CWE-1188 299 件の CVE MITRE の定義 ↗

CWE-1188: Initialization of a Resource with an Insecure Default

概要

CWE-1188(Initialization of a Resource with an Insecure Default)は各種脆弱性データベースや評価で用いられる弱点タイプを説明します。定義・背景・対応する CVE は以下の各セクションを参照してください。

セキュリティへの影響
セキュリティ影響:製品や文脈に依存します。CVE 記録、深刻度、MITRE の説明を参照して優先度を判断してください。

説明

The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.

適用プラットフォーム

種別 名称 クラス 普遍性 OS / CPE
language Not Language-Specific Undetermined

このデータベースの関連 CVE

これらの CVE は本データベースでこの弱点に対応付けられており、追跡と検索のために保持されています。

CVE 公開 概要
CVE-2026-56285 2026-06-29 Nitter's /video media proxy endpoint fails to validate target URLs against Twitter/X domains and uses a hardcoded default HMAC key, allowing unauthenticated attackers to compute valid HMACs for arbitr…
CVE-2026-46386 2026-06-26 OpenProject is open-source, web-based project management software. Prior to , the official openproject/openproject Docker image ships ENV SECRET_KEY_BASE=OVERWRITE_ME as the default Rails master key. …
CVE-2026-55454 2026-06-24 Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 2.1, the bundled Caddy reverse-proxy's admin API — which has no authentication by default — is bound on 0.0.0.0:2…
CVE-2026-54158 2026-06-24 SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, the attribute-view (database) cell renderer genAVValueHTML interpolates cell content raw in four of its branches: text, u…
CVE-2026-54067 2026-06-24 SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, CSS snippet body containing </style> breaks out of its surrounding <style> tag when renderSnippet() interpolates it via i…
CVE-2026-54066 2026-06-24 SiYuan is an open-source personal knowledge management system. Prior to 3.7.0, the patch for CVE-2026-41894 ("Path Traversal via Double URL Encoding") sanitized the /export/ route but the identical ro…
CVE-2026-48509 2026-06-22 MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, the parameterless MessagePackInputFormatter() constructor uses default serializer options, which resolve to MessagePa…
CVE-2026-48502 2026-06-22 MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePackReader.ReadDateTime() can allocate stack memory based on an attacker-controlled MessagePack extension leng…
CVE-2026-50519 2026-06-19 Initialization of a resource with an insecure default in GitHub Copilot and Visual Studio Code allows an unauthorized attacker to disclose information over a network.
CVE-2026-20265 2026-06-17 In Splunk AI Toolkit versions below 5.7.4, a low-privileged user that does not hold the "admin" or "power" Splunk roles could cause the Splunk AI Toolkit to make outbound requests over HTTP to a serve…
CVE-2026-0134 2026-06-16 In PostWipeData of recovery_ui.cpp, there is a possible data persistence issue after a factory reset due to a logic error in the code. This could lead to local information disclosure with no additiona…
CVE-2026-9262 2026-06-15 Use of a non-secure protocol as the default FTP configuration in Canon EOS Network Setting Tool Version 1.5.0 or earlier
CVE-2026-54359 2026-06-12 MISP contains an insecure default configuration in which the Security.check_sec_fetch_site_header control is disabled. When this setting is disabled, state-changing requests such as POST, PUT, or AJAX…
CVE-2026-44892 2026-06-12 Netty is a network application framework for development of protocol servers and clients. Prior to version 4.2.15.Final, the default configuration of the `Http3ConnectionHandler` in the Netty HTTP/3 c…
CVE-2026-40994 2026-06-11 Wss4jSecurityInterceptor initialized its BSP (WS-I Basic Security Profile) compliance flag so that inbound validation disabled WSS4J BSP enforcement on RequestData. Services that validate WS-Security …
CVE-2026-46517 2026-06-09 LMDeploy is a toolkit for compressing, deploying, and serving large language models. In versions 0.12.3 and prior, hardcoded "trust_remote_code=True" enables HF supply-chain RCE without user opt-in. A…
CVE-2026-36616 2026-06-03 Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 contains hardcoded WiFi driver credentials including a RADIUS shared secret, WPS test key, and default PSK embedded in the production firmware …
CVE-2026-36612 2026-06-03 Mercusys AC12G (EU) V1 with firmware AC12G(EU)_V1_200909 enables WPS 2.0 by default with a weak lockout policy (60-second lockout after 10 attempts).
CVE-2026-44825 2026-06-01 Hardcoded credentials in the Basic Authentication setup tool (bin/solr auth enable) in Apache Solr versions 9.4.0 through 9.10.1 and 10.0.0 allows a remote attacker to gain full administrative access …
CVE-2026-9039 2026-05-28 A configuration weakness in the device’s remote management service allows an authenticated session to be established over a communication channel intended solely for vehicle-charger signaling. The ser…

旧名称

  • Insecure Default Initialization of Resource (2023-10-26)

コンテンツ投稿

名称
CWE Content Team
組織
MITRE
日付
2019-03-25
バージョン
3.3

コンテンツの変更履歴

日付 名称 バージョン 重要度 コメント
2020-02-24 CWE Content Team 4.0 updated Relationships
2021-07-20 CWE Content Team 4.5 updated Related_Attack_Patterns
2023-01-31 CWE Content Team 4.10 updated Description
2023-04-27 CWE Content Team 4.11 updated Relationships
2023-06-29 CWE Content Team 4.12 updated Mapping_Notes
2023-10-26 CWE Content Team 4.13 updated Demonstrative_Examples, Name, Observed_Examples, Relationships
2025-12-11 CWE Content Team 4.19 updated Applicable_Platforms, Common_Consequences, Description, Detection_Factors, Modes_of_Introduction, References, Relationships, Time_of_Introduction

貢献

タイプ 名称 日付 コメント
Content Anonymous External Contributor 2023-10-13 Suggested name change for clarity
cvelogic Threat Intelligence