CWE-1188
AllowedInitialization of a Resource with an Insecure Default
Abstraction: Base · Status: Incomplete
The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.
402 vulnerabilities reference this CWE, most recent first.
GHSA-37VX-V53J-77PR
Vulnerability from github – Published: 2023-05-19 06:30 – Updated: 2024-04-04 04:15Active Debug Code vulnerability in Mitsubishi Electric Corporation MELSEC WS Series WS0-GETH00200 all versions allows a remote unauthenticated attacker to bypass authentication and illegally log into the affected module by connecting to it via telnet which is hidden function and is enabled by default when shipped from the factory. As a result, a remote attacker with unauthorized login can reset the module, and if certain conditions are met, he/she can disclose or tamper with the module's configuration or rewrite the firmware.
{
"affected": [],
"aliases": [
"CVE-2023-1618"
],
"database_specific": {
"cwe_ids": [
"CWE-1188",
"CWE-489"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-05-19T05:15:20Z",
"severity": "HIGH"
},
"details": "Active Debug Code vulnerability in Mitsubishi Electric Corporation MELSEC WS Series WS0-GETH00200 all versions allows a remote unauthenticated attacker to bypass authentication and illegally log into the affected module by connecting to it via telnet which is hidden function and is enabled by default when shipped from the factory. As a result, a remote attacker with unauthorized login can reset the module, and if certain conditions are met, he/she can disclose or tamper with the module\u0027s configuration or rewrite the firmware.",
"id": "GHSA-37vx-v53j-77pr",
"modified": "2024-04-04T04:15:00Z",
"published": "2023-05-19T06:30:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-1618"
},
{
"type": "WEB",
"url": "https://jvn.jp/vu/JVNVU96063959"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-23-138-02"
},
{
"type": "WEB",
"url": "https://www.mitsubishielectric.com/en/psirt/vulnerability/pdf/2023-002_en.pdf"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-382J-8MXH-C7X2
Vulnerability from github – Published: 2026-06-25 18:35 – Updated: 2026-06-25 18:35Summary
MessagePackReader.ReadDateTime() can allocate stack memory based on an attacker-controlled MessagePack extension length. In the slow path for timestamp extension parsing, the computed tokenSize includes the extension body length from the wire and is used in a stackalloc operation before the extension length is validated as one of the valid timestamp sizes.
A very small payload can claim a large timestamp extension body and cause a stack allocation large enough to trigger an uncatchable StackOverflowException, terminating the host process.
Impact
Applications are affected when they deserialize untrusted payloads into types containing DateTime values. This path is available through the standard formatter set and does not require opting into typeless serialization, LZ4 compression, Unity-specific resolvers, or other specialized features.
MessagePackSecurity.UntrustedData and MaximumObjectGraphDepth do not mitigate this issue because the crash is caused by a single-frame stack allocation, not by object graph recursion.
An attacker can send a MessagePack timestamp extension header with an oversized body length and insufficient body bytes. The reader enters the slow path, attempts to stack-allocate a buffer sized from that declared length, and can terminate the process before a catchable serialization exception is thrown.
Affected components
- Package:
MessagePack - API:
MessagePackReader.ReadDateTime - Data types:
DateTimeand formatter paths that callReadDateTime - Finding IDs:
MESSAGEPACKCSHARP-020, related stack allocation findingMESSAGEPACKCSHARP-CROW-MEM-001
Patches
Fixes are prepared and will be released in coordinated patch versions.
Upgrade guidance:
- Upgrade
MessagePackto the patched version for your release line. - Upgrade companion MessagePack packages in the same dependency graph to the coordinated patched versions.
The fix should validate timestamp extension lengths before any stack allocation. Valid MessagePack timestamp payload lengths are limited to the supported timestamp encodings, so oversized extension lengths should fail with a catchable MessagePack serialization exception before the slow path allocates a buffer.
Workarounds
Patching is recommended.
Until a patched version is available, avoid deserializing untrusted MessagePack payloads into schemas that contain DateTime or DateTimeOffset values. Where possible, enforce strict maximum message sizes and reject malformed extension payloads before they reach MessagePack-CSharp.
There is no complete workaround for applications that must deserialize attacker-controlled MessagePack data containing date/time fields with affected versions.
Resources
MESSAGEPACKCSHARP-020:ReadDateTimestack allocation from attacker-controlled extension lengthMESSAGEPACKCSHARP-CROW-MEM-001: related attacker-controlled stack allocation finding inMessagePackReader- CWE-770: Allocation of Resources Without Limits or Throttling
CVE split rationale
This vulnerability is independently fixable in the DateTime extension parsing path by validating extension lengths before stack allocation. It is separate from recursive stack overflows, LZ4 issues, and collection allocation bugs.
