Common Weakness Enumeration

CWE-453

Allowed

Insecure Default Variable Initialization

Abstraction: Variant · Status: Draft

The product, by default, initializes an internal variable with an insecure or less secure value than is possible.

34 vulnerabilities reference this CWE, most recent first.

GHSA-9GP8-HJXR-6F34

Vulnerability from github – Published: 2026-04-03 02:57 – Updated: 2026-04-24 21:04
VLAI
Summary
OpenClaw: Host exec environment overrides miss proxy, TLS, Docker, and Git TLS controls
Details

Summary

Host exec environment overrides miss proxy, TLS, Docker, and Git TLS controls

Current Maintainer Triage

  • Status: open
  • Normalized severity: medium
  • Assessment: Real in shipped v2026.3.28: host exec env policy still missed proxy, TLS, Docker, and Git TLS variables until 4d912e0451 on 2026-03-31; maintainers already accepted it and the fix is unreleased.

Affected Packages / Versions

  • Package: openclaw (npm)
  • Latest published npm version: 2026.3.31
  • Vulnerable version range: <=2026.3.28
  • Patched versions: >= 2026.3.31
  • First stable tag containing the fix: v2026.3.31

Fix Commit(s)

  • 4d912e04519b4bd53b248437c53748cdebce9a41 — 2026-03-31T21:25:36+09:00

OpenClaw thanks @AntAISecurityLab for reporting.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2026.3.28"
      },
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.3.31"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-41330"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-269",
      "CWE-453"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-03T02:57:00Z",
    "nvd_published_at": "2026-04-21T00:16:31Z",
    "severity": "MODERATE"
  },
  "details": "## Summary\nHost exec environment overrides miss proxy, TLS, Docker, and Git TLS controls\n\n## Current Maintainer Triage\n- Status: open\n- Normalized severity: medium\n- Assessment: Real in shipped v2026.3.28: host exec env policy still missed proxy, TLS, Docker, and Git TLS variables until 4d912e0451 on 2026-03-31; maintainers already accepted it and the fix is unreleased.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Latest published npm version: `2026.3.31`\n- Vulnerable version range: `\u003c=2026.3.28`\n- Patched versions: `\u003e= 2026.3.31`\n- First stable tag containing the fix: `v2026.3.31`\n\n## Fix Commit(s)\n- `4d912e04519b4bd53b248437c53748cdebce9a41` \u2014 2026-03-31T21:25:36+09:00\n\nOpenClaw thanks @AntAISecurityLab for reporting.",
  "id": "GHSA-9gp8-hjxr-6f34",
  "modified": "2026-04-24T21:04:54Z",
  "published": "2026-04-03T02:57:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-9gp8-hjxr-6f34"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41330"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/4d912e04519b4bd53b248437c53748cdebce9a41"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.31"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-environment-variable-override-via-host-exec-policy"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw: Host exec environment overrides miss proxy, TLS, Docker, and Git TLS controls"
}

GHSA-C87V-83C9-MWGP

Vulnerability from github – Published: 2026-06-17 18:35 – Updated: 2026-06-17 18:35
VLAI
Details

In tryStartActivity of NfcDispatcher.java, there is a possible automatic special app access permission assignment due to an insecure default value. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-0082"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-453"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-17T13:19:26Z",
    "severity": "CRITICAL"
  },
  "details": "In tryStartActivity of NfcDispatcher.java, there is a possible automatic special app access permission assignment due to an insecure default value. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.",
  "id": "GHSA-c87v-83c9-mwgp",
  "modified": "2026-06-17T18:35:45Z",
  "published": "2026-06-17T18:35:45Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0082"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/docs/security/bulletin/android-17"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-CW58-3HPW-976J

Vulnerability from github – Published: 2023-10-12 18:30 – Updated: 2024-04-04 08:35
VLAI
Details

