CWE Weakness Browser
Common Weakness Enumeration (CWE): a community-developed list of software and hardware security weaknesses
Total weaknesses: 969
Categories: 410
Views: 56
CWE weakness tree structure (each entry gives the CWE ID, its name, and its abstraction level: Pillar, Class, Base, Variant or Compound)
CWE-1023: Incomplete Comparison with Missing Factors [Class]
CWE-184: Incomplete List of Disallowed Inputs [Base]
CWE-692: Incomplete Denylist to Cross-Site Scripting [Compound]
CWE-187: Partial String Comparison [Variant]
CWE-478: Missing Default Case in Multiple Condition Expression [Base]
CWE-839: Numeric Range Comparison Without Minimum Check [Base]
CWE-1038: Insecure Automated Optimizations [Class]
CWE-1037: Processor Optimization Removal or Modification of Security-critical Code [Base]
CWE-733: Compiler Optimization Removal or Modification of Security-critical Code [Base]
CWE-14: Compiler Removal of Code to Clear Buffers [Variant]
CWE-1039: Inadequate Detection or Handling of Adversarial Input Perturbations in Automated Recognition Mechanism [Class]
CWE-1059: Insufficient Technical Documentation [Class]
CWE-1053: Missing Documentation for Design [Base]
CWE-1110: Incomplete Design Documentation [Base]
CWE-1111: Incomplete I/O Documentation [Base]
CWE-1112: Incomplete Documentation of Program Execution [Base]
CWE-1118: Insufficient Documentation of Error Handling Techniques [Base]
CWE-1061: Insufficient Encapsulation [Class]
CWE-1054: Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer [Base]
CWE-1057: Data Access Operations Outside of Expected Data Manager Component [Base]
CWE-1062: Parent Class with References to Child Class [Base]
CWE-1083: Data Access from Outside Expected Data Manager Component [Base]
CWE-1090: Method Containing Access of a Member Element from Another Class [Base]
CWE-1100: Insufficient Isolation of System-Dependent Functions [Base]
CWE-1105: Insufficient Encapsulation of Machine-Dependent Functionality [Base]
CWE-188: Reliance on Data/Memory Layout [Base]
CWE-198: Use of Incorrect Byte Ordering [Variant]
CWE-766: Critical Data Element Declared Public [Base]
CWE-1076: Insufficient Adherence to Expected Conventions [Class]
CWE-1045: Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor [Base]
CWE-1070: Serializable Data Element Containing non-Serializable Item Elements [Base]
CWE-1078: Inappropriate Source Code Style or Formatting [Class]
CWE-1085: Invokable Control Element with Excessive Volume of Commented-out Code [Base]
CWE-1099: Inconsistent Naming Conventions for Identifiers [Base]
CWE-1106: Insufficient Use of Symbolic Constants [Base]
CWE-1107: Insufficient Isolation of Symbolic Constant Definitions [Base]
CWE-1109: Use of Same Variable for Multiple Purposes [Base]
CWE-1113: Inappropriate Comment Style [Base]
CWE-1114: Inappropriate Whitespace Style [Base]
CWE-1115: Source Code Element without Standard Prologue [Base]
CWE-1116: Inaccurate Comments [Base]
CWE-1117: Callable with Insufficient Behavioral Summary [Base]
CWE-546: Suspicious Comment [Variant]
CWE-547: Use of Hard-coded, Security-relevant Constants [Base]
CWE-1079: Parent Class without Virtual Destructor Method [Base]
CWE-1082: Class Instance Self Destruction Control Element [Base]
CWE-1087: Class with Virtual Method without a Virtual Destructor [Base]
CWE-1091: Use of Object without Invoking Destructor Method [Base]
CWE-1097: Persistent Storable Data Element without Associated Comparison Control Element [Base]
CWE-1098: Data Element containing Pointer Item without Proper Copy Control Element [Base]
CWE-1108: Excessive Reliance on Global Variables [Base]
CWE-586: Explicit Call to Finalize() [Base]
CWE-594: J2EE Framework: Saving Unserializable Objects to Disk [Variant]
CWE-1093: Excessively Complex Data Representation [Class]
CWE-1043: Data Element Aggregating an Excessively Large Number of Non-Primitive Elements [Base]
CWE-1055: Multiple Inheritance from Concrete Classes [Base]
CWE-1074: Class with Excessively Deep Inheritance [Base]
CWE-1086: Class with Excessive Number of Child Classes [Base]
CWE-1120: Excessive Code Complexity [Class]
CWE-1047: Modules with Circular Dependencies [Base]
CWE-1056: Invokable Control Element with Variadic Parameters [Base]
CWE-1060: Excessive Number of Inefficient Server-Side Data Accesses [Base]
CWE-1064: Invokable Control Element with Signature Containing an Excessive Number of Parameters [Base]
CWE-1075: Unconditional Control Flow Transfer outside of Switch Block [Base]
CWE-1080: Source Code File with Excessive Number of Lines of Code [Base]
CWE-1095: Loop Condition Value Update within the Loop [Base]
CWE-1119: Excessive Use of Unconditional Branching [Base]
CWE-1121: Excessive McCabe Cyclomatic Complexity [Base]
CWE-1122: Excessive Halstead Complexity [Base]
CWE-1123: Excessive Use of Self-Modifying Code [Base]
CWE-1124: Excessively Deep Nesting [Base]
CWE-1125: Excessive Attack Surface [Base]
CWE-114: Process Control [Class]
CWE-116: Improper Encoding or Escaping of Output [Class]
CWE-117: Improper Output Neutralization for Logs [Base]
CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax [Variant]
CWE-838: Inappropriate Encoding for Output Context [Base]
CWE-1164: Irrelevant Code [Class]
CWE-107: Struts: Unused Validation Form [Variant]
CWE-1071: Empty Code Block [Base]
CWE-1069: Empty Exception Block [Variant]
CWE-585: Empty Synchronized Block [Variant]
CWE-110: Struts: Validator Without Form Field [Variant]
CWE-561: Dead Code [Base]
CWE-563: Assignment to Variable without Use [Base]
CWE-1176: Inefficient CPU Computation [Class]
CWE-1042: Static Member Data Element outside of a Singleton Class Element [Variant]
CWE-1046: Creation of Immutable Text Using String Concatenation [Base]
CWE-1049: Excessive Data Query Operations in a Large Data Table [Base]
CWE-1063: Creation of Class Instance within a Static Code Block [Base]
CWE-1067: Excessive Execution of Sequential Searches of Data Resource [Base]
CWE-1177: Use of Prohibited Code [Class]
CWE-242: Use of Inherently Dangerous Function [Base]
CWE-676: Use of Potentially Dangerous Function [Base]
CWE-785: Use of Path Manipulation Function without Maximum-sized Buffer [Variant]
CWE-118: Incorrect Access of Indexable Resource ('Range Error') [Class]
CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer [Class]
CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') [Base]
CWE-123: Write-what-where Condition [Base]
CWE-125: Out-of-bounds Read [Base]
CWE-126: Buffer Over-read [Variant]
CWE-127: Buffer Under-read [Variant]
CWE-130: Improper Handling of Length Parameter Inconsistency [Base]
CWE-466: Return of Pointer Value Outside of Expected Range [Base]
CWE-786: Access of Memory Location Before Start of Buffer [Base]
CWE-124: Buffer Underwrite ('Buffer Underflow') [Base]
CWE-787: Out-of-bounds Write [Base]
CWE-121: Stack-based Buffer Overflow [Variant]
CWE-122: Heap-based Buffer Overflow [Variant]
CWE-788: Access of Memory Location After End of Buffer [Base]
CWE-805: Buffer Access with Incorrect Length Value [Base]
CWE-806: Buffer Access Using Size of Source Buffer [Variant]
CWE-822: Untrusted Pointer Dereference [Base]
CWE-823: Use of Out-of-range Pointer Offset [Base]
CWE-824: Access of Uninitialized Pointer [Base]
CWE-825: Expired Pointer Dereference [Base]
CWE-415: Double Free [Variant]
CWE-416: Use After Free [Variant]
