Threats Tagged 'cwe-1188'
View all threats tagged with 'cwe-1188'. Filter and sort to focus on specific types of threats.

CVE-2026-50519: CWE-1188: Initialization of a Resource with an Insecure Default in Microsoft GitHub Copilot Chat
Initialization of a resource with an insecure default in GitHub Copilot and Visual Studio Code allows an unauthorized attacker to disclose information over a network.
CVE Database V5 | 06/19/2026, 20:28:35 UTC | Added: 06/19/2026, 21:15:37 UTC

CVE-2026-9262: CWE-1188 Initialization of a resource with an insecure default in Canon Inc. EOS Network Setting Tool for Windows
CVE-2026-9262 is a vulnerability in Canon Inc.'s EOS Network Setting Tool for Windows where the default FTP configuration uses a non-secure protocol. This affects versions 1.5.0 and earlier. The vulnerability is classified under CWE-1188, indicating initialization of a resource with an insecure default. The CVSS 4.0 base score is 7.1, reflecting a high severity due to network attack vector, low attack complexity, no privileges required, and high impact on confidentiality.
CVE Database V5 | 06/15/2026, 23:40:15 UTC | Added: 06/16/2026, 00:00:41 UTC

CVE-2026-40994: CWE-1188: Initialization of a Resource with an Insecure Default in Spring Spring Web Services
Wss4jSecurityInterceptor initialized its BSP (WS-I Basic Security Profile) compliance flag so that inbound validation disabled WSS4J BSP enforcement on RequestData. Services that validate WS-Security on the network could therefore accept messages that violate BSP rules, weakening protocol-level checks. Affected versions: Spring Web Services 5.0.0 through 5.0.1; 4.1.0 through 4.1.3; 4.0.0 through 4.0.18; 3.1.0 through 3.1.8.
CVE Database V5 | 06/11/2026, 05:03:57 UTC | Added: 06/11/2026, 06:46:18 UTC

CVE-2026-46517: CWE-94: Improper Control of Generation of Code ('Code Injection') in InternLM lmdeploy
LMDeploy is a toolkit for compressing, deploying, and serving large language models. In versions 0.12.3 and prior, hardcoded "trust_remote_code=True" enables HF supply-chain RCE without user opt-in. At time of publication, there are no publicly available patches.
CVE Database V5 | 06/09/2026, 23:05:43 UTC | Added: 06/09/2026, 23:25:53 UTC

CVE-2026-10045: CWE-798 Use of Hard-coded Credentials in Shenzhen Kangda Xin Intelligent Network Technology Co., Ltd DR300
Shenzhen Kangda Xin Intelligent Network Technology Company's router, model DR300, version 2.1.2.121, contains hardcoded login credentials and has telnet enabled by default on WAN and LAN interfaces. These vulnerabilities allow attackers to read and write to memory, modify firmware stored in flash, inspect active connections, and view currently connected devices.
CVE Database V5 | 06/09/2026, 18:09:56 UTC | Added: 06/09/2026, 19:41:24 UTC

CVE-2026-44825: CWE-798 Use of Hard-coded Credentials in Apache Software Foundation Apache Solr
Apache Solr versions 9.4.0 through 9.10.1 and 10.0.0 contain hardcoded credentials in the Basic Authentication setup tool (bin/solr auth enable). These default credentials are installed silently alongside user-specified accounts, allowing remote attackers to gain full administrative access to the cluster. Clusters not using the BasicAuth bootstrap or those that have changed the template users' passwords are not affected. Future versions 9.
CVE Database V5 | 06/01/2026, 08:02:15 UTC | Added: 06/01/2026, 09:18:45 UTC

CVE-2026-9039: CWE-1188 Initialization of a resource with an insecure default in XCharge C6
CVE-2026-9039 is a high-severity vulnerability in the XCharge C6 electric vehicle charger. It involves a configuration weakness where the remote management service accepts a default administrative credential and is accessible via the charging connector interface. This allows an authenticated session to be established over a channel intended only for vehicle-charger signaling. A malicious device physically connected to the charging interface could exploit this to gain full administrative access to the device.
CVE Database V5 | 05/28/2026, 19:07:09 UTC | Added: 05/28/2026, 19:53:12 UTC

CVE-2026-24197: CWE-1188 Initialization of a Resource with an Insecure Default in NVIDIA GeForce
CVE-2026-24197 is a medium severity vulnerability in the NVIDIA GeForce Display Driver for Linux affecting Multi-Instance GPU (MIG) partition management. The issue arises from insecure default initialization of memory subsystem routing resources, which can cause data corruption or system hangs during partition reconfiguration. Exploitation could result in denial of service but does not impact confidentiality or integrity. The vulnerability affects all driver versions prior to 595.71.05. No official patch or remediation guidance is currently available from the vendor. There are no known exploits in the wild at this time.
CVE Database V5 | 05/26/2026, 17:19:40 UTC | Added: 05/26/2026, 18:02:31 UTC

CVE-2026-46430: CWE-668: Exposure of Resource to Wrong Sphere in xyproto algernon
Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, the SSE event server bound to 0.0.0.0:5553 on Linux/macOS by default because the platform-dependent host default in engine/flags.go:39-46 set host = "" for non-Windows, and utils.JoinHostPort("", ":5553") resolves to ":5553". This vulnerability is fixed in 1.17.7.
CVE Database V5 | 05/26/2026, 16:41:42 UTC | Added: 05/26/2026, 17:02:38 UTC

CVE-2026-45728: CWE-209: Generation of Error Message Containing Sensitive Information in xyproto algernon
Algernon is a small self-contained pure-Go web server. Prior to 1.17.7, when Algernon is invoked with a single file path instead of a directory, singleFileMode is set to true and debugMode is forcibly enabled. debugMode activates the PrettyError renderer, which on any Lua or template error response dumps the absolute path of the file that errored, complete byte contents of that file, and exception or parser error text. This response is served with HTTP 200 OK to whoever sent the request that triggered the error. Any client able to reach the server and able to provoke a runtime error in the served script obtains the full server-side source of that script and of any sibling Lua data file consulted during the request. This vulnerability is fixed in 1.17.7.
CVE Database V5 | 05/26/2026, 16:38:50 UTC | Added: 05/26/2026, 17:02:38 UTC