Skip to main content

CWE-665

Improper Initialization

233 CVEs Avg CVSS 6.4 MITRE
12
CRITICAL
88
HIGH
114
MEDIUM
17
LOW
30
POC
3
KEV

Monthly

CVE-2026-54409 HIGH PATCH This Week

Authentication bypass in Ubiquiti UniFi Protect Application (versions prior to 7.1.83) allows a network-adjacent attacker to circumvent authentication controls on UniFi Protect Cameras via an improper initialization flaw. The bypass yields total compromise of camera confidentiality, integrity, and availability, though exploitation depends on certain unspecified conditions and carries high attack complexity. No public exploit is identified at time of analysis, and EPSS probability is low (0.24%), consistent with the CISA SSVC assessment of no known exploitation.

Authentication Bypass Ubiquiti Unifi Protect Application
NVD
CVSS 3.1
8.1
EPSS
0.2%
CVE-2026-12539 MEDIUM PATCH This Month

ICMP egress policy bypass in Docker Sandboxes (sbx) allows untrusted workloads - explicitly including AI agents - to defeat the documented ICMP block and reach arbitrary external hosts after a Docker daemon restart. The authorizer enforcing the ICMP egress restriction is applied only at network-creation time and is never re-applied when the daemon reconstructs network state from disk on restart, leaving the policy unenforced for the lifetime of the rebuilt network. No public exploit has been identified at time of analysis, but the bypass enables network reconnaissance and covert-channel data exfiltration directly contradicting the sbx threat model, which treats sandbox workloads as adversarial.

Information Disclosure Docker
NVD GitHub VulDB
CVSS 4.0
5.7
EPSS
0.1%
CVE-2026-54279 PyPI LOW PATCH GHSA Monitor

Cookie scope escalation in aiohttp's CookieJar persistence layer causes host-only cookies to lose their host-restricted status after a save/load cycle, allowing them to be transmitted to subdomains that the original server never authorized to receive them. Applications using pip/aiohttp <= 3.14.0 that invoke CookieJar.save() and CookieJar.load() for session persistence are affected. No public exploit code has been identified at time of analysis, but the impact is information disclosure: sensitive cookies - including session tokens or authentication credentials - may be sent to unintended subdomain endpoints, violating the HTTP cookie scoping model.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
1.3
EPSS
0.3%
CVE-2025-35991 MEDIUM This Month

Improper initialization in the UEFI firmware for some Intel platforms within Ring 0: Bare Metal OS may allow an information disclosure. System software adversary with a privileged user combined with a high complexity attack may enable data exposure. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (none) and availability (none) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.

Intel Information Disclosure
NVD
CVSS 4.0
5.6
EPSS
0.0%
CVE-2026-0940 MEDIUM This Month

Improper BIOS initialization in certain ThinkPad models enables local privileged users to modify system data and execute arbitrary code with high integrity impact. The vulnerability requires elevated privileges and local access, posing a risk to organizations where administrative users may be compromised or untrusted. No patch is currently available.

NVD VulDB
CVSS 3.1
6.7
EPSS
0.0%
CVE-2025-66363 HIGH This Week

An issue was discovered in LBS in Samsung Mobile Processor Exynos 2200. There was no check for memory initialization within DL NAS Transport messages. [CVSS 7.5 HIGH]

Samsung Exynos 2200 Firmware
NVD
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-26958 Go PATCH Monitor

filippo.io/edwards25519 is a Go library implementing the edwards25519 elliptic curve with APIs for building cryptographic primitives. In versions 1.1.0 and earlier, MultiScalarMult produces invalid results or undefined behavior if the receiver is not the identity point.

Golang MySQL Github
NVD GitHub
EPSS
0.1%
CVE-2025-48509 Monitor

Missing Checks in certain functions related to RMP initialization can allow a local admin privileged attacker to cause misidentification of I/O memory, potentially resulting in a loss of guest memory integrity

Information Disclosure
NVD
EPSS
0.0%
CVE-2025-25058 LOW Monitor

Ethernet 800-Serie versions up to 2.2.2.0 contains a vulnerability that allows attackers to an information disclosure (CVSS 3.3).

