CWE Data Browser

Comprehensive listing of all CWE views, categories, and weaknesses

Views (52)

ID Name Type Status
CWE-604 Deprecated Entries Implicit Draft
CWE-629 Weaknesses in OWASP Top Ten (2007) Graph Obsolete
CWE-635 Weaknesses Originally Used by NVD from 2008 to 2016 Explicit Obsolete
CWE-658 Weaknesses in Software Written in C Implicit Draft
CWE-659 Weaknesses in Software Written in C++ Implicit Draft
CWE-660 Weaknesses in Software Written in Java Implicit Draft
CWE-661 Weaknesses in Software Written in PHP Implicit Draft
CWE-677 Weakness Base Elements Implicit Draft
CWE-678 Composites Implicit Draft
CWE-699 Software Development Graph Draft
CWE-700 Seven Pernicious Kingdoms Graph Incomplete
CWE-701 Weaknesses Introduced During Design Implicit Incomplete
CWE-702 Weaknesses Introduced During Implementation Implicit Incomplete
CWE-709 Named Chains Implicit Incomplete
CWE-711 Weaknesses in OWASP Top Ten (2004) Graph Obsolete
CWE-734 Weaknesses Addressed by the CERT C Secure Coding Standard (2008) Graph Obsolete
CWE-750 Weaknesses in the 2009 CWE/SANS Top 25 Most Dangerous Programming Errors Graph Obsolete
CWE-800 Weaknesses in the 2010 CWE/SANS Top 25 Most Dangerous Programming Errors Graph Obsolete
CWE-809 Weaknesses in OWASP Top Ten (2010) Graph Obsolete
CWE-844 Weaknesses Addressed by The CERT Oracle Secure Coding Standard for Java (2011) Graph Obsolete
CWE-868 Weaknesses Addressed by the SEI CERT C++ Coding Standard (2016 Version) Graph Obsolete
CWE-884 CWE Cross-section Explicit Incomplete
CWE-888 Software Fault Pattern (SFP) Clusters Graph Incomplete
CWE-900 Weaknesses in the 2011 CWE/SANS Top 25 Most Dangerous Software Errors Graph Obsolete
CWE-919 Weaknesses in Mobile Applications Implicit Incomplete
CWE-928 Weaknesses in OWASP Top Ten (2013) Graph Obsolete
CWE-1000 Research Concepts Graph Draft
CWE-1003 Weaknesses for Simplified Mapping of Published Vulnerabilities Graph Incomplete
CWE-1008 Architectural Concepts Graph Incomplete
CWE-1026 Weaknesses in OWASP Top Ten (2017) Graph Incomplete
CWE-1040 Quality Weaknesses with Indirect Security Impacts Implicit Incomplete
CWE-1081 Entries with Maintenance Notes Implicit Draft
CWE-1128 CISQ Quality Measures (2016) Graph Incomplete
CWE-1133 Weaknesses Addressed by the SEI CERT Oracle Coding Standard for Java Graph Stable
CWE-1154 Weaknesses Addressed by the SEI CERT C Coding Standard Graph Stable
CWE-1178 Weaknesses Addressed by the SEI CERT Perl Coding Standard Graph Stable
CWE-1194 Hardware Design Graph Draft
CWE-1200 Weaknesses in the 2019 CWE Top 25 Most Dangerous Software Errors Graph Stable
CWE-1305 CISQ Quality Measures (2020) Graph Incomplete
CWE-1337 Weaknesses in the 2021 CWE Top 25 Most Dangerous Software Weaknesses Graph Stable
CWE-1340 CISQ Data Protection Measures Graph Incomplete
CWE-1343 Weaknesses in the 2021 CWE Most Important Hardware Weaknesses List Explicit Stable
CWE-1344 Weaknesses in OWASP Top Ten (2021) Graph Incomplete
CWE-1350 Weaknesses in the 2020 CWE Top 25 Most Dangerous Software Weaknesses Graph Stable
CWE-1358 Weaknesses in SEI ETF Categories of Security Vulnerabilities in ICS Graph Incomplete
CWE-1387 Weaknesses in the 2022 CWE Top 25 Most Dangerous Software Weaknesses Graph Draft
CWE-1400 Comprehensive Categorization for Software Assurance Trends Graph Draft
CWE-1424 Weaknesses Addressed by ISA/IEC 62443 Requirements Implicit Draft
CWE-1425 Weaknesses in the 2023 CWE Top 25 Most Dangerous Software Weaknesses Graph Draft
CWE-1430 Weaknesses in the 2024 CWE Top 25 Most Dangerous Software Weaknesses Graph Draft
CWE-1432 Weaknesses in the 2025 CWE Most Important Hardware Weaknesses List Graph Stable
CWE-2000 Comprehensive CWE Dictionary Implicit Draft

Categories (375)

ID Name Status
CWE-2 7PK - Environment Draft
CWE-16 Configuration Obsolete
CWE-19 Data Processing Errors Draft
CWE-133 String Errors Draft
CWE-136 Type Errors Draft
CWE-137 Data Neutralization Issues Draft
CWE-189 Numeric Errors Draft
CWE-199 Information Management Errors Draft
CWE-227 7PK - API Abuse Draft
CWE-251 Often Misused: String Management Incomplete
CWE-254 7PK - Security Features Incomplete
CWE-255 Credentials Management Errors Draft
CWE-264 Permissions, Privileges, and Access Controls Obsolete
CWE-265 Privilege Issues Incomplete
CWE-275 Permission Issues Draft
CWE-310 Cryptographic Issues Draft
CWE-320 Key Management Errors Obsolete
CWE-355 User Interface Security Issues Draft
CWE-361 7PK - Time and State Incomplete
CWE-371 State Issues Draft
CWE-387 Signal Errors Incomplete
CWE-388 7PK - Errors Draft
CWE-389 Error Conditions, Return Values, Status Codes Incomplete
CWE-398 7PK - Code Quality Draft
CWE-399 Resource Management Errors Draft
CWE-411 Resource Locking Problems Draft
CWE-417 Communication Channel Errors Draft
CWE-429 Handler Errors Draft
CWE-438 Behavioral Problems Draft
CWE-452 Initialization and Cleanup Errors Draft
CWE-465 Pointer Issues Draft
CWE-485 7PK - Encapsulation Draft
CWE-557 Concurrency Issues Draft
CWE-569 Expression Issues Draft
CWE-712 OWASP Top Ten 2007 Category A1 - Cross Site Scripting (XSS) Obsolete
CWE-713 OWASP Top Ten 2007 Category A2 - Injection Flaws Obsolete
CWE-714 OWASP Top Ten 2007 Category A3 - Malicious File Execution Obsolete
CWE-715 OWASP Top Ten 2007 Category A4 - Insecure Direct Object Reference Obsolete
CWE-716 OWASP Top Ten 2007 Category A5 - Cross Site Request Forgery (CSRF) Obsolete
CWE-717 OWASP Top Ten 2007 Category A6 - Information Leakage and Improper Error Handling Obsolete
CWE-718 OWASP Top Ten 2007 Category A7 - Broken Authentication and Session Management Obsolete
CWE-719 OWASP Top Ten 2007 Category A8 - Insecure Cryptographic Storage Obsolete
CWE-720 OWASP Top Ten 2007 Category A9 - Insecure Communications Obsolete
CWE-721 OWASP Top Ten 2007 Category A10 - Failure to Restrict URL Access Obsolete
CWE-722 OWASP Top Ten 2004 Category A1 - Unvalidated Input Obsolete
CWE-723 OWASP Top Ten 2004 Category A2 - Broken Access Control Obsolete
CWE-724 OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management Obsolete
CWE-725 OWASP Top Ten 2004 Category A4 - Cross-Site Scripting (XSS) Flaws Obsolete
CWE-726 OWASP Top Ten 2004 Category A5 - Buffer Overflows Obsolete
CWE-727 OWASP Top Ten 2004 Category A6 - Injection Flaws Obsolete
CWE-728 OWASP Top Ten 2004 Category A7 - Improper Error Handling Obsolete
CWE-729 OWASP Top Ten 2004 Category A8 - Insecure Storage Obsolete
CWE-730 OWASP Top Ten 2004 Category A9 - Denial of Service Obsolete
CWE-731 OWASP Top Ten 2004 Category A10 - Insecure Configuration Management Obsolete
CWE-735 CERT C Secure Coding Standard (2008) Chapter 2 - Preprocessor (PRE) Obsolete
CWE-736 CERT C Secure Coding Standard (2008) Chapter 3 - Declarations and Initialization (DCL) Obsolete
CWE-737 CERT C Secure Coding Standard (2008) Chapter 4 - Expressions (EXP) Obsolete
CWE-738 CERT C Secure Coding Standard (2008) Chapter 5 - Integers (INT) Obsolete
CWE-739 CERT C Secure Coding Standard (2008) Chapter 6 - Floating Point (FLP) Obsolete
CWE-740 CERT C Secure Coding Standard (2008) Chapter 7 - Arrays (ARR) Obsolete
CWE-741 CERT C Secure Coding Standard (2008) Chapter 8 - Characters and Strings (STR) Obsolete
CWE-742 CERT C Secure Coding Standard (2008) Chapter 9 - Memory Management (MEM) Obsolete
CWE-743 CERT C Secure Coding Standard (2008) Chapter 10 - Input Output (FIO) Obsolete
CWE-744 CERT C Secure Coding Standard (2008) Chapter 11 - Environment (ENV) Obsolete
CWE-745 CERT C Secure Coding Standard (2008) Chapter 12 - Signals (SIG) Obsolete
CWE-746 CERT C Secure Coding Standard (2008) Chapter 13 - Error Handling (ERR) Obsolete
CWE-747 CERT C Secure Coding Standard (2008) Chapter 14 - Miscellaneous (MSC) Obsolete
CWE-748 CERT C Secure Coding Standard (2008) Appendix - POSIX (POS) Obsolete
CWE-751 2009 Top 25 - Insecure Interaction Between Components Obsolete
CWE-752 2009 Top 25 - Risky Resource Management Obsolete
CWE-753 2009 Top 25 - Porous Defenses Obsolete
CWE-801 2010 Top 25 - Insecure Interaction Between Components Obsolete
CWE-802 2010 Top 25 - Risky Resource Management Obsolete
CWE-803 2010 Top 25 - Porous Defenses Obsolete
CWE-808 2010 Top 25 - Weaknesses On the Cusp Obsolete
CWE-810 OWASP Top Ten 2010 Category A1 - Injection Obsolete
CWE-811 OWASP Top Ten 2010 Category A2 - Cross-Site Scripting (XSS) Obsolete
CWE-812 OWASP Top Ten 2010 Category A3 - Broken Authentication and Session Management Obsolete
CWE-813 OWASP Top Ten 2010 Category A4 - Insecure Direct Object References Obsolete
CWE-814 OWASP Top Ten 2010 Category A5 - Cross-Site Request Forgery(CSRF) Obsolete
CWE-815 OWASP Top Ten 2010 Category A6 - Security Misconfiguration Obsolete
CWE-816 OWASP Top Ten 2010 Category A7 - Insecure Cryptographic Storage Obsolete
CWE-817 OWASP Top Ten 2010 Category A8 - Failure to Restrict URL Access Obsolete
CWE-818 OWASP Top Ten 2010 Category A9 - Insufficient Transport Layer Protection Obsolete
CWE-819 OWASP Top Ten 2010 Category A10 - Unvalidated Redirects and Forwards Obsolete
CWE-840 Business Logic Errors Incomplete
CWE-845 The CERT Oracle Secure Coding Standard for Java (2011) Chapter 2 - Input Validation and Data Sanitization (IDS) Obsolete
CWE-846 The CERT Oracle Secure Coding Standard for Java (2011) Chapter 3 - Declarations and Initialization (DCL) Obsolete
CWE-847 The CERT Oracle Secure Coding Standard for Java (2011) Chapter 4 - Expressions (EXP) Obsolete
CWE-848 The CERT Oracle Secure Coding Standard for Java (2011) Chapter 5 - Numeric Types and Operations (NUM) Obsolete
CWE-849 The CERT Oracle Secure Coding Standard for Java (2011) Chapter 6 - Object Orientation (OBJ) Obsolete
CWE-850 The CERT Oracle Secure Coding Standard for Java (2011) Chapter 7 - Methods (MET) Obsolete
CWE-851 The CERT Oracle Secure Coding Standard for Java (2011) Chapter 8 - Exceptional Behavior (ERR) Obsolete
CWE-852 The CERT Oracle Secure Coding Standard for Java (2011) Chapter 9 - Visibility and Atomicity (VNA) Obsolete
CWE-853 The CERT Oracle Secure Coding Standard for Java (2011) Chapter 10 - Locking (LCK) Obsolete
CWE-854 The CERT Oracle Secure Coding Standard for Java (2011) Chapter 11 - Thread APIs (THI) Obsolete
CWE-855 The CERT Oracle Secure Coding Standard for Java (2011) Chapter 12 - Thread Pools (TPS) Obsolete
CWE-856 The CERT Oracle Secure Coding Standard for Java (2011) Chapter 13 - Thread-Safety Miscellaneous (TSM) Obsolete
CWE-857 The CERT Oracle Secure Coding Standard for Java (2011) Chapter 14 - Input Output (FIO) Obsolete
CWE-858 The CERT Oracle Secure Coding Standard for Java (2011) Chapter 15 - Serialization (SER) Obsolete
CWE-859 The CERT Oracle Secure Coding Standard for Java (2011) Chapter 16 - Platform Security (SEC) Obsolete
CWE-860 The CERT Oracle Secure Coding Standard for Java (2011) Chapter 17 - Runtime Environment (ENV) Obsolete
CWE-861 The CERT Oracle Secure Coding Standard for Java (2011) Chapter 18 - Miscellaneous (MSC) Obsolete
CWE-864 2011 Top 25 - Insecure Interaction Between Components Obsolete
CWE-865 2011 Top 25 - Risky Resource Management Obsolete
CWE-866 2011 Top 25 - Porous Defenses Obsolete
CWE-867 2011 Top 25 - Weaknesses On the Cusp Obsolete
CWE-869 CERT C++ Secure Coding Section 01 - Preprocessor (PRE) Incomplete
CWE-870 CERT C++ Secure Coding Section 02 - Declarations and Initialization (DCL) Incomplete
CWE-871 CERT C++ Secure Coding Section 03 - Expressions (EXP) Incomplete
CWE-872 CERT C++ Secure Coding Section 04 - Integers (INT) Incomplete
CWE-873 CERT C++ Secure Coding Section 05 - Floating Point Arithmetic (FLP) Incomplete
CWE-874 CERT C++ Secure Coding Section 06 - Arrays and the STL (ARR) Incomplete
CWE-875 CERT C++ Secure Coding Section 07 - Characters and Strings (STR) Incomplete
CWE-876 CERT C++ Secure Coding Section 08 - Memory Management (MEM) Incomplete
