE-798"}]}], "descriptions": [{"lang": "en", "value": "newbee-mall includes pre-seeded administrator accounts in its database initialization script. These accounts are provisioned with a predictable default password. Deployments that initialize or reset the database using the provided schema and fail to change the default administrative credentials may allow unauthenticated attackers to log in as an administrator and gain full administrative control of the application."}, {"lang": "es", "value": "newbee-mall incluye cuentas de administrador precargadas en su script de inicializaci\u00f3n de base de datos. Estas cuentas se aprovisionan con una contrase\u00f1a predeterminada predecible. Las implementaciones que inicializan o restablecen la base de datos utilizando el esquema proporcionado y no cambian las credenciales administrativas predeterminadas pueden permitir a atacantes no autenticados iniciar sesi\u00f3n como administrador y obtener control administrativo total de la aplicaci\u00f3n."}], "lastModified": "2026-02-25T16:41:25.410", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:newbee-mall_project:newbee-mall:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "5713EBA1-D599-4500-B0B1-59C9CBB5DFA1", "versionEndIncluding": "1.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "disclosure@vulncheck.com"}