An authentication bypass vulnerability exists in the CiRpcAccepted() functionality of SoftEther VPN 4.41-9782-beta and 5.01.9674. A specially crafted network packet can lead to unauthorized access. An attacker can send a network request to trigger this vulnerability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-27516"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188",
      "CWE-453"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-10-12T16:15:11Z",
    "severity": "HIGH"
  },
  "details": "An authentication bypass vulnerability exists in the CiRpcAccepted() functionality of SoftEther VPN 4.41-9782-beta and 5.01.9674. A specially crafted network packet can lead to unauthorized access. An attacker can send a network request to trigger this vulnerability.",
  "id": "GHSA-cw58-3hpw-976j",
  "modified": "2024-04-04T08:35:52Z",
  "published": "2023-10-12T18:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27516"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2023-1754"
    },
    {
      "type": "WEB",
      "url": "https://www.softether.org/9-about/News/904-SEVPN202301"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-FXWF-4RQH-V8G3

Vulnerability from github – Published: 2021-01-20 21:22 – Updated: 2023-09-11 22:46
VLAI
Summary
CORS misconfiguration in socket.io
Details

The package socket.io before 2.4.0 are vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "socket.io"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.4.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-28481"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-346",
      "CWE-453"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2021-01-20T05:39:24Z",
    "nvd_published_at": "2021-01-19T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "The package socket.io before 2.4.0 are vulnerable to Insecure Defaults due to CORS Misconfiguration. All domains are whitelisted by default.",
  "id": "GHSA-fxwf-4rqh-v8g3",
  "modified": "2023-09-11T22:46:42Z",
  "published": "2021-01-20T21:22:37Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-28481"
    },
    {
      "type": "WEB",
      "url": "https://github.com/socketio/socket.io/issues/3671"
    },
    {
      "type": "WEB",
      "url": "https://github.com/socketio/socket.io/commit/f78a575f66ab693c3ea96ea88429ddb1a44c86c7"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1056358"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1056357"
    },
    {
      "type": "WEB",
      "url": "https://snyk.io/vuln/SNYK-JS-SOCKETIO-1024859"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "CORS misconfiguration in socket.io"
}

GHSA-G78M-XPJ3-3HWR

Vulnerability from github – Published: 2023-01-19 18:30 – Updated: 2025-11-04 21:30
VLAI
Details

An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary Javascript in posts, which allow privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request to inject Javascript in a post to trick an administrator into visiting the post.A stored XSS vulnerability exists in the facebook field for a user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-47195"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-453",
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-19T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary Javascript in posts, which allow privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request to inject Javascript in a post to trick an administrator into visiting the post.A stored XSS vulnerability exists in the `facebook` field for a user.",
  "id": "GHSA-g78m-xpj3-3hwr",
  "modified": "2025-11-04T21:30:28Z",
  "published": "2023-01-19T18:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47195"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1686"
    },
    {
      "type": "WEB",
      "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1686"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GFR8-QFH4-R5RC

Vulnerability from github – Published: 2023-01-19 18:30 – Updated: 2025-11-04 21:30
VLAI
Details

An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary Javascript in posts, which allow privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request to inject Javascript in a post to trick an administrator into visiting the post.A stored XSS vulnerability exists in the twitter field for a user.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-47194"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188",
      "CWE-453",
      "CWE-79"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-01-19T18:15:00Z",
    "severity": "MODERATE"
  },
  "details": "An insecure default vulnerability exists in the Post Creation functionality of Ghost Foundation Ghost 5.9.4. Default installations of Ghost allow non-administrator users to inject arbitrary Javascript in posts, which allow privilege escalation to administrator via XSS. To trigger this vulnerability, an attacker can send an HTTP request to inject Javascript in a post to trick an administrator into visiting the post.A stored XSS vulnerability exists in the `twitter` field for a user.",
  "id": "GHSA-gfr8-qfh4-r5rc",
  "modified": "2025-11-04T21:30:28Z",
  "published": "2023-01-19T18:30:21Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-47194"
    },
    {
      "type": "WEB",
      "url": "https://talosintelligence.com/vulnerability_reports/TALOS-2022-1686"
    },
    {
      "type": "WEB",
      "url": "https://www.talosintelligence.com/vulnerability_reports/TALOS-2022-1686"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-GRW3-HJJM-5CJM