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "MessagePack"
},
"ranges": [
{
"events": [
{
"introduced": "3.0"
},
{
"fixed": "3.1.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-48502"
],
"database_specific": {
"cwe_ids": [
"CWE-1188",
"CWE-125",
"CWE-190",
"CWE-407",
"CWE-409",
"CWE-470",
"CWE-502",
"CWE-674",
"CWE-789"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-25T18:35:48Z",
"nvd_published_at": "2026-06-22T22:16:47Z",
"severity": "HIGH"
},
"details": "## Summary\n\n`MessagePackReader.ReadDateTime()` can allocate stack memory based on an attacker-controlled MessagePack extension length. In the slow path for timestamp extension parsing, the computed `tokenSize` includes the extension body length from the wire and is used in a `stackalloc` operation before the extension length is validated as one of the valid timestamp sizes.\n\nA very small payload can claim a large timestamp extension body and cause a stack allocation large enough to trigger an uncatchable `StackOverflowException`, terminating the host process.\n\n## Impact\n\nApplications are affected when they deserialize untrusted payloads into types containing `DateTime` values. This path is available through the standard formatter set and does not require opting into typeless serialization, LZ4 compression, Unity-specific resolvers, or other specialized features.\n\n`MessagePackSecurity.UntrustedData` and `MaximumObjectGraphDepth` do not mitigate this issue because the crash is caused by a single-frame stack allocation, not by object graph recursion.\n\nAn attacker can send a MessagePack timestamp extension header with an oversized body length and insufficient body bytes. The reader enters the slow path, attempts to stack-allocate a buffer sized from that declared length, and can terminate the process before a catchable serialization exception is thrown.\n\n## Affected components\n\n- Package: `MessagePack`\n- API: `MessagePackReader.ReadDateTime`\n- Data types: `DateTime` and formatter paths that call `ReadDateTime`\n- Finding IDs: `MESSAGEPACKCSHARP-020`, related stack allocation finding `MESSAGEPACKCSHARP-CROW-MEM-001`\n\n## Patches\n\nFixes are prepared and will be released in coordinated patch versions.\n\nUpgrade guidance:\n\n1. Upgrade `MessagePack` to the patched version for your release line.\n2. Upgrade companion MessagePack packages in the same dependency graph to the coordinated patched versions.\n\nThe fix should validate timestamp extension lengths before any stack allocation. Valid MessagePack timestamp payload lengths are limited to the supported timestamp encodings, so oversized extension lengths should fail with a catchable MessagePack serialization exception before the slow path allocates a buffer.\n\n## Workarounds\n\nPatching is recommended.\n\nUntil a patched version is available, avoid deserializing untrusted MessagePack payloads into schemas that contain `DateTime` or `DateTimeOffset` values. Where possible, enforce strict maximum message sizes and reject malformed extension payloads before they reach MessagePack-CSharp.\n\nThere is no complete workaround for applications that must deserialize attacker-controlled MessagePack data containing date/time fields with affected versions.\n\n## Resources\n\n- `MESSAGEPACKCSHARP-020`: `ReadDateTime` stack allocation from attacker-controlled extension length\n- `MESSAGEPACKCSHARP-CROW-MEM-001`: related attacker-controlled stack allocation finding in `MessagePackReader`\n- CWE-770: Allocation of Resources Without Limits or Throttling\n\n## CVE split rationale\n\nThis vulnerability is independently fixable in the DateTime extension parsing path by validating extension lengths before stack allocation. It is separate from recursive stack overflows, LZ4 issues, and collection allocation bugs.",
"id": "GHSA-382j-8mxh-c7x2",
"modified": "2026-06-25T18:35:48Z",
"published": "2026-06-25T18:35:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/MessagePack-CSharp/MessagePack-CSharp/security/advisories/GHSA-382j-8mxh-c7x2"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48502"
},
{
"type": "PACKAGE",
"url": "https://github.com/MessagePack-CSharp/MessagePack-CSharp"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "MessagePack-CSharp: Denial of service vulnerabilities can swamp the CPU or crash the process with stack and heap overflows"
}
GHSA-3F6J-24PW-57FM
Vulnerability from github – Published: 2026-04-24 18:31 – Updated: 2026-04-24 18:31BridgeHead FileStore versions prior to 24A (released in early 2024) expose the Apache Axis2 administration module on network-accessible endpoints with default credentials that allows unauthenticated remote attackers to execute arbitrary OS commands. Attackers can authenticate to the admin console using default credentials, upload a malicious Java archive as a web service, and execute arbitrary commands on the host via SOAP requests to the deployed service.
