CVE-2026-25803

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2026-25803
3DP-MANAGER is an inbound generator for 3x-ui. In version 2.0.1 and prior, the application automatically creates an administrative account with known default credentials (admin/admin) upon the first initialization. Attackers with network access to the application's login interface can gain full administrative control, managing VPN tunnels and system settings. This issue will be patched in version 2.0.2.

9.8 /10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References
Link Resource
https://github.com/denpiligrim/3dp-manager/commit/f568de41de97dd1b70a963708a1ee18e52b9d248 Patch
https://github.com/denpiligrim/3dp-manager/security/advisories/GHSA-5x57-h7cw-9jmw Vendor Advisory
Configurations

Configuration 1 (hide)

cpe:2.3:a:denpiligrim:3dp-manager:*:*:*:*:*:*:*:*
History

17 Mar 2026, 20:43

Type Values Removed Values Added
Summary
  • (es) 3DP-MANAGER es un generador de entrada para 3x-ui. En la versión 2.0.1 y anteriores, la aplicación crea automáticamente una cuenta administrativa con credenciales predeterminadas conocidas (admin/admin) tras la primera inicialización. Atacantes con acceso de red a la interfaz de inicio de sesión de la aplicación pueden obtener control administrativo total, gestionando túneles VPN y configuraciones del sistema. Este problema será parcheado en la versión 2.0.2.
CPE cpe:2.3:a:denpiligrim:3dp-manager:*:*:*:*:*:*:*:*
First Time Denpiligrim 3dp-manager
Denpiligrim
References () https://github.com/denpiligrim/3dp-manager/commit/f568de41de97dd1b70a963708a1ee18e52b9d248 - () https://github.com/denpiligrim/3dp-manager/commit/f568de41de97dd1b70a963708a1ee18e52b9d248 - Patch
References () https://github.com/denpiligrim/3dp-manager/security/advisories/GHSA-5x57-h7cw-9jmw - () https://github.com/denpiligrim/3dp-manager/security/advisories/GHSA-5x57-h7cw-9jmw - Vendor Advisory

06 Feb 2026, 23:15

Type Values Removed Values Added
New CVE
Information

Published : 2026-02-06 23:15

Updated : 2026-03-17 20:43

NVD link : CVE-2026-25803

Mitre link : CVE-2026-25803

CVE.ORG link : CVE-2026-25803

JSON object : View

Products Affected

denpiligrim

  • 3dp-manager
CWE
CWE-798

Use of Hard-coded Credentials