CWE-1187: DEPRECATED: Use of Uninitialized Resource [Base]
CWE-1229: Creation of Emergent Resource [Class]
CWE-514: Covert Channel [Class]
CWE-385: Covert Timing Channel [Base]
CWE-515: Covert Storage Channel [Base]
CWE-1263: Improper Physical Access Control [Class]
CWE-1243: Sensitive Non-Volatile Information Not Protected During Debug [Base]
CWE-1294: Insecure Security Identifier Mechanism [Class]
CWE-1259: Improper Restriction of Security Token Assignment [Base]
CWE-1270: Generation of Incorrect Security Tokens [Base]
CWE-1290: Incorrect Decoding of Security Identifiers [Base]
CWE-1292: Incorrect Conversion of Security Identifiers [Base]
CWE-1302: Missing Source Identifier in Entity Transactions on a System-On-Chip (SOC) [Base]
CWE-132: DEPRECATED: Miscalculated Null Termination [Base]
CWE-1324: DEPRECATED: Sensitive Information Accessible by Physical Probing of JTAG Interface [Base]
CWE-1357: Reliance on Insufficiently Trustworthy Component [Class]
CWE-1104: Use of Unmaintained Third Party Components [Base]
CWE-1329: Reliance on Component That is Not Updateable [Base]
CWE-1277: Firmware Not Updateable [Base]
CWE-1310: Missing Ability to Patch ROM Code [Base]
CWE-138: Improper Neutralization of Special Elements [Class]
CWE-140: Improper Neutralization of Delimiters [Base]
CWE-141: Improper Neutralization of Parameter/Argument Delimiters [Variant]
CWE-142: Improper Neutralization of Value Delimiters [Variant]
CWE-143: Improper Neutralization of Record Delimiters [Variant]
CWE-144: Improper Neutralization of Line Delimiters [Variant]
CWE-145: Improper Neutralization of Section Delimiters [Variant]
CWE-146: Improper Neutralization of Expression/Command Delimiters [Variant]
CWE-147: Improper Neutralization of Input Terminators [Variant]
CWE-626: Null Byte Interaction Error (Poison Null Byte) [Variant]
CWE-148: Improper Neutralization of Input Leaders [Variant]
CWE-149: Improper Neutralization of Quoting Syntax [Variant]
CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences [Variant]
CWE-151: Improper Neutralization of Comment Delimiters [Variant]
CWE-152: Improper Neutralization of Macro Symbols [Variant]
CWE-153: Improper Neutralization of Substitution Characters [Variant]
CWE-154: Improper Neutralization of Variable Name Delimiters [Variant]
CWE-155: Improper Neutralization of Wildcards or Matching Symbols [Variant]
CWE-56: Path Equivalence: 'filedir*' (Wildcard) [Variant]
CWE-156: Improper Neutralization of Whitespace [Variant]
CWE-157: Failure to Sanitize Paired Delimiters [Variant]
CWE-158: Improper Neutralization of Null Byte or NUL Character [Variant]
CWE-159: Improper Handling of Invalid Use of Special Elements [Class]
CWE-166: Improper Handling of Missing Special Element [Base]
CWE-167: Improper Handling of Additional Special Element [Base]
CWE-168: Improper Handling of Inconsistent Special Elements [Base]
CWE-160: Improper Neutralization of Leading Special Elements [Variant]
CWE-161: Improper Neutralization of Multiple Leading Special Elements [Variant]
CWE-50: Path Equivalence: '//multiple/leading/slash' [Variant]
CWE-37: Path Traversal: '/absolute/pathname/here' [Variant]
CWE-162: Improper Neutralization of Trailing Special Elements [Variant]
CWE-163: Improper Neutralization of Multiple Trailing Special Elements [Variant]
CWE-43: Path Equivalence: 'filename....' (Multiple Trailing Dot) [Variant]
CWE-52: Path Equivalence: '/multiple/trailing/slash//' [Variant]
CWE-42: Path Equivalence: 'filename.' (Trailing Dot) [Variant]
CWE-46: Path Equivalence: 'filename ' (Trailing Space) [Variant]
CWE-49: Path Equivalence: 'filename/' (Trailing Slash) [Variant]
CWE-54: Path Equivalence: 'filedir\' (Trailing Backslash) [Variant]
CWE-164: Improper Neutralization of Internal Special Elements [Variant]
CWE-165: Improper Neutralization of Multiple Internal Special Elements [Variant]
CWE-45: Path Equivalence: 'file...name' (Multiple Internal Dot) [Variant]
CWE-53: Path Equivalence: '\multiple\\internal\backslash' [Variant]
CWE-464: Addition of Data Structure Sentinel [Base]
CWE-790: Improper Filtering of Special Elements [Class]
CWE-791: Incomplete Filtering of Special Elements [Base]
CWE-792: Incomplete Filtering of One or More Instances of Special Elements [Variant]
CWE-793: Only Filtering One Instance of a Special Element [Variant]
CWE-794: Incomplete Filtering of Multiple Instances of Special Elements [Variant]
CWE-795: Only Filtering Special Elements at a Specified Location [Base]
CWE-796: Only Filtering Special Elements Relative to a Marker [Variant]
CWE-797: Only Filtering Special Elements at an Absolute Position [Variant]
CWE-1384: Improper Handling of Physical or Environmental Conditions [Class]
CWE-1247: Improper Protection Against Voltage and Clock Glitches [Base]
CWE-1261: Improper Handling of Single Event Upsets [Base]
CWE-1332: Improper Handling of Faults that Lead to Instruction Skips [Base]
CWE-1351: Improper Handling of Hardware Behavior in Exceptionally Cold Environments [Base]
CWE-1390: Weak Authentication [Class]
CWE-1391: Use of Weak Credentials [Class]
CWE-1392: Use of Default Credentials [Base]
CWE-1393: Use of Default Password [Base]
CWE-1394: Use of Default Cryptographic Key [Base]
CWE-521: Weak Password Requirements [Base]
CWE-258: Empty Password in Configuration File [Variant]
CWE-798: Use of Hard-coded Credentials [Base]
CWE-259: Use of Hard-coded Password [Variant]
CWE-321: Use of Hard-coded Cryptographic Key [Variant]
CWE-262: Not Using Password Aging [Base]
CWE-263: Password Aging with Long Expiration [Base]
CWE-289: Authentication Bypass by Alternate Name [Base]
CWE-290: Authentication Bypass by Spoofing [Base]
CWE-291: Reliance on IP Address for Authentication [Variant]
CWE-293: Using Referer Field for Authentication [Variant]
CWE-350: Reliance on Reverse DNS Resolution for a Security-Critical Action [Variant]
CWE-294: Authentication Bypass by Capture-replay [Base]
CWE-301: Reflection Attack in an Authentication Protocol [Base]
CWE-302: Authentication Bypass by Assumed-Immutable Data [Base]
CWE-303: Incorrect Implementation of Authentication Algorithm [Base]
CWE-304: Missing Critical Step in Authentication [Base]
CWE-305: Authentication Bypass by Primary Weakness [Base]
CWE-307: Improper Restriction of Excessive Authentication Attempts [Base]
CWE-308: Use of Single-factor Authentication [Base]
CWE-309: Use of Password System for Primary Authentication [Base]
CWE-522: Insufficiently Protected Credentials [Class]
CWE-256: Plaintext Storage of a Password [Base]
CWE-257: Storing Passwords in a Recoverable Format [Base]
CWE-260: Password in Configuration File [Base]
CWE-13: ASP.NET Misconfiguration: Password in Configuration File [Variant]
CWE-555: J2EE Misconfiguration: Plaintext Password in Configuration File [Variant]
CWE-261: Weak Encoding for Password [Base]
CWE-523: Unprotected Transport of Credentials [Base]
CWE-549: Missing Password Field Masking [Base]
CWE-593: Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created [Variant]
CWE-603: Use of Client-Side Authentication [Base]
CWE-620: Unverified Password Change [Base]
CWE-640: Weak Password Recovery Mechanism for Forgotten Password [Base]
CWE-804: Guessable CAPTCHA [Base]
CWE-836: Use of Password Hash Instead of Password for Authentication [Base]
CWE-1395: Dependency on Vulnerable Third-Party Component [Class]
CWE-1419: Incorrect Initialization of Resource [Class]
CWE-1051: Initialization with Hard-Coded Network Resource Configuration Data [Base]
CWE-1052: Excessive Use of Hard-Coded Literals in Initialization [Base]
CWE-1188: Initialization of a Resource with an Insecure Default [Base]
CWE-453: Insecure Default Variable Initialization [Variant]
CWE-1221: Incorrect Register Defaults or Module Parameters [Base]
CWE-454: External Initialization of Trusted Variables or Data Stores [Base]
CWE-172: Encoding Error [Class]
CWE-173: Improper Handling of Alternate Encoding [Variant]
CWE-174: Double Decoding of the Same Data [Variant]
CWE-175: Improper Handling of Mixed Encoding [Variant]
CWE-176: Improper Handling of Unicode Encoding [Variant]
CWE-177: Improper Handling of URL Encoding (Hex Encoding) [Variant]
CWE-185: Incorrect Regular Expression [Class]
CWE-186: Overly Restrictive Regular Expression [Base]
CWE-625: Permissive Regular Expression [Base]
CWE-777: Regular Expression without Anchors [Variant]
CWE-20: Improper Input Validation [Class]
CWE-102: Struts: Duplicate Validation Forms [Variant]
CWE-103: Struts: Incomplete validate() Method Definition [Variant]
CWE-104: Struts: Form Bean Does Not Extend Validation Class [Variant]
CWE-105: Struts: Form Field Without Validator [Variant]
CWE-106: Struts: Plug-in Framework not in Use [Variant]
CWE-108: Struts: Unvalidated Action Form [Variant]
CWE-109: Struts: Validator Turned Off [Variant]
CWE-111: Direct Use of Unsafe JNI [Variant]
CWE-112: Missing XML Validation [Base]
CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') [Variant]
CWE-1173: Improper Use of Validation Framework [Base]
CWE-1174: ASP.NET Misconfiguration: Improper Model Validation [Variant]
CWE-554: ASP.NET Misconfiguration: Not Using Input Validation Framework [Variant]
CWE-1284: Improper Validation of Specified Quantity in Input [Base]
CWE-606: Unchecked Input for Loop Condition [Base]
CWE-1285: Improper Validation of Specified Index, Position, or Offset in Input [Base]
CWE-129: Improper Validation of Array Index [Variant]
CWE-781: Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code [Variant]
CWE-1286: Improper Validation of Syntactic Correctness of Input [Base]
CWE-1287: Improper Validation of Specified Type of Input [Base]
CWE-1288: Improper Validation of Consistency within Input [Base]
CWE-1289: Improper Validation of Unsafe Equivalence in Input [Base]
CWE-134: Use of Externally-Controlled Format String [Base]
CWE-15: External Control of System or Configuration Setting [Base]
CWE-170: Improper Null Termination [Base]
CWE-179: Incorrect Behavior Order: Early Validation [Base]
CWE-180: Incorrect Behavior Order: Validate Before Canonicalize [Variant]
CWE-181: Incorrect Behavior Order: Validate Before Filter [Variant]
CWE-190: Integer Overflow or Wraparound [Base]
CWE-680: Integer Overflow to Buffer Overflow [Compound]
CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') [Base]
CWE-622: Improper Validation of Function Hook Arguments [Variant]
CWE-73: External Control of File Name or Path [Base]
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor [Class]
CWE-1258: Exposure of Sensitive System Information Due to Uncleared Debug Information [Base]
CWE-1273: Device Unlock Credential Sharing [Base]
CWE-1295: Debug Messages Revealing Unnecessary Information [Base]
CWE-1431: Driving Intermediate Cryptographic State/Results to Hardware Module Outputs [Base]
CWE-201: Insertion of Sensitive Information Into Sent Data [Base]
CWE-598: Use of GET Request Method With Sensitive Query Strings [Variant]
CWE-203: Observable Discrepancy [Base]
CWE-1300: Improper Protection of Physical Side Channels [Base]
CWE-1255: Comparison Logic is Vulnerable to Power Side-Channel Attacks [Variant]
CWE-1303: Non-Transparent Sharing of Microarchitectural Resources [Base]
CWE-204: Observable Response Discrepancy [Base]
CWE-205: Observable Behavioral Discrepancy [Base]
CWE-206: Observable Internal Behavioral Discrepancy [Variant]
CWE-207: Observable Behavioral Discrepancy With Equivalent Products [Variant]
CWE-208: Observable Timing Discrepancy [Base]
CWE-1254: Incorrect Comparison Logic Granularity [Base]
CWE-209: Generation of Error Message Containing Sensitive Information [Base]
CWE-210: Self-generated Error Message Containing Sensitive Information [Base]
CWE-211: Externally-Generated Error Message Containing Sensitive Information [Base]
CWE-535: Exposure of Information Through Shell Error Message [Variant]
CWE-536: Servlet Runtime Error Message Containing Sensitive Information [Variant]
CWE-537: Java Runtime Error Message Containing Sensitive Information [Variant]
CWE-550: Server-generated Error Message Containing Sensitive Information [Variant]
CWE-213: Exposure of Sensitive Information Due to Incompatible Policies [Base]
CWE-215: Insertion of Sensitive Information Into Debugging Code [Base]
CWE-359: Exposure of Private Personal Information to an Unauthorized Actor [Base]
CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere [Base]
CWE-214: Invocation of Process Using Visible Sensitive Information [Base]
CWE-548: Exposure of Information Through Directory Listing [Variant]
CWE-532: Insertion of Sensitive Information into Log File [Base]
CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory [Base]
CWE-540: Inclusion of Sensitive Information in Source Code [Base]
CWE-531: Inclusion of Sensitive Information in Test Code [Variant]
CWE-541: Inclusion of Sensitive Information in an Include File [Variant]
CWE-615: Inclusion of Sensitive Information in Source Code Comments [Variant]
CWE-651: Exposure of WSDL File Containing Sensitive Information [Variant]
CWE-216: DEPRECATED: Containment Errors (Container Errors) [Class]
CWE-217: DEPRECATED: Failure to Protect Stored Data from Modification [Base]
CWE-218: DEPRECATED: Failure to provide confidentiality for stored data [Base]
CWE-221: Information Loss or Omission [Class]
CWE-222: Truncation of Security-relevant Information [Base]
CWE-223: Omission of Security-relevant Information [Base]
CWE-1429: Missing Security-Relevant Feedback for Unexecuted Operations in Hardware Interface [Base]
CWE-778: Insufficient Logging [Base]
CWE-224: Obscured Security-relevant Information by Alternate Name [Base]
CWE-356: Product UI does not Warn User of Unsafe Actions [Base]
CWE-396: Declaration of Catch for Generic Exception [Base]
CWE-397: Declaration of Throws for Generic Exception [Base]
CWE-451: User Interface (UI) Misrepresentation of Critical Information [Class]
CWE-1007: Insufficient Visual Distinction of Homoglyphs Presented to User [Base]
CWE-1021: Improper Restriction of Rendered UI Layers or Frames [Base]
CWE-225: DEPRECATED: General Information Management Problems [Base]
CWE-228: Improper Handling of Syntactically Invalid Structure [Class]
CWE-229: Improper Handling of Values [Base]
CWE-230: Improper Handling of Missing Values [Variant]
CWE-231: Improper Handling of Extra Values [Variant]
CWE-232: Improper Handling of Undefined Values [Variant]
CWE-233: Improper Handling of Parameters [Base]
CWE-234: Failure to Handle Missing Parameter [Variant]
CWE-235: Improper Handling of Extra Parameters [Variant]
CWE-236: Improper Handling of Undefined Parameters [Variant]
CWE-237: Improper Handling of Structural Elements [Base]
CWE-238: Improper Handling of Incomplete Structural Elements [Variant]
