VYPR

CWE-1188

Initialization of a Resource with an Insecure Default

Abstraction: Base; Status: Incomplete

Description

The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.
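Many of the entries on this page are instances of one pattern: a parser or initializer fills in a value the operator did not write, and the filled-in value is safe for the common case but not for every case. The IPv6 allow-list entry listed further down this page (CVE-2026-33376, where a bare address defaults to /32) is a compact illustration. The following is an added example written for this page, not code from that product or any project on the list: a hypothetical allow-list parser with the weak default beside the corrected one, plus an audit helper that flags bare entries the weak default would widen. Addresses are constructed from documentation ranges and the function names are illustrative.

```python
import ipaddress
from typing import Iterable, List, Tuple, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample allow-list (RFC 5737 / RFC 3849 documentation ranges, not real hosts).
# Operator intent: exactly two trusted hosts, one IPv4 and one IPv6, no mask written.
SAMPLE_ALLOWLIST = ["192.0.2.10", "2001:db8::1"]


def parse_allowlist_insecure(entries: Iterable[str]) -> List[Network]:
    """Weak initialization: an entry with no explicit mask is given /32
    regardless of address family. That is one host for IPv4, but a /32 in
    IPv6 spans 2**96 addresses, so the trusted-host check silently becomes
    a trusted-provider-block check."""
    nets: List[Network] = []
    for entry in entries:
        entry = entry.strip()
        if "/" not in entry:
            entry = f"{entry}/32"  # insecure default applied to both families
        nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def parse_allowlist_secure(entries: Iterable[str]) -> List[Network]:
    """Hardened: the default mask is derived from the parsed address
    (/32 for IPv4, /128 for IPv6), so a bare address always means one host.
    Entries that carry an explicit mask are honoured unchanged."""
    nets: List[Network] = []
    for entry in entries:
        entry = entry.strip()
        if "/" not in entry:
            addr = ipaddress.ip_address(entry)
            entry = f"{addr}/{addr.max_prefixlen}"
        nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def is_allowed(nets: Iterable[Network], client_ip: str) -> bool:
    """Allow-list membership test as an auth-proxy front end would perform it.
    A mismatched address family never matches (ipaddress returns False)."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in nets)


def find_overbroad(entries: Iterable[str]) -> List[Tuple[str, str]]:
    """Configuration audit: report bare entries whose effective network under
    the insecure default is wider than a single host. Run this over an
    existing allow-list before trusting whatever default the parser applies."""
    findings: List[Tuple[str, str]] = []
    for entry in entries:
        entry = entry.strip()
        if "/" in entry:
            continue  # explicit mask: the operator said what they meant
        effective = ipaddress.ip_network(f"{entry}/32", strict=False)
        if effective.num_addresses > 1:
            findings.append((entry, str(effective)))
    return findings


if __name__ == "__main__":
    # A constructed IPv6 client elsewhere in the same /32, never meant to be trusted.
    stranger = "2001:db8:ffff::dead"
    print("insecure default allows stranger:",
          is_allowed(parse_allowlist_insecure(SAMPLE_ALLOWLIST), stranger))
    print("secure default allows stranger:  ",
          is_allowed(parse_allowlist_secure(SAMPLE_ALLOWLIST), stranger))
    print("over-broad bare entries:", find_overbroad(SAMPLE_ALLOWLIST))
```

The fix is not to reject bare entries but to make the default depend on the thing being defaulted: a mask of `max_prefixlen` is the only value that means "this one host" in both families. The audit helper is the practical mitigation for deployments that cannot upgrade the parser: it identifies exactly the entries that need an explicit /128 added, which is also the workaround the advisory text on this page describes.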

Hierarchy (View 1000)

Children

Related attack patterns (CAPEC)

CAPEC-665

CVEs mapped to this weakness (144)

page 4 of 8
  • CVE-2026-43892 | High | May 12, 2026
    risk 0.50 | CVSS 8.8 | EPSS 0.00

    AntSword is a cross-platform website management toolkit. Prior to 2.1.16, incomplete noxss() sanitization leads to 1-click RCE via jquery.terminal format code injection. This vulnerability is fixed in 2.1.16.

  • CVE-2026-27662 | High | May 12, 2026
    risk 0.50 | CVSS 7.7 | EPSS 0.00

    Affected devices do not properly restrict access to the web browser via the Control Panel when no corresponding security mechanisms are in place. This could allow an unauthenticated attacker to gain unauthorized access to the web browser, potentially enabling the discovery of…

  • CVE-2026-44892 | High | Jun 12, 2026
    risk 0.49 | CVSS 7.5 | EPSS 0.00

    Netty is a network application framework for development of protocol servers and clients. Prior to version 4.2.15.Final, the default configuration of the `Http3ConnectionHandler` in the Netty HTTP/3 codec lacks an enforced maximum header size limit. When a peer does not…

  • CVE-2026-32965 | High | Apr 20, 2026
    risk 0.49 | CVSS 7.5 | EPSS 0.00

    Initialization of a resource with an insecure default vulnerability exists in SD-330AC and AMC Manager provided by silex technology, Inc. When the affected device is connected to the network with the initial (factory-default) configuration, the device can be configured with the…

  • CVE-2018-25193 | High | Mar 6, 2026
    risk 0.49 | CVSS 7.5 | EPSS 0.00

    Mongoose Web Server 6.9 contains a denial of service vulnerability that allows remote attackers to crash the service by establishing multiple socket connections. Attackers can repeatedly create connections to the default port and send malformed data to exhaust server resources…

  • CVE-2018-25169 | High | Mar 6, 2026
    risk 0.49 | CVSS 7.5 | EPSS 0.00

    AMPPS 2.7 contains a denial of service vulnerability that allows remote attackers to crash the service by sending malformed data to the default HTTP port. Attackers can establish multiple socket connections and transmit invalid payloads to exhaust server resources and cause…

  • CVE-2024-41995 | High | Aug 6, 2024
    risk 0.49 | CVSS 7.5 | EPSS 0.01

    Initialization of a resource with an insecure default vulnerability exists in JavaTM Platform Ver.12.89 and earlier. If this vulnerability is exploited, the product may be affected by some known TLS1.0 and TLS1.1 vulnerabilities. As for the specific products/models/versions of…

  • CVE-2018-15685 | High | Aug 23, 2018
    risk 0.49 | CVSS 8.1 | EPSS 0.10

    GitHub Electron 1.7.15, 1.8.7, 2.0.7, and 3.0.0-beta.6, in certain scenarios involving IFRAME elements and "nativeWindowOpen: true" or "sandbox: true" options, is affected by a WebPreferences vulnerability that can be leveraged to perform remote code execution.

  • CVE-2017-6750 | High | Jul 25, 2017
    risk 0.49 | CVSS 7.5 | EPSS 0.03

    A vulnerability in AsyncOS for the Cisco Web Security Appliance (WSA) could allow an unauthenticated, local attacker to log in to the device with the privileges of a limited user or an unauthenticated, remote attacker to authenticate to certain areas of the web GUI, aka a Static…

  • CVE-2026-33376 | High | May 13, 2026
    risk 0.48 | CVSS 7.4 | EPSS 0.00

    When using an IPv6 allow-list for the Auth Proxy feature, it defaults to /32 addresses. Addresses specifying a mask explicitly are not affected; to mitigate easily, add the desired mask (usually /128) to the addresses. Only auth proxy is affected; Okta, SAML, LDAP, etc are…

  • CVE-2018-0263 | High | Jun 7, 2018
    risk 0.48 | CVSS 7.4 | EPSS 0.01

    A vulnerability in Cisco Meeting Server (CMS) could allow an unauthenticated, adjacent attacker to access services running on internal device interfaces of an affected system. The vulnerability is due to incorrect default configuration of the device, which can expose internal…

  • CVE-2017-9137 | High | May 21, 2017
    risk 0.48 | CVSS 7.3 | EPSS 0.01

    Ceragon FibeAir IP-10 wireless radios through 7.2.0 have a default password of mateidu for the mateidu account (a hidden user account established by the vendor). This account can be accessed via both the web interface and SSH. In the web interface, this simply grants an attacker…

  • CVE-2017-5155 | High | Feb 13, 2017
    risk 0.48 | CVSS 7.3 | EPSS 0.02

    An issue was discovered in Schneider Electric Wonderware Historian 2014 R2 SP1 P01 and earlier. Wonderware Historian creates logins with default passwords, which can allow a malicious entity to compromise Historian databases. In some installation scenarios, resources beyond…

  • CVE-2026-34780 | High | Apr 4, 2026
    risk 0.47 | CVSS 8.3 | EPSS 0.00

    Electron is a framework for writing cross-platform desktop applications using JavaScript, HTML and CSS. From versions 39.0.0-alpha.1 to before 39.8.0, 40.0.0-alpha.1 to before 40.7.0, and 41.0.0-alpha.1 to before 41.0.0-beta.8, apps that pass VideoFrame objects (from the…

  • CVE-2026-34742 | High | Apr 2, 2026
    risk 0.46 | CVSS 8.1 | EPSS 0.00

    The Go MCP SDK used Go's standard encoding/json. Prior to version 1.4.0, the Model Context Protocol (MCP) Go SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on localhost without authentication with…

  • CVE-2025-2442 | Medium | Apr 9, 2025
    risk 0.44 | CVSS 6.8 | EPSS 0.00

    CWE-1188: Initialization of a Resource with an Insecure Default vulnerability exists that could potentially lead to unauthorized access, which could result in the loss of confidentiality, integrity and availability when a malicious user, having physical access, sets the radio to…

  • CVE-2024-48122 | Medium | Jan 15, 2025
    risk 0.44 | CVSS 6.7 | EPSS 0.00

    Insecure default configurations in HI-SCAN 6040i Hitrax HX-03-19-I allow authenticated attackers with low-level privileges to escalate to root-level privileges.

  • CVE-2026-43527 | High | May 5, 2026
    risk 0.43 | CVSS 7.7 | EPSS 0.00

    OpenClaw before 2026.4.14 contains a server-side request forgery vulnerability in browser SSRF policy that allows private-network navigation by default. Attackers can exploit this misconfiguration to access internal services or metadata endpoints through browser-driven requests.

  • CVE-2018-10989 | Medium | May 14, 2018
    risk 0.43 | CVSS 6.6 | EPSS 0.01

    Arris Touchstone Telephony Gateway TG1682G 9.1.103J6 devices are distributed by some ISPs with a default password of "password" for the admin account that is used over an unencrypted http://192.168.0.1 connection, which might allow remote attackers to bypass intended access…

  • CVE-2026-9262 | Medium | Jun 16, 2026
    risk 0.42 | CVSS 6.5 | EPSS 0.00

    Use of a non-secure protocol as the default FTP configuration in Canon EOS Network Setting Tool Version 1.5.0 or earlier