VYPR

CWE-453

Insecure Default Variable Initialization

Abstraction: Variant | Status: Draft

Description

The product, by default, initializes an internal variable with an insecure or less secure value than is possible.

Hierarchy (View 1000)

Parents

Children

none

CVEs mapped to this weakness (6)

  • CVE-2025-30206 | Critical | Apr 15, 2025
    risk 0.57 | cvss 9.8 | epss 0.01

    Dpanel is a Docker visualization panel system which provides complete Docker management functions. The Dpanel service contains a hardcoded JWT secret in its default configuration, allowing attackers to generate valid JWT tokens and compromise the host machine. This security flaw…

  • CVE-2025-61926 | Medium | Oct 9, 2025
    risk 0.23 | cvss not listed | epss 0.00

    Allstar is a GitHub App to set and enforce security policies. In versions prior to 4.5, a vulnerability in Allstar’s Reviewbot component caused inbound webhook requests to be validated against a hard-coded, shared secret. The value used for the secret token was compiled into…

  • CVE-2026-41330 | Medium | Apr 21, 2026
    risk 0.22 | cvss 4.4 | epss 0.00

    OpenClaw before 2026.3.31 contains an environment variable override vulnerability in host exec policy that fails to properly enforce proxy, TLS, Docker, and Git TLS controls. Attackers can bypass security controls by overriding environment variables to circumvent proxy settings,…

  • CVE-2008-6540 | severity not listed | Mar 30, 2009
    risk 0.03 | cvss not listed | epss 0.03

    DotNetNuke before 4.8.2, during installation or upgrade, does not warn the administrator when the default (1) ValidationKey and (2) DecryptionKey values cannot be modified in the web.config file, which allows remote attackers to bypass intended access restrictions by using the…

  • CVE-2024-41255 | severity not listed | Jul 31, 2024
    risk 0.00 | cvss not listed | epss 0.00

    filestash v0.4 is configured to skip TLS certificate verification when using the FTPS protocol, possibly allowing attackers to execute a man-in-the-middle attack via the Init function of index.go.

  • CVE-2020-28481 | severity not listed | Jan 19, 2021
    risk 0.00 | cvss not listed | epss 0.01

    The package socket.io before 2.4.0 is vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default.