CWE-239: Failure to Handle Incomplete Element [Variant]
CWE-240: Improper Handling of Inconsistent Structural Elements [Base]
CWE-241: Improper Handling of Unexpected Data Type [Base]
CWE-247: DEPRECATED: Reliance on DNS Lookups in a Security Decision [Base]
CWE-249: DEPRECATED: Often Misused: Path Manipulation [Variant]
CWE-269: Improper Privilege Management [Class]
CWE-250: Execution with Unnecessary Privileges [Base]
CWE-266: Incorrect Privilege Assignment [Base]
CWE-1022: Use of Web Link to Untrusted Target with window.opener Access [Variant]
CWE-520: .NET Misconfiguration: Use of Impersonation [Variant]
CWE-556: ASP.NET Misconfiguration: Use of Identity Impersonation [Variant]
CWE-9: J2EE Misconfiguration: Weak Access Permissions for EJB Methods [Variant]
CWE-267: Privilege Defined With Unsafe Actions [Base]
CWE-623: Unsafe ActiveX Control Marked Safe For Scripting [Variant]
CWE-268: Privilege Chaining [Base]
CWE-270: Privilege Context Switching Error [Base]
CWE-271: Privilege Dropping / Lowering Errors [Class]
CWE-272: Least Privilege Violation [Base]
CWE-273: Improper Check for Dropped Privileges [Base]
CWE-274: Improper Handling of Insufficient Privileges [Base]
CWE-648: Incorrect Use of Privileged APIs [Base]
CWE-282: Improper Ownership Management [Class]
CWE-283: Unverified Ownership [Base]
CWE-708: Incorrect Ownership Assignment [Base]
CWE-284: Improper Access Control [Pillar]
CWE-1191: On-Chip Debug and Test Interface With Improper Access Control [Base]
CWE-1220: Insufficient Granularity of Access Control [Base]
CWE-1222: Insufficient Granularity of Address Regions Protected by Register Locks [Variant]
CWE-1224: Improper Restriction of Write-Once Bit Fields [Base]
CWE-1231: Improper Prevention of Lock Bit Modification [Base]
CWE-1233: Security-Sensitive Hardware Controls with Missing Lock Bit Protection [Base]
CWE-1252: CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations [Base]
CWE-1257: Improper Access Control Applied to Mirrored or Aliased Memory Regions [Base]
CWE-1260: Improper Handling of Overlap Between Protected Memory Ranges [Base]
CWE-1262: Improper Access Control for Register Interface [Base]
CWE-1267: Policy Uses Obsolete Encoding [Base]
CWE-1268: Policy Privileges are not Assigned Consistently Between Control and Data Agents [Base]
CWE-1274: Improper Access Control for Volatile Memory Containing Boot Code [Base]
CWE-1276: Hardware Child Block Incorrectly Connected to Parent System [Base]
CWE-1280: Access Control Check Implemented After Asset is Accessed [Base]
CWE-1283: Mutable Attestation or Measurement Reporting Data [Base]
CWE-1296: Incorrect Chaining or Granularity of Debug Components [Base]
CWE-1304: Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation [Base]
CWE-1311: Improper Translation of Security Attributes by Fabric Bridge [Base]
CWE-1312: Missing Protection for Mirrored Regions in On-Chip Fabric Firewall [Base]
CWE-1313: Hardware Allows Activation of Test or Debug Logic at Runtime [Base]
CWE-1315: Improper Setting of Bus Controlling Capability in Fabric End-point [Base]
CWE-1316: Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges [Base]
CWE-1317: Improper Access Control in Fabric Bridge [Base]
CWE-1320: Improper Protection for Outbound Error Messages and Alert Signals [Base]
CWE-1323: Improper Management of Sensitive Trace Data [Base]
CWE-1334: Unauthorized Error Injection Can Degrade Hardware Redundancy [Base]
CWE-285: Improper Authorization [Class]
CWE-1230: Exposure of Sensitive Information Through Metadata [Base]
CWE-202: Exposure of Sensitive Information Through Data Queries [Base]
CWE-612: Improper Authorization of Index Containing Sensitive Information [Base]
CWE-1256: Improper Restriction of Software Interfaces to Hardware Features [Base]
CWE-1297: Unprotected Confidential Information on Device is Accessible by OSAT Vendors [Base]
CWE-1328: Security Version Number Mutable to Older Versions [Base]
CWE-552: Files or Directories Accessible to External Parties [Base]
CWE-219: Storage of File with Sensitive Data Under Web Root [Variant]
CWE-433: Unparsed Raw Web Content Delivery [Variant]
CWE-220: Storage of File With Sensitive Data Under FTP Root [Variant]
CWE-527: Exposure of Version-Control Repository to an Unauthorized Control Sphere [Variant]
CWE-528: Exposure of Core Dump File to an Unauthorized Control Sphere [Variant]
CWE-529: Exposure of Access Control List Files to an Unauthorized Control Sphere [Variant]
CWE-530: Exposure of Backup File to an Unauthorized Control Sphere [Variant]
CWE-539: Use of Persistent Cookies Containing Sensitive Information [Variant]
CWE-553: Command Shell in Externally Accessible Directory [Variant]
CWE-732: Incorrect Permission Assignment for Critical Resource [Class]
CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag [Variant]
CWE-276: Incorrect Default Permissions [Base]
CWE-277: Insecure Inherited Permissions [Variant]
CWE-278: Insecure Preserved Inherited Permissions [Variant]
CWE-279: Incorrect Execution-Assigned Permissions [Variant]
CWE-281: Improper Preservation of Permissions [Base]
CWE-862: Missing Authorization [Class]
CWE-1314: Missing Write Protection for Parametric Data Values [Base]
CWE-425: Direct Request ('Forced Browsing') [Base]
CWE-638: Not Using Complete Mediation [Class]
CWE-424: Improper Protection of Alternate Path [Class]
CWE-939: Improper Authorization in Handler for Custom URL Scheme [Base]
CWE-863: Incorrect Authorization [Class]
CWE-1244: Internal Asset Exposed to Unsafe Debug Access Level or State [Base]
CWE-551: Incorrect Behavior Order: Authorization Before Parsing and Canonicalization [Base]
CWE-639: Authorization Bypass Through User-Controlled Key [Base]
CWE-566: Authorization Bypass Through User-Controlled SQL Primary Key [Variant]
CWE-647: Use of Non-Canonical URL Paths for Authorization Decisions [Variant]
CWE-942: Permissive Cross-domain Security Policy with Untrusted Domains [Variant]
CWE-926: Improper Export of Android Application Components [Variant]
CWE-927: Use of Implicit Intent for Sensitive Communication [Variant]
CWE-286: Incorrect User Management [Class]
CWE-842: Placement of User into Incorrect Group [Base]
CWE-287: Improper Authentication [Class]
CWE-295: Improper Certificate Validation [Base]
CWE-296: Improper Following of a Certificate's Chain of Trust [Base]
CWE-297: Improper Validation of Certificate with Host Mismatch [Variant]
CWE-298: Improper Validation of Certificate Expiration [Variant]
CWE-299: Improper Check for Certificate Revocation [Base]
CWE-370: Missing Check for Certificate Revocation after Initial Check [Variant]
CWE-599: Missing Validation of OpenSSL Certificate [Variant]
CWE-306: Missing Authentication for Critical Function [Base]
CWE-288: Authentication Bypass Using an Alternate Path or Channel [Base]
CWE-1299: Missing Protection Mechanism for Alternate Hardware Interface [Base]
CWE-322: Key Exchange without Entity Authentication [Base]
CWE-645: Overly Restrictive Account Lockout Mechanism [Base]
CWE-346: Origin Validation Error [Class]
CWE-1385: Missing Origin Validation in WebSockets [Variant]
CWE-940: Improper Verification of Source of a Communication Channel [Base]
CWE-925: Improper Verification of Intent by Broadcast Receiver [Variant]
CWE-749: Exposed Dangerous Method or Function [Base]
CWE-618: Exposed Unsafe ActiveX Method [Variant]
