VYPR

CWE-1188

Initialization of a Resource with an Insecure Default

Abstraction: Base. Status: Incomplete.

Description

The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.

Hierarchy (View 1000)

Children

Related attack patterns (CAPEC)

CAPEC-665

CVEs mapped to this weakness (144)

page 3 of 8
  • CVE-2017-6687 (High) Jun 13, 2017
    risk 0.57, CVSS 8.8, EPSS 0.01

    A vulnerability in Cisco Ultra Services Framework Element Manager could allow an authenticated, remote attacker with access to the management network to log in to the affected device using default credentials present on the system, aka an Insecure Default Password Vulnerability.…

  • CVE-2017-6686 (High) Jun 13, 2017
    risk 0.57, CVSS 8.8, EPSS 0.01

    A vulnerability in Cisco Ultra Services Framework Element Manager could allow an authenticated, remote attacker with access to the management network to log in as an admin or oper user of the affected device, aka an Insecure Default Credentials Vulnerability. More Information:…

  • CVE-2017-6685 (High) Jun 13, 2017
    risk 0.57, CVSS 8.8, EPSS 0.01

    A vulnerability in Cisco Ultra Services Framework Staging Server could allow an authenticated, remote attacker with access to the management network to log in as an admin user of the affected device, aka an Insecure Default Credentials Vulnerability. More Information:…

  • CVE-2017-6684 (High) Jun 13, 2017
    risk 0.57, CVSS 8.8, EPSS 0.02

    A vulnerability in Cisco Elastic Services Controllers could allow an authenticated, remote attacker to log in to an affected system as the Linux admin user, aka an Insecure Default Credentials Vulnerability. More Information: CSCvc76651. Known Affected Releases: 21.0.0.

  • CVE-2026-9039 (High) May 28, 2026
    risk 0.56, CVSS n/a, EPSS 0.00

    A configuration weakness in the device’s remote management service allows an authenticated session to be established over a communication channel intended solely for vehicle-charger signaling. The service is accessible on interfaces exposed through the charging connector, and…

  • CVE-2026-43581 (Critical) May 6, 2026
    risk 0.55, CVSS 9.6, EPSS 0.00

    OpenClaw before 2026.4.10 contains an improper network binding vulnerability in the sandbox browser CDP relay that exposes Chrome DevTools Protocol on 0.0.0.0. Attackers can access the DevTools protocol outside intended local sandbox boundaries by exploiting the overly broad…

  • CVE-2026-31818 (Critical) Apr 3, 2026
    risk 0.55, CVSS 9.6, EPSS 0.00

    Budibase is an open-source low-code platform. Prior to version 3.33.4, a server-side request forgery (SSRF) vulnerability exists in Budibase's REST datasource connector. The platform's SSRF protection mechanism (IP blacklist) is rendered completely ineffective because the…

  • CVE-2026-44670 (Critical) May 14, 2026
    risk 0.54, CVSS n/a, EPSS 0.01

    SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, the kernel stores Attribute View (AV / database) names without any HTML escape, then a render template uses raw strings.ReplaceAll(tpl, "${avName}", nodeAvName) to embed the name in HTML before…

  • CVE-2026-44588 (Critical) May 14, 2026
    risk 0.54, CVSS n/a, EPSS 0.01

    SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, the tooltip mouseover handler in app/src/block/popover.ts reads aria-label via getAttribute and passes it through decodeURIComponent before assigning to messageElement.innerHTML in…

  • CVE-2026-24148 (High) Mar 31, 2026
    risk 0.54, CVSS 8.3, EPSS 0.00

    NVIDIA Jetson for JetPack contains a vulnerability in the system initialization logic, where an unprivileged attacker could cause the initialization of a resource with an insecure default. A successful exploit of this vulnerability might lead to information disclosure of…

  • CVE-2024-25972 (High) Mar 1, 2024
    risk 0.54, CVSS 8.3, EPSS 0.00

    Initialization of a resource with an insecure default vulnerability in OET-213H-BTS1 sold in Japan by Atsumi Electric Co., Ltd. allows a network-adjacent unauthenticated attacker to configure and control the affected product.

  • CVE-2026-40994 (High) Jun 11, 2026
    risk 0.53, CVSS 8.2, EPSS 0.00

    Wss4jSecurityInterceptor initialized its BSP (WS-I Basic Security Profile) compliance flag so that inbound validation disabled WSS4J BSP enforcement on RequestData. Services that validate WS-Security on the network could therefore accept messages that violate BSP rules,…

  • CVE-2026-44825 (High) Jun 1, 2026
    risk 0.53, CVSS 8.1, EPSS 0.01

    Hardcoded credentials in the Basic Authentication setup tool (bin/solr auth enable) in Apache Solr versions 9.4.0 through 9.10.1 and 10.0.0 allow a remote attacker to gain full administrative access to the cluster via publicly known default credentials installed silently…

  • CVE-2026-6866 (High) May 12, 2026
    risk 0.53, CVSS n/a, EPSS 0.00

    CWE-1188 Initialization of a Resource with an Insecure Default vulnerability exists that could cause unauthorized disclosure of sensitive information when credentials revert to initial settings in rare circumstances, enabling unauthorized authentication using known credentials.

  • CVE-2024-47295 (High) Oct 1, 2024
    risk 0.53, CVSS 8.1, EPSS 0.01

    Insecure initial password configuration issue in SEIKO EPSON Web Config allows a remote unauthenticated attacker to set an arbitrary password and operate the device with an administrative privilege. As for the details of the affected versions, see the information provided by the…

  • CVE-2026-47668 (Critical) Jun 5, 2026
    risk 0.52, CVSS n/a, EPSS 0.00

    DbGate's JSON script runner (`POST /runners/start`) allows remote code execution via code injection in the `functionName` parameter of JSON script `assign` commands. The `functionName` value is interpolated directly into dynamically generated JavaScript source code…

  • CVE-2026-47393 (Critical) May 29, 2026
    risk 0.52, CVSS n/a, EPSS 0.00

    CVE-2026-44338 (GHSA-6rmh-7xcm-cpxj) documents that PraisonAI ships a code-generator (`praisonai.deploy.api.generate_api_server_code`) that emits a Flask API server with authentication disabled by default. Users who follow the documented quickstart (`praisonai…

  • CVE-2026-46517 (High) Jun 10, 2026
    risk 0.51, CVSS 7.8, EPSS 0.00

    LMDeploy is a toolkit for compressing, deploying, and serving large language models. In versions 0.12.3 and prior, hardcoded "trust_remote_code=True" enables HF supply-chain RCE without user opt-in. At time of publication, there are no publicly available patches.

  • CVE-2018-3667 (High) Jul 10, 2018
    risk 0.51, CVSS 7.8, EPSS 0.00

    Installation tool IPDT (Intel Processor Diagnostic Tool) 4.1.0.24 sets permissions of installed files incorrectly, allowing for execution of arbitrary code and potential privilege escalation.

  • CVE-2018-5841 (High) Jun 6, 2018
    risk 0.51, CVSS 7.8, EPSS 0.00

    dcc_curr_list is initialized with a default invalid value that is expected to be programmed by the user through a sysfs node which could lead to an invalid access in all Android releases from CAF (Android for MSM, Firefox OS for MSM, QRD Android) using the Linux Kernel.