
CWE-1188 (Initialization of a Resource with an Insecure Default): Vulnerability Class, 93 CVEs

93 vulnerabilities classified as CWE-1188 (Initialization of a Resource with an Insecure Default). AI analysis (in Chinese) included.

CWE-1188 is an initialization weakness: a product sets up a resource with a default configuration that is meant to be changed by the installer, administrator or maintainer, but that default is not secure as shipped. It typically arises when ease of installation or out-of-the-box usability is prioritized over security hygiene, leaving settings such as passwords, API keys, listening interfaces, debug modes or access permissions in a vulnerable state until someone remembers to change them. Attackers exploit it by probing for the predictable default (a documented admin password, a writable SNMP community string, a management service bound to every interface) to gain access, escalate privileges or read sensitive data without defeating any authentication mechanism at all. Mitigation is mostly a design decision: ship with no usable default secrets and generate strong random credentials at installation or first run; make the secure setting the default and require an explicit opt-in for the permissive one; apply least privilege to default permissions; and add startup checks that refuse to run, or refuse to expose the service beyond localhost, while an insecure default remains, so that an administrator has to secure the deployment before it becomes reachable.
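The fail-closed startup check described above, as an added example (not code from the CWE entry or from any product listed on this page). The setting names, the shipped default values and the 12-character minimum are hypothetical; the point is that a missing or unchanged default is detected before the service starts, and that a default secret is replaced by a random one rather than left for the operator to remember.

```python
from __future__ import annotations

import secrets
from dataclasses import dataclass

# Constructed: defaults as a vendor might ship them. Each is a CWE-1188
# pattern: a value the installer or administrator is expected to change,
# unsafe if left as-is. The names are hypothetical, not from any product above.
SHIPPED_DEFAULTS = {
    "ADMIN_PASSWORD": "admin",       # documented default credential
    "BIND_ADDRESS": "0.0.0.0",       # listens on every interface
    "DEBUG": "true",                 # verbose exception handler exposed
    "SNMP_RW_COMMUNITY": "private",  # writable community string
}
SECRET_KEYS = {"ADMIN_PASSWORD", "SNMP_RW_COMMUNITY"}
MIN_SECRET_LEN = 12  # hypothetical policy value


@dataclass
class Finding:
    key: str
    reason: str


def check_insecure_defaults(config: dict[str, str]) -> list[Finding]:
    """Return every setting still carrying an insecure shipped default.

    A key absent from the config counts as 'still default': an installer
    that never wrote it leaves the product running on the built-in value,
    which is exactly the condition CWE-1188 describes.
    """
    findings: list[Finding] = []
    for key, default in SHIPPED_DEFAULTS.items():
        value = config.get(key, default)
        if key in SECRET_KEYS:
            if value == default:
                findings.append(Finding(key, "shipped default secret unchanged"))
            elif len(value) < MIN_SECRET_LEN:
                findings.append(Finding(key, f"secret shorter than {MIN_SECRET_LEN} characters"))
        elif value == default:
            findings.append(Finding(key, f"insecure shipped default {default!r} unchanged"))
    return findings


def provision_first_run_secret(config: dict[str, str], key: str = "ADMIN_PASSWORD") -> str:
    """Replace a default secret with a random one at install or first run.

    Returns the new value so the installer can show it exactly once; the
    product never again accepts the shipped default for this key.
    """
    new_secret = secrets.token_urlsafe(24)  # 192 bits of randomness, URL-safe text
    config[key] = new_secret
    return new_secret


def startup(config: dict[str, str]) -> bool:
    """Fail closed: refuse to start while any insecure default remains."""
    findings = check_insecure_defaults(config)
    for finding in findings:
        print(f"refusing to start: {finding.key}: {finding.reason}")
    return not findings


if __name__ == "__main__":
    # Constructed scenario: the installer rotates the admin password and the
    # operator set an SNMP community, but never narrowed the bind address or
    # turned off debug output.
    cfg = {"ADMIN_PASSWORD": "admin", "SNMP_RW_COMMUNITY": "k9Qw-community-7Zp"}
    print("generated admin password:", provision_first_run_secret(cfg))
    print("started:", startup(cfg))   # False: BIND_ADDRESS and DEBUG still default
    cfg.update(BIND_ADDRESS="127.0.0.1", DEBUG="false")
    print("started:", startup(cfg))   # True
```

Two design choices matter here. Treating an absent key as "still default" is what catches the half-finished install, where the installer wrote some values and silently fell back to the built-in ones for the rest. And the check runs before any socket is opened, so a deployment that forgot the bind address is never reachable on all interfaces even for the seconds it would take an administrator to notice.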

MITRE CWE Description
The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.
Common Consequences (1)
Other: Varies by Context
The impact of insecure defaults varies widely depending on the functionality that the product controls.
Examples (1)
This code attempts to log in a user using credentials from a POST request:

Bad · PHP
    // $user and $pass automatically set from POST request
    if (login_user($user,$pass)) {
      $authorized = true;
    }
    ...
    if ($authorized) {
      generatePage();
    }

Because $authorized is never initialized, PHP with register_globals enabled will populate it from any request parameter of the same name, so a POST that adds authorized=true reaches generatePage() without valid credentials. The fixed version initializes $authorized to false and reads the credentials explicitly from $_POST rather than relying on the insecure default behaviour:

Good · PHP
    $user = $_POST['user'];
    $pass = $_POST['pass'];
    $authorized = false;   // explicit default; cannot be set by the request
    if (login_user($user,$pass)) {
      $authorized = true;
    }
    ...

register_globals itself is the platform-level instance of this weakness: it has been off by default since PHP 4.2 and was removed in PHP 5.4, but code written against it remains vulnerable wherever it was turned back on.
Recent CVEs in this class (30 of 93 shown, sorted by publication date; values followed by (AI) carried an AI-estimated tag on the page rather than a score from the CVE record):

CVE ID | Title | Product | CVSS | Severity | Published
CVE-2026-44109 | OpenClaw < 2026.4.15 - Authentication Bypass in Feishu Webhook and Card-Action Validation | OpenClaw | 9.8 | Critical | 2026-05-06
CVE-2026-43581 | OpenClaw < 2026.4.10 - Chrome DevTools Protocol Exposure via Overly Broad CDP Relay Binding | OpenClaw | 9.6 | Critical | 2026-05-06
CVE-2026-41931 | Vvveb < 1.0.8.2 Information Disclosure via Debug Exception Handler | Vvveb | 5.3 | Medium | 2026-05-06
CVE-2025-31974 | HCL BigFix Service Management (SM) is susceptible to a Root File System Not Mounted as Read-Only | BigFix Service Management (SM) | 3.9 | Low | 2026-05-06
CVE-2026-39920 | BridgeHead FileStore < 24A Apache Axis2 Default Credentials RCE | FileStore | 9.8 | Critical | 2026-04-24
CVE-2026-6043 | Insecure Default Configuration in P4 Server | Helix Core Server (P4D) | 9.8 (AI) | Critical (AI) | 2026-04-24
CVE-2026-32965 | Silex SD-330AC and Silex AMC Manager security vulnerability | SD-330AC | 7.5 | High | 2026-04-20
CVE-2026-28205 | Initialization of a resource with an insecure default in OpenPLC_V3 | OpenPLC_V3 | 9.8 (AI) | Critical (AI) | 2026-04-09
CVE-2026-34742 | Model Context Protocol Go SDK: DNS Rebinding Protection Disabled by Default for Servers Running on Localhost | go-sdk | 7.1 (AI) | High (AI) | 2026-04-02
CVE-2026-24148 | NVIDIA Jetson for JetPack security vulnerability | Jetson Xavier Series and Jetson Orin Series | 8.3 | High | 2026-03-31
CVE-2026-32046 | OpenClaw < 2026.2.21 - OS-level Sandbox Bypass via --no-sandbox Flag | OpenClaw | 5.3 | Medium | 2026-03-21
CVE-2026-33037 | WWBN AVideo has predictable default admin credentials in official Docker deployment path | AVideo | 8.1 | High | 2026-03-20
CVE-2026-31957 | Himmelblau unset domain configuration can allow any-tenant authentication at first login for remote deployments | himmelblau | 10.0 | Critical | 2026-03-11
CVE-2018-25193 | Mongoose Web Server 6.9 Denial of Service via Socket Connection | Mongoose Web Server | 7.5 | High | 2026-03-06
CVE-2018-25169 | AMPPS 2.7 Denial of Service via Malformed Socket Connection | AMPPS | 7.5 | High | 2026-03-06
CVE-2026-26122 | Microsoft ACI Confidential Containers Information Disclosure Vulnerability | Microsoft ACI Confidential Containers | 6.5 | Medium | 2026-03-05
CVE-2026-28775 | Unauthenticated RCE via SNMP Default Writable Community String | SFX2100 Series SuperFlex SatelliteReceiver | 9.8 (AI) | Critical (AI) | 2026-03-04
CVE-2026-2617 | Beetel 777VR1 Telnet Service/SSH Service insecure default initialization of resource | 777VR1 | 6.3 | Medium | 2026-02-17
CVE-2026-1675 | Advanced Country Blocker <= 2.3.1 - Unauthenticated Authorization Bypass via Insecure Default Secret Key | Advanced Country Blocker | 5.3 | Medium | 2026-02-07
CVE-2026-25499 | terraform-provider-proxmox has insecure sudo recommendation in the documentation | terraform-provider-proxmox | 7.5 (AI) | High (AI) | 2026-02-04
CVE-2025-62877 | Harvest may expose OS default ssh login password via SUSE Virtualization Interactive Installer | harvester | 9.8 | Critical | 2026-01-08
CVE-2025-14758 | Initialization of a Resource with an Insecure Default in YAOOK | YAOOK | 6.5 | Medium | 2025-12-16
CVE-2025-64781 | Japan Total System multiple products security vulnerability | GroupSession Free edition | 4.8 (AI) | Medium (AI) | 2025-12-12
CVE-2025-66416 | DNS Rebinding Protection Disabled by Default in Model Context Protocol Python SDK for Servers Running on Localhost | python-sdk | 7.1 | - | 2025-12-02
CVE-2025-66414 | DNS Rebinding Protection Disabled by Default in Model Context Protocol TypeScript SDK for Servers Running on Localhost | typescript-sdk | 7.5 (AI) | High (AI) | 2025-12-02
CVE-2025-52622 | HCL BigFix SaaS Remediate is affected by a security vulnerability | BigFix SaaS Remediate | 5.4 | Medium | 2025-12-02
CVE-2025-13357 | Vault Terraform Provider Applied Incorrect Defaults for LDAP Auth Method | Tooling | 7.4 | High | 2025-11-21
CVE-2025-35021 | Abilis CPX Fallback Shell Connection Relay | CPX | 6.5 | Medium | 2025-11-04
CVE-2025-62802 | DNN CKEditor Provider allows unauthenticated upload out-of-the-box | Dnn.Platform | 4.3 | Medium | 2025-10-28
CVE-2025-41245 | VMSA-2025-0015: VMware Aria Operations and VMware Tools updates address multiple vulnerabilities (CVE-2025-41244, CVE-2025-41245, CVE-2025-41246) | VMware Aria Operations | 4.9 | Medium | 2025-09-29

Vulnerabilities classified as CWE-1188 (Initialization of a Resource with an Insecure Default) total 93 CVEs. The CWE taxonomy describes the weakness class; review the individual CVEs for product-specific impact.