CWE-782: Exposed IOCTL with Insufficient Access Control [Variant]
CWE-923: Improper Restriction of Communication Channel to Intended Endpoints [Class]
CWE-1275: Sensitive Cookie with Improper SameSite Attribute [Variant]
CWE-300: Channel Accessible by Non-Endpoint [Class]
CWE-419: Unprotected Primary Channel [Base]
CWE-420: Unprotected Alternate Channel [Base]
CWE-421: Race Condition During Access to Alternate Channel [Base]
CWE-422: Unprotected Windows Messaging Channel ('Shatter') [Variant]
CWE-941: Incorrectly Specified Destination in a Communication Channel [Base]
CWE-292: DEPRECATED: Trusting Self-reported DNS Name [Variant]
CWE-311: Missing Encryption of Sensitive Data [Class]
CWE-312: Cleartext Storage of Sensitive Information [Base]
CWE-313: Cleartext Storage in a File or on Disk [Variant]
CWE-314: Cleartext Storage in the Registry [Variant]
CWE-315: Cleartext Storage of Sensitive Information in a Cookie [Variant]
CWE-316: Cleartext Storage of Sensitive Information in Memory [Variant]
CWE-317: Cleartext Storage of Sensitive Information in GUI [Variant]
CWE-318: Cleartext Storage of Sensitive Information in Executable [Variant]
CWE-526: Cleartext Storage of Sensitive Information in an Environment Variable [Variant]
CWE-319: Cleartext Transmission of Sensitive Information [Base]
CWE-1428: Reliance on HTTP instead of HTTPS [Base]
CWE-5: J2EE Misconfiguration: Data Transmission Without Encryption [Variant]
CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute [Variant]
CWE-326: Inadequate Encryption Strength [Class]
CWE-328: Use of Weak Hash [Base]
CWE-916: Use of Password Hash With Insufficient Computational Effort [Base]
CWE-759: Use of a One-Way Hash without a Salt [Variant]
CWE-760: Use of a One-Way Hash with a Predictable Salt [Variant]
CWE-327: Use of a Broken or Risky Cryptographic Algorithm [Class]
CWE-1240: Use of a Cryptographic Primitive with a Risky Implementation [Base]
CWE-780: Use of RSA Algorithm without OAEP [Variant]
CWE-330: Use of Insufficiently Random Values [Class]
CWE-1204: Generation of Weak Initialization Vector (IV) [Base]
CWE-329: Generation of Predictable IV with CBC Mode [Variant]
CWE-1241: Use of Predictable Algorithm in Random Number Generator [Base]
CWE-331: Insufficient Entropy [Base]
CWE-332: Insufficient Entropy in PRNG [Variant]
CWE-333: Improper Handling of Insufficient Entropy in TRNG [Variant]
CWE-334: Small Space of Random Values [Base]
CWE-6: J2EE Misconfiguration: Insufficient Session-ID Length [Variant]
CWE-335: Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) [Base]
CWE-336: Same Seed in Pseudo-Random Number Generator (PRNG) [Variant]
CWE-337: Predictable Seed in Pseudo-Random Number Generator (PRNG) [Variant]
CWE-339: Small Seed Space in PRNG [Variant]
CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) [Base]
CWE-340: Generation of Predictable Numbers or Identifiers [Class]
CWE-341: Predictable from Observable State [Base]
CWE-342: Predictable Exact Value from Previous Values [Base]
CWE-343: Predictable Value Range from Previous Values [Base]
CWE-344: Use of Invariant Value in Dynamically Changing Context [Base]
CWE-323: Reusing a Nonce, Key Pair in Encryption [Base]
CWE-587: Assignment of a Fixed Address to a Pointer [Variant]
CWE-345: Insufficient Verification of Data Authenticity [Class]
CWE-1293: Missing Source Correlation of Multiple Independent Data [Base]
CWE-347: Improper Verification of Cryptographic Signature [Base]
CWE-348: Use of Less Trusted Source [Base]
CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data [Base]
CWE-351: Insufficient Type Distinction [Base]
CWE-352: Cross-Site Request Forgery (CSRF) [Compound]
CWE-353: Missing Support for Integrity Check [Base]
CWE-354: Improper Validation of Integrity Check Value [Base]
CWE-360: Trust of System Event Data [Base]
CWE-494: Download of Code Without Integrity Check [Base]
CWE-616: Incomplete Identification of Uploaded File Variables (PHP) [Variant]
CWE-646: Reliance on File Name or Extension of Externally-Supplied File [Variant]
CWE-649: Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking [Base]
CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel [Base]
CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') [Class]
CWE-1223: Race Condition for Write-Once Attributes [Base]
CWE-1298: Hardware Logic Contains Race Conditions [Base]
CWE-364: Signal Handler Race Condition [Base]
CWE-432: Dangerous Signal Handler not Disabled During Sensitive Operations [Base]
CWE-828: Signal Handler with Functionality that is not Asynchronous-Safe [Variant]
CWE-479: Signal Handler Use of a Non-reentrant Function [Variant]
CWE-831: Signal Handler Function Associated with Multiple Signals [Variant]
CWE-366: Race Condition within a Thread [Base]
CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition [Base]
CWE-363
Race Condition Enabling Link Following
Base
CWE-368
Context Switching Race Condition
Base
CWE-689
Permission Race Condition During Resource Copy
Compound
CWE-365
DEPRECATED: Race Condition in Switch
Base
CWE-373
DEPRECATED: State Synchronization Error
Base
CWE-377
Insecure Temporary File
Class
CWE-378
Creation of Temporary File With Insecure Permissions
Base
CWE-379
Creation of Temporary File in Directory with Insecure Permissions
Base
CWE-400
Uncontrolled Resource Consumption
Class
CWE-1235
Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations
Base
CWE-1246
Improper Write Handling in Limited-write Non-Volatile Memories
Base
CWE-405
Asymmetric Resource Consumption (Amplification)
Class
CWE-1050
Excessive Platform Resource Consumption within a Loop
Base
CWE-1072
Data Resource Access without Use of Connection Pooling
Base
CWE-1073
Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses
Base
CWE-1084
Invokable Control Element with Excessive File or Data Access Operations
Base
CWE-1089
Large Data Table with Excessive Number of Indices
Base
CWE-1094
Excessive Index Range Scan for a Data Resource
Base
CWE-406
Insufficient Control of Network Message Volume (Network Amplification)
Class
CWE-407
Inefficient Algorithmic Complexity
Class
CWE-1333
Inefficient Regular Expression Complexity
Base
CWE-408
Incorrect Behavior Order: Early Amplification
Base
CWE-409
Improper Handling of Highly Compressed Data (Data Amplification)
Base
CWE-776
Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
Base
CWE-770
Allocation of Resources Without Limits or Throttling
Base
CWE-1325
Improperly Controlled Sequential Memory Allocation
Base
CWE-774
Allocation of File Descriptors or Handles Without Limits or Throttling
Variant
CWE-789
Memory Allocation with Excessive Size Value
Variant
CWE-771
Missing Reference to Active Allocated Resource
Base
CWE-773
Missing Reference to Active File Descriptor or Handle
Variant
CWE-779
Logging of Excessive Data
Base
CWE-920
Improper Restriction of Power Consumption
Base
CWE-402
Transmission of Private Resources into a New Sphere ('Resource Leak')
Class
CWE-403
Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')
Base
CWE-619
Dangling Database Cursor ('Cursor Injection')
Base
CWE-404
Improper Resource Shutdown or Release
Class
CWE-1266
Improper Scrubbing of Sensitive Data from Decommissioned Device
Base
CWE-401
Missing Release of Memory after Effective Lifetime
Variant
CWE-459
Incomplete Cleanup
Base
CWE-226
Sensitive Information in Resource Not Removed Before Reuse