Vulnerability from github – Published: 2022-05-14 02:38 – Updated: 2023-09-22 22:27
VLAI
Summary
DotNetNuke Default Machine Key Exposure
Details

DotNetNuke before 4.8.2, during installation or upgrade, does not warn the administrator when the default (1) ValidationKey and (2) DecryptionKey values cannot be modified in the web.config file, which allows remote attackers to bypass intended access restrictions by using the default keys.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "DotNetNuke.Core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.8.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2008-6540"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-453"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-09-22T22:27:09Z",
    "nvd_published_at": "2009-03-30T01:30:00Z",
    "severity": "MODERATE"
  },
  "details": "DotNetNuke before 4.8.2, during installation or upgrade, does not warn the administrator when the default (1) ValidationKey and (2) DecryptionKey values cannot be modified in the web.config file, which allows remote attackers to bypass intended access restrictions by using the default keys.",
  "id": "GHSA-grw3-hjjm-5cjm",
  "modified": "2023-09-22T22:27:09Z",
  "published": "2022-05-14T02:38:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-6540"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/41399"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/dnnsoftware/Dnn.Platform"
    },
    {
      "type": "WEB",
      "url": "http://osvdb.org/43720"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/29488"
    },
    {
      "type": "WEB",
      "url": "http://www.dotnetnuke.com/News/SecurityBulletins/SecurityBulletinno12/tabid/1148/Default.aspx"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/489957/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/28391"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "DotNetNuke Default Machine Key Exposure"
}

GHSA-J37R-C8V9-736Q

Vulnerability from github – Published: 2022-12-08 18:30 – Updated: 2022-12-12 18:30
VLAI
Details

A flaw was found in Openshift. A pod with a DNSPolicy of "ClusterFirst" may incorrectly resolve the hostname based on a service provided. This flaw allows an attacker to supply an incorrect name with the DNS search policy, affecting confidentiality and availability.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2022-3262"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1188",
      "CWE-453"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2022-12-08T16:15:00Z",
    "severity": "HIGH"
  },
  "details": "A flaw was found in Openshift. A pod with a DNSPolicy of \"ClusterFirst\" may incorrectly resolve the hostname based on a service provided. This flaw allows an attacker to supply an incorrect name with the DNS search policy, affecting confidentiality and availability.",
  "id": "GHSA-j37r-c8v9-736q",
  "modified": "2022-12-12T18:30:29Z",
  "published": "2022-12-08T18:30:49Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3262"
    },
    {
      "type": "WEB",
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2128858"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-J752-CJCJ-W847

Vulnerability from github – Published: 2025-04-15 14:17 – Updated: 2025-04-23 15:09
VLAI
Summary
Dpanel's hard-coded JWT secret leads to remote code execution
Details

Summary

The Dpanel service contains a hardcoded JWT secret in its default configuration, allowing attackers to generate valid JWT tokens and compromise the host machine.

Details

The Dpanel service, when initiated using its default configuration, includes a hardcoded JWT secret embedded directly within its source code. This security flaw allows attackers to analyze the source code, discover the embedded secret, and craft legitimate JWT tokens. By forging these tokens, an attacker can successfully bypass authentication mechanisms, impersonate privileged users, and gain unauthorized administrative access. Consequently, this enables full control over the host machine, potentially leading to severe consequences such as sensitive data exposure, unauthorized command execution, privilege escalation, or further lateral movement within the network environment. It is recommended to replace the hardcoded secret with a securely generated value and load it from secure configuration storage to mitigate this vulnerability.