CWE-877 CERT C++ Secure Coding Section 09 - Input Output (FIO) Incomplete
CWE-878 CERT C++ Secure Coding Section 10 - Environment (ENV) Incomplete
CWE-879 CERT C++ Secure Coding Section 11 - Signals (SIG) Incomplete
CWE-880 CERT C++ Secure Coding Section 12 - Exceptions and Error Handling (ERR) Incomplete
CWE-881 CERT C++ Secure Coding Section 13 - Object Oriented Programming (OOP) Incomplete
CWE-882 CERT C++ Secure Coding Section 14 - Concurrency (CON) Incomplete
CWE-883 CERT C++ Secure Coding Section 49 - Miscellaneous (MSC) Incomplete
CWE-885 SFP Primary Cluster: Risky Values Incomplete
CWE-886 SFP Primary Cluster: Unused entities Incomplete
CWE-887 SFP Primary Cluster: API Incomplete
CWE-889 SFP Primary Cluster: Exception Management Incomplete
CWE-890 SFP Primary Cluster: Memory Access Incomplete
CWE-891 SFP Primary Cluster: Memory Management Incomplete
CWE-892 SFP Primary Cluster: Resource Management Incomplete
CWE-893 SFP Primary Cluster: Path Resolution Incomplete
CWE-894 SFP Primary Cluster: Synchronization Incomplete
CWE-895 SFP Primary Cluster: Information Leak Incomplete
CWE-896 SFP Primary Cluster: Tainted Input Incomplete
CWE-897 SFP Primary Cluster: Entry Points Incomplete
CWE-898 SFP Primary Cluster: Authentication Incomplete
CWE-899 SFP Primary Cluster: Access Control Incomplete
CWE-901 SFP Primary Cluster: Privilege Incomplete
CWE-902 SFP Primary Cluster: Channel Incomplete
CWE-903 SFP Primary Cluster: Cryptography Incomplete
CWE-904 SFP Primary Cluster: Malware Incomplete
CWE-905 SFP Primary Cluster: Predictability Incomplete
CWE-906 SFP Primary Cluster: UI Incomplete
CWE-907 SFP Primary Cluster: Other Incomplete
CWE-929 OWASP Top Ten 2013 Category A1 - Injection Obsolete
CWE-930 OWASP Top Ten 2013 Category A2 - Broken Authentication and Session Management Obsolete
CWE-931 OWASP Top Ten 2013 Category A3 - Cross-Site Scripting (XSS) Obsolete
CWE-932 OWASP Top Ten 2013 Category A4 - Insecure Direct Object References Obsolete
CWE-933 OWASP Top Ten 2013 Category A5 - Security Misconfiguration Obsolete
CWE-934 OWASP Top Ten 2013 Category A6 - Sensitive Data Exposure Obsolete
CWE-935 OWASP Top Ten 2013 Category A7 - Missing Function Level Access Control Obsolete
CWE-936 OWASP Top Ten 2013 Category A8 - Cross-Site Request Forgery (CSRF) Obsolete
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities Obsolete
CWE-938 OWASP Top Ten 2013 Category A10 - Unvalidated Redirects and Forwards Obsolete
CWE-944 SFP Secondary Cluster: Access Management Incomplete
CWE-945 SFP Secondary Cluster: Insecure Resource Access Incomplete
CWE-946 SFP Secondary Cluster: Insecure Resource Permissions Incomplete
CWE-947 SFP Secondary Cluster: Authentication Bypass Incomplete
CWE-948 SFP Secondary Cluster: Digital Certificate Incomplete
CWE-949 SFP Secondary Cluster: Faulty Endpoint Authentication Incomplete
CWE-950 SFP Secondary Cluster: Hardcoded Sensitive Data Incomplete
CWE-951 SFP Secondary Cluster: Insecure Authentication Policy Incomplete
CWE-952 SFP Secondary Cluster: Missing Authentication Incomplete
CWE-953 SFP Secondary Cluster: Missing Endpoint Authentication Incomplete
CWE-954 SFP Secondary Cluster: Multiple Binds to the Same Port Incomplete
CWE-955 SFP Secondary Cluster: Unrestricted Authentication Incomplete
CWE-956 SFP Secondary Cluster: Channel Attack Incomplete
CWE-957 SFP Secondary Cluster: Protocol Error Incomplete
CWE-958 SFP Secondary Cluster: Broken Cryptography Incomplete
CWE-959 SFP Secondary Cluster: Weak Cryptography Incomplete
CWE-960 SFP Secondary Cluster: Ambiguous Exception Type Incomplete
CWE-961 SFP Secondary Cluster: Incorrect Exception Behavior Incomplete
CWE-962 SFP Secondary Cluster: Unchecked Status Condition Incomplete
CWE-963 SFP Secondary Cluster: Exposed Data Incomplete
CWE-964 SFP Secondary Cluster: Exposure Temporary File Incomplete
CWE-965 SFP Secondary Cluster: Insecure Session Management Incomplete
CWE-966 SFP Secondary Cluster: Other Exposures Incomplete
CWE-967 SFP Secondary Cluster: State Disclosure Incomplete
CWE-968 SFP Secondary Cluster: Covert Channel Incomplete
CWE-969 SFP Secondary Cluster: Faulty Memory Release Incomplete
CWE-970 SFP Secondary Cluster: Faulty Buffer Access Incomplete
CWE-971 SFP Secondary Cluster: Faulty Pointer Use Incomplete
CWE-972 SFP Secondary Cluster: Faulty String Expansion Incomplete
CWE-973 SFP Secondary Cluster: Improper NULL Termination Incomplete
CWE-974 SFP Secondary Cluster: Incorrect Buffer Length Computation Incomplete
CWE-975 SFP Secondary Cluster: Architecture Incomplete
CWE-976 SFP Secondary Cluster: Compiler Incomplete
CWE-977 SFP Secondary Cluster: Design Incomplete
CWE-978 SFP Secondary Cluster: Implementation Incomplete
CWE-979 SFP Secondary Cluster: Failed Chroot Jail Incomplete
CWE-980 SFP Secondary Cluster: Link in Resource Name Resolution Incomplete
CWE-981 SFP Secondary Cluster: Path Traversal Incomplete
CWE-982 SFP Secondary Cluster: Failure to Release Resource Incomplete
CWE-983 SFP Secondary Cluster: Faulty Resource Use Incomplete
CWE-984 SFP Secondary Cluster: Life Cycle Incomplete
CWE-985 SFP Secondary Cluster: Unrestricted Consumption Incomplete
CWE-986 SFP Secondary Cluster: Missing Lock Incomplete
CWE-987 SFP Secondary Cluster: Multiple Locks/Unlocks Incomplete
CWE-988 SFP Secondary Cluster: Race Condition Window Incomplete
CWE-989 SFP Secondary Cluster: Unrestricted Lock Incomplete
CWE-990 SFP Secondary Cluster: Tainted Input to Command Incomplete
CWE-991 SFP Secondary Cluster: Tainted Input to Environment Incomplete
CWE-992 SFP Secondary Cluster: Faulty Input Transformation Incomplete
CWE-993 SFP Secondary Cluster: Incorrect Input Handling Incomplete
CWE-994 SFP Secondary Cluster: Tainted Input to Variable Incomplete
CWE-995 SFP Secondary Cluster: Feature Incomplete
CWE-996 SFP Secondary Cluster: Security Incomplete
CWE-997 SFP Secondary Cluster: Information Loss Incomplete
CWE-998 SFP Secondary Cluster: Glitch in Computation Incomplete
CWE-1001 SFP Secondary Cluster: Use of an Improper API Incomplete
CWE-1002 SFP Secondary Cluster: Unexpected Entry Points Incomplete
CWE-1005 7PK - Input Validation and Representation Draft
CWE-1006 Bad Coding Practices Draft
CWE-1009 Audit Draft
CWE-1010 Authenticate Actors Draft
CWE-1011 Authorize Actors Draft
CWE-1012 Cross Cutting Draft
CWE-1013 Encrypt Data Draft
CWE-1014 Identify Actors Draft
CWE-1015 Limit Access Draft
CWE-1016 Limit Exposure Draft
CWE-1017 Lock Computer Draft
CWE-1018 Manage User Sessions Draft
CWE-1019 Validate Inputs Draft
CWE-1020 Verify Message Integrity Draft
CWE-1027 OWASP Top Ten 2017 Category A1 - Injection Incomplete
CWE-1028 OWASP Top Ten 2017 Category A2 - Broken Authentication Incomplete
CWE-1029 OWASP Top Ten 2017 Category A3 - Sensitive Data Exposure Incomplete
CWE-1030 OWASP Top Ten 2017 Category A4 - XML External Entities (XXE) Incomplete
CWE-1031 OWASP Top Ten 2017 Category A5 - Broken Access Control Incomplete
CWE-1032 OWASP Top Ten 2017 Category A6 - Security Misconfiguration Incomplete
CWE-1033 OWASP Top Ten 2017 Category A7 - Cross-Site Scripting (XSS) Incomplete
CWE-1034 OWASP Top Ten 2017 Category A8 - Insecure Deserialization Incomplete
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities Incomplete
CWE-1036 OWASP Top Ten 2017 Category A10 - Insufficient Logging & Monitoring Incomplete
CWE-1129 CISQ Quality Measures (2016) - Reliability Draft
CWE-1130 CISQ Quality Measures (2016) - Maintainability Draft
CWE-1131 CISQ Quality Measures (2016) - Security Draft
CWE-1132 CISQ Quality Measures (2016) - Performance Efficiency Draft
CWE-1134 SEI CERT Oracle Secure Coding Standard for Java - Guidelines 00. Input Validation and Data Sanitization (IDS) Stable
CWE-1135 SEI CERT Oracle Secure Coding Standard for Java - Guidelines 01. Declarations and Initialization (DCL) Stable
CWE-1136 SEI CERT Oracle Secure Coding Standard for Java - Guidelines 02. Expressions (EXP) Stable
CWE-1137 SEI CERT Oracle Secure Coding Standard for Java - Guidelines 03. Numeric Types and Operations (NUM) Stable
CWE-1138 SEI CERT Oracle Secure Coding Standard for Java - Guidelines 04. Characters and Strings (STR) Stable
CWE-1139 SEI CERT Oracle Secure Coding Standard for Java - Guidelines 05. Object Orientation (OBJ) Stable
CWE-1140 SEI CERT Oracle Secure Coding Standard for Java - Guidelines 06. Methods (MET) Stable
CWE-1141 SEI CERT Oracle Secure Coding Standard for Java - Guidelines 07. Exceptional Behavior (ERR) Stable
CWE-1142 SEI CERT Oracle Secure Coding Standard for Java - Guidelines 08. Visibility and Atomicity (VNA) Stable
CWE-1143 SEI CERT Oracle Secure Coding Standard for Java - Guidelines 09. Locking (LCK) Stable
CWE-1144 SEI CERT Oracle Secure Coding Standard for Java - Guidelines 10. Thread APIs (THI) Stable
CWE-1145 SEI CERT Oracle Secure Coding Standard for Java - Guidelines 11. Thread Pools (TPS) Stable
CWE-1146 SEI CERT Oracle Secure Coding Standard for Java - Guidelines 12. Thread-Safety Miscellaneous (TSM) Stable
CWE-1147 SEI CERT Oracle Secure Coding Standard for Java - Guidelines 13. Input Output (FIO) Stable
CWE-1148 SEI CERT Oracle Secure Coding Standard for Java - Guidelines 14. Serialization (SER) Stable
CWE-1149 SEI CERT Oracle Secure Coding Standard for Java - Guidelines 15. Platform Security (SEC) Stable
CWE-1150 SEI CERT Oracle Secure Coding Standard for Java - Guidelines 16. Runtime Environment (ENV) Stable
CWE-1151 SEI CERT Oracle Secure Coding Standard for Java - Guidelines 17. Java Native Interface (JNI) Stable
CWE-1152 SEI CERT Oracle Secure Coding Standard for Java - Guidelines 49. Miscellaneous (MSC) Stable
CWE-1153 SEI CERT Oracle Secure Coding Standard for Java - Guidelines 50. Android (DRD) Stable
CWE-1155 SEI CERT C Coding Standard - Guidelines 01. Preprocessor (PRE) Stable
CWE-1156 SEI CERT C Coding Standard - Guidelines 02. Declarations and Initialization (DCL) Stable
CWE-1157 SEI CERT C Coding Standard - Guidelines 03. Expressions (EXP) Stable
CWE-1158 SEI CERT C Coding Standard - Guidelines 04. Integers (INT) Stable
CWE-1159 SEI CERT C Coding Standard - Guidelines 05. Floating Point (FLP) Stable
CWE-1160 SEI CERT C Coding Standard - Guidelines 06. Arrays (ARR) Stable
CWE-1161 SEI CERT C Coding Standard - Guidelines 07. Characters and Strings (STR) Stable
CWE-1162 SEI CERT C Coding Standard - Guidelines 08. Memory Management (MEM) Stable
CWE-1163 SEI CERT C Coding Standard - Guidelines 09. Input Output (FIO) Stable
CWE-1165 SEI CERT C Coding Standard - Guidelines 10. Environment (ENV) Stable
CWE-1166 SEI CERT C Coding Standard - Guidelines 11. Signals (SIG) Stable
CWE-1167 SEI CERT C Coding Standard - Guidelines 12. Error Handling (ERR) Stable
CWE-1168 SEI CERT C Coding Standard - Guidelines 13. Application Programming Interfaces (API) Stable
CWE-1169 SEI CERT C Coding Standard - Guidelines 14. Concurrency (CON) Stable
CWE-1170 SEI CERT C Coding Standard - Guidelines 48. Miscellaneous (MSC) Stable
CWE-1171 SEI CERT C Coding Standard - Guidelines 50. POSIX (POS) Stable
CWE-1172 SEI CERT C Coding Standard - Guidelines 51. Microsoft Windows (WIN) Stable
CWE-1175 SEI CERT Oracle Secure Coding Standard for Java - Guidelines 18. Concurrency (CON) Stable
CWE-1179 SEI CERT Perl Coding Standard - Guidelines 01. Input Validation and Data Sanitization (IDS) Stable
CWE-1180 SEI CERT Perl Coding Standard - Guidelines 02. Declarations and Initialization (DCL) Stable
CWE-1181 SEI CERT Perl Coding Standard - Guidelines 03. Expressions (EXP) Stable
CWE-1182 SEI CERT Perl Coding Standard - Guidelines 04. Integers (INT) Stable
CWE-1183 SEI CERT Perl Coding Standard - Guidelines 05. Strings (STR) Stable
CWE-1184 SEI CERT Perl Coding Standard - Guidelines 06. Object-Oriented Programming (OOP) Stable
