CVE-2026-25803 (GCVE-0-2026-25803)

Vulnerability from cvelistv5 – Published: 2026-02-06 22:52 – Updated: 2026-02-09 15:25
VLAI?
Title
3DP-MANAGER Uses Hard-coded Credentials
Summary
3DP-MANAGER is an inbound generator for 3x-ui. In version 2.0.1 and prior, the application automatically creates an administrative account with known default credentials (admin/admin) upon the first initialization. Attackers with network access to the application's login interface can gain full administrative control, managing VPN tunnels and system settings. This issue will be patched in version 2.0.2.
Severity ?
9.8 (Critical)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE
  • CWE-798 - Use of Hard-coded Credentials
Assigner
References
Impacted products
Vendor Product Version
denpiligrim 3dp-manager Affected: <= 2.0.1
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-25803",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-09T15:22:48.336483Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-09T15:25:57.618Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "3dp-manager",
          "vendor": "denpiligrim",
          "versions": [
            {
              "status": "affected",
              "version": "\u003c= 2.0.1"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "3DP-MANAGER is an inbound generator for 3x-ui. In version 2.0.1 and prior, the application automatically creates an administrative account with known default credentials (admin/admin) upon the first initialization. Attackers with network access to the application\u0027s login interface can gain full administrative control, managing VPN tunnels and system settings. This issue will be patched in version 2.0.2."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-798",
              "description": "CWE-798: Use of Hard-coded Credentials",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-06T22:52:40.631Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/denpiligrim/3dp-manager/security/advisories/GHSA-5x57-h7cw-9jmw",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/denpiligrim/3dp-manager/security/advisories/GHSA-5x57-h7cw-9jmw"
        },
        {
          "name": "https://github.com/denpiligrim/3dp-manager/commit/f568de41de97dd1b70a963708a1ee18e52b9d248",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/denpiligrim/3dp-manager/commit/f568de41de97dd1b70a963708a1ee18e52b9d248"
        }
      ],
      "source": {
        "advisory": "GHSA-5x57-h7cw-9jmw",
        "discovery": "UNKNOWN"
      },
      "title": "3DP-MANAGER Uses Hard-coded Credentials"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-25803",
    "datePublished": "2026-02-06T22:52:40.631Z",
    "dateReserved": "2026-02-05T19:58:01.641Z",
    "dateUpdated": "2026-02-09T15:25:57.618Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-25803\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-02-06T23:15:54.973\",\"lastModified\":\"2026-03-17T20:43:52.930\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"3DP-MANAGER is an inbound generator for 3x-ui. In version 2.0.1 and prior, the application automatically creates an administrative account with known default credentials (admin/admin) upon the first initialization. Attackers with network access to the application\u0027s login interface can gain full administrative control, managing VPN tunnels and system settings. This issue will be patched in version 2.0.2.\"},{\"lang\":\"es\",\"value\":\"3DP-MANAGER es un generador de entrada para 3x-ui. En la versi\u00f3n 2.0.1 y anteriores, la aplicaci\u00f3n crea autom\u00e1ticamente una cuenta administrativa con credenciales predeterminadas conocidas (admin/admin) tras la primera inicializaci\u00f3n. Atacantes con acceso de red a la interfaz de inicio de sesi\u00f3n de la aplicaci\u00f3n pueden obtener control administrativo total, gestionando t\u00faneles VPN y configuraciones del sistema. Este problema ser\u00e1 parcheado en la versi\u00f3n 2.0.2.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-798\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:denpiligrim:3dp-manager:*:*:*:*:*:*:*:*\",\"versionEndIncluding\":\"2.0.1\",\"matchCriteriaId\":\"9E4299E9-A60F-4AC3-AAEE-6164DFCEACCD\"}]}]}],\"references\":[{\"url\":\"https://github.com/denpiligrim/3dp-manager/commit/f568de41de97dd1b70a963708a1ee18e52b9d248\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/denpiligrim/3dp-manager/security/advisories/GHSA-5x57-h7cw-9jmw\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-25803\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-09T15:22:48.336483Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-09T15:22:49.200Z\"}}], \"cna\": {\"title\": \"3DP-MANAGER Uses Hard-coded Credentials\", \"source\": {\"advisory\": \"GHSA-5x57-h7cw-9jmw\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 9.8, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"CRITICAL\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"denpiligrim\", \"product\": \"3dp-manager\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c= 2.0.1\"}]}], \"references\": [{\"url\": \"https://github.com/denpiligrim/3dp-manager/security/advisories/GHSA-5x57-h7cw-9jmw\", \"name\": \"https://github.com/denpiligrim/3dp-manager/security/advisories/GHSA-5x57-h7cw-9jmw\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/denpiligrim/3dp-manager/commit/f568de41de97dd1b70a963708a1ee18e52b9d248\", \"name\": \"https://github.com/denpiligrim/3dp-manager/commit/f568de41de97dd1b70a963708a1ee18e52b9d248\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"3DP-MANAGER is an inbound generator for 3x-ui. In version 2.0.1 and prior, the application automatically creates an administrative account with known default credentials (admin/admin) upon the first initialization. Attackers with network access to the application\u0027s login interface can gain full administrative control, managing VPN tunnels and system settings. This issue will be patched in version 2.0.2.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-798\", \"description\": \"CWE-798: Use of Hard-coded Credentials\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-02-06T22:52:40.631Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-25803\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-09T15:25:57.618Z\", \"dateReserved\": \"2026-02-05T19:58:01.641Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-02-06T22:52:40.631Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.