{
"affected": [],
"aliases": [
"CVE-2026-39920"
],
"database_specific": {
"cwe_ids": [
"CWE-1188"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-24T16:16:36Z",
"severity": "CRITICAL"
},
"details": "BridgeHead FileStore versions prior to 24A (released in early 2024) expose the Apache Axis2 administration module on network-accessible endpoints with default credentials that allows unauthenticated remote attackers to execute arbitrary OS commands. Attackers can authenticate to the admin console using default credentials, upload a malicious Java archive as a web service, and execute arbitrary commands on the host via SOAP requests to the deployed service.",
"id": "GHSA-3f6j-24pw-57fm",
"modified": "2026-04-24T18:31:12Z",
"published": "2026-04-24T18:31:12Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39920"
},
{
"type": "WEB",
"url": "https://axis.apache.org/axis2/java/core/docs/webadminguide.html"
},
{
"type": "WEB",
"url": "https://gist.github.com/VAMorales/9e6a13d7529c079a363930dff48be3ba"
},
{
"type": "WEB",
"url": "https://issues.apache.org/jira/browse/AXIS2-4279"
},
{
"type": "WEB",
"url": "https://www.bridgeheadsoftware.com/rapid-data-protection-product-updates"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/bridgehead-filestore-24a-apache-axis2-default-credentials-rce"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-3GHV-W9FM-536C
Vulnerability from github – Published: 2022-05-13 01:33 – Updated: 2022-05-13 01:33IBM Maximo Asset Management 7.6 through 7.6.3 installs with a default administrator account that a remote intruder could use to gain administrator access to the system. This vulnerability is due to an incomplete fix for CVE-2015-4966. IBM X-Force ID: 142116.
{
"affected": [],
"aliases": [
"CVE-2018-1524"
],
"database_specific": {
"cwe_ids": [
"CWE-1188"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2018-08-03T15:29:00Z",
"severity": "HIGH"
},
"details": "IBM Maximo Asset Management 7.6 through 7.6.3 installs with a default administrator account that a remote intruder could use to gain administrator access to the system. This vulnerability is due to an incomplete fix for CVE-2015-4966. IBM X-Force ID: 142116.",
"id": "GHSA-3ghv-w9fm-536c",
"modified": "2022-05-13T01:33:10Z",
"published": "2022-05-13T01:33:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-1524"
},
{
"type": "WEB",
"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/142116"
},
{
"type": "WEB",
"url": "https://www.ibm.com/support/docview.wss?uid=swg22017452"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3J78-GC32-CR37
Vulnerability from github – Published: 2022-05-24 22:28 – Updated: 2022-10-25 12:00Dell EMC Integrated System for Microsoft Azure Stack Hub, versions 1906 – 2011, contain an undocumented default iDRAC account. A remote unauthenticated attacker, with the knowledge of the default credentials, could potentially exploit this to log in to the system to gain root privileges.
{
"affected": [],
"aliases": [
"CVE-2021-21505"
],
"database_specific": {
"cwe_ids": [
"CWE-1188",
"CWE-522"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-05-06T13:15:00Z",
"severity": "CRITICAL"
},
"details": "Dell EMC Integrated System for Microsoft Azure Stack Hub, versions 1906 \u2013 2011, contain an undocumented default iDRAC account. A remote unauthenticated attacker, with the knowledge of the default credentials, could potentially exploit this to log in to the system to gain root privileges.",
"id": "GHSA-3j78-gc32-cr37",
"modified": "2022-10-25T12:00:15Z",
"published": "2022-05-24T22:28:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21505"
},
{
"type": "WEB",
"url": "https://www.dell.com/support/kbdoc/en-us/000186008/dsa-2021-020-dell-emc-integrated-system-for-microsoft-azure-stack-hub-security-update-for-an-idrac-undocumented-account-vulnerability"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3M6Q-H5GJ-7MRW
Vulnerability from github – Published: 2026-04-22 20:37 – Updated: 2026-04-22 20:37Summary
The built-in SSH server currently advertises a number of key exchange, MAC, and host key algorithms that are considered weak or broken. The defaults should be tightened so a fresh installation passes a baseline SSH security audit out of the box.
