Skip to main content

Auto Bangumi

2 CVEs product

Monthly

CVE-2026-58466 CRITICAL PATCH Act Now

Authentication bypass via hard-coded default credentials in AutoBangumi before 3.2.8 lets unauthenticated remote attackers log in as administrator using publicly known credentials that the application seeds at startup via add_default_user() whenever the users table is empty. Successful login grants full control over RSS feed and downloader configuration and every authenticated API endpoint (CVSS 4.0 9.3). No public exploit identified at time of analysis, but the credentials are public and exploitation is trivial against any un-upgraded, freshly-initialized instance.

Information Disclosure Auto Bangumi
NVD GitHub
CVSS 4.0
9.3
EPSS
0.5%
CVE-2026-59101 MEDIUM PATCH This Month

Server-side request forgery in AutoBangumi before 3.2.8 allows unauthenticated remote attackers to probe internal network services by submitting arbitrary host values to the unprotected POST /api/v1/setup/test-downloader endpoint during the application's initial setup window. The server issues outbound HTTP GET requests to attacker-controlled targets - including internal or reserved IP ranges - and leaks reachability data through echoed connection-error responses, enabling internal network mapping. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis; the CVSS 4.0 base score is 6.9 (Medium), reflecting unauthenticated network access with limited confidentiality impact.

SSRF Auto Bangumi
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.3%
EPSS 1% CVSS 9.3
CRITICAL PATCH Act Now

Authentication bypass via hard-coded default credentials in AutoBangumi before 3.2.8 lets unauthenticated remote attackers log in as administrator using publicly known credentials that the application seeds at startup via add_default_user() whenever the users table is empty. Successful login grants full control over RSS feed and downloader configuration and every authenticated API endpoint (CVSS 4.0 9.3). No public exploit identified at time of analysis, but the credentials are public and exploitation is trivial against any un-upgraded, freshly-initialized instance.

Information Disclosure Auto Bangumi
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Server-side request forgery in AutoBangumi before 3.2.8 allows unauthenticated remote attackers to probe internal network services by submitting arbitrary host values to the unprotected POST /api/v1/setup/test-downloader endpoint during the application's initial setup window. The server issues outbound HTTP GET requests to attacker-controlled targets - including internal or reserved IP ranges - and leaks reachability data through echoed connection-error responses, enabling internal network mapping. No active exploitation is confirmed (not in CISA KEV) and no public exploit code has been identified at time of analysis; the CVSS 4.0 base score is 6.9 (Medium), reflecting unauthenticated network access with limited confidentiality impact.

SSRF Auto Bangumi
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy