CVE-2026-26218

newbee-mall Default Seeded Administrator Credentials Allow Account Takeover

CVSS 9.3 CRITICALEPSS 0.4%CWE-798

Vexday Risk Score

28Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 9.3EPSS 0.4%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

12 Feb 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

newbee-mall includes pre-seeded administrator accounts in its database initialization script. These accounts are provisioned with a predictable default password. Deployments that initialize or reset the database using the provided schema and fail to change the default administrative credentials may allow unauthenticated attackers to log in as an administrator and gain full administrative control of the application.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected products

newbee-ltd · newbee-mall

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/newbee-ltd/newbee-mall/issues/119 https://www.vulncheck.com/advisories/newbee-mall-default-seeded-administrator-credentials-allow-account-takeover