VYPR

CWE-1188

Initialization of a Resource with an Insecure Default

Base / Incomplete

Description

The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.

Hierarchy (View 1000)

Children

Related attack patterns (CAPEC)

CAPEC-665

CVEs mapped to this weakness (144)

page 6 of 8
  • CVE-2024-5801 (Med), Aug 12, 2024
    risk 0.34, cvss n/a, epss 0.00

    Enabled IP Forwarding feature in B&R Automation Runtime versions before 6.0.2 may allow remote attackers to compromise network security by routing IP-based packets through the host, potentially bypassing firewall, router, or NAC filtering.

  • CVE-2025-41245 (Med), Sep 29, 2025
    risk 0.32, cvss 4.9, epss 0.01

    VMware Aria Operations contains an information disclosure vulnerability. A malicious actor with non-administrative privileges in Aria Operations may exploit this vulnerability to disclose credentials of other users of Aria Operations.

  • CVE-2025-2441 (Med), Apr 9, 2025
    risk 0.30, cvss 4.6, epss 0.00

    CWE-1188: Initialization of a Resource with an Insecure Default vulnerability exists that could lead to loss of confidentiality when a malicious user, having physical access, sets the radio in factory default mode where the product does not correctly initialize all data.

  • CVE-2025-27809 (Med), Mar 25, 2025
    risk 0.28, cvss 5.4, epss 0.00

    Mbed TLS before 2.28.10 and 3.x before 3.6.3, on the client side, accepts servers that have trusted certificates for arbitrary hostnames unless the TLS client application calls mbedtls_ssl_set_hostname.

  • CVE-2026-41931 (Med), May 6, 2026
    risk 0.27, cvss 5.3, epss 0.00

    Vvveb before version 1.0.8.2 contains an information disclosure vulnerability that allows unauthenticated attackers to obtain sensitive server information by triggering unhandled exceptions in the password-reset module. Attackers can access the admin password-reset endpoint to…

  • CVE-2026-1675 (Med), Feb 7, 2026
    risk 0.27, cvss 5.3, epss 0.00

    The Advanced Country Blocker plugin for WordPress is vulnerable to Authorization Bypass in all versions up to, and including, 2.3.1 due to the use of a predictable default value for the secret bypass key created during installation without requiring users to change it. This…

  • CVE-2025-53602 (Med), Jul 4, 2025
    risk 0.27, cvss 5.3, epss 0.00

    Zipkin through 3.5.1 has a /heapdump endpoint (associated with the use of Spring Boot Actuator), a similar issue to CVE-2025-48927.

  • CVE-2025-31974 (Low), May 6, 2026
    risk 0.25, cvss 3.9, epss 0.00

    HCL BigFix Service Management (SM) is susceptible to a Root File System Not Mounted as Read-Only. An improperly configured root file system may allow unintended modifications to critical system components, potentially increasing the risk of system compromise or unauthorized…

  • CVE-2025-59044 (Med), Sep 9, 2025
    risk 0.22, cvss 4.4, epss 0.00

    Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. Himmelblau 0.9.x derives numeric GIDs for Entra ID groups from the group display name when himmelblau.conf `id_attr_map = name` (the default configuration). Because Microsoft Entra ID allows…

  • CVE-2026-46430 (Med), May 26, 2026
    risk 0.21, cvss 4.3, epss 0.00

    Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server bound to 0.0.0.0:5553 on Linux/macOS by default because the platform-dependent host default in engine/flags.go:39-46 set host = "" for non-Windows, and utils.JoinHostPort("", ":5553")…

  • CVE-2024-56433 (Low), Dec 26, 2024
    risk 0.17, cvss 3.6, epss 0.00

    shadow-utils (aka shadow) 4.4 through 4.17.0 establishes a default /etc/subuid behavior (e.g., uid 100000 through 165535 for the first user account) that can realistically conflict with the uids of users defined on locally administered networks, potentially leading to account…

  • CVE-2023-27524 (KEV), Apr 24, 2023
    risk 0.16, cvss n/a, epss 0.97

    Session Validation attacks in Apache Superset versions up to and including 2.0.1. Installations that have not altered the default configured SECRET_KEY according to installation instructions allow for an attacker to authenticate and access unauthorized resources. This does not…

  • CVE-2020-13927 (KEV), Nov 10, 2020
    risk 0.16, cvss n/a, epss 1.00

    The previous default setting for Airflow's Experimental API was to allow all API requests without authentication, but this poses security risks to users who miss this fact. From Airflow 1.10.11 the default has been changed to deny all requests by default and is documented at…

  • CVE-2024-34063 (Low), May 3, 2024
    risk 0.09, cvss 2.5, epss 0.00

    vodozemac is an implementation of Olm and Megolm in pure Rust. Versions 0.5.0 and 0.5.1 of vodozemac have degraded secret zeroization capabilities, due to changes in third-party cryptographic dependencies (the Dalek crates), which moved secret zeroization capabilities behind a…

  • CVE-2024-51758 (Low), Nov 7, 2024
    risk 0.08, cvss n/a, epss 0.01

    Filament is a collection of full-stack components for accelerated Laravel development. All Filament features that interact with storage use the `default_filesystem_disk` config option. This allows the user to easily swap their storage driver to something production-ready like…

  • CVE-2026-39398, Apr 9, 2026
    risk 0.00, cvss n/a, epss n/a

    Rejected reason: The affected product and advisory are not public.

  • CVE-2026-31975, Mar 11, 2026
    risk 0.00, cvss n/a, epss 0.03

    Cloud CLI (aka Claude Code UI) is a desktop and mobile UI for Claude Code, Cursor CLI, Codex, and Gemini-CLI. Prior to 1.25.0, OS Command Injection via WebSocket Shell. Both projectPath and initialCommand in server/index.js are taken directly from the WebSocket message payload…

  • CVE-2026-26190, Feb 13, 2026
    risk 0.00, cvss n/a, epss 0.28

    Milvus is an open-source vector database built for generative AI applications. Prior to 2.5.27 and 2.6.10, Milvus exposes TCP port 9091 by default, which enables authentication bypasses. The /expr debug endpoint uses a weak, predictable default authentication token derived from…

  • CVE-2026-25894, Feb 9, 2026
    risk 0.00, cvss n/a, epss 0.01

    FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An insecure default configuration in FUXA allows an unauthenticated, remote attacker to gain administrative access and execute arbitrary code on the server. This affects FUXA through version 1.2.9 when…

  • CVE-2026-25499, Feb 4, 2026
    risk 0.00, cvss n/a, epss 0.00

    Terraform / OpenTofu Provider adds support for Proxmox Virtual Environment. Prior to version 0.93.1, in the SSH configuration documentation, the sudoer line suggested is insecure and can result in escaping the folder using ../, allowing any files on the system to be edited. This…