CWE-1185 SEI CERT Perl Coding Standard - Guidelines 07. File Input and Output (FIO) Stable
CWE-1186 SEI CERT Perl Coding Standard - Guidelines 50. Miscellaneous (MSC) Stable
CWE-1195 Manufacturing and Life Cycle Management Concerns Draft
CWE-1196 Security Flow Issues Draft
CWE-1197 Integration Issues Draft
CWE-1198 Privilege Separation and Access Control Issues Draft
CWE-1199 General Circuit and Logic Design Concerns Draft
CWE-1201 Core and Compute Issues Draft
CWE-1202 Memory and Storage Issues Draft
CWE-1203 Peripherals, On-chip Fabric, and Interface/IO Problems Draft
CWE-1205 Security Primitives and Cryptography Issues Draft
CWE-1206 Power, Clock, Thermal, and Reset Concerns Draft
CWE-1207 Debug and Test Problems Draft
CWE-1208 Cross-Cutting Problems Draft
CWE-1210 Audit / Logging Errors Draft
CWE-1211 Authentication Errors Draft
CWE-1212 Authorization Errors Draft
CWE-1213 Random Number Issues Draft
CWE-1214 Data Integrity Issues Draft
CWE-1215 Data Validation Issues Draft
CWE-1216 Lockout Mechanism Errors Draft
CWE-1217 User Session Errors Draft
CWE-1218 Memory Buffer Errors Draft
CWE-1219 File Handling Issues Draft
CWE-1225 Documentation Issues Draft
CWE-1226 Complexity Issues Draft
CWE-1227 Encapsulation Issues Draft
CWE-1228 API / Function Errors Draft
CWE-1237 SFP Primary Cluster: Faulty Resource Release Incomplete
CWE-1238 SFP Primary Cluster: Failure to Release Memory Incomplete
CWE-1306 CISQ Quality Measures - Reliability Incomplete
CWE-1307 CISQ Quality Measures - Maintainability Incomplete
CWE-1308 CISQ Quality Measures - Security Incomplete
CWE-1309 CISQ Quality Measures - Efficiency Incomplete
CWE-1345 OWASP Top Ten 2021 Category A01:2021 - Broken Access Control Incomplete
CWE-1346 OWASP Top Ten 2021 Category A02:2021 - Cryptographic Failures Incomplete
CWE-1347 OWASP Top Ten 2021 Category A03:2021 - Injection Incomplete
CWE-1348 OWASP Top Ten 2021 Category A04:2021 - Insecure Design Incomplete
CWE-1349 OWASP Top Ten 2021 Category A05:2021 - Security Misconfiguration Incomplete
CWE-1352 OWASP Top Ten 2021 Category A06:2021 - Vulnerable and Outdated Components Incomplete
CWE-1353 OWASP Top Ten 2021 Category A07:2021 - Identification and Authentication Failures Incomplete
CWE-1354 OWASP Top Ten 2021 Category A08:2021 - Software and Data Integrity Failures Incomplete
CWE-1355 OWASP Top Ten 2021 Category A09:2021 - Security Logging and Monitoring Failures Incomplete
CWE-1356 OWASP Top Ten 2021 Category A10:2021 - Server-Side Request Forgery (SSRF) Incomplete
CWE-1359 ICS Communications Incomplete
CWE-1360 ICS Dependencies (& Architecture) Incomplete
CWE-1361 ICS Supply Chain Incomplete
CWE-1362 ICS Engineering (Constructions/Deployment) Incomplete
CWE-1363 ICS Operations (& Maintenance) Incomplete
CWE-1364 ICS Communications: Zone Boundary Failures Incomplete
CWE-1365 ICS Communications: Unreliability Incomplete
CWE-1366 ICS Communications: Frail Security in Protocols Incomplete
CWE-1367 ICS Dependencies (& Architecture): External Physical Systems Incomplete
CWE-1368 ICS Dependencies (& Architecture): External Digital Systems Incomplete
CWE-1369 ICS Supply Chain: IT/OT Convergence/Expansion Incomplete
CWE-1370 ICS Supply Chain: Common Mode Frailties Incomplete
CWE-1371 ICS Supply Chain: Poorly Documented or Undocumented Features Incomplete
CWE-1372 ICS Supply Chain: OT Counterfeit and Malicious Corruption Incomplete
CWE-1373 ICS Engineering (Construction/Deployment): Trust Model Problems Incomplete
CWE-1374 ICS Engineering (Construction/Deployment): Maker Breaker Blindness Incomplete
CWE-1375 ICS Engineering (Construction/Deployment): Gaps in Details/Data Incomplete
CWE-1376 ICS Engineering (Construction/Deployment): Security Gaps in Commissioning Incomplete
CWE-1377 ICS Engineering (Construction/Deployment): Inherent Predictability in Design Incomplete
CWE-1378 ICS Operations (& Maintenance): Gaps in obligations and training Incomplete
CWE-1379 ICS Operations (& Maintenance): Human factors in ICS environments Incomplete
CWE-1380 ICS Operations (& Maintenance): Post-analysis changes Incomplete
CWE-1381 ICS Operations (& Maintenance): Exploitable Standard Operational Procedures Incomplete
CWE-1382 ICS Operations (& Maintenance): Emerging Energy Technologies Incomplete
CWE-1383 ICS Operations (& Maintenance): Compliance/Conformance with Regulatory Requirements Incomplete
CWE-1388 Physical Access Issues and Concerns Draft
CWE-1396 Comprehensive Categorization: Access Control Incomplete
CWE-1397 Comprehensive Categorization: Comparison Incomplete
CWE-1398 Comprehensive Categorization: Component Interaction Incomplete
CWE-1399 Comprehensive Categorization: Memory Safety Incomplete
CWE-1401 Comprehensive Categorization: Concurrency Incomplete
CWE-1402 Comprehensive Categorization: Encryption Incomplete
CWE-1403 Comprehensive Categorization: Exposed Resource Incomplete
CWE-1404 Comprehensive Categorization: File Handling Incomplete
CWE-1405 Comprehensive Categorization: Improper Check or Handling of Exceptional Conditions Incomplete
CWE-1406 Comprehensive Categorization: Improper Input Validation Incomplete
CWE-1407 Comprehensive Categorization: Improper Neutralization Incomplete
CWE-1408 Comprehensive Categorization: Incorrect Calculation Incomplete
CWE-1409 Comprehensive Categorization: Injection Incomplete
CWE-1410 Comprehensive Categorization: Insufficient Control Flow Management Incomplete
CWE-1411 Comprehensive Categorization: Insufficient Verification of Data Authenticity Incomplete
CWE-1412 Comprehensive Categorization: Poor Coding Practices Incomplete
CWE-1413 Comprehensive Categorization: Protection Mechanism Failure Incomplete
CWE-1414 Comprehensive Categorization: Randomness Incomplete
CWE-1415 Comprehensive Categorization: Resource Control Incomplete
CWE-1416 Comprehensive Categorization: Resource Lifecycle Management Incomplete
CWE-1417 Comprehensive Categorization: Sensitive Information Exposure Incomplete
CWE-1418 Comprehensive Categorization: Violation of Secure Design Principles Incomplete
CWE-1433 2025 MIHW Supplement: Expert Insights Obsolete

Weaknesses (944)

ID Name Abstraction Status
CWE-5 J2EE Misconfiguration: Data Transmission Without Encryption Variant Draft
CWE-6 J2EE Misconfiguration: Insufficient Session-ID Length Variant Incomplete
CWE-7 J2EE Misconfiguration: Missing Custom Error Page Variant Incomplete
CWE-8 J2EE Misconfiguration: Entity Bean Declared Remote Variant Incomplete
CWE-9 J2EE Misconfiguration: Weak Access Permissions for EJB Methods Variant Draft
CWE-11 ASP.NET Misconfiguration: Creating Debug Binary Variant Draft
CWE-12 ASP.NET Misconfiguration: Missing Custom Error Page Variant Draft
CWE-13 ASP.NET Misconfiguration: Password in Configuration File Variant Draft
CWE-14 Compiler Removal of Code to Clear Buffers Variant Draft
CWE-15 External Control of System or Configuration Setting Base Incomplete
CWE-20 Improper Input Validation Class Stable
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Base Stable
CWE-23 Relative Path Traversal Base Draft
CWE-24 Path Traversal: '../filedir' Variant Incomplete
CWE-25 Path Traversal: '/../filedir' Variant Incomplete
CWE-26 Path Traversal: '/dir/../filename' Variant Draft
CWE-27 Path Traversal: 'dir/../../filename' Variant Draft
CWE-28 Path Traversal: '..\filedir' Variant Incomplete
CWE-29 Path Traversal: '\..\filename' Variant Incomplete
CWE-30 Path Traversal: '\dir\..\filename' Variant Draft
CWE-31 Path Traversal: 'dir\..\..\filename' Variant Draft
CWE-32 Path Traversal: '...' (Triple Dot) Variant Incomplete
CWE-33 Path Traversal: '....' (Multiple Dot) Variant Incomplete
CWE-34 Path Traversal: '....//' Variant Incomplete
CWE-35 Path Traversal: '.../...//' Variant Incomplete
CWE-36 Absolute Path Traversal Base Draft
CWE-37 Path Traversal: '/absolute/pathname/here' Variant Draft
CWE-38 Path Traversal: '\absolute\pathname\here' Variant Draft
CWE-39 Path Traversal: 'C:dirname' Variant Draft
CWE-40 Path Traversal: '\\UNC\share\name\' (Windows UNC Share) Variant Draft
CWE-41 Improper Resolution of Path Equivalence Base Incomplete
CWE-42 Path Equivalence: 'filename.' (Trailing Dot) Variant Incomplete
CWE-43 Path Equivalence: 'filename....' (Multiple Trailing Dot) Variant Incomplete
CWE-44 Path Equivalence: 'file.name' (Internal Dot) Variant Incomplete
CWE-45 Path Equivalence: 'file...name' (Multiple Internal Dot) Variant Incomplete
CWE-46 Path Equivalence: 'filename ' (Trailing Space) Variant Incomplete
CWE-47 Path Equivalence: ' filename' (Leading Space) Variant Incomplete
CWE-48 Path Equivalence: 'file name' (Internal Whitespace) Variant Incomplete
CWE-49 Path Equivalence: 'filename/' (Trailing Slash) Variant Incomplete
CWE-50 Path Equivalence: '//multiple/leading/slash' Variant Incomplete
CWE-51 Path Equivalence: '/multiple//internal/slash' Variant Incomplete
CWE-52 Path Equivalence: '/multiple/trailing/slash//' Variant Incomplete
CWE-53 Path Equivalence: '\multiple\\internal\backslash' Variant Incomplete
CWE-54 Path Equivalence: 'filedir\' (Trailing Backslash) Variant Incomplete
CWE-55 Path Equivalence: '/./' (Single Dot Directory) Variant Incomplete
CWE-56 Path Equivalence: 'filedir*' (Wildcard) Variant Incomplete
CWE-57 Path Equivalence: 'fakedir/../realdir/filename' Variant Incomplete
CWE-58 Path Equivalence: Windows 8.3 Filename Variant Incomplete
CWE-59 Improper Link Resolution Before File Access ('Link Following') Base Draft
CWE-61 UNIX Symbolic Link (Symlink) Following Compound Incomplete
CWE-62 UNIX Hard Link Variant Incomplete
CWE-64 Windows Shortcut Following (.LNK) Variant Incomplete
CWE-65 Windows Hard Link Variant Incomplete
CWE-66 Improper Handling of File Names that Identify Virtual Resources Base Draft
CWE-67 Improper Handling of Windows Device Names Variant Incomplete
CWE-69 Improper Handling of Windows ::DATA Alternate Data Stream Variant Incomplete
CWE-72 Improper Handling of Apple HFS+ Alternate Data Stream Path Variant Incomplete
CWE-73 External Control of File Name or Path Base Draft
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Class Incomplete
CWE-75 Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) Class Draft
CWE-76 Improper Neutralization of Equivalent Special Elements Base Draft
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection') Class Draft
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') Base Stable
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Base Stable
CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) Variant Incomplete
CWE-81 Improper Neutralization of Script in an Error Message Web Page Variant Incomplete
CWE-82 Improper Neutralization of Script in Attributes of IMG Tags in a Web Page Variant Incomplete
CWE-83 Improper Neutralization of Script in Attributes in a Web Page Variant Draft
CWE-84 Improper Neutralization of Encoded URI Schemes in a Web Page Variant Draft
CWE-85 Doubled Character XSS Manipulations Variant Draft
CWE-86 Improper Neutralization of Invalid Characters in Identifiers in Web Pages Variant Draft
CWE-87 Improper Neutralization of Alternate XSS Syntax Variant Draft
CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') Base Draft
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Base Stable
CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') Base Draft
CWE-91 XML Injection (aka Blind XPath Injection) Base Draft
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection') Base Draft
CWE-94 Improper Control of Generation of Code ('Code Injection') Base Draft
CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') Variant Incomplete
CWE-96 Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') Base Draft
CWE-97 Improper Neutralization of Server-Side Includes (SSI) Within a Web Page Variant Draft
CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') Variant Draft
CWE-99 Improper Control of Resource Identifiers ('Resource Injection') Class Draft
CWE-102 Struts: Duplicate Validation Forms Variant Incomplete
CWE-103 Struts: Incomplete validate() Method Definition Variant Draft
CWE-104 Struts: Form Bean Does Not Extend Validation Class Variant Draft
CWE-105 Struts: Form Field Without Validator Variant Draft
CWE-106 Struts: Plug-in Framework not in Use Variant Draft
CWE-107 Struts: Unused Validation Form Variant Draft
CWE-108 Struts: Unvalidated Action Form Variant Incomplete
CWE-109 Struts: Validator Turned Off Variant Draft
CWE-110 Struts: Validator Without Form Field Variant Draft
CWE-111 Direct Use of Unsafe JNI Variant Draft
CWE-112 Missing XML Validation Base Draft
CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') Variant Incomplete
CWE-114 Process Control Class Incomplete
CWE-115 Misinterpretation of Input Base Incomplete
CWE-116 Improper Encoding or Escaping of Output Class Draft
CWE-117 Improper Output Neutralization for Logs Base Draft
CWE-118 Incorrect Access of Indexable Resource ('Range Error') Class Incomplete
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer Class Stable
CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') Base Incomplete
CWE-121 Stack-based Buffer Overflow Variant Draft
CWE-122 Heap-based Buffer Overflow Variant Draft
CWE-123 Write-what-where Condition Base Draft
CWE-124 Buffer Underwrite ('Buffer Underflow') Base Incomplete
CWE-125 Out-of-bounds Read Base Draft
CWE-126 Buffer Over-read Variant Draft
CWE-127 Buffer Under-read Variant Draft
CWE-128 Wrap-around Error Base Incomplete
CWE-129 Improper Validation of Array Index Variant Draft
CWE-130 Improper Handling of Length Parameter Inconsistency Base Incomplete
CWE-131 Incorrect Calculation of Buffer Size Base Draft
CWE-134 Use of Externally-Controlled Format String Base Draft
CWE-135 Incorrect Calculation of Multi-Byte String Length Base Draft
CWE-138 Improper Neutralization of Special Elements Class Draft
CWE-140 Improper Neutralization of Delimiters Base Draft
CWE-141 Improper Neutralization of Parameter/Argument Delimiters Variant Draft
CWE-142 Improper Neutralization of Value Delimiters Variant Draft
CWE-143 Improper Neutralization of Record Delimiters Variant Draft
CWE-144 Improper Neutralization of Line Delimiters Variant Draft
CWE-145 Improper Neutralization of Section Delimiters Variant Incomplete
CWE-146 Improper Neutralization of Expression/Command Delimiters Variant Incomplete
CWE-147 Improper Neutralization of Input Terminators Variant Draft
CWE-148 Improper Neutralization of Input Leaders Variant Draft
CWE-149 Improper Neutralization of Quoting Syntax Variant Draft
CWE-150 Improper Neutralization of Escape, Meta, or Control Sequences Variant Incomplete
CWE-151 Improper Neutralization of Comment Delimiters Variant Draft
CWE-152 Improper Neutralization of Macro Symbols Variant Draft
CWE-153 Improper Neutralization of Substitution Characters Variant Draft
CWE-154 Improper Neutralization of Variable Name Delimiters Variant Incomplete
CWE-155 Improper Neutralization of Wildcards or Matching Symbols Variant Draft
CWE-156 Improper Neutralization of Whitespace Variant Draft
CWE-157 Failure to Sanitize Paired Delimiters Variant Draft
CWE-158 Improper Neutralization of Null Byte or NUL Character Variant Incomplete
CWE-159 Improper Handling of Invalid Use of Special Elements Class Draft
CWE-160 Improper Neutralization of Leading Special Elements Variant Incomplete
CWE-161 Improper Neutralization of Multiple Leading Special Elements Variant Incomplete
CWE-162 Improper Neutralization of Trailing Special Elements Variant Incomplete
CWE-163 Improper Neutralization of Multiple Trailing Special Elements Variant Incomplete
CWE-164 Improper Neutralization of Internal Special Elements Variant Incomplete
CWE-165 Improper Neutralization of Multiple Internal Special Elements Variant Incomplete
CWE-166 Improper Handling of Missing Special Element Base Draft
CWE-167 Improper Handling of Additional Special Element Base Draft
CWE-168 Improper Handling of Inconsistent Special Elements Base Draft
CWE-170 Improper Null Termination Base Incomplete
CWE-172 Encoding Error Class Draft
CWE-173 Improper Handling of Alternate Encoding Variant Draft
CWE-174 Double Decoding of the Same Data Variant Draft
CWE-175 Improper Handling of Mixed Encoding Variant Draft
CWE-176 Improper Handling of Unicode Encoding Variant Draft
CWE-177 Improper Handling of URL Encoding (Hex Encoding) Variant Draft
CWE-178 Improper Handling of Case Sensitivity Base Incomplete
CWE-179 Incorrect Behavior Order: Early Validation Base Incomplete
CWE-180 Incorrect Behavior Order: Validate Before Canonicalize Variant Draft
CWE-181 Incorrect Behavior Order: Validate Before Filter Variant Draft
CWE-182 Collapse of Data into Unsafe Value Base Draft
CWE-183 Permissive List of Allowed Inputs Base Draft
CWE-184 Incomplete List of Disallowed Inputs Base Draft
CWE-185 Incorrect Regular Expression Class Draft
CWE-186 Overly Restrictive Regular Expression Base Draft
CWE-187 Partial String Comparison Variant Incomplete
CWE-188 Reliance on Data/Memory Layout Base Draft
CWE-190 Integer Overflow or Wraparound Base Stable
CWE-191 Integer Underflow (Wrap or Wraparound) Base Draft
CWE-192 Integer Coercion Error Variant Incomplete
CWE-193 Off-by-one Error Base Draft
CWE-194 Unexpected Sign Extension Variant Incomplete
CWE-195 Signed to Unsigned Conversion Error Variant Draft
CWE-196 Unsigned to Signed Conversion Error Variant Draft
CWE-197 Numeric Truncation Error Base Incomplete
CWE-198 Use of Incorrect Byte Ordering Variant Draft
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor Class Draft
CWE-201 Insertion of Sensitive Information Into Sent Data Base Draft
CWE-202 Exposure of Sensitive Information Through Data Queries Base Draft
CWE-203 Observable Discrepancy Base Incomplete
CWE-204 Observable Response Discrepancy Base Incomplete
CWE-205 Observable Behavioral Discrepancy Base Incomplete
CWE-206 Observable Internal Behavioral Discrepancy Variant Incomplete
CWE-207 Observable Behavioral Discrepancy With Equivalent Products Variant Draft
CWE-208 Observable Timing Discrepancy Base Incomplete
CWE-209 Generation of Error Message Containing Sensitive Information Base Draft
CWE-210 Self-generated Error Message Containing Sensitive Information Base Draft
CWE-211 Externally-Generated Error Message Containing Sensitive Information Base Incomplete
CWE-212 Improper Removal of Sensitive Information Before Storage or Transfer Base Incomplete
CWE-213 Exposure of Sensitive Information Due to Incompatible Policies Base Draft
CWE-214 Invocation of Process Using Visible Sensitive Information Base Incomplete
CWE-215 Insertion of Sensitive Information Into Debugging Code Base Draft
CWE-219 Storage of File with Sensitive Data Under Web Root Variant Draft
CWE-220 Storage of File With Sensitive Data Under FTP Root Variant Draft
CWE-221 Information Loss or Omission Class Incomplete
CWE-222 Truncation of Security-relevant Information Base Draft
CWE-223 Omission of Security-relevant Information Base Draft
CWE-224 Obscured Security-relevant Information by Alternate Name Base Incomplete
CWE-226 Sensitive Information in Resource Not Removed Before Reuse Base Draft
CWE-228 Improper Handling of Syntactically Invalid Structure Class Incomplete
CWE-229 Improper Handling of Values Base Incomplete
CWE-230 Improper Handling of Missing Values Variant Draft
CWE-231 Improper Handling of Extra Values Variant Draft
CWE-232 Improper Handling of Undefined Values Variant Draft
CWE-233 Improper Handling of Parameters Base Incomplete
CWE-234 Failure to Handle Missing Parameter Variant Incomplete
CWE-235 Improper Handling of Extra Parameters Variant Draft
CWE-236 Improper Handling of Undefined Parameters Variant Draft
CWE-237 Improper Handling of Structural Elements Base Incomplete
CWE-238 Improper Handling of Incomplete Structural Elements Variant Draft
CWE-239 Failure to Handle Incomplete Element Variant Draft
CWE-240 Improper Handling of Inconsistent Structural Elements Base Draft
CWE-241 Improper Handling of Unexpected Data Type Base Draft
CWE-242 Use of Inherently Dangerous Function Base Draft
CWE-243 Creation of chroot Jail Without Changing Working Directory Variant Draft
CWE-244 Improper Clearing of Heap Memory Before Release ('Heap Inspection') Variant Draft
CWE-245 J2EE Bad Practices: Direct Management of Connections Variant Draft
CWE-246 J2EE Bad Practices: Direct Use of Sockets Variant Draft
CWE-248 Uncaught Exception Base Draft
CWE-250 Execution with Unnecessary Privileges Base Draft
CWE-252 Unchecked Return Value Base Draft
CWE-253 Incorrect Check of Function Return Value Base Incomplete
CWE-256 Plaintext Storage of a Password Base Incomplete
CWE-257 Storing Passwords in a Recoverable Format Base Incomplete
CWE-258 Empty Password in Configuration File Variant Incomplete
CWE-259 Use of Hard-coded Password Variant Draft
CWE-260 Password in Configuration File Base Incomplete
CWE-261 Weak Encoding for Password Base Incomplete
CWE-262 Not Using Password Aging Base Draft
CWE-263 Password Aging with Long Expiration Base Draft
CWE-266 Incorrect Privilege Assignment Base Draft
CWE-267 Privilege Defined With Unsafe Actions Base Incomplete
CWE-268 Privilege Chaining Base Draft
CWE-269 Improper Privilege Management Class Draft
CWE-270 Privilege Context Switching Error Base Draft
CWE-271 Privilege Dropping / Lowering Errors Class Incomplete
CWE-272 Least Privilege Violation Base Incomplete
CWE-273 Improper Check for Dropped Privileges Base Incomplete
CWE-274 Improper Handling of Insufficient Privileges Base Draft
CWE-276 Incorrect Default Permissions Base Draft
CWE-277 Insecure Inherited Permissions Variant Draft
CWE-278 Insecure Preserved Inherited Permissions Variant Incomplete
CWE-279 Incorrect Execution-Assigned Permissions Variant Draft
CWE-280 Improper Handling of Insufficient Permissions or Privileges Base Draft
CWE-281 Improper Preservation of Permissions Base Draft
CWE-282 Improper Ownership Management Class Draft
CWE-283 Unverified Ownership Base Draft
CWE-284 Improper Access Control Pillar Incomplete
CWE-285 Improper Authorization Class Draft
CWE-286 Incorrect User Management Class Incomplete
CWE-287 Improper Authentication Class Draft
CWE-288 Authentication Bypass Using an Alternate Path or Channel Base Incomplete
CWE-289 Authentication Bypass by Alternate Name Base Incomplete
CWE-290 Authentication Bypass by Spoofing Base Incomplete
CWE-291 Reliance on IP Address for Authentication Variant Incomplete
CWE-293 Using Referer Field for Authentication Variant Draft
CWE-294 Authentication Bypass by Capture-replay Base Incomplete
CWE-295 Improper Certificate Validation Base Draft
CWE-296 Improper Following of a Certificate's Chain of Trust Base Draft
CWE-297 Improper Validation of Certificate with Host Mismatch Variant Incomplete
CWE-298 Improper Validation of Certificate Expiration Variant Draft
CWE-299 Improper Check for Certificate Revocation Base Draft
CWE-300 Channel Accessible by Non-Endpoint Class Draft
CWE-301 Reflection Attack in an Authentication Protocol Base Draft
CWE-302 Authentication Bypass by Assumed-Immutable Data Base Incomplete
CWE-303 Incorrect Implementation of Authentication Algorithm Base Draft
CWE-304 Missing Critical Step in Authentication Base Draft
CWE-305 Authentication Bypass by Primary Weakness Base Draft
CWE-306 Missing Authentication for Critical Function Base Draft
CWE-307 Improper Restriction of Excessive Authentication Attempts Base Draft
CWE-308 Use of Single-factor Authentication Base Draft
CWE-309 Use of Password System for Primary Authentication Base Draft
