Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-aqfp-r12f-audq
Summary
Hardcoded credentials in the Basic Authentication setup tool (bin/solr auth enable) in Apache Solr versions 9.4.0 through 9.10.1 and 10.0.0 allow a remote attacker to gain full administrative access to the cluster via publicly known default credentials that are installed silently alongside the user-specified account.

As an immediate workaround without upgrading, delete the template users (superadmin, admin, search, index) from security.json or change their passwords.
The upcoming versions 9.11.0 and 10.1.0, not yet released, will not be vulnerable; upgrading to them will be sufficient to resolve the issue.

Not affected:
  *  Clusters where bin/solr auth enable was not used to bootstrap BasicAuth
  *  Clusters where template users have been assigned strong passwords after bootstrap
Aliases
0
alias CVE-2026-44825
Fixed_packages
0
url pkg:deb/debian/lucene-solr@0?distro=trixie
purl pkg:deb/debian/lucene-solr@0?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@0%3Fdistro=trixie
1
url pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-24?distro=trixie
purl pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-24?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-24%3Fdistro=trixie
2
url pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-26?distro=trixie
purl pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-26?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-26%3Fdistro=trixie
3
url pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-27?distro=trixie
purl pkg:deb/debian/lucene-solr@3.6.2%2Bdfsg-27?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/lucene-solr@3.6.2%252Bdfsg-27%3Fdistro=trixie
Affected_packages
References
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-44825
reference_id
reference_type
scores
0
value 0.00471
scoring_system epss
scoring_elements 0.65083
published_at 2026-06-11T12:55:00Z
1
value 0.00471
scoring_system epss
scoring_elements 0.65184
published_at 2026-06-12T12:55:00Z
2
value 0.00471
scoring_system epss
scoring_elements 0.65195
published_at 2026-06-13T12:55:00Z
3
value 0.00471
scoring_system epss
scoring_elements 0.65193
published_at 2026-06-14T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-44825
1
reference_url https://lists.apache.org/thread/5xg6xr99glocp3zsg9ht2zlbwlrst7ch
reference_id 5xg6xr99glocp3zsg9ht2zlbwlrst7ch
reference_type
scores
0
value 8.1
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-06-01T12:46:21Z/
url https://lists.apache.org/thread/5xg6xr99glocp3zsg9ht2zlbwlrst7ch
Weaknesses
0
cwe_id 798
name Use of Hard-coded Credentials
description The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.
1
cwe_id 1188
name Initialization of a Resource with an Insecure Default
description The product initializes or sets a resource with a default that is intended to be changed by the administrator, but the default is not secure.
Exploits
Severity_range_score 8.1 - 8.1
Exploitability null
Weighted_severity null
Risk_score null
Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-aqfp-r12f-audq