Skip to main content

CWE-453

Insecure Default Variable Initialization

11 CVEs Avg CVSS 7.3 MITRE
2
CRITICAL
6
HIGH
2
MEDIUM
1
LOW
2
POC
0
KEV

Monthly

CVE-2026-0082 CRITICAL Act Now

Local privilege escalation in Google Android's NFC subsystem allows unprivileged local apps to gain special app access permissions without user interaction, due to an insecure default value in NfcDispatcher.tryStartActivity. Affected Android builds are covered by the Android Security Bulletin (android-17 reference). No public exploit identified at time of analysis; tagged as Privilege Escalation by the Android reporter.

Privilege Escalation
NVD VulDB
CVSS 4.0
10.0
EPSS
0.2%
CVE-2026-41330 npm LOW PATCH Monitor

OpenClaw before version 2026.3.31 fails to sanitize environment variables in its host exec policy, allowing authenticated local attackers to override proxy, TLS, Docker, and Git TLS security controls. An attacker with local access and limited privileges can bypass intended security restrictions by injecting malicious environment variables, potentially disabling certificate verification or redirecting traffic through unauthorized proxies. No public exploit code has been identified, and the vulnerability requires process interaction (AT:P) to trigger.

Authentication Bypass Docker
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2025-48563 HIGH This Week

In onNullBinding of RemoteFillService.java, there is a possible background activity launch due to an insecure default value. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Android Google
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2025-47945 CRITICAL POC PATCH Act Now

Donetick an open-source app for managing tasks and chores. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Donetick
NVD GitHub
CVSS 3.1
9.1
EPSS
0.3%
CVE-2024-49120 HIGH This Week

Windows Remote Desktop Services Remote Code Execution Vulnerability. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

RCE Microsoft Windows Server 2012 Windows Server 2016 Windows Server 2019 +3
NVD
CVSS 3.1
8.1
EPSS
1.1%
CVE-2024-41255 Go HIGH This Week

filestash v0.4 is configured to skip TLS certificate verification when using the FTPS protocol, possibly allowing attackers to execute a man-in-the-middle attack via the Init function of index.go. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Filestash
NVD GitHub
CVSS 3.1
7.5
EPSS
0.3%
CVE-2024-39916 MEDIUM PATCH This Month

FOG is a free open-source cloning/imaging/rescue suite/inventory management system. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Fogproject
NVD GitHub
CVSS 3.1
6.4
EPSS
0.3%
CVE-2024-21411 HIGH This Week

Skype for Consumer Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Skype
NVD
CVSS 3.1
8.8
EPSS
2.6%
CVE-2023-27516 HIGH POC PATCH This Week

An authentication bypass vulnerability exists in the CiRpcAccepted() functionality of SoftEther VPN 4.41-9782-beta and 5.01.9674. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.

Authentication Bypass Vpn
NVD
CVSS 3.1
7.8
EPSS
0.5%
CVE-2022-46831 MEDIUM This Month

In JetBrains TeamCity between 2022.10 and 2022.10.1 connecting to AWS using the "Default Credential Provider Chain" allowed TeamCity project administrators to access AWS resources normally limited to. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Teamcity
NVD
CVSS 3.1
4.9
EPSS
0.4%
EPSS 0% CVSS 10.0
CRITICAL Act Now

Local privilege escalation in Google Android's NFC subsystem allows unprivileged local apps to gain special app access permissions without user interaction, due to an insecure default value in NfcDispatcher.tryStartActivity. Affected Android builds are covered by the Android Security Bulletin (android-17 reference). No public exploit identified at time of analysis; tagged as Privilege Escalation by the Android reporter.

Privilege Escalation
NVD VulDB
EPSS 0% CVSS 2.0
LOW PATCH Monitor

OpenClaw before version 2026.3.31 fails to sanitize environment variables in its host exec policy, allowing authenticated local attackers to override proxy, TLS, Docker, and Git TLS security controls. An attacker with local access and limited privileges can bypass intended security restrictions by injecting malicious environment variables, potentially disabling certificate verification or redirecting traffic through unauthorized proxies. No public exploit code has been identified, and the vulnerability requires process interaction (AT:P) to trigger.

Authentication Bypass Docker
NVD GitHub VulDB
EPSS 0% CVSS 7.8
HIGH This Week

In onNullBinding of RemoteFillService.java, there is a possible background activity launch due to an insecure default value. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. No vendor patch available.

Privilege Escalation Android Google
NVD
EPSS 0% CVSS 9.1
CRITICAL POC PATCH Act Now

Donetick an open-source app for managing tasks and chores. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Donetick
NVD GitHub
EPSS 1% CVSS 8.1
HIGH This Week

Windows Remote Desktop Services Remote Code Execution Vulnerability. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

RCE Microsoft Windows Server 2012 +5
NVD
EPSS 0% CVSS 7.5
HIGH This Week

filestash v0.4 is configured to skip TLS certificate verification when using the FTPS protocol, possibly allowing attackers to execute a man-in-the-middle attack via the Init function of index.go. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required. No vendor patch available.

Information Disclosure Filestash
NVD GitHub
EPSS 0% CVSS 6.4
MEDIUM PATCH This Month

FOG is a free open-source cloning/imaging/rescue suite/inventory management system. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable, low attack complexity.

Information Disclosure Fogproject
NVD GitHub
EPSS 3% CVSS 8.8
HIGH This Week

Skype for Consumer Remote Code Execution Vulnerability. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

RCE Skype
NVD
EPSS 1% CVSS 7.8
HIGH POC PATCH This Week

An authentication bypass vulnerability exists in the CiRpcAccepted() functionality of SoftEther VPN 4.41-9782-beta and 5.01.9674. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.

Authentication Bypass Vpn
NVD
EPSS 0% CVSS 4.9
MEDIUM This Month

In JetBrains TeamCity between 2022.10 and 2022.10.1 connecting to AWS using the "Default Credential Provider Chain" allowed TeamCity project administrators to access AWS resources normally limited to. Rated medium severity (CVSS 4.9), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Information Disclosure Teamcity
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy