VYPR

CWE-1188

Initialization of a Resource with an Insecure Default

Abstraction: Base
Status: Incomplete

Description

The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.

Hierarchy (View 1000)

Children

Related attack patterns (CAPEC)

CAPEC-665

CVEs mapped to this weakness (144)

page 7 of 8
  • CVE-2025-69970 (Feb 3, 2026)
    risk 0.00 · cvss n/a · epss 0.00

    FUXA v1.2.7 contains an insecure default configuration vulnerability in server/settings.default.js. The 'secureEnabled' flag is commented out by default, causing the application to initialize with authentication disabled. This allows unauthenticated remote attackers to access…

  • CVE-2025-66482 (Dec 15, 2025)
    risk 0.00 · cvss n/a · epss 0.00

    Misskey is an open source, federated social media platform. Attackers who use an untrusted reverse proxy or not using a reverse proxy at all can bypass IP rate limiting by adding a forged X-Forwarded-For header. Starting with version 2025.9.1, an option (`trustProxy`) has been…

  • CVE-2025-66416 (Dec 2, 2025)
    risk 0.00 · cvss n/a · epss 0.00

    The MCP Python SDK, called `mcp` on PyPI, is a Python implementation of the Model Context Protocol (MCP). Prior to version 1.23.0, the Model Context Protocol (MCP) Python SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP…

  • CVE-2025-66414 (Dec 2, 2025)
    risk 0.00 · cvss n/a · epss 0.00

    MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. Prior to 1.24.0, the Model Context Protocol (MCP) TypeScript SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on…

  • CVE-2025-13357 (Nov 21, 2025)
    risk 0.00 · cvss n/a · epss 0.00

    Vault’s Terraform Provider incorrectly set the deny_null_bind parameter for the LDAP auth method to false by default, potentially resulting in an insecure configuration. If the underlying LDAP server allowed anonymous or unauthenticated binds, this could result in…

  • CVE-2025-64135 (Oct 29, 2025)
    risk 0.00 · cvss n/a · epss 0.00

    Jenkins Eggplant Runner Plugin 0.0.1.301.v963cffe8ddb_8 and earlier sets the Java system property `jdk.http.auth.tunneling.disabledSchemes` to an empty value, disabling a protection mechanism of the Java runtime.

  • CVE-2025-43797 (Sep 15, 2025)
    risk 0.00 · cvss n/a · epss 0.00

    In Liferay Portal 7.1.0 through 7.4.3.111, and Liferay DXP 2023.Q4.0, 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions, the default membership type of a newly created site is “Open” which allows any registered…

  • CVE-2025-54127 (Jul 21, 2025)
    risk 0.00 · cvss n/a · epss 0.00

    HAXcms with nodejs backend allows users to start the server in any HAXsite or HAXcms instance. In versions 11.0.6 and below, the NodeJS version of HAXcms uses an insecure default configuration designed for local development. The default configuration does not perform…

  • CVE-2025-32378 (Apr 9, 2025)
    risk 0.00 · cvss n/a · epss 0.00

    Shopware is an open source e-commerce software platform. Prior to 6.6.10.3 or 6.5.8.17, the default settings for double-opt-in allow for mass unsolicited newsletter sign-ups without confirmation. Default settings are Newsletter: Double Opt-in set to active, Newsletter: Double…

  • CVE-2024-45217 (Oct 16, 2024)
    risk 0.00 · cvss n/a · epss 0.01

    Insecure Default Initialization of Resource vulnerability in Apache Solr. New ConfigSets that are created via a Restore command, which copy a configSet from the backup and give it a new name, are created without setting the "trusted" metadata. ConfigSets that do not contain the…

  • CVE-2024-32114 (May 2, 2024)
    risk 0.00 · cvss n/a · epss 0.07

    In Apache ActiveMQ 6.x, the default configuration doesn't secure the API web context (where the Jolokia JMX REST API and the Message REST API are located). It means that anyone can use these layers without any required authentication. Potentially, anyone can interact with the…

  • CVE-2024-26267 (Feb 20, 2024)
    risk 0.00 · cvss n/a · epss 0.01

    In Liferay Portal 7.2.0 through 7.4.3.25, and older unsupported versions, and Liferay DXP 7.4 before update 26, 7.3 before update 5, 7.2 before fix pack 19, and older unsupported versions the default value of the portal property `http.header.version.verbosity` is set to `full`,…

  • CVE-2024-25610 (Feb 20, 2024)
    risk 0.00 · cvss n/a · epss 0.01

    In Liferay Portal 7.2.0 through 7.4.3.12, and older unsupported versions, and Liferay DXP 7.4 before update 9, 7.3 before update 4, 7.2 before fix pack 19, and older unsupported versions, the default configuration does not sanitize blog entries of JavaScript, which allows remote…

  • CVE-2024-22207 (Jan 15, 2024)
    risk 0.00 · cvss n/a · epss 0.02

    fastify-swagger-ui is a Fastify plugin for serving Swagger UI. Prior to 2.1.0, the default configuration of `@fastify/swagger-ui` without `baseDir` set will lead to all files in the module's directory being exposed via http routes served by the module. The vulnerability is…

  • CVE-2023-45312 (Oct 10, 2023)
    risk 0.00 · cvss n/a · epss 0.02

    In the mtproto_proxy (aka MTProto proxy) component through 0.7.2 for Erlang, a low-privileged remote attacker can access an improperly secured default installation without authenticating and achieve remote command execution ability.

  • CVE-2023-3485 (Jun 30, 2023)
    risk 0.00 · cvss n/a · epss 0.00

    Insecure defaults in open-source Temporal Server before version 1.20 on all platforms allows an attacker to craft a task token with access to a namespace other than the one specified in the request. Creation of this task token must be done outside of the normal Temporal server…

  • CVE-2023-33949 (May 24, 2023)
    risk 0.00 · cvss n/a · epss 0.01

    In Liferay Portal 7.3.0 and earlier, and Liferay DXP 7.2 and earlier the default configuration does not require users to verify their email address, which allows remote attackers to create accounts using fake email addresses or email addresses which they don't control. The…

  • CVE-2023-31101 (May 22, 2023)
    risk 0.00 · cvss n/a · epss 0.01

    Insecure Default Initialization of Resource Vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong: from 1.5.0 through 1.6.0. Users registered in InLong who joined later can see deleted users' data. Users are advised to upgrade to Apache…

  • CVE-2022-42467 (Oct 19, 2022)
    risk 0.00 · cvss n/a · epss 0.01

    When running in prototype mode, the h2 webconsole module (accessible from the Prototype menu) is automatically made available with the ability to directly query the database. It was felt that it is safer to require the developer to explicitly enable this capability. As of…

  • CVE-2022-1278 (Sep 13, 2022)
    risk 0.00 · cvss n/a · epss 0.01

    A flaw was found in WildFly, where an attacker can see deployment names, endpoints, and any other data the trace payload may contain.