Details
Running ssh-audit against a default deployment flags the following as fail:
- Key exchange
ecdh-sha2-nistp256ecdh-sha2-nistp384ecdh-sha2-nistp521- MAC
hmac-sha1- Host key
ssh-rsa
Reproduction
docker run -it --rm positronsecurity/ssh-audit -p 2222 gitea.local
Impact
Default deployments expose algorithms that are known-weak or deprecated upstream. The current workaround requires manually setting several GITEA__server__SSH_SERVER_* variables, which most users will never do.
Workaround
[server]
SSH_SERVER_KEY_EXCHANGES = curve25519-sha256, diffie-hellman-group14-sha256
SSH_SERVER_CIPHERS = chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com
SSH_SERVER_MACS = hmac-sha2-256-etm@openssh.com, hmac-sha2-256
There is no exposed option to restrict host key algorithms, so ssh-rsa remains advertised.
Acceptance criteria
- [ ] Default
SSH_SERVER_KEY_EXCHANGES,SSH_SERVER_CIPHERS, andSSH_SERVER_MACSupdated to the secure list above. - [ ] New
SSH_SERVER_HOST_KEY_ALGORITHMSoption added, with a default that excludesssh-rsa. - [ ] Documentation updated to reflect the new defaults.
- [ ]
ssh-auditagainst a fresh install reports no[fail]entries.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "code.gitea.io/gitea"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.25.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1188",
"CWE-327"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-22T20:37:21Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "## Summary\n\nThe built-in SSH server currently advertises a number of key exchange, MAC, and host key algorithms that are considered weak or broken. The defaults should be tightened so a fresh installation passes a baseline SSH security audit out of the box.\n\n## Details\n\nRunning `ssh-audit` against a default deployment flags the following as `fail`:\n\n- **Key exchange**\n - `ecdh-sha2-nistp256`\n - `ecdh-sha2-nistp384`\n - `ecdh-sha2-nistp521`\n- **MAC**\n - `hmac-sha1`\n- **Host key**\n - `ssh-rsa`\n\n## Reproduction\n\n```sh\ndocker run -it --rm positronsecurity/ssh-audit -p 2222 gitea.local\n```\n\n## Impact\n\nDefault deployments expose algorithms that are known-weak or deprecated upstream. The current workaround requires manually setting several `GITEA__server__SSH_SERVER_*` variables, which most users will never do.\n\n### Workaround\n\n```ini\n[server]\nSSH_SERVER_KEY_EXCHANGES = curve25519-sha256, diffie-hellman-group14-sha256\nSSH_SERVER_CIPHERS = chacha20-poly1305@openssh.com, aes128-ctr, aes192-ctr, aes256-ctr, aes128-gcm@openssh.com, aes256-gcm@openssh.com\nSSH_SERVER_MACS = hmac-sha2-256-etm@openssh.com, hmac-sha2-256\n```\n\nThere is no exposed option to restrict host key algorithms, so `ssh-rsa` remains advertised.\n\n## Acceptance criteria\n\n- [ ] Default `SSH_SERVER_KEY_EXCHANGES`, `SSH_SERVER_CIPHERS`, and `SSH_SERVER_MACS` updated to the secure list above.\n- [ ] New `SSH_SERVER_HOST_KEY_ALGORITHMS` option added, with a default that excludes `ssh-rsa`.\n- [ ] Documentation updated to reflect the new defaults.\n- [ ] `ssh-audit` against a fresh install reports no `[fail]` entries.",
"id": "GHSA-3m6q-h5gj-7mrw",
"modified": "2026-04-22T20:37:21Z",
"published": "2026-04-22T20:37:21Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/go-gitea/gitea/security/advisories/GHSA-3m6q-h5gj-7mrw"
},
{
"type": "PACKAGE",
"url": "https://github.com/go-gitea/gitea"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Gitea has insecure default SSH settings"
}
GHSA-3P4C-M632-JV39
Vulnerability from github – Published: 2025-12-30 18:30 – Updated: 2026-01-02 18:30Authentication Bypass in fosrl/pangolin v1.6.2 and before allows attackers to access Pangolin resource via Insecure Default Configuration
{
"affected": [],
"aliases": [
"CVE-2025-56332"
],
"database_specific": {
"cwe_ids": [
"CWE-1188"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-12-30T18:15:46Z",
"severity": "CRITICAL"
},
"details": "Authentication Bypass in fosrl/pangolin v1.6.2 and before allows attackers to access Pangolin resource via Insecure Default Configuration",
"id": "GHSA-3p4c-m632-jv39",
"modified": "2026-01-02T18:30:22Z",
"published": "2025-12-30T18:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-56332"
},
{
"type": "WEB",
"url": "https://gist.github.com/mrdgef/ef6fa41d69c0457874414c163d7d7d75"
},
{
"type": "WEB",
"url": "https://github.com/fosrl/pangolin"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3R2P-7499-27Q3
Vulnerability from github – Published: 2026-05-13 21:32 – Updated: 2026-05-13 21:32When using an IPv6 allow-list for the Auth Proxy feature, it defaults to /32 addresses. Addresses specifying a mask explicitly are not affected; to mitigate easily, add the desired mask (usually /128) to the addresses. Only auth proxy is affected; Okta, SAML, LDAP, etc are unaffected here.
{
"affected": [],
"aliases": [
"CVE-2026-33376"
],
"database_specific": {
"cwe_ids": [
"CWE-1188"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-13T20:16:20Z",
"severity": "HIGH"
},
"details": "When using an IPv6 allow-list for the Auth Proxy feature, it defaults to /32 addresses. Addresses specifying a mask explicitly are not affected; to mitigate easily, add the desired mask (usually /128) to the addresses. Only auth proxy is affected; Okta, SAML, LDAP, etc are unaffected here.",
"id": "GHSA-3r2p-7499-27q3",
"modified": "2026-05-13T21:32:06Z",
"published": "2026-05-13T21:32:06Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33376"
},
{
"type": "WEB",
"url": "https://grafana.com/security/security-advisories/cve-2026-33376"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-3R8P-3X67-72V8
Vulnerability from github – Published: 2023-12-05 18:30 – Updated: 2025-10-22 00:32Unitronics Vision Series PLCs and HMIs use default administrative passwords. An unauthenticated attacker with network access to a PLC or HMI can take administrative control of the system.
{
"affected": [],
"aliases": [
"CVE-2023-6448"
],
"database_specific": {
"cwe_ids": [
"CWE-1188",
"CWE-798"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-12-05T18:15:12Z",
"severity": "CRITICAL"
},
"details": "Unitronics Vision Series PLCs and HMIs use default administrative passwords. An unauthenticated attacker with network access to a PLC or HMI can take administrative control of the system.",
"id": "GHSA-3r8p-3x67-72v8",
"modified": "2025-10-22T00:32:57Z",
"published": "2023-12-05T18:30:23Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6448"
},
{
"type": "WEB",
"url": "https://downloads.unitronicsplc.com/Sites/plc/Technical_Library/Unitronics-Cybersecurity-Advisory-2023-001-CVE-2023-6448.pdf"
},
{
"type": "WEB",
"url": "https://downloads.unitronicsplc.com/Sites/plc/Visilogic/Version_Changes-Bug_Reports/VisiLogic%209.9.00%20Version%20changes.pdf"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-6448"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/alerts/2023/11/28/exploitation-unitronics-plcs-used-water-and-wastewater-systems"
},
{
"type": "WEB",
"url": "https://www.unitronicsplc.com/cyber_security_vision-samba"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-3R9Q-7HFF-7FM4
Vulnerability from github – Published: 2026-04-09 21:31 – Updated: 2026-04-28 18:30OpenPLC_V3 is vulnerable to an Initialization of a Resource with an Insecure Default vulnerability which could allow an attacker to gain access to the system by bypassing authentication via an API.
{
"affected": [],
"aliases": [
"CVE-2026-28205"
],
"database_specific": {
"cwe_ids": [
"CWE-1188"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-09T19:16:23Z",
"severity": "CRITICAL"
},
"details": "OpenPLC_V3 is vulnerable to an Initialization of a Resource with an Insecure Default vulnerability which could allow an attacker to gain access to the system by bypassing authentication via an API.",
"id": "GHSA-3r9q-7hff-7fm4",
"modified": "2026-04-28T18:30:26Z",
"published": "2026-04-09T21:31:29Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28205"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-345-10"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
No mitigation information available for this CWE.
CAPEC-665: Exploitation of Thunderbolt Protection Flaws
An adversary leverages a firmware weakness within the Thunderbolt protocol, on a computing device to manipulate Thunderbolt controller firmware in order to exploit vulnerabilities in the implementation of authorization and verification schemes within Thunderbolt protection mechanisms. Upon gaining physical access to a target device, the adversary conducts high-level firmware manipulation of the victim Thunderbolt controller SPI (Serial Peripheral Interface) flash, through the use of a SPI Programing device and an external Thunderbolt device, typically as the target device is booting up. If successful, this allows the adversary to modify memory, subvert authentication mechanisms, spoof identities and content, and extract data and memory from the target device. Currently 7 major vulnerabilities exist within Thunderbolt protocol with 9 attack vectors as noted in the Execution Flow.