CWE-311 Missing Encryption of Sensitive Data Class Draft
CWE-312 Cleartext Storage of Sensitive Information Base Draft
CWE-313 Cleartext Storage in a File or on Disk Variant Draft
CWE-314 Cleartext Storage in the Registry Variant Draft
CWE-315 Cleartext Storage of Sensitive Information in a Cookie Variant Draft
CWE-316 Cleartext Storage of Sensitive Information in Memory Variant Draft
CWE-317 Cleartext Storage of Sensitive Information in GUI Variant Draft
CWE-318 Cleartext Storage of Sensitive Information in Executable Variant Draft
CWE-319 Cleartext Transmission of Sensitive Information Base Draft
CWE-321 Use of Hard-coded Cryptographic Key Variant Draft
CWE-322 Key Exchange without Entity Authentication Base Draft
CWE-323 Reusing a Nonce, Key Pair in Encryption Base Incomplete
CWE-324 Use of a Key Past its Expiration Date Base Draft
CWE-325 Missing Cryptographic Step Base Draft
CWE-326 Inadequate Encryption Strength Class Draft
CWE-327 Use of a Broken or Risky Cryptographic Algorithm Class Draft
CWE-328 Use of Weak Hash Base Draft
CWE-329 Generation of Predictable IV with CBC Mode Variant Draft
CWE-330 Use of Insufficiently Random Values Class Stable
CWE-331 Insufficient Entropy Base Draft
CWE-332 Insufficient Entropy in PRNG Variant Draft
CWE-333 Improper Handling of Insufficient Entropy in TRNG Variant Draft
CWE-334 Small Space of Random Values Base Draft
CWE-335 Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) Base Draft
CWE-336 Same Seed in Pseudo-Random Number Generator (PRNG) Variant Draft
CWE-337 Predictable Seed in Pseudo-Random Number Generator (PRNG) Variant Draft
CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) Base Draft
CWE-339 Small Seed Space in PRNG Variant Draft
CWE-340 Generation of Predictable Numbers or Identifiers Class Incomplete
CWE-341 Predictable from Observable State Base Draft
CWE-342 Predictable Exact Value from Previous Values Base Draft
CWE-343 Predictable Value Range from Previous Values Base Draft
CWE-344 Use of Invariant Value in Dynamically Changing Context Base Draft
CWE-345 Insufficient Verification of Data Authenticity Class Draft
CWE-346 Origin Validation Error Class Draft
CWE-347 Improper Verification of Cryptographic Signature Base Draft
CWE-348 Use of Less Trusted Source Base Draft
CWE-349 Acceptance of Extraneous Untrusted Data With Trusted Data Base Draft
CWE-350 Reliance on Reverse DNS Resolution for a Security-Critical Action Variant Draft
CWE-351 Insufficient Type Distinction Base Draft
CWE-352 Cross-Site Request Forgery (CSRF) Compound Stable
CWE-353 Missing Support for Integrity Check Base Draft
CWE-354 Improper Validation of Integrity Check Value Base Draft
CWE-356 Product UI does not Warn User of Unsafe Actions Base Incomplete
CWE-357 Insufficient UI Warning of Dangerous Operations Base Draft
CWE-358 Improperly Implemented Security Check for Standard Base Draft
CWE-359 Exposure of Private Personal Information to an Unauthorized Actor Base Incomplete
CWE-360 Trust of System Event Data Base Incomplete
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') Class Draft
CWE-363 Race Condition Enabling Link Following Base Draft
CWE-364 Signal Handler Race Condition Base Incomplete
CWE-366 Race Condition within a Thread Base Draft
CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition Base Incomplete
CWE-368 Context Switching Race Condition Base Draft
CWE-369 Divide By Zero Base Draft
CWE-370 Missing Check for Certificate Revocation after Initial Check Variant Draft
CWE-372 Incomplete Internal State Distinction Base Draft
CWE-374 Passing Mutable Objects to an Untrusted Method Base Draft
CWE-375 Returning a Mutable Object to an Untrusted Caller Base Draft
CWE-377 Insecure Temporary File Class Incomplete
CWE-378 Creation of Temporary File With Insecure Permissions Base Draft
CWE-379 Creation of Temporary File in Directory with Insecure Permissions Base Incomplete
CWE-382 J2EE Bad Practices: Use of System.exit() Variant Draft
CWE-383 J2EE Bad Practices: Direct Use of Threads Variant Draft
CWE-384 Session Fixation Compound Incomplete
CWE-385 Covert Timing Channel Base Incomplete
CWE-386 Symbolic Name not Mapping to Correct Object Base Draft
CWE-390 Detection of Error Condition Without Action Base Draft
CWE-391 Unchecked Error Condition Base Incomplete
CWE-392 Missing Report of Error Condition Base Draft
CWE-393 Return of Wrong Status Code Base Draft
CWE-394 Unexpected Status Code or Return Value Base Draft
CWE-395 Use of NullPointerException Catch to Detect NULL Pointer Dereference Base Draft
CWE-396 Declaration of Catch for Generic Exception Base Draft
CWE-397 Declaration of Throws for Generic Exception Base Draft
CWE-400 Uncontrolled Resource Consumption Class Draft
CWE-401 Missing Release of Memory after Effective Lifetime Variant Draft
CWE-402 Transmission of Private Resources into a New Sphere ('Resource Leak') Class Draft
CWE-403 Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak') Base Draft
CWE-404 Improper Resource Shutdown or Release Class Draft
CWE-405 Asymmetric Resource Consumption (Amplification) Class Incomplete
CWE-406 Insufficient Control of Network Message Volume (Network Amplification) Class Incomplete
CWE-407 Inefficient Algorithmic Complexity Class Incomplete
CWE-408 Incorrect Behavior Order: Early Amplification Base Draft
CWE-409 Improper Handling of Highly Compressed Data (Data Amplification) Base Incomplete
CWE-410 Insufficient Resource Pool Class Incomplete
CWE-412 Unrestricted Externally Accessible Lock Base Incomplete
CWE-413 Improper Resource Locking Base Draft
CWE-414 Missing Lock Check Base Draft
CWE-415 Double Free Variant Draft
CWE-416 Use After Free Variant Stable
CWE-419 Unprotected Primary Channel Base Draft
CWE-420 Unprotected Alternate Channel Base Draft
CWE-421 Race Condition During Access to Alternate Channel Base Draft
CWE-422 Unprotected Windows Messaging Channel ('Shatter') Variant Draft
CWE-424 Improper Protection of Alternate Path Class Draft
CWE-425 Direct Request ('Forced Browsing') Base Incomplete
CWE-426 Untrusted Search Path Base Stable
CWE-427 Uncontrolled Search Path Element Base Draft
CWE-428 Unquoted Search Path or Element Base Draft
CWE-430 Deployment of Wrong Handler Base Incomplete
CWE-431 Missing Handler Base Draft
CWE-432 Dangerous Signal Handler not Disabled During Sensitive Operations Base Draft
CWE-433 Unparsed Raw Web Content Delivery Variant Incomplete
CWE-434 Unrestricted Upload of File with Dangerous Type Base Draft
CWE-435 Improper Interaction Between Multiple Correctly-Behaving Entities Pillar Draft
CWE-436 Interpretation Conflict Class Incomplete
CWE-437 Incomplete Model of Endpoint Features Base Incomplete
CWE-439 Behavioral Change in New Version or Environment Base Draft
CWE-440 Expected Behavior Violation Base Draft
CWE-441 Unintended Proxy or Intermediary ('Confused Deputy') Class Draft
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') Base Incomplete
CWE-446 UI Discrepancy for Security Feature Class Incomplete
CWE-447 Unimplemented or Unsupported Feature in UI Base Draft
CWE-448 Obsolete Feature in UI Base Draft
CWE-449 The UI Performs the Wrong Action Base Incomplete
CWE-450 Multiple Interpretations of UI Input Base Draft
CWE-451 User Interface (UI) Misrepresentation of Critical Information Class Draft
CWE-453 Insecure Default Variable Initialization Variant Draft
CWE-454 External Initialization of Trusted Variables or Data Stores Base Draft
CWE-455 Non-exit on Failed Initialization Base Draft
CWE-456 Missing Initialization of a Variable Variant Draft
CWE-457 Use of Uninitialized Variable Variant Draft
CWE-459 Incomplete Cleanup Base Draft
CWE-460 Improper Cleanup on Thrown Exception Base Draft
CWE-462 Duplicate Key in Associative List (Alist) Variant Incomplete
CWE-463 Deletion of Data Structure Sentinel Base Incomplete
CWE-464 Addition of Data Structure Sentinel Base Incomplete
CWE-466 Return of Pointer Value Outside of Expected Range Base Draft
CWE-467 Use of sizeof() on a Pointer Type Variant Draft
CWE-468 Incorrect Pointer Scaling Base Incomplete
CWE-469 Use of Pointer Subtraction to Determine Size Base Draft
CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') Base Draft
CWE-471 Modification of Assumed-Immutable Data (MAID) Base Draft
CWE-472 External Control of Assumed-Immutable Web Parameter Base Draft
CWE-473 PHP External Variable Modification Variant Draft
CWE-474 Use of Function with Inconsistent Implementations Base Draft
CWE-475 Undefined Behavior for Input to API Base Incomplete
CWE-476 NULL Pointer Dereference Base Stable
CWE-477 Use of Obsolete Function Base Draft
CWE-478 Missing Default Case in Multiple Condition Expression Base Draft
CWE-479 Signal Handler Use of a Non-reentrant Function Variant Draft
CWE-480 Use of Incorrect Operator Base Draft
CWE-481 Assigning instead of Comparing Variant Draft
CWE-482 Comparing instead of Assigning Variant Draft
CWE-483 Incorrect Block Delimitation Base Draft
CWE-484 Omitted Break Statement in Switch Base Draft
CWE-486 Comparison of Classes by Name Variant Draft
CWE-487 Reliance on Package-level Scope Base Incomplete
CWE-488 Exposure of Data Element to Wrong Session Base Draft
CWE-489 Active Debug Code Base Draft
CWE-491 Public cloneable() Method Without Final ('Object Hijack') Variant Draft
CWE-492 Use of Inner Class Containing Sensitive Data Variant Draft
CWE-493 Critical Public Variable Without Final Modifier Variant Draft
CWE-494 Download of Code Without Integrity Check Base Draft
CWE-495 Private Data Structure Returned From A Public Method Variant Draft
CWE-496 Public Data Assigned to Private Array-Typed Field Variant Incomplete
CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere Base Incomplete
CWE-498 Cloneable Class Containing Sensitive Information Variant Draft
CWE-499 Serializable Class Containing Sensitive Data Variant Draft
CWE-500 Public Static Field Not Marked Final Variant Draft
CWE-501 Trust Boundary Violation Base Draft
CWE-502 Deserialization of Untrusted Data Base Draft
CWE-506 Embedded Malicious Code Class Incomplete
CWE-507 Trojan Horse Base Incomplete
CWE-508 Non-Replicating Malicious Code Base Incomplete
CWE-509 Replicating Malicious Code (Virus or Worm) Base Incomplete
CWE-510 Trapdoor Base Incomplete
CWE-511 Logic/Time Bomb Base Incomplete
CWE-512 Spyware Base Incomplete
CWE-514 Covert Channel Class Incomplete
CWE-515 Covert Storage Channel Base Incomplete
CWE-520 .NET Misconfiguration: Use of Impersonation Variant Incomplete
CWE-521 Weak Password Requirements Base Draft
CWE-522 Insufficiently Protected Credentials Class Incomplete
CWE-523 Unprotected Transport of Credentials Base Incomplete
CWE-524 Use of Cache Containing Sensitive Information Base Incomplete
CWE-525 Use of Web Browser Cache Containing Sensitive Information Variant Incomplete
CWE-526 Cleartext Storage of Sensitive Information in an Environment Variable Variant Incomplete
CWE-527 Exposure of Version-Control Repository to an Unauthorized Control Sphere Variant Incomplete
CWE-528 Exposure of Core Dump File to an Unauthorized Control Sphere Variant Draft
CWE-529 Exposure of Access Control List Files to an Unauthorized Control Sphere Variant Incomplete
CWE-530 Exposure of Backup File to an Unauthorized Control Sphere Variant Incomplete
CWE-531 Inclusion of Sensitive Information in Test Code Variant Incomplete
CWE-532 Insertion of Sensitive Information into Log File Base Incomplete
CWE-535 Exposure of Information Through Shell Error Message Variant Incomplete
CWE-536 Servlet Runtime Error Message Containing Sensitive Information Variant Incomplete
CWE-537 Java Runtime Error Message Containing Sensitive Information Variant Incomplete
CWE-538 Insertion of Sensitive Information into Externally-Accessible File or Directory Base Draft
CWE-539 Use of Persistent Cookies Containing Sensitive Information Variant Incomplete
CWE-540 Inclusion of Sensitive Information in Source Code Base Incomplete
CWE-541 Inclusion of Sensitive Information in an Include File Variant Incomplete
CWE-543 Use of Singleton Pattern Without Synchronization in a Multithreaded Context Variant Incomplete
CWE-544 Missing Standardized Error Handling Mechanism Base Draft
CWE-546 Suspicious Comment Variant Draft
CWE-547 Use of Hard-coded, Security-relevant Constants Base Draft
CWE-548 Exposure of Information Through Directory Listing Variant Draft
CWE-549 Missing Password Field Masking Base Draft
CWE-550 Server-generated Error Message Containing Sensitive Information Variant Incomplete
CWE-551 Incorrect Behavior Order: Authorization Before Parsing and Canonicalization Base Incomplete
CWE-552 Files or Directories Accessible to External Parties Base Draft
CWE-553 Command Shell in Externally Accessible Directory Variant Incomplete
CWE-554 ASP.NET Misconfiguration: Not Using Input Validation Framework Variant Draft
CWE-555 J2EE Misconfiguration: Plaintext Password in Configuration File Variant Draft
CWE-556 ASP.NET Misconfiguration: Use of Identity Impersonation Variant Incomplete
CWE-558 Use of getlogin() in Multithreaded Application Variant Draft
CWE-560 Use of umask() with chmod-style Argument Variant Draft
CWE-561 Dead Code Base Draft
CWE-562 Return of Stack Variable Address Base Draft
CWE-563 Assignment to Variable without Use Base Draft
CWE-564 SQL Injection: Hibernate Variant Incomplete
CWE-565 Reliance on Cookies without Validation and Integrity Checking Base Incomplete
CWE-566 Authorization Bypass Through User-Controlled SQL Primary Key Variant Incomplete
CWE-567 Unsynchronized Access to Shared Data in a Multithreaded Context Base Draft
CWE-568 finalize() Method Without super.finalize() Variant Draft
CWE-570 Expression is Always False Base Draft
CWE-571 Expression is Always True Base Draft
CWE-572 Call to Thread run() instead of start() Variant Draft
CWE-573 Improper Following of Specification by Caller Class Draft
CWE-574 EJB Bad Practices: Use of Synchronization Primitives Variant Draft
CWE-575 EJB Bad Practices: Use of AWT Swing Variant Draft
CWE-576 EJB Bad Practices: Use of Java I/O Variant Draft
CWE-577 EJB Bad Practices: Use of Sockets Variant Draft
CWE-578 EJB Bad Practices: Use of Class Loader Variant Draft
CWE-579 J2EE Bad Practices: Non-serializable Object Stored in Session Variant Draft
CWE-580 clone() Method Without super.clone() Variant Draft
CWE-581 Object Model Violation: Just One of Equals and Hashcode Defined Variant Draft
CWE-582 Array Declared Public, Final, and Static Variant Draft
CWE-583 finalize() Method Declared Public Variant Incomplete
CWE-584 Return Inside Finally Block Base Draft
CWE-585 Empty Synchronized Block Variant Draft
CWE-586 Explicit Call to Finalize() Base Draft
CWE-587 Assignment of a Fixed Address to a Pointer Variant Draft
CWE-588 Attempt to Access Child of a Non-structure Pointer Variant Incomplete
CWE-589 Call to Non-ubiquitous API Variant Incomplete
CWE-590 Free of Memory not on the Heap Variant Incomplete
CWE-591 Sensitive Data Storage in Improperly Locked Memory Variant Draft
CWE-593 Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created Variant Draft
CWE-594 J2EE Framework: Saving Unserializable Objects to Disk Variant Incomplete
CWE-595 Comparison of Object References Instead of Object Contents Variant Incomplete
CWE-597 Use of Wrong Operator in String Comparison Variant Draft
CWE-598 Use of GET Request Method With Sensitive Query Strings Variant Draft
CWE-599 Missing Validation of OpenSSL Certificate Variant Incomplete
CWE-600 Uncaught Exception in Servlet Variant Draft
CWE-601 URL Redirection to Untrusted Site ('Open Redirect') Base Draft
CWE-602 Client-Side Enforcement of Server-Side Security Class Draft
CWE-603 Use of Client-Side Authentication Base Draft
CWE-605 Multiple Binds to the Same Port Variant Draft
CWE-606 Unchecked Input for Loop Condition Base Draft
CWE-607 Public Static Final Field References Mutable Object Variant Draft
CWE-608 Struts: Non-private Field in ActionForm Class Variant Draft
CWE-609 Double-Checked Locking Base Draft
CWE-610 Externally Controlled Reference to a Resource in Another Sphere Class Draft
CWE-611 Improper Restriction of XML External Entity Reference Base Draft
CWE-612 Improper Authorization of Index Containing Sensitive Information Base Draft
CWE-613 Insufficient Session Expiration Base Incomplete
CWE-614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute Variant Draft
CWE-615 Inclusion of Sensitive Information in Source Code Comments Variant Incomplete
CWE-616 Incomplete Identification of Uploaded File Variables (PHP) Variant Incomplete
CWE-617 Reachable Assertion Base Draft
CWE-618 Exposed Unsafe ActiveX Method Variant Incomplete
CWE-619 Dangling Database Cursor ('Cursor Injection') Base Incomplete
CWE-620 Unverified Password Change Base Draft
CWE-621 Variable Extraction Error Variant Incomplete
CWE-622 Improper Validation of Function Hook Arguments Variant Draft
CWE-623 Unsafe ActiveX Control Marked Safe For Scripting Variant Draft
CWE-624 Executable Regular Expression Error Base Incomplete
CWE-625 Permissive Regular Expression Base Draft
CWE-626 Null Byte Interaction Error (Poison Null Byte) Variant Draft
CWE-627 Dynamic Variable Evaluation Variant Incomplete
CWE-628 Function Call with Incorrectly Specified Arguments Base Draft
CWE-636 Not Failing Securely ('Failing Open') Class Draft
CWE-637 Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism') Class Draft
CWE-638 Not Using Complete Mediation Class Draft
CWE-639 Authorization Bypass Through User-Controlled Key Base Incomplete
CWE-640 Weak Password Recovery Mechanism for Forgotten Password Base Incomplete
CWE-641 Improper Restriction of Names for Files and Other Resources Base Incomplete
CWE-642 External Control of Critical State Data Class Draft
CWE-643 Improper Neutralization of Data within XPath Expressions ('XPath Injection') Base Incomplete
CWE-644 Improper Neutralization of HTTP Headers for Scripting Syntax Variant Incomplete
CWE-645 Overly Restrictive Account Lockout Mechanism Base Incomplete
CWE-646 Reliance on File Name or Extension of Externally-Supplied File Variant Incomplete
CWE-647 Use of Non-Canonical URL Paths for Authorization Decisions Variant Incomplete
CWE-648 Incorrect Use of Privileged APIs Base Incomplete
CWE-649 Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking Base Incomplete
CWE-650 Trusting HTTP Permission Methods on the Server Side Variant Incomplete
CWE-651 Exposure of WSDL File Containing Sensitive Information Variant Incomplete
CWE-652 Improper Neutralization of Data within XQuery Expressions ('XQuery Injection') Base Incomplete
CWE-653 Improper Isolation or Compartmentalization Class Draft
CWE-654 Reliance on a Single Factor in a Security Decision Base Draft
CWE-655 Insufficient Psychological Acceptability Class Draft
CWE-656 Reliance on Security Through Obscurity Class Draft
CWE-657 Violation of Secure Design Principles Class Draft
CWE-662 Improper Synchronization Class Draft
CWE-663 Use of a Non-reentrant Function in a Concurrent Context Base Draft
CWE-664 Improper Control of a Resource Through its Lifetime Pillar Draft
CWE-665 Improper Initialization Class Draft
CWE-666 Operation on Resource in Wrong Phase of Lifetime Class Draft
CWE-667 Improper Locking Class Draft
CWE-668 Exposure of Resource to Wrong Sphere Class Draft
CWE-669 Incorrect Resource Transfer Between Spheres Class Draft
CWE-670 Always-Incorrect Control Flow Implementation Class Draft
CWE-671 Lack of Administrator Control over Security Class Draft
CWE-672 Operation on a Resource after Expiration or Release Class Draft
CWE-673 External Influence of Sphere Definition Class Draft
CWE-674 Uncontrolled Recursion Class Draft
CWE-675 Multiple Operations on Resource in Single-Operation Context Class Draft
CWE-676 Use of Potentially Dangerous Function Base Draft
CWE-680 Integer Overflow to Buffer Overflow Compound Draft
CWE-681 Incorrect Conversion between Numeric Types Base Draft
CWE-682 Incorrect Calculation Pillar Draft
CWE-683 Function Call With Incorrect Order of Arguments Variant Draft
CWE-684 Incorrect Provision of Specified Functionality Class Draft
CWE-685 Function Call With Incorrect Number of Arguments Variant Draft
CWE-686 Function Call With Incorrect Argument Type Variant Draft
CWE-687 Function Call With Incorrectly Specified Argument Value Variant Draft
CWE-688 Function Call With Incorrect Variable or Reference as Argument Variant Draft
CWE-689 Permission Race Condition During Resource Copy Compound Draft
CWE-690 Unchecked Return Value to NULL Pointer Dereference Compound Draft
CWE-691 Insufficient Control Flow Management Pillar Draft
CWE-692 Incomplete Denylist to Cross-Site Scripting Compound Draft
CWE-693 Protection Mechanism Failure Pillar Draft
CWE-694 Use of Multiple Resources with Duplicate Identifier Base Incomplete
CWE-695 Use of Low-Level Functionality Base Incomplete
CWE-696 Incorrect Behavior Order Class Incomplete
CWE-697 Incorrect Comparison Pillar Incomplete
CWE-698 Execution After Redirect (EAR) Base Incomplete
CWE-703 Improper Check or Handling of Exceptional Conditions Pillar Incomplete
CWE-704 Incorrect Type Conversion or Cast Class Incomplete
CWE-705 Incorrect Control Flow Scoping Class Incomplete
CWE-706 Use of Incorrectly-Resolved Name or Reference Class Incomplete
CWE-707 Improper Neutralization Pillar Incomplete
CWE-708 Incorrect Ownership Assignment Base Incomplete
CWE-710 Improper Adherence to Coding Standards Pillar Incomplete
CWE-732 Incorrect Permission Assignment for Critical Resource Class Draft
CWE-733 Compiler Optimization Removal or Modification of Security-critical Code Base Incomplete
CWE-749 Exposed Dangerous Method or Function Base Incomplete
CWE-754 Improper Check for Unusual or Exceptional Conditions Class Incomplete
CWE-755 Improper Handling of Exceptional Conditions Class Incomplete
CWE-756 Missing Custom Error Page Base Incomplete
CWE-757 Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') Base Incomplete
CWE-758 Reliance on Undefined, Unspecified, or Implementation-Defined Behavior Class Incomplete
CWE-759 Use of a One-Way Hash without a Salt Variant Incomplete
CWE-760 Use of a One-Way Hash with a Predictable Salt Variant Incomplete
CWE-761 Free of Pointer not at Start of Buffer Variant Incomplete
CWE-762 Mismatched Memory Management Routines Variant Incomplete
CWE-763 Release of Invalid Pointer or Reference Base Incomplete
CWE-764 Multiple Locks of a Critical Resource Base Incomplete
CWE-765 Multiple Unlocks of a Critical Resource Base Incomplete
CWE-766 Critical Data Element Declared Public Base Incomplete
CWE-767 Access to Critical Private Variable via Public Method Base Incomplete
CWE-768 Incorrect Short Circuit Evaluation Variant Incomplete
CWE-770 Allocation of Resources Without Limits or Throttling Base Incomplete
CWE-771 Missing Reference to Active Allocated Resource Base Incomplete
CWE-772 Missing Release of Resource after Effective Lifetime Base Draft
CWE-773 Missing Reference to Active File Descriptor or Handle Variant Incomplete
CWE-774 Allocation of File Descriptors or Handles Without Limits or Throttling Variant Incomplete
CWE-775 Missing Release of File Descriptor or Handle after Effective Lifetime Variant Incomplete
CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') Base Draft
CWE-777 Regular Expression without Anchors Variant Incomplete
CWE-778 Insufficient Logging Base Draft
CWE-779 Logging of Excessive Data Base Draft
CWE-780 Use of RSA Algorithm without OAEP Variant Incomplete