Base
CWE-1239
Improper Zeroization of Hardware Register
Variant
CWE-1272
Sensitive Information Uncleared Before Debug/Power State Transition
Base
CWE-1301
Insufficient or Incomplete Data Removal within Hardware Component
Base
CWE-1330
Remanent Data Readable after Memory Erase
Variant
CWE-1342
Information Exposure through Microarchitectural State after Transient Execution
Base
CWE-244
Improper Clearing of Heap Memory Before Release ('Heap Inspection')
Variant
CWE-460
Improper Cleanup on Thrown Exception
Base
CWE-568
finalize() Method Without super.finalize()
Variant
CWE-761
Free of Pointer not at Start of Buffer
Variant
CWE-762
Mismatched Memory Management Routines
Variant
CWE-590
Free of Memory not on the Heap
Variant
CWE-763
Release of Invalid Pointer or Reference
Base
CWE-772
Missing Release of Resource after Effective Lifetime
Base
CWE-775
Missing Release of File Descriptor or Handle after Effective Lifetime
Variant
CWE-410
Insufficient Resource Pool
Class
CWE-423
DEPRECATED: Proxied Trusted Channel
Base
CWE-435
Improper Interaction Between Multiple Correctly-Behaving Entities
Pillar
CWE-436
Interpretation Conflict
Class
CWE-115
Misinterpretation of Input
Base
CWE-437
Incomplete Model of Endpoint Features
Base
CWE-444
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Base
CWE-650
Trusting HTTP Permission Methods on the Server Side
Variant
CWE-86
Improper Neutralization of Invalid Characters in Identifiers in Web Pages
Variant
CWE-439
Behavioral Change in New Version or Environment
Base
CWE-441
Unintended Proxy or Intermediary ('Confused Deputy')
Class
CWE-918
Server-Side Request Forgery (SSRF)
Base
CWE-443
DEPRECATED: HTTP response splitting
Base
CWE-446
UI Discrepancy for Security Feature
Class
CWE-447
Unimplemented or Unsupported Feature in UI
Base
CWE-448
Obsolete Feature in UI
Base
CWE-449
The UI Performs the Wrong Action
Base
CWE-458
DEPRECATED: Incorrect Initialization
Base
CWE-506
Embedded Malicious Code
Class
CWE-507
Trojan Horse
Base
CWE-508
Non-Replicating Malicious Code
Base
CWE-509
Replicating Malicious Code (Virus or Worm)
Base
CWE-510
Trapdoor
Base
CWE-511
Logic/Time Bomb
Base
CWE-512
Spyware
Base
CWE-516
DEPRECATED: Covert Timing Channel
Base
CWE-533
DEPRECATED: Information Exposure Through Server Log Files
Variant
CWE-534
DEPRECATED: Information Exposure Through Debug Log Files
Variant
CWE-542
DEPRECATED: Information Exposure Through Cleanup Log Files
Variant
CWE-545
DEPRECATED: Use of Dynamic Class Loading
Variant
CWE-573
Improper Following of Specification by Caller
Class
CWE-243
Creation of chroot Jail Without Changing Working Directory
Variant
CWE-253
Incorrect Check of Function Return Value
Base
CWE-325
Missing Cryptographic Step
Base
CWE-358
Improperly Implemented Security Check for Standard
Base
CWE-475
Undefined Behavior for Input to API
Base
CWE-577
EJB Bad Practices: Use of Sockets
Variant
CWE-578
EJB Bad Practices: Use of Class Loader
Variant
CWE-579
J2EE Bad Practices: Non-serializable Object Stored in Session
Variant
CWE-580
clone() Method Without super.clone()
Variant
CWE-581
Object Model Violation: Just One of Equals and Hashcode Defined
Variant
CWE-628
Function Call with Incorrectly Specified Arguments
Base
CWE-683
Function Call With Incorrect Order of Arguments
Variant
CWE-685
Function Call With Incorrect Number of Arguments
Variant
CWE-686
Function Call With Incorrect Argument Type
Variant
CWE-687
Function Call With Incorrectly Specified Argument Value
Variant
CWE-560
Use of umask() with chmod-style Argument
Variant
CWE-688
Function Call With Incorrect Variable or Reference as Argument
Variant
CWE-675
Multiple Operations on Resource in Single-Operation Context
Class
CWE-1341
Multiple Releases of Same Resource or Handle
Base
CWE-605
Multiple Binds to the Same Port
Variant
CWE-764
Multiple Locks of a Critical Resource
Base
CWE-765
Multiple Unlocks of a Critical Resource
Base
CWE-694
Use of Multiple Resources with Duplicate Identifier
Base
CWE-462
Duplicate Key in Associative List (Alist)
Variant
CWE-695
Use of Low-Level Functionality
Base
CWE-245
J2EE Bad Practices: Direct Management of Connections
Variant
CWE-246
J2EE Bad Practices: Direct Use of Sockets
Variant
CWE-383
J2EE Bad Practices: Direct Use of Threads
Variant
CWE-574
EJB Bad Practices: Use of Synchronization Primitives
Variant
CWE-575
EJB Bad Practices: Use of AWT Swing
Variant
CWE-576
EJB Bad Practices: Use of Java I/O
Variant
CWE-592
DEPRECATED: Authentication Bypass Issues
Class
CWE-596
DEPRECATED: Incorrect Semantic Object Comparison
Base
CWE-602
Client-Side Enforcement of Server-Side Security
Class
CWE-565
Reliance on Cookies without Validation and Integrity Checking
Base
CWE-784
Reliance on Cookies without Validation and Integrity Checking in a Security Decision
Variant
CWE-610
Externally Controlled Reference to a Resource in Another Sphere
Class
CWE-384
Session Fixation
Compound
CWE-601
URL Redirection to Untrusted Site ('Open Redirect')
Base
CWE-611
Improper Restriction of XML External Entity Reference
Base
CWE-636
Not Failing Securely ('Failing Open')
Class
CWE-455
Non-exit on Failed Initialization
Base
CWE-637
Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')
Class
CWE-642
External Control of Critical State Data
Class
CWE-426
Untrusted Search Path
Base
CWE-472
External Control of Assumed-Immutable Web Parameter
Base
CWE-653
Improper Isolation or Compartmentalization
Class
CWE-1189
Improper Isolation of Shared Resources on System-on-a-Chip (SoC)
Base
CWE-1331
Improper Isolation of Shared Resources in Network On Chip (NoC)
Base
CWE-655
Insufficient Psychological Acceptability
Class
CWE-656
Reliance on Security Through Obscurity
Class
CWE-657
Violation of Secure Design Principles
Class
CWE-1192
Improper Identifier for IP Block used in System-On-Chip (SOC)
Base
CWE-654
Reliance on a Single Factor in a Security Decision
Base
CWE-671
Lack of Administrator Control over Security
Class
CWE-662
Improper Synchronization
Class
CWE-1058
Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element
Base
CWE-1096
Singleton Class Instance Creation without Proper Locking or Synchronization
Variant
CWE-543
Use of Singleton Pattern Without Synchronization in a Multithreaded Context
Variant
CWE-567
Unsynchronized Access to Shared Data in a Multithreaded Context
Base
CWE-663
Use of a Non-reentrant Function in a Concurrent Context
Base
CWE-558
Use of getlogin() in Multithreaded Application
Variant
CWE-667
Improper Locking
Class
CWE-1232
Improper Lock Behavior After Power State Transition
Base
CWE-1234
Hardware Internal or Debug Modes Allow Override of Locks
Base
CWE-412
Unrestricted Externally Accessible Lock
Base
CWE-413
Improper Resource Locking
Base
CWE-591
Sensitive Data Storage in Improperly Locked Memory
Variant
CWE-414
Missing Lock Check
Base
CWE-609
Double-Checked Locking
Base
CWE-832
Unlock of a Resource that is not Locked
Base
CWE-833
Deadlock
Base
CWE-820
Missing Synchronization
Base
CWE-821
Incorrect Synchronization
Base
CWE-1088
Synchronous Access of Remote Resource without Timeout
Base
CWE-1264
Hardware Logic with Insecure De-Synchronization between Control and Data Channels
Base
CWE-572
Call to Thread run() instead of start()
Variant
CWE-664
Improper Control of a Resource Through its Lifetime
Pillar
CWE-1250
Improper Preservation of Consistency Between Independent Representations of Shared State
Base
CWE-1249
Application-Level Admin Tool with Inconsistent View of Underlying Operating System
Base
CWE-1251
Mirrored Regions with Different Values
Base
CWE-372
Incomplete Internal State Distinction
Base
CWE-471
Modification of Assumed-Immutable Data (MAID)
Base
CWE-473
PHP External Variable Modification
Variant
CWE-607
Public Static Final Field References Mutable Object
Variant
CWE-487
Reliance on Package-level Scope
Base
CWE-495
Private Data Structure Returned From A Public Method
Variant
CWE-496
Public Data Assigned to Private Array-Typed Field
Variant
CWE-501
Trust Boundary Violation
Base
CWE-665
Improper Initialization
Class
CWE-1279
Cryptographic Operations are run Before Supporting Units are Ready
Base
CWE-1434
Insecure Setting of Generative AI/ML Model Inference Parameters
Base
CWE-456
Missing Initialization of a Variable
Variant
CWE-457
Use of Uninitialized Variable
Variant
CWE-908
Use of Uninitialized Resource
Base
CWE-909
Missing Initialization of Resource
Class
CWE-1271
Uninitialized Value on Reset for Registers Holding Security Settings
Base
CWE-666
Operation on Resource in Wrong Phase of Lifetime
Class
CWE-672
Operation on a Resource after Expiration or Release
Class
CWE-324
Use of a Key Past its Expiration Date
Base
CWE-613
Insufficient Session Expiration
Base
CWE-910
Use of Expired File Descriptor
Base
CWE-826
Premature Release of Resource During Expected Lifetime
Base
CWE-668
Exposure of Resource to Wrong Sphere
Class
CWE-1282
Assumed-Immutable Data is Stored in Writable Memory
Base
CWE-1327
Binding to an Unrestricted IP Address
Base
CWE-374
Passing Mutable Objects to an Untrusted Method
Base
CWE-375
Returning a Mutable Object to an Untrusted Caller
Base
CWE-427
Uncontrolled Search Path Element
Base
CWE-428
Unquoted Search Path or Element
Base
CWE-488
Exposure of Data Element to Wrong Session
Base
CWE-491
Public cloneable() Method Without Final ('Object Hijack')
Variant
CWE-492
Use of Inner Class Containing Sensitive Data
Variant
CWE-493
Critical Public Variable Without Final Modifier
Variant
CWE-500
Public Static Field Not Marked Final
Variant
CWE-498
Cloneable Class Containing Sensitive Information
Variant
CWE-499
Serializable Class Containing Sensitive Data
Variant
CWE-524
Use of Cache Containing Sensitive Information
Base
CWE-525
Use of Web Browser Cache Containing Sensitive Information
Variant
CWE-582
Array Declared Public, Final, and Static
Variant
CWE-583
finalize() Method Declared Public
Variant
CWE-608
Struts: Non-private Field in ActionForm Class
Variant
CWE-767
Access to Critical Private Variable via Public Method
Base
CWE-8
J2EE Misconfiguration: Entity Bean Declared Remote
Variant
CWE-669
Incorrect Resource Transfer Between Spheres
Class
CWE-1420
Exposure of Sensitive Information during Transient Execution
Base
CWE-1421
Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution
Base
CWE-1422
Exposure of Sensitive Information caused by Incorrect Data Forwarding during Transient Execution
Base
CWE-1423
Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution
Base
CWE-212
Improper Removal of Sensitive Information Before Storage or Transfer
Base
CWE-434
Unrestricted Upload of File with Dangerous Type
Base
CWE-829
Inclusion of Functionality from Untrusted Control Sphere
Base
CWE-827
Improper Control of Document Type Definition
Variant
CWE-830
Inclusion of Web Functionality from an Untrusted Source
Variant
CWE-98
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Variant
CWE-673
External Influence of Sphere Definition
Class
CWE-704
Incorrect Type Conversion or Cast
Class
CWE-1389
Incorrect Parsing of Numbers with Different Radices
Base
CWE-588
Attempt to Access Child of a Non-structure Pointer
Variant
CWE-681
Incorrect Conversion between Numeric Types
Base
CWE-192
Integer Coercion Error
Variant
CWE-194
Unexpected Sign Extension
Variant
CWE-195
Signed to Unsigned Conversion Error
Variant
CWE-196
Unsigned to Signed Conversion Error
Variant
CWE-197
Numeric Truncation Error
Base
CWE-843
Access of Resource Using Incompatible Type ('Type Confusion')
Base
CWE-706
Use of Incorrectly-Resolved Name or Reference
Class
CWE-178
Improper Handling of Case Sensitivity
Base
CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Base
CWE-23
Relative Path Traversal
Base
CWE-24
Path Traversal: '../filedir'
Variant
CWE-25
Path Traversal: '/../filedir'
Variant
CWE-26
Path Traversal: '/dir/../filename'
Variant
CWE-27
Path Traversal: 'dir/../../filename'
Variant
CWE-28
Path Traversal: '..\filedir'
Variant
CWE-29
Path Traversal: '\..\filename'
Variant
CWE-30
Path Traversal: '\dir\..\filename'
Variant
CWE-31
Path Traversal: 'dir\..\..\filename'
Variant
CWE-32
Path Traversal: '...' (Triple Dot)
Variant
CWE-33
Path Traversal: '....' (Multiple Dot)
Variant
CWE-34
Path Traversal: '....//'
Variant
CWE-35
Path Traversal: '.../...//'
Variant
CWE-36
Absolute Path Traversal
Base
CWE-38
Path Traversal: '\absolute\pathname\here'
Variant
CWE-39
Path Traversal: 'C:dirname'
Variant
CWE-40
Path Traversal: '\\UNC\share\name\' (Windows UNC Share)
Variant
CWE-386
Symbolic Name not Mapping to Correct Object
Base
CWE-41
Improper Resolution of Path Equivalence
Base
CWE-44
Path Equivalence: 'file.name' (Internal Dot)
Variant
CWE-47
Path Equivalence: ' filename' (Leading Space)
Variant
CWE-48
Path Equivalence: 'file name' (Internal Whitespace)
Variant
CWE-51
Path Equivalence: '/multiple//internal/slash'
Variant
CWE-55
Path Equivalence: '/./' (Single Dot Directory)
Variant
CWE-57
Path Equivalence: 'fakedir/../realdir/filename'
Variant
CWE-58
Path Equivalence: Windows 8.3 Filename
Variant
CWE-59
Improper Link Resolution Before File Access ('Link Following')
Base
CWE-1386
Insecure Operation on Windows Junction / Mount Point
Base
CWE-61
UNIX Symbolic Link (Symlink) Following
Compound
CWE-62
UNIX Hard Link
Variant
CWE-64
Windows Shortcut Following (.LNK)
Variant
CWE-65
Windows Hard Link
Variant
CWE-66
Improper Handling of File Names that Identify Virtual Resources
Base
CWE-67
Improper Handling of Windows Device Names
Variant
CWE-69
Improper Handling of Windows ::DATA Alternate Data Stream
Variant
CWE-72
Improper Handling of Apple HFS+ Alternate Data Stream Path
Variant
CWE-911
Improper Update of Reference Count
Base
CWE-913
Improper Control of Dynamically-Managed Code Resources
Class
CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Variant
CWE-502
Deserialization of Untrusted Data
Base
CWE-914
Improper Control of Dynamically-Identified Variables
Base
CWE-621
Variable Extraction Error
Variant
CWE-627
Dynamic Variable Evaluation
Variant
CWE-915
Improperly Controlled Modification of Dynamically-Determined Object Attributes
Base
CWE-94
Improper Control of Generation of Code ('Code Injection')
Base
CWE-1336
Improper Neutralization of Special Elements Used in a Template Engine
Base
CWE-95
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Variant
CWE-96
Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
Base
CWE-97
Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
Variant
CWE-922
Insecure Storage of Sensitive Information
Class
CWE-921
Storage of Sensitive Data in a Mechanism without Access Control
Base
CWE-670
Always-Incorrect Control Flow Implementation
Class
CWE-480
Use of Incorrect Operator
Base
CWE-481
Assigning instead of Comparing
Variant
CWE-482
Comparing instead of Assigning
Variant
CWE-597
