DjangoBlog <=2.1.0.0 Security Misconfiguration and Hardcoded Credentials (CVE-2026-790289)

Vulnerability Overview CVE ID: CVE-2026-790289 Vulnerability Title: liangliangyy DjangoBlog <= 2.1.0.0 Security Misconfiguration + Hardcoded Credentials Vulnerability Type: Security Misconfiguration Severity: High (Hardcoded Credentials) Submitted By: Demo (UID 82596) Submission Time: 2026/03/26 05:26 PM Review Time: 2026/04/19 06:06 PM Status: Moderated VulDB Entry: [liangliangyy DjangoBlog up to 2.1.0.0 Setting django/blog/settings.py USER/PASSWORD hard-coded credentials] Vulnerability Description DjangoBlog enables Django’s DEBUG mode by default in versions up to x.x.x and uses hardcoded database credentials (root/root) as fallback values. When deployed without configuring environment variables, exposes detailed error pages (including stack traces, settings, local variables, etc.) and employs easily guessable database credentials. Affected Scope Affected Software: liangliangyy DjangoBlog Affected Versions: <= 2.1.0.0 Affected Components: - - Database connection configuration Risk Points: - DEBUG mode enabled by default - Hardcoded database username/password (root/root) - Sensitive data leakage via error messages Remediation Measures 1. Disable DEBUG Mode: Ensure is set in production environments. 2. Remove Hardcoded Credentials: Use environment variables or configuration files to manage database credentials. 3. Enhance Error Handling: Avoid exposing detailed error information in production environments. 4. Conduct Regular Security Audits: Check for other hardcoded sensitive information in the code. Source Links GitHub Repository: https://github.com/3em0/cve_repo/blob/main/DjangoBlog/Vuln-12-DEBUG-Enabled-Hardcoded-DB-Creds.md Notes This vulnerability was submitted to VulDB by a community user. VulDB does not guarantee the authenticity of content; it only performs moderation and verification. The original information may contain malicious code or data; please handle with caution.

Goal Reached Thanks to every supporter — we hit 100%!

DjangoBlog <=2.1.0.0 Security Misconfiguration and Hardcoded Credentials (CVE-2026-790289)