PoC

The core code snippet is shown below:

import jwt

def generate_jwt(appname):

    payload = {
        "SECRET_KEY":"SECRET_VALUE",
    }
    print("appname:", appname)
    print("payload:", str(payload))
    token = jwt.encode(payload, SECRET_KEY.format(APP_NAME=appname), algorithm="HS256")
    return token

appname = "SECRET_KEY"
token = generate_jwt(appname)
print("url token:", token)

Impact

Attackers who successfully exploit this vulnerability can write arbitrary files to the host machine's file system, and all users with Dpanel versions less than 1.6.1 are affected.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/donknap/dpanel"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-30206"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-321",
      "CWE-453",
      "CWE-547"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-15T14:17:25Z",
    "nvd_published_at": "2025-04-15T20:15:39Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\nThe Dpanel service contains a hardcoded JWT secret in its default configuration, allowing attackers to generate valid JWT tokens and compromise the host machine.\n\n### Details\nThe Dpanel service, when initiated using its default configuration, includes a hardcoded JWT secret embedded directly within its source code. This security flaw allows attackers to analyze the source code, discover the embedded secret, and craft legitimate JWT tokens. By forging these tokens, an attacker can successfully bypass authentication mechanisms, impersonate privileged users, and gain unauthorized administrative access. Consequently, this enables full control over the host machine, potentially leading to severe consequences such as sensitive data exposure, unauthorized command execution, privilege escalation, or further lateral movement within the network environment. It is recommended to replace the hardcoded secret with a securely generated value and load it from secure configuration storage to mitigate this vulnerability.\n\n\n### PoC\nThe core code snippet is shown below:\n```python\nimport jwt\n\ndef generate_jwt(appname):\n\n    payload = {\n        \"SECRET_KEY\"\uff1a\"SECRET_VALUE\",\n    }\n    print(\"appname:\", appname)\n    print(\"payload:\", str(payload))\n    token = jwt.encode(payload, SECRET_KEY.format(APP_NAME=appname), algorithm=\"HS256\")\n    return token\n\nappname = \"SECRET_KEY\"\ntoken = generate_jwt(appname)\nprint(\"url token:\", token)\n```\n\n### Impact\nAttackers who successfully exploit this vulnerability can write arbitrary files to the host machine\u0027s file system, and all users with Dpanel versions less than 1.6.1 are affected.",
  "id": "GHSA-j752-cjcj-w847",
  "modified": "2025-04-23T15:09:48Z",
  "published": "2025-04-15T14:17:25Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/donknap/dpanel/security/advisories/GHSA-j752-cjcj-w847"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30206"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/donknap/dpanel"
    },
    {
      "type": "WEB",
      "url": "https://pkg.go.dev/vuln/GO-2025-3612"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Dpanel\u0027s hard-coded JWT secret leads to remote code execution"
}

GHSA-PH86-JHC5-HXFW

Vulnerability from github – Published: 2025-09-04 21:31 – Updated: 2025-09-04 21:31
VLAI
Details

In onNullBinding of RemoteFillService.java, there is a possible background activity launch due to an insecure default value. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-48563"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-453"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-09-04T19:15:43Z",
    "severity": "HIGH"
  },
  "details": "In onNullBinding of RemoteFillService.java, there is a possible background activity launch due to an insecure default value. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.",
  "id": "GHSA-ph86-jhc5-hxfw",
  "modified": "2025-09-04T21:31:39Z",
  "published": "2025-09-04T21:31:38Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48563"
    },
    {
      "type": "WEB",
      "url": "https://android.googlesource.com/platform/frameworks/base/+/a6a570a6f4972c1dfea13c5fe3558805c1658991"
    },
    {
      "type": "WEB",
      "url": "https://source.android.com/security/bulletin/2025-09-01"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
System Configuration

Disable or change default settings when they can be used to abuse the system. Since those default settings are shipped with the product they are likely to be known by a potential attacker who is familiar with the product. For instance, default credentials should be changed or the associated accounts should be disabled.

No CAPEC attack patterns related to this CWE.