CWE-781 Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code Variant Draft
CWE-782 Exposed IOCTL with Insufficient Access Control Variant Draft
CWE-783 Operator Precedence Logic Error Base Draft
CWE-784 Reliance on Cookies without Validation and Integrity Checking in a Security Decision Variant Draft
CWE-785 Use of Path Manipulation Function without Maximum-sized Buffer Variant Incomplete
CWE-786 Access of Memory Location Before Start of Buffer Base Incomplete
CWE-787 Out-of-bounds Write Base Draft
CWE-788 Access of Memory Location After End of Buffer Base Incomplete
CWE-789 Memory Allocation with Excessive Size Value Variant Draft
CWE-790 Improper Filtering of Special Elements Class Incomplete
CWE-791 Incomplete Filtering of Special Elements Base Incomplete
CWE-792 Incomplete Filtering of One or More Instances of Special Elements Variant Incomplete
CWE-793 Only Filtering One Instance of a Special Element Variant Incomplete
CWE-794 Incomplete Filtering of Multiple Instances of Special Elements Variant Incomplete
CWE-795 Only Filtering Special Elements at a Specified Location Base Incomplete
CWE-796 Only Filtering Special Elements Relative to a Marker Variant Incomplete
CWE-797 Only Filtering Special Elements at an Absolute Position Variant Incomplete
CWE-798 Use of Hard-coded Credentials Base Draft
CWE-799 Improper Control of Interaction Frequency Class Incomplete
CWE-804 Guessable CAPTCHA Base Incomplete
CWE-805 Buffer Access with Incorrect Length Value Base Incomplete
CWE-806 Buffer Access Using Size of Source Buffer Variant Incomplete
CWE-807 Reliance on Untrusted Inputs in a Security Decision Base Incomplete
CWE-820 Missing Synchronization Base Incomplete
CWE-821 Incorrect Synchronization Base Incomplete
CWE-822 Untrusted Pointer Dereference Base Incomplete
CWE-823 Use of Out-of-range Pointer Offset Base Incomplete
CWE-824 Access of Uninitialized Pointer Base Incomplete
CWE-825 Expired Pointer Dereference Base Incomplete
CWE-826 Premature Release of Resource During Expected Lifetime Base Incomplete
CWE-827 Improper Control of Document Type Definition Variant Incomplete
CWE-828 Signal Handler with Functionality that is not Asynchronous-Safe Variant Incomplete
CWE-829 Inclusion of Functionality from Untrusted Control Sphere Base Incomplete
CWE-830 Inclusion of Web Functionality from an Untrusted Source Variant Incomplete
CWE-831 Signal Handler Function Associated with Multiple Signals Variant Incomplete
CWE-832 Unlock of a Resource that is not Locked Base Incomplete
CWE-833 Deadlock Base Incomplete
CWE-834 Excessive Iteration Class Incomplete
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop') Base Incomplete
CWE-836 Use of Password Hash Instead of Password for Authentication Base Incomplete
CWE-837 Improper Enforcement of a Single, Unique Action Base Incomplete
CWE-838 Inappropriate Encoding for Output Context Base Incomplete
CWE-839 Numeric Range Comparison Without Minimum Check Base Incomplete
CWE-841 Improper Enforcement of Behavioral Workflow Base Incomplete
CWE-842 Placement of User into Incorrect Group Base Incomplete
CWE-843 Access of Resource Using Incompatible Type ('Type Confusion') Base Incomplete
CWE-862 Missing Authorization Class Incomplete
CWE-863 Incorrect Authorization Class Incomplete
CWE-908 Use of Uninitialized Resource Base Incomplete
CWE-909 Missing Initialization of Resource Class Incomplete
CWE-910 Use of Expired File Descriptor Base Incomplete
CWE-911 Improper Update of Reference Count Base Incomplete
CWE-912 Hidden Functionality Class Incomplete
CWE-913 Improper Control of Dynamically-Managed Code Resources Class Incomplete
CWE-914 Improper Control of Dynamically-Identified Variables Base Incomplete
CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes Base Incomplete
CWE-916 Use of Password Hash With Insufficient Computational Effort Base Incomplete
CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') Base Incomplete
CWE-918 Server-Side Request Forgery (SSRF) Base Incomplete
CWE-920 Improper Restriction of Power Consumption Base Incomplete
CWE-921 Storage of Sensitive Data in a Mechanism without Access Control Base Incomplete
CWE-922 Insecure Storage of Sensitive Information Class Incomplete
CWE-923 Improper Restriction of Communication Channel to Intended Endpoints Class Incomplete
CWE-924 Improper Enforcement of Message Integrity During Transmission in a Communication Channel Base Incomplete
CWE-925 Improper Verification of Intent by Broadcast Receiver Variant Incomplete
CWE-926 Improper Export of Android Application Components Variant Incomplete
CWE-927 Use of Implicit Intent for Sensitive Communication Variant Incomplete
CWE-939 Improper Authorization in Handler for Custom URL Scheme Base Incomplete
CWE-940 Improper Verification of Source of a Communication Channel Base Incomplete
CWE-941 Incorrectly Specified Destination in a Communication Channel Base Incomplete
CWE-942 Permissive Cross-domain Security Policy with Untrusted Domains Variant Incomplete
CWE-943 Improper Neutralization of Special Elements in Data Query Logic Class Incomplete
CWE-1004 Sensitive Cookie Without 'HttpOnly' Flag Variant Incomplete
CWE-1007 Insufficient Visual Distinction of Homoglyphs Presented to User Base Incomplete
CWE-1021 Improper Restriction of Rendered UI Layers or Frames Base Incomplete
CWE-1022 Use of Web Link to Untrusted Target with window.opener Access Variant Incomplete
CWE-1023 Incomplete Comparison with Missing Factors Class Incomplete
CWE-1024 Comparison of Incompatible Types Base Incomplete
CWE-1025 Comparison Using Wrong Factors Base Incomplete
CWE-1037 Processor Optimization Removal or Modification of Security-critical Code Base Incomplete
CWE-1038 Insecure Automated Optimizations Class Draft
CWE-1039 Inadequate Detection or Handling of Adversarial Input Perturbations in Automated Recognition Mechanism Class Incomplete
CWE-1041 Use of Redundant Code Base Incomplete
CWE-1042 Static Member Data Element outside of a Singleton Class Element Variant Incomplete
CWE-1043 Data Element Aggregating an Excessively Large Number of Non-Primitive Elements Base Incomplete
CWE-1044 Architecture with Number of Horizontal Layers Outside of Expected Range Base Incomplete
CWE-1045 Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor Base Incomplete
CWE-1046 Creation of Immutable Text Using String Concatenation Base Incomplete
CWE-1047 Modules with Circular Dependencies Base Incomplete
CWE-1048 Invokable Control Element with Large Number of Outward Calls Base Incomplete
CWE-1049 Excessive Data Query Operations in a Large Data Table Base Incomplete
CWE-1050 Excessive Platform Resource Consumption within a Loop Base Incomplete
CWE-1051 Initialization with Hard-Coded Network Resource Configuration Data Base Incomplete
CWE-1052 Excessive Use of Hard-Coded Literals in Initialization Base Incomplete
CWE-1053 Missing Documentation for Design Base Incomplete
CWE-1054 Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer Base Incomplete
CWE-1055 Multiple Inheritance from Concrete Classes Base Incomplete
CWE-1056 Invokable Control Element with Variadic Parameters Base Incomplete
CWE-1057 Data Access Operations Outside of Expected Data Manager Component Base Incomplete
CWE-1058 Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element Base Incomplete
CWE-1059 Insufficient Technical Documentation Class Incomplete
CWE-1060 Excessive Number of Inefficient Server-Side Data Accesses Base Incomplete
CWE-1061 Insufficient Encapsulation Class Incomplete
CWE-1062 Parent Class with References to Child Class Base Incomplete
CWE-1063 Creation of Class Instance within a Static Code Block Base Incomplete
CWE-1064 Invokable Control Element with Signature Containing an Excessive Number of Parameters Base Incomplete
CWE-1065 Runtime Resource Management Control Element in a Component Built to Run on Application Servers Base Incomplete
CWE-1066 Missing Serialization Control Element Base Incomplete
CWE-1067 Excessive Execution of Sequential Searches of Data Resource Base Incomplete
CWE-1068 Inconsistency Between Implementation and Documented Design Base Incomplete
CWE-1069 Empty Exception Block Variant Incomplete
CWE-1070 Serializable Data Element Containing non-Serializable Item Elements Base Incomplete
CWE-1071 Empty Code Block Base Incomplete
CWE-1072 Data Resource Access without Use of Connection Pooling Base Incomplete
CWE-1073 Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses Base Incomplete
CWE-1074 Class with Excessively Deep Inheritance Base Incomplete
CWE-1075 Unconditional Control Flow Transfer outside of Switch Block Base Incomplete
CWE-1076 Insufficient Adherence to Expected Conventions Class Incomplete
CWE-1077 Floating Point Comparison with Incorrect Operator Variant Incomplete
CWE-1078 Inappropriate Source Code Style or Formatting Class Incomplete
CWE-1079 Parent Class without Virtual Destructor Method Base Incomplete
CWE-1080 Source Code File with Excessive Number of Lines of Code Base Incomplete
CWE-1082 Class Instance Self Destruction Control Element Base Incomplete
CWE-1083 Data Access from Outside Expected Data Manager Component Base Incomplete
CWE-1084 Invokable Control Element with Excessive File or Data Access Operations Base Incomplete
CWE-1085 Invokable Control Element with Excessive Volume of Commented-out Code Base Incomplete
CWE-1086 Class with Excessive Number of Child Classes Base Incomplete
CWE-1087 Class with Virtual Method without a Virtual Destructor Base Incomplete
CWE-1088 Synchronous Access of Remote Resource without Timeout Base Incomplete
CWE-1089 Large Data Table with Excessive Number of Indices Base Incomplete
CWE-1090 Method Containing Access of a Member Element from Another Class Base Incomplete
CWE-1091 Use of Object without Invoking Destructor Method Base Incomplete
CWE-1092 Use of Same Invokable Control Element in Multiple Architectural Layers Base Incomplete
CWE-1093 Excessively Complex Data Representation Class Incomplete
CWE-1094 Excessive Index Range Scan for a Data Resource Base Incomplete
CWE-1095 Loop Condition Value Update within the Loop Base Incomplete
CWE-1096 Singleton Class Instance Creation without Proper Locking or Synchronization Variant Incomplete
CWE-1097 Persistent Storable Data Element without Associated Comparison Control Element Base Incomplete
CWE-1098 Data Element containing Pointer Item without Proper Copy Control Element Base Incomplete
CWE-1099 Inconsistent Naming Conventions for Identifiers Base Incomplete
CWE-1100 Insufficient Isolation of System-Dependent Functions Base Incomplete
CWE-1101 Reliance on Runtime Component in Generated Code Base Incomplete
CWE-1102 Reliance on Machine-Dependent Data Representation Base Incomplete
CWE-1103 Use of Platform-Dependent Third Party Components Base Incomplete
CWE-1104 Use of Unmaintained Third Party Components Base Incomplete
CWE-1105 Insufficient Encapsulation of Machine-Dependent Functionality Base Incomplete
CWE-1106 Insufficient Use of Symbolic Constants Base Incomplete
CWE-1107 Insufficient Isolation of Symbolic Constant Definitions Base Incomplete
CWE-1108 Excessive Reliance on Global Variables Base Incomplete
CWE-1109 Use of Same Variable for Multiple Purposes Base Incomplete
CWE-1110 Incomplete Design Documentation Base Incomplete
CWE-1111 Incomplete I/O Documentation Base Incomplete
CWE-1112 Incomplete Documentation of Program Execution Base Incomplete
CWE-1113 Inappropriate Comment Style Base Incomplete
CWE-1114 Inappropriate Whitespace Style Base Incomplete
CWE-1115 Source Code Element without Standard Prologue Base Incomplete
CWE-1116 Inaccurate Comments Base Incomplete
CWE-1117 Callable with Insufficient Behavioral Summary Base Incomplete
CWE-1118 Insufficient Documentation of Error Handling Techniques Base Incomplete