Linux ESXi Information Disclosure
NVD
CVSS 3.1
3.3
EPSS
0.0%
CVE-2026-23553 LOW PATCH Monitor

In the context switch logic Xen attempts to skip an IBPB in the case of a vCPU returning to a CPU on which it was the previous vCPU to run. While safe for Xen's isolation between vCPUs, this prevents the guest kernel correctly isolating between tasks. [CVSS 2.9 LOW]

Linux
NVD
CVSS 3.1
2.9
EPSS
0.0%
EPSS 0% CVSS 8.1
HIGH PATCH This Week

Authentication bypass in Ubiquiti UniFi Protect Application (versions prior to 7.1.83) allows a network-adjacent attacker to circumvent authentication controls on UniFi Protect Cameras via an improper initialization flaw. The bypass yields total compromise of camera confidentiality, integrity, and availability, though exploitation depends on certain unspecified conditions and carries high attack complexity. No public exploit is identified at time of analysis, and EPSS probability is low (0.24%), consistent with the CISA SSVC assessment of no known exploitation.

Authentication Bypass Ubiquiti Unifi Protect Application
NVD
EPSS 0% CVSS 5.7
MEDIUM PATCH This Month

ICMP egress policy bypass in Docker Sandboxes (sbx) allows untrusted workloads - explicitly including AI agents - to defeat the documented ICMP block and reach arbitrary external hosts after a Docker daemon restart. The authorizer enforcing the ICMP egress restriction is applied only at network-creation time and is never re-applied when the daemon reconstructs network state from disk on restart, leaving the policy unenforced for the lifetime of the rebuilt network. No public exploit has been identified at time of analysis, but the bypass enables network reconnaissance and covert-channel data exfiltration directly contradicting the sbx threat model, which treats sandbox workloads as adversarial.

Information Disclosure Docker
NVD GitHub VulDB
EPSS 0% CVSS 1.3
LOW PATCH Monitor

Cookie scope escalation in aiohttp's CookieJar persistence layer causes host-only cookies to lose their host-restricted status after a save/load cycle, allowing them to be transmitted to subdomains that the original server never authorized to receive them. Applications using pip/aiohttp <= 3.14.0 that invoke CookieJar.save() and CookieJar.load() for session persistence are affected. No public exploit code has been identified at time of analysis, but the impact is information disclosure: sensitive cookies - including session tokens or authentication credentials - may be sent to unintended subdomain endpoints, violating the HTTP cookie scoping model.

Information Disclosure
NVD GitHub VulDB
EPSS 0% CVSS 5.6
MEDIUM This Month

Improper initialization in the UEFI firmware for some Intel platforms within Ring 0: Bare Metal OS may allow an information disclosure. System software adversary with a privileged user combined with a high complexity attack may enable data exposure. This result may potentially occur via local access when attack requirements are present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (high), integrity (none) and availability (none) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (none) impacts.

Intel Information Disclosure
NVD
EPSS 0% CVSS 6.7
MEDIUM This Month

Improper BIOS initialization in certain ThinkPad models enables local privileged users to modify system data and execute arbitrary code with high integrity impact. The vulnerability requires elevated privileges and local access, posing a risk to organizations where administrative users may be compromised or untrusted. No patch is currently available.

NVD VulDB
EPSS 0% CVSS 7.5
HIGH This Week

An issue was discovered in LBS in Samsung Mobile Processor Exynos 2200. There was no check for memory initialization within DL NAS Transport messages. [CVSS 7.5 HIGH]

Samsung Exynos 2200 Firmware
NVD
EPSS 0%
PATCH Monitor

filippo.io/edwards25519 is a Go library implementing the edwards25519 elliptic curve with APIs for building cryptographic primitives. In versions 1.1.0 and earlier, MultiScalarMult produces invalid results or undefined behavior if the receiver is not the identity point.

Golang MySQL Github
NVD GitHub
EPSS 0%
Monitor

Missing Checks in certain functions related to RMP initialization can allow a local admin privileged attacker to cause misidentification of I/O memory, potentially resulting in a loss of guest memory integrity

Information Disclosure
NVD
EPSS 0% CVSS 3.3
LOW Monitor

Ethernet 800-Serie versions up to 2.2.2.0 contains a vulnerability that allows attackers to an information disclosure (CVSS 3.3).

Linux ESXi Information Disclosure
NVD
EPSS 0% CVSS 2.9
LOW PATCH Monitor

In the context switch logic Xen attempts to skip an IBPB in the case of a vCPU returning to a CPU on which it was the previous vCPU to run. While safe for Xen's isolation between vCPUs, this prevents the guest kernel correctly isolating between tasks. [CVSS 2.9 LOW]

Linux
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy