VYPR

CWE-1188

Initialization of a Resource with an Insecure Default

Abstraction: Base; Status: Incomplete

Description

The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.

Hierarchy (View 1000)

Children

Related attack patterns (CAPEC)

CAPEC-665

CVEs mapped to this weakness (144)

page 5 of 8
  • CVE-2026-36612 | Medium | Jun 3, 2026
    risk 0.42 | CVSS 6.4 | EPSS 0.00

    Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 enables WPS 2.0 by default with a weak lockout policy (60-second lockout after 10 attempts).

  • CVE-2026-35672 | High | May 28, 2026
    risk 0.42 | CVSS 7.5 | EPSS 0.00

    phpMyFAQ before 4.1.3 contains an authentication bypass vulnerability in API v4.0 where the default empty api.apiClientToken allows unauthenticated users to create and modify FAQ entries. Attackers can send an empty x-pmf-token header to bypass token validation and inject…

  • CVE-2026-24197 | Medium | May 26, 2026
    risk 0.42 | CVSS 6.5 | EPSS 0.00

    NVIDIA Display Driver for Linux contains a vulnerability in the Multi-Instance GPU (MIG) partition management, where an insecure default initialization of memory subsystem routing resources could lead to data corruption or a hang during partition reconfiguration. A successful…

  • CVE-2026-45728 | High | May 26, 2026
    risk 0.42 | CVSS 7.5 | EPSS 0.00

    Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, when Algernon is invoked with a single file path instead of a directory, singleFileMode is set to true and debugMode is forcibly enabled. debugMode activates the PrettyError renderer, which on any Lua or…

  • CVE-2025-41713 | Medium | Sep 15, 2025
    risk 0.42 | CVSS 6.5 | EPSS 0.00

    During a short time frame while the device is booting, an unauthenticated remote attacker can send traffic to unauthorized networks because the switch operates in an undefined state until a CPU-induced reset allows proper configuration.

  • CVE-2019-25219 | High | Oct 29, 2024
    risk 0.42 | CVSS 7.5 | EPSS 0.00

    Asio C++ Library before 1.13.0 lacks a fallback error code in the case of SSL_ERROR_SYSCALL with no associated error information from the SSL library being used.

  • CVE-2026-2617 | Medium | Feb 17, 2026
    risk 0.41 | CVSS 6.3 | EPSS 0.01

    A vulnerability was found in Beetel 777VR1 up to 01.00.09. This affects an unknown function of the component Telnet Service/SSH Service. The manipulation results in insecure default initialization of resource. The attack can only be performed from the local network. The exploit…

  • CVE-2026-44338 | High | May 8, 2026
    risk 0.40 | CVSS 7.3 | EPSS 0.27

    PraisonAI is a multi-agent teams system. From version 2.5.6 to before version 4.6.34, PraisonAI ships a legacy Flask API server with authentication disabled by default. When that server is used, any caller that can reach it can access /agents and trigger the configured…

  • CVE-2017-4971 | Medium | Jun 13, 2017
    risk 0.40 | CVSS 5.9 | EPSS 0.16

    An issue was discovered in Pivotal Spring Web Flow through 2.4.4. Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property which is disabled by default (i.e., set to 'false') can be vulnerable to malicious EL expressions in view states…

  • CVE-2026-54359 | High | Jun 12, 2026
    risk 0.39 | CVSS n/a | EPSS 0.00

    MISP contains an insecure default configuration in which the Security.check_sec_fetch_site_header control is disabled. When this setting is disabled, state-changing requests such as POST, PUT, or AJAX requests are not restricted based on the browser-provided Sec-Fetch-Site…

  • CVE-2026-41432 | High | May 8, 2026
    risk 0.39 | CVSS 7.1 | EPSS 0.00

    New API is a large language model (LLM) gateway and artificial intelligence (AI) asset management system. Prior to version 0.12.10, a vulnerability exists in the Stripe webhook handler that allows an unauthenticated attacker to forge webhook events and credit arbitrary quota to…

  • CVE-2026-36616 | Medium | Jun 3, 2026
    risk 0.38 | CVSS 5.9 | EPSS 0.00

    Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 contains hardcoded WiFi driver credentials including a RADIUS shared secret, WPS test key, and default PSK embedded in the production firmware binary.

  • CVE-2018-3825 | Medium | Sep 19, 2018
    risk 0.38 | CVSS 5.9 | EPSS 0.01

    In Elastic Cloud Enterprise (ECE) versions prior to 1.1.4 a default master encryption key is used in the process of granting ZooKeeper access to Elasticsearch clusters. Unless explicitly overwritten, this master key is predictable across all ECE deployments. If an attacker can…

  • CVE-2017-8039 | Medium | Nov 27, 2017
    risk 0.38 | CVSS 5.9 | EPSS 0.01

    An issue was discovered in Pivotal Spring Web Flow through 2.4.5. Applications that do not change the value of the MvcViewFactoryCreator useSpringBinding property which is disabled by default (i.e., set to 'false') can be vulnerable to malicious EL expressions in view states…

  • CVE-2025-46599 | Medium | Apr 25, 2025
    risk 0.37 | CVSS 6.8 | EPSS 0.00

    CNCF K3s 1.32 before 1.32.4-rc1+k3s1 has a Kubernetes kubelet configuration change with the unintended consequence that, in some situations, ReadOnlyPort is set to 10255. For example, the default behavior of a K3s online installation might allow unauthenticated access to this…

  • CVE-2025-2129 | Medium | Mar 9, 2025
    risk 0.37 | CVSS 5.6 | EPSS 0.01

    A vulnerability was found in Mage AI 0.9.75. It has been classified as problematic. This affects an unknown part. The manipulation leads to insecure default initialization of resource. It is possible to initiate the attack remotely. The complexity of an attack is rather high.…

  • CVE-2025-14758 | Medium | Dec 16, 2025
    risk 0.35 | CVSS 6.5 | EPSS 0.00

    Incorrect configuration of replication security in the MariaDB component of the infra-operator in YAOOK Operator allows an on-path attacker to read database contents, potentially including credentials.

  • CVE-2025-52622 | Medium | Dec 2, 2025
    risk 0.35 | CVSS 5.4 | EPSS 0.00

    The BigFix SaaS's HTTP responses were missing some security headers. The absence of these headers weakens the application's client-side security posture, making it more vulnerable to common web attacks that these headers are designed to mitigate, such as Cross-Site Scripting…

  • CVE-2017-5491 | Medium | Jan 15, 2017
    risk 0.35 | CVSS 5.3 | EPSS 0.03

    wp-mail.php in WordPress before 4.7.1 might allow remote attackers to bypass intended posting restrictions via a spoofed mail server with the mail.example.com name.

  • CVE-2024-41975 | Medium | Mar 18, 2025
    risk 0.34 | CVSS 5.3 | EPSS 0.00

    An unauthenticated remote attacker can gain limited information of the PLC network but the user management of the PLCs prevents the actual access to the PLCs.