3dp Manager
CVE-2026-25803
CRITICAL
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionGitHub Advisory
3DP-MANAGER is an inbound generator for 3x-ui. In version 2.0.1 and prior, the application automatically creates an administrative account with known default credentials (admin/admin) upon the first initialization. Attackers with network access to the application's login interface can gain full administrative control, managing VPN tunnels and system settings. This issue will be patched in version 2.0.2.
AnalysisAI
3DP-MANAGER for 3x-ui has hard-coded credentials (CVSS 9.8) in version 2.0.1 that provide automatic access to the management interface.
Technical ContextAI
3DP-MANAGER 2.0.1 has a CWE-798 hard-coded credential vulnerability where the application automatically generates management credentials that are predictable or well-known.
RemediationAI
Update and change default credentials immediately.
Same weakness CWE-798 – Use of Hard-coded Credentials
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today