CWE-665
Improper Initialization
Description
The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.
Hierarchy (View 1000)
Related attack patterns (CAPEC)
CAPEC-26 · CAPEC-29
CVEs mapped to this weakness (114)
page 5 of 6

| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2025-48509 | — | Low | 0.12 | — | 0.00 | | Feb 10, 2026 | Missing Checks in certain functions related to RMP initialization can allow a local admin privileged attacker to cause misidentification of I/O memory, potentially resulting in a loss of guest memory integrity |
| CVE-2026-26958 | | Low | 0.04 | — | 0.00 | | Feb 19, 2026 | filippo.io/edwards25519 is a Go library implementing the edwards25519 elliptic curve with APIs for building cryptographic primitives. In versions 1.1.0 and earlier, MultiScalarMult produces invalid results or undefined behavior if the receiver is not the identity point. If… |
| CVE-2012-0012 | | | 0.01 | — | 0.17 | | Feb 14, 2012 | Microsoft Internet Explorer 9 does not properly handle the creation and initialization of string objects, which allows remote attackers to read data from arbitrary process-memory locations via a crafted web site, aka "Null Byte Information Disclosure Vulnerability." |
| CVE-1999-0993 | | | 0.01 | — | 0.07 | | Dec 13, 1999 | Modifications to ACLs (Access Control Lists) in Microsoft Exchange 5.5 do not take effect until the directory store cache is refreshed. |
| CVE-2026-54777 | | | 0.00 | — | — | | Jun 19, 2026 | Impact: CoreWCF NetNamedPipe transport accepts attach to a pre-existing named pipe instance, allowing local interception of NetNamedPipe traffic. NetNamedPipe creates a shared memory object based on the listening url, then generated a unique GUID for the named pipe it will be… |
| CVE-2026-54279 | | low | 0.00 | — | 0.00 | | Jun 15, 2026 | Summary: Host-only cookies that are saved with `CookieJar.save()` and then restored later with `CookieJar.load()` lose their host-only status. Impact: Host-only cookies that have been loaded from disk may get sent to subdomains that previously should have been… |
| CVE-2025-46553 | — | | 0.00 | — | 0.00 | | May 5, 2025 | @misskey-dev/summaly is a tool for getting a summary of a web page. Starting in version 3.0.1 and prior to version 5.2.1, a logic error in the main `summaly` function causes the `allowRedirects` option to never be passed to any plugins, and as a result, isn't enforced. Misskey… |
| CVE-2025-2149 | | | 0.00 | — | 0.00 | | Mar 10, 2025 | A vulnerability was found in PyTorch 2.6.0+cu124. It has been rated as problematic. Affected by this issue is the function nnq_Sigmoid of the component Quantized Sigmoid Module. The manipulation of the argument scale/zero_point leads to improper initialization. The attack needs… |
| CVE-2024-12289 | | | 0.00 | — | 0.00 | | Dec 12, 2024 | Boundary Community Edition and Boundary Enterprise (“Boundary”) incorrectly handle HTTP requests during the initialization of the Boundary controller, which may cause the Boundary server to terminate prematurely. Boundary is only vulnerable to this flaw during the… |
| CVE-2023-40349 | | | 0.00 | — | 0.01 | | Aug 16, 2023 | Jenkins Gogs Plugin 1.0.15 and earlier improperly initializes an option to secure its webhook endpoint, allowing unauthenticated attackers to trigger builds of jobs. |
| CVE-2023-22466 | | | 0.00 | — | 0.01 | | Jan 4, 2023 | Tokio is a runtime for writing applications with Rust. Starting with version 1.7.0 and prior to versions 1.18.4, 1.20.3, and 1.23.1, when configuring a Windows named pipe server, setting `pipe_mode` will reset `reject_remote_clients` to `false`. If the application has previously… |
| CVE-2022-46164 | | | 0.00 | — | 0.49 | | Dec 5, 2022 | NodeBB is an open source Node.js based forum software. Due to a plain object with a prototype being used in socket.io message handling a specially crafted payload can be used to impersonate other users and takeover accounts. This vulnerability has been patched in version 2.6.1.… |
| CVE-2022-39384 | | | 0.00 | — | 0.00 | | Nov 4, 2022 | OpenZeppelin Contracts is a library for secure smart contract development. Before version 4.4.1 but after 3.2.0, initializer functions that are invoked separate from contract creation (the most prominent example being minimal proxies) may be reentered if they make an untrusted… |
| CVE-2022-39284 | | | 0.00 | — | 0.01 | | Oct 6, 2022 | CodeIgniter is a PHP full-stack web framework. In versions prior to 4.2.7 setting `$secure` or `$httponly` value to `true` in `Config\Cookie` is not reflected in `set_cookie()` or `Response::setCookie()`. As a result cookie values are erroneously exposed to scripts. It should be… |
| CVE-2022-36061 | — | | 0.00 | — | 0.01 | | Sep 6, 2022 | Elrond go is the go implementation for the Elrond Network protocol. In versions prior to 1.3.35, read only calls between contracts can generate smart contracts results. For example, if contract A calls in read only mode contract B and the called function will make changes upon… |
| CVE-2022-36364 | — | | 0.00 | — | 0.02 | | Jul 28, 2022 | Apache Calcite Avatica JDBC driver creates HTTP client instances based on class names provided via `httpclient_impl` connection property; however, the driver does not verify if the class implements the expected interface before instantiating it, which can lead to code execution… |
| CVE-2021-46320 | | | 0.00 | — | 0.01 | | Feb 4, 2022 | In OpenZeppelin <=v4.4.0, initializer functions that are invoked separate from contract creation (the most prominent example being minimal proxies) may be reentered if they make an untrusted non-view external call. Once an initializer has finished running it can never be… |
| CVE-2022-21724 | — | | 0.00 | — | 0.03 | | Feb 2, 2022 | pgjdbc is the official PostgreSQL JDBC Driver. A security hole was found in the jdbc driver for postgresql database while doing security research. The system using the postgresql library will be attacked when an attacker controls the jdbc url or properties. pgjdbc instantiates plugin… |
| CVE-2022-22815 | — | | 0.00 | — | 0.03 | | Jan 7, 2022 | path_getbbox in path.c in Pillow before 9.0.0 improperly initializes ImagePath.Path. |
| CVE-2021-41264 | | | 0.00 | — | 0.01 | | Nov 12, 2021 | OpenZeppelin Contracts is a library for smart contract development. In affected versions upgradeable contracts using `UUPSUpgradeable` may be vulnerable to an attack affecting uninitialized implementation contracts. A fix is included in version 4.3.2 of `@openzeppelin/contracts`… |