569 matches found
CVE-2026-59720 Hoppscotch: Insecure Default Configuration Allows Public Exposure of Private Collection Data via Mock Server
Hoppscotch is an open source API development ecosystem. Prior to 2026.6.0, mock server creation in mock-server.service.ts does not persist the isPublic input field while schema.prisma defaults isPublic to true, causing mock servers linked to private collections to be publicly accessible without...
PYSEC-2026-278 Improper Certificate Validation in apache airflow mongo hook
When ssl was enabled for Mongo Hook, default settings included "allowinsecure" which caused that certificates were not validated. This was unexpected and undocumented. Users are recommended to upgrade to version 4.0.0, which fixes this issue...
EUVD-2026-38387
MessagePack-CSharp: ASP.NET Core MessagePackInputFormatter defaults to TrustedData for HTTP request bodies...
CVE-2026-9733
CVE-2026-9733 affects Mojolicious::Plugin::Web::Auth::OAuth2 (Perl) versions up to 0.17. The insecure default state parameter arises from a SHA-1 based generator that uses epoch time (revealed via HTTP Date) and Perl rand, enabling CSRF session hijacking. A patch exists (Mojolicious-Plugin-Web-Au...
CVE-2026-55599
phpseclib is a PHP secure communications library. From 0.1.1 until 1.0.30, 2.0.55, and 3.0.54, when an application validates an untrusted X.509 certificate with phpseclib, X509::validateSignature reads a URL out of that certificate's Authority Information Access AIA extension and connects to it...
CVE-2026-50519
Initialization of a resource with an insecure default in GitHub Copilot and Visual Studio Code allows an unauthorized attacker to disclose information over a network...
CVE-2026-20265 Insecure Default Domain Allowlist in Splunk AI Toolkit
In Splunk AI Toolkit versions below 5.7.4, a low-privileged user that does not hold the "admin" or "power" Splunk roles could cause the Splunk AI Toolkit to make outbound requests over HTTP to a server that an attacker controls, which could allow for data exfiltration. The vulnerability exists...
CVE-2026-0082
In tryStartActivity of NfcDispatcher.java, there is a possible automatic special app access permission assignment due to an insecure default value. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation...
CVE-2026-54359
MISP contains an insecure default configuration in which the Security.checksecfetchsiteheader control is disabled. When this setting is disabled, state-changing requests such as POST, PUT, or AJAX requests are not restricted based on the browser-provided Sec-Fetch-Site header. A remote...
EUVD-2026-36551
MISP contains an insecure default configuration in which the Security.checksecfetchsiteheader control is disabled. When this setting is disabled, state-changing requests such as POST, PUT, or AJAX requests are not restricted based on the browser-provided Sec-Fetch-Site header. A remote...
PT-2026-48971
MISP contains an insecure default configuration in which the Security.check sec fetch site header control is disabled. When this setting is disabled, state-changing requests such as POST, PUT, or AJAX requests are not restricted based on the browser-provided Sec-Fetch-Site header. A remote...
CVE-2026-45482
Improper limitation of a pathname to a restricted directory 'path traversal' in GitHub Copilot and Visual Studio Code allows an unauthorized attacker to bypass a security feature locally...
Security Bulletin: IBM Datapower Operations Dashboard is vulnerable to Insecure Default Initialization of Resource CVE-2025-66414
Summary MCP TypeScript SDK is used by the IBM Datapower Operations Dashboard to implement the Model Context Protocol MCP using Node.js Vulnerability Details CVEID:CVE-2025-66414 DESCRIPTION: MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. Prior to...
CVE-2026-32965
Initialization of a resource with an insecure default vulnerability exists in SD-330AC and AMC Manager provided by silex technology, Inc. When the affected device is connected to the network with the initial factory-default configuration, the device can be configured with the null string password...
CVE-2026-9039 Initialization of a resource with an insecure default in XCharge C6
A configuration weakness in the device’s remote management service allows an authenticated session to be established over a communication channel intended solely for vehicle-charger signaling. The service is accessible on interfaces exposed through the charging connector, and it accepts a default...
CVE-2026-44468 Incorrect Default Permissions in CODESYS Development System
The affected product creates a directory with insecure default permissions during administrative installation. This allows a low-privileged local attacker to modify a temporary file defining the components to be installed, enabling local privilege escalation by forcing the deployment of arbitrary...
Insecure Default Initialization of Resource
Overview thorsten/phpmyfaq is a FAQ system for PHP and MySQL, PostgreSQL and other databases Affected versions of this package are vulnerable to Insecure Default Initialization of Resource via the hasValidToken function. An attacker can gain unauthorized access to create and modify FAQ entries,...
Exploit for Insecure Default Initialization of Resource in Praison Praisonai
CVE-2026-44338 PraisonAI Authentication Bypass Lab Local Dock...
CVE-2025-48516
Insecure default configuration state of DDR5 memory module by AGESA Bootloader Firmware could allow an attacker with local user privilege to abuse the unprotected PMIC interface to create a permanent denial of service condition or affect the integrity of the memory module...
EUVD-2025-209875
Insecure default configuration state of DDR5 memory module by AGESA Bootloader Firmware could allow an attacker with local user privilege to abuse the unprotected PMIC interface to create a permanent denial of service condition or affect the integrity of the memory module...