CVE-2026-26218 CRITICAL

CVE-2026-26218: newbee-mall Default Seeded Administrator Credentials Allow Account Takeover

Vendor Newbee-Ltd
Product newbee-mall
Weakness CWE-798 · Hardcoded credentials
Published February 12, 2026
Last update March 5, 2026

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

newbee-mall includes pre-seeded administrator accounts in its database initialization script. These accounts are provisioned with a predictable default password. Deployments that initialize or reset the database using the provided schema and fail to change the default administrative credentials may allow unauthenticated attackers to log in as an administrator and gain full administrative control of the application.
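One way to audit a database initialization script for the condition described above, before it is used to initialize or reset a deployment. This is an added example, not code from newbee-mall or from the CVE record. The table names, column names and values in the sample are constructed placeholders, and the parser assumes plain INSERT ... VALUES statements with no semicolons inside string literals.

```python
import re

# Constructed sample of a database initialization script. Table and column
# names are hypothetical placeholders, not newbee-mall's real schema.
SAMPLE_SEED_SQL = """
CREATE TABLE example_admin_user (admin_id INT, login_name VARCHAR(50), login_password VARCHAR(64));
INSERT INTO `example_admin_user` (`admin_id`, `login_name`, `login_password`)
VALUES (1, 'admin', 'PLACEHOLDER_HASH_A'), (2, 'ops', 'PLACEHOLDER_HASH_B'), (3, 'disabled', NULL);
INSERT INTO example_goods (goods_id, goods_name) VALUES (10, 'sample, item');
"""

INSERT_RE = re.compile(
    r"INSERT\s+INTO\s+`?(\w+)`?\s*\(([^)]*)\)\s*VALUES\s*(.+?);",
    re.IGNORECASE | re.DOTALL)
# One parenthesised row; quoted literals may contain commas or parentheses.
ROW_RE = re.compile(r"\(((?:'(?:[^']|'')*'|[^()'])*)\)")
FIELD_RE = re.compile(r"'(?:[^']|'')*'|[^,\s][^,]*")
SECRET_COLUMN = re.compile(r"pass|pwd|secret", re.IGNORECASE)
PRIVILEGED_TABLE = re.compile(r"admin|root|operator", re.IGNORECASE)

def find_seeded_admin_credentials(sql_text):
    """Return (table, account_columns, secret_column) for every seeded row in
    a privileged table that ships with a non-empty credential literal."""
    findings = []
    for table, cols, values in INSERT_RE.findall(sql_text):
        if not PRIVILEGED_TABLE.search(table):
            continue
        columns = [c.strip(" `\t\r\n") for c in cols.split(",")]
        for row in ROW_RE.findall(values):
            fields = [f.strip() for f in FIELD_RE.findall(row)]
            if len(fields) != len(columns):
                continue  # row the simple parser cannot split; review by hand
            record = dict(zip(columns, fields))
            for col, val in record.items():
                if SECRET_COLUMN.search(col) and val.upper() != "NULL" and val != "''":
                    # Report which account is affected, never the secret itself.
                    account = {k: v.strip("'") for k, v in record.items() if k != col}
                    findings.append((table, account, col))
    return findings

if __name__ == "__main__":
    for table, account, col in find_seeded_admin_credentials(SAMPLE_SEED_SQL):
        print(f"{table}: seeded credential in column {col!r} for {account}")
```

Every account this reports should have its credential changed or the row removed before the deployment is reachable, and the same accounts should be checked in any database already initialized from the script.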

Key dates

02 Disclosure timeline

February 12, 2026 CVE published
March 5, 2026 Record updated