CWE-1119 Excessive Use of Unconditional Branching Base Incomplete
CWE-1120 Excessive Code Complexity Class Incomplete
CWE-1121 Excessive McCabe Cyclomatic Complexity Base Incomplete
CWE-1122 Excessive Halstead Complexity Base Incomplete
CWE-1123 Excessive Use of Self-Modifying Code Base Incomplete
CWE-1124 Excessively Deep Nesting Base Incomplete
CWE-1125 Excessive Attack Surface Base Incomplete
CWE-1126 Declaration of Variable with Unnecessarily Wide Scope Base Incomplete
CWE-1127 Compilation with Insufficient Warnings or Errors Base Incomplete
CWE-1164 Irrelevant Code Class Incomplete
CWE-1173 Improper Use of Validation Framework Base Draft
CWE-1174 ASP.NET Misconfiguration: Improper Model Validation Variant Draft
CWE-1176 Inefficient CPU Computation Class Incomplete
CWE-1177 Use of Prohibited Code Class Incomplete
CWE-1188 Initialization of a Resource with an Insecure Default Base Incomplete
CWE-1189 Improper Isolation of Shared Resources on System-on-a-Chip (SoC) Base Stable
CWE-1190 DMA Device Enabled Too Early in Boot Phase Base Draft
CWE-1191 On-Chip Debug and Test Interface With Improper Access Control Base Stable
CWE-1192 Improper Identifier for IP Block used in System-On-Chip (SOC) Base Draft
CWE-1193 Power-On of Untrusted Execution Core Before Enabling Fabric Access Control Base Draft
CWE-1204 Generation of Weak Initialization Vector (IV) Base Incomplete
CWE-1209 Failure to Disable Reserved Bits Base Incomplete
CWE-1220 Insufficient Granularity of Access Control Base Incomplete
CWE-1221 Incorrect Register Defaults or Module Parameters Base Incomplete
CWE-1222 Insufficient Granularity of Address Regions Protected by Register Locks Variant Incomplete
CWE-1223 Race Condition for Write-Once Attributes Base Incomplete
CWE-1224 Improper Restriction of Write-Once Bit Fields Base Incomplete
CWE-1229 Creation of Emergent Resource Class Incomplete
CWE-1230 Exposure of Sensitive Information Through Metadata Base Incomplete
CWE-1231 Improper Prevention of Lock Bit Modification Base Stable
CWE-1232 Improper Lock Behavior After Power State Transition Base Incomplete
CWE-1233 Security-Sensitive Hardware Controls with Missing Lock Bit Protection Base Stable
CWE-1234 Hardware Internal or Debug Modes Allow Override of Locks Base Incomplete
CWE-1235 Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations Base Incomplete
CWE-1236 Improper Neutralization of Formula Elements in a CSV File Base Incomplete
CWE-1239 Improper Zeroization of Hardware Register Variant Draft
CWE-1240 Use of a Cryptographic Primitive with a Risky Implementation Base Draft
CWE-1241 Use of Predictable Algorithm in Random Number Generator Base Draft
CWE-1242 Inclusion of Undocumented Features or Chicken Bits Base Incomplete
CWE-1243 Sensitive Non-Volatile Information Not Protected During Debug Base Incomplete
CWE-1244 Internal Asset Exposed to Unsafe Debug Access Level or State Base Stable
CWE-1245 Improper Finite State Machines (FSMs) in Hardware Logic Base Incomplete
CWE-1246 Improper Write Handling in Limited-write Non-Volatile Memories Base Incomplete
CWE-1247 Improper Protection Against Voltage and Clock Glitches Base Stable
CWE-1248 Semiconductor Defects in Hardware Logic with Security-Sensitive Implications Base Incomplete
CWE-1249 Application-Level Admin Tool with Inconsistent View of Underlying Operating System Base Incomplete
CWE-1250 Improper Preservation of Consistency Between Independent Representations of Shared State Base Incomplete
CWE-1251 Mirrored Regions with Different Values Base Incomplete
CWE-1252 CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations Base Incomplete
CWE-1253 Incorrect Selection of Fuse Values Base Draft
CWE-1254 Incorrect Comparison Logic Granularity Base Draft
CWE-1255 Comparison Logic is Vulnerable to Power Side-Channel Attacks Variant Draft
CWE-1256 Improper Restriction of Software Interfaces to Hardware Features Base Stable
CWE-1257 Improper Access Control Applied to Mirrored or Aliased Memory Regions Base Incomplete
CWE-1258 Exposure of Sensitive System Information Due to Uncleared Debug Information Base Draft
CWE-1259 Improper Restriction of Security Token Assignment Base Incomplete
CWE-1260 Improper Handling of Overlap Between Protected Memory Ranges Base Stable
CWE-1261 Improper Handling of Single Event Upsets Base Draft
CWE-1262 Improper Access Control for Register Interface Base Stable
CWE-1263 Improper Physical Access Control Class Incomplete
CWE-1264 Hardware Logic with Insecure De-Synchronization between Control and Data Channels Base Incomplete
CWE-1265 Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls Base Draft
CWE-1266 Improper Scrubbing of Sensitive Data from Decommissioned Device Base Incomplete
CWE-1267 Policy Uses Obsolete Encoding Base Draft
CWE-1268 Policy Privileges are not Assigned Consistently Between Control and Data Agents Base Draft
CWE-1269 Product Released in Non-Release Configuration Base Incomplete
CWE-1270 Generation of Incorrect Security Tokens Base Incomplete
CWE-1271 Uninitialized Value on Reset for Registers Holding Security Settings Base Incomplete
CWE-1272 Sensitive Information Uncleared Before Debug/Power State Transition Base Stable
CWE-1273 Device Unlock Credential Sharing Base Incomplete
CWE-1274 Improper Access Control for Volatile Memory Containing Boot Code Base Stable
CWE-1275 Sensitive Cookie with Improper SameSite Attribute Variant Incomplete
CWE-1276 Hardware Child Block Incorrectly Connected to Parent System Base Incomplete
CWE-1277 Firmware Not Updateable Base Draft
CWE-1278 Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques Base Incomplete
CWE-1279 Cryptographic Operations are run Before Supporting Units are Ready Base Incomplete
CWE-1280 Access Control Check Implemented After Asset is Accessed Base Incomplete
CWE-1281 Sequence of Processor Instructions Leads to Unexpected Behavior Base Incomplete
CWE-1282 Assumed-Immutable Data is Stored in Writable Memory Base Incomplete
CWE-1283 Mutable Attestation or Measurement Reporting Data Base Incomplete
CWE-1284 Improper Validation of Specified Quantity in Input Base Incomplete
CWE-1285 Improper Validation of Specified Index, Position, or Offset in Input Base Incomplete
CWE-1286 Improper Validation of Syntactic Correctness of Input Base Incomplete
CWE-1287 Improper Validation of Specified Type of Input Base Incomplete
CWE-1288 Improper Validation of Consistency within Input Base Incomplete
CWE-1289 Improper Validation of Unsafe Equivalence in Input Base Incomplete
CWE-1290 Incorrect Decoding of Security Identifiers Base Incomplete
CWE-1291 Public Key Re-Use for Signing both Debug and Production Code Base Draft
CWE-1292 Incorrect Conversion of Security Identifiers Base Draft
CWE-1293 Missing Source Correlation of Multiple Independent Data Base Draft
CWE-1294 Insecure Security Identifier Mechanism Class Incomplete
CWE-1295 Debug Messages Revealing Unnecessary Information Base Incomplete
CWE-1296 Incorrect Chaining or Granularity of Debug Components Base Incomplete
CWE-1297 Unprotected Confidential Information on Device is Accessible by OSAT Vendors Base Incomplete
CWE-1298 Hardware Logic Contains Race Conditions Base Draft
CWE-1299 Missing Protection Mechanism for Alternate Hardware Interface Base Draft
CWE-1300 Improper Protection of Physical Side Channels Base Stable
CWE-1301 Insufficient or Incomplete Data Removal within Hardware Component Base Incomplete
CWE-1302 Missing Source Identifier in Entity Transactions on a System-On-Chip (SOC) Base Incomplete
CWE-1303 Non-Transparent Sharing of Microarchitectural Resources Base Draft
CWE-1304 Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation Base Draft
CWE-1310 Missing Ability to Patch ROM Code Base Draft
CWE-1311 Improper Translation of Security Attributes by Fabric Bridge Base Draft
CWE-1312 Missing Protection for Mirrored Regions in On-Chip Fabric Firewall Base Draft
CWE-1313 Hardware Allows Activation of Test or Debug Logic at Runtime Base Draft
CWE-1314 Missing Write Protection for Parametric Data Values Base Draft
CWE-1315 Improper Setting of Bus Controlling Capability in Fabric End-point Base Incomplete
CWE-1316 Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges Base Draft
CWE-1317 Improper Access Control in Fabric Bridge Base Draft
CWE-1318 Missing Support for Security Features in On-chip Fabrics or Buses Base Incomplete
CWE-1319 Improper Protection against Electromagnetic Fault Injection (EM-FI) Base Incomplete
CWE-1320 Improper Protection for Outbound Error Messages and Alert Signals Base Draft
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') Variant Incomplete
CWE-1322 Use of Blocking Code in Single-threaded, Non-blocking Context Base Incomplete
CWE-1323 Improper Management of Sensitive Trace Data Base Draft
CWE-1325 Improperly Controlled Sequential Memory Allocation Base Incomplete
CWE-1326 Missing Immutable Root of Trust in Hardware Base Draft
CWE-1327 Binding to an Unrestricted IP Address Base Incomplete
CWE-1328 Security Version Number Mutable to Older Versions Base Draft
CWE-1329 Reliance on Component That is Not Updateable Base Incomplete
CWE-1330 Remanent Data Readable after Memory Erase Variant Draft
CWE-1331 Improper Isolation of Shared Resources in Network On Chip (NoC) Base Stable
CWE-1332 Improper Handling of Faults that Lead to Instruction Skips Base Stable
CWE-1333 Inefficient Regular Expression Complexity Base Draft
CWE-1334 Unauthorized Error Injection Can Degrade Hardware Redundancy Base Draft
CWE-1335 Incorrect Bitwise Shift of Integer Base Draft
CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine Base Incomplete
CWE-1338 Improper Protections Against Hardware Overheating Base Draft
CWE-1339 Insufficient Precision or Accuracy of a Real Number Base Draft
CWE-1341 Multiple Releases of Same Resource or Handle Base Incomplete
CWE-1342 Information Exposure through Microarchitectural State after Transient Execution Base Incomplete
CWE-1351 Improper Handling of Hardware Behavior in Exceptionally Cold Environments Base Incomplete
CWE-1357 Reliance on Insufficiently Trustworthy Component Class Incomplete
CWE-1384 Improper Handling of Physical or Environmental Conditions Class Incomplete
CWE-1385 Missing Origin Validation in WebSockets Variant Incomplete
CWE-1386 Insecure Operation on Windows Junction / Mount Point Base Incomplete
CWE-1389 Incorrect Parsing of Numbers with Different Radices Base Incomplete
CWE-1390 Weak Authentication Class Incomplete
CWE-1391 Use of Weak Credentials Class Incomplete
CWE-1392 Use of Default Credentials Base Incomplete
CWE-1393 Use of Default Password Base Incomplete
CWE-1394 Use of Default Cryptographic Key Base Incomplete
CWE-1395 Dependency on Vulnerable Third-Party Component Class Incomplete
CWE-1419 Incorrect Initialization of Resource Class Incomplete
CWE-1420 Exposure of Sensitive Information during Transient Execution Base Incomplete
CWE-1421 Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution Base Incomplete
CWE-1422 Exposure of Sensitive Information caused by Incorrect Data Forwarding during Transient Execution Base Incomplete
CWE-1423 Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution Base Incomplete
CWE-1426 Improper Validation of Generative AI Output Base Incomplete
CWE-1427 Improper Neutralization of Input Used for LLM Prompting Base Incomplete
CWE-1428 Reliance on HTTP instead of HTTPS Base Incomplete
CWE-1429 Missing Security-Relevant Feedback for Unexecuted Operations in Hardware Interface Base Incomplete
CWE-1431 Driving Intermediate Cryptographic State/Results to Hardware Module Outputs Base Incomplete
CWE-1434 Insecure Setting of Generative AI/ML Model Inference Parameters Base Draft