Home/CWE/External Initialization of Trusted Variables or Data Stores
Weakness

External Initialization of Trusted Variables or Data Stores

CWE-454 · Base · Draft

The product initializes critical internal variables or data stores using inputs that can be modified by untrusted actors.

Extended description

A product system should be reluctant to trust variables that have been initialized outside of its trust boundary, especially if they are initialized by users. The variables may have been initialized incorrectly. If an attacker can initialize the variable, then they can influence what the vulnerable system will do.

Weakness Relationships

Where this weakness sits in the CWE hierarchy. Walk up to broader classes or down to more specific variants.
Parent of this (broader)
ChildOfCWE-1419 · Incorrect Initialization of Resource
Related
CanAlsoBeCWE-456 · Missing Initialization of a Variable

CVEs With This Weakness

2
CVEs tagged with this weakness.
CVECVE-2026-26148
CVECVE-2025-36244
External lookups - second-class, for what we don’t hold ourselves
MITRE CWE
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin