Description
newbee-mall includes pre-seeded administrator accounts in its database initialization script. These accounts are provisioned with a predictable default password. Deployments that initialize or reset the database using the provided schema and fail to change the default administrative credentials may allow unauthenticated attackers to log in as an administrator and gain full administrative control of the application.
Published: 2026-02-12
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Account takeover via default credentials
Action: Immediate Fix
AI Analysis

Impact

newbee-mall seeds a default administrator account during database initialization with a predictable password. If an installation leaves the provided credentials unchanged, an attacker who can reach the application can authenticate as the administrator without any prior access or privileges. This grants full administrative control over the application, including configuration, user management, and data access. The vulnerability is therefore an account takeover that can compromise confidentiality, integrity, and availability.

Affected Systems

The vulnerable product is newbee-mall, offered by newbee-ltd. The CVE metadata lists the specific release v1.0.0 and also indicates that any revision of the product that uses the same database schema may be affected. Deployments that use the provided initialization script and do not change the seeded credentials are at risk. No other vendor or product is affected.

Risk and Exploitability

The issue carries a CVSS score of 9.3, denoting critical severity. The EPSS score is reported as less than 1%, suggesting minimal observed exploitation, but the vulnerability remains a high-risk vector. It is not present in the CISA KEV catalog. An attacker can exploit the flaw by attempting a simple login with the known default username and password; no additional conditions or exploits are required. The attack is remote, requiring only network access to the authentication endpoint.

Generated by OpenCVE AI on April 17, 2026 at 20:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Immediately change the default administrator password after deployment, ensuring it meets strong complexity requirements.
  • Remove or comment out the pre‑seeded administrator account from the database initialization script to prevent its creation during future deployments.
  • Apply any vendor‑provided patch or upgrade that disables the default credential feature and removes seeded accounts.

Advisories

No advisories yet.

History

Thu, 05 Mar 2026 02:15:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:newbee-mall_project:newbee-mall:1.0.0:*:*:*:*:*:*:*

Wed, 25 Feb 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Newbee-mall Project
Newbee-mall Project newbee-mall
CPEs cpe:2.3:a:newbee-mall_project:newbee-mall:*:*:*:*:*:*:*:*
Vendors & Products Newbee-mall Project
Newbee-mall Project newbee-mall

Fri, 13 Feb 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Newbee-ltd
Newbee-ltd newbee-mall
Vendors & Products Newbee-ltd
Newbee-ltd newbee-mall

Thu, 12 Feb 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 12 Feb 2026 19:00:00 +0000

Type Values Removed Values Added
Description newbee-mall includes pre-seeded administrator accounts in its database initialization script. These accounts are provisioned with a predictable default password. Deployments that initialize or reset the database using the provided schema and fail to change the default administrative credentials may allow unauthenticated attackers to log in as an administrator and gain full administrative control of the application.
Title newbee-mall Default Seeded Administrator Credentials Allow Account Takeover
Weaknesses CWE-798
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-05T01:30:57.918Z

Reserved: 2026-02-11T20:08:07.944Z

Link: CVE-2026-26218

Vulnrichment

Updated: 2026-02-12T21:29:23.184Z

NVD

Status: Analyzed

Published: 2026-02-12T19:15:52.120

Modified: 2026-02-25T16:41:25.410

Link: CVE-2026-26218

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T20:15:26Z

Weaknesses