Use of Wrong Operator in String Comparison
Variant
CWE-483
Incorrect Block Delimitation
Base
CWE-484
Omitted Break Statement in Switch
Base
CWE-617
Reachable Assertion
Base
CWE-698
Execution After Redirect (EAR)
Base
CWE-783
Operator Precedence Logic Error
Base
CWE-674
Uncontrolled Recursion
Class
CWE-682
Incorrect Calculation
Pillar
CWE-128
Wrap-around Error
Base
CWE-131
Incorrect Calculation of Buffer Size
Base
CWE-467
Use of sizeof() on a Pointer Type
Variant
CWE-1335
Incorrect Bitwise Shift of Integer
Base
CWE-1339
Insufficient Precision or Accuracy of a Real Number
Base
CWE-135
Incorrect Calculation of Multi-Byte String Length
Base
CWE-191
Integer Underflow (Wrap or Wraparound)
Base
CWE-193
Off-by-one Error
Base
CWE-369
Divide By Zero
Base
CWE-468
Incorrect Pointer Scaling
Base
CWE-469
Use of Pointer Subtraction to Determine Size
Base
CWE-684
Incorrect Provision of Specified Functionality
Class
CWE-1245
Improper Finite State Machines (FSMs) in Hardware Logic
Base
CWE-392
Missing Report of Error Condition
Base
CWE-393
Return of Wrong Status Code
Base
CWE-440
Expected Behavior Violation
Base
CWE-912
Hidden Functionality
Class
CWE-1242
Inclusion of Undocumented Features or Chicken Bits
Base
CWE-691
Insufficient Control Flow Management
Pillar
CWE-1265
Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls
Base
CWE-1281
Sequence of Processor Instructions Leads to Unexpected Behavior
Base
CWE-430
Deployment of Wrong Handler
Base
CWE-431
Missing Handler
Base
CWE-696
Incorrect Behavior Order
Class
CWE-1190
DMA Device Enabled Too Early in Boot Phase
Base
CWE-1193
Power-On of Untrusted Execution Core Before Enabling Fabric Access Control
Base
CWE-705
Incorrect Control Flow Scoping
Class
CWE-248
Uncaught Exception
Base
CWE-600
Uncaught Exception in Servlet
Variant
CWE-382
J2EE Bad Practices: Use of System.exit()
Variant
CWE-395
Use of NullPointerException Catch to Detect NULL Pointer Dereference
Base
CWE-584
Return Inside Finally Block
Base
CWE-768
Incorrect Short Circuit Evaluation
Variant
CWE-799
Improper Control of Interaction Frequency
Class
CWE-837
Improper Enforcement of a Single, Unique Action
Base
CWE-834
Excessive Iteration
Class
CWE-1322
Use of Blocking Code in Single-threaded, Non-blocking Context
Base
CWE-835
Loop with Unreachable Exit Condition ('Infinite Loop')
Base
CWE-841
Improper Enforcement of Behavioral Workflow
Base
CWE-693
Protection Mechanism Failure
Pillar
CWE-1248
Semiconductor Defects in Hardware Logic with Security-Sensitive Implications
Base
CWE-1253
Incorrect Selection of Fuse Values
Base
CWE-1269
Product Released in Non-Release Configuration
Base
CWE-1278
Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques
Base
CWE-1291
Public Key Re-Use for Signing both Debug and Production Code
Base
CWE-1318
Missing Support for Security Features in On-chip Fabrics or Buses
Base
CWE-1319
Improper Protection against Electromagnetic Fault Injection (EM-FI)
Base
CWE-1326
Missing Immutable Root of Trust in Hardware
Base
CWE-1338
Improper Protections Against Hardware Overheating
Base
CWE-357
Insufficient UI Warning of Dangerous Operations
Base
CWE-450
Multiple Interpretations of UI Input
Base
CWE-757
Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
Base
CWE-807
Reliance on Untrusted Inputs in a Security Decision
Base
CWE-697
Incorrect Comparison
Pillar
CWE-1024
Comparison of Incompatible Types
Base
CWE-1025
Comparison Using Wrong Factors
Base
CWE-486
Comparison of Classes by Name
Variant
CWE-595
Comparison of Object References Instead of Object Contents
Variant
CWE-1077
Floating Point Comparison with Incorrect Operator
Variant
CWE-183
Permissive List of Allowed Inputs
Base
CWE-703
Improper Check or Handling of Exceptional Conditions
Pillar
CWE-391
Unchecked Error Condition
Base
CWE-754
Improper Check for Unusual or Exceptional Conditions
Class
CWE-252
Unchecked Return Value
Base
CWE-690
Unchecked Return Value to NULL Pointer Dereference
Compound
CWE-394
Unexpected Status Code or Return Value
Base
CWE-476
NULL Pointer Dereference
Base
CWE-755
Improper Handling of Exceptional Conditions
Class
CWE-280
Improper Handling of Insufficient Permissions or Privileges
Base
CWE-390
Detection of Error Condition Without Action
Base
CWE-544
Missing Standardized Error Handling Mechanism
Base
CWE-756
Missing Custom Error Page
Base
CWE-12
ASP.NET Misconfiguration: Missing Custom Error Page
Variant
CWE-7
J2EE Misconfiguration: Missing Custom Error Page
Variant
CWE-707
Improper Neutralization
Pillar
CWE-1426
Improper Validation of Generative AI Output
Base
CWE-182
Collapse of Data into Unsafe Value
Base
CWE-463
Deletion of Data Structure Sentinel
Base
CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Class
CWE-1236
Improper Neutralization of Formula Elements in a CSV File
Base
CWE-75
Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
Class
CWE-76
Improper Neutralization of Equivalent Special Elements
Base
CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
Class
CWE-1427
Improper Neutralization of Input Used for LLM Prompting
Base
CWE-624
Executable Regular Expression Error
Base
CWE-78
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Base
CWE-88
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Base
CWE-917
Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
Base
CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Base
CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Variant
CWE-81
Improper Neutralization of Script in an Error Message Web Page
Variant
CWE-83
Improper Neutralization of Script in Attributes in a Web Page
Variant
CWE-82
Improper Neutralization of Script in Attributes of IMG Tags in a Web Page
Variant
CWE-84
Improper Neutralization of Encoded URI Schemes in a Web Page
Variant
CWE-85
Doubled Character XSS Manipulations
Variant
CWE-87
Improper Neutralization of Alternate XSS Syntax
Variant
CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Base
CWE-564
SQL Injection: Hibernate
Variant
CWE-91
XML Injection (aka Blind XPath Injection)
Base
CWE-643
Improper Neutralization of Data within XPath Expressions ('XPath Injection')
Base
CWE-652
Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')
Base
CWE-93
Improper Neutralization of CRLF Sequences ('CRLF Injection')
Base
CWE-943
Improper Neutralization of Special Elements in Data Query Logic
Class
CWE-90
Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
Base
CWE-99
Improper Control of Resource Identifiers ('Resource Injection')
Class
CWE-641
Improper Restriction of Names for Files and Other Resources
Base
CWE-71
DEPRECATED: Apple '.DS_Store'
Variant
CWE-710
Improper Adherence to Coding Standards
Pillar
CWE-1041
Use of Redundant Code
Base
CWE-1044
Architecture with Number of Horizontal Layers Outside of Expected Range
Base
CWE-1048
Invokable Control Element with Large Number of Outward Calls
Base
CWE-1065
Runtime Resource Management Control Element in a Component Built to Run on Application Servers
Base
CWE-1066
Missing Serialization Control Element
Base
CWE-1068
Inconsistency Between Implementation and Documented Design
Base
CWE-1092
Use of Same Invokable Control Element in Multiple Architectural Layers
Base
CWE-1101
Reliance on Runtime Component in Generated Code
Base
CWE-1126
Declaration of Variable with Unnecessarily Wide Scope
Base
CWE-1127
Compilation with Insufficient Warnings or Errors
Base
CWE-1209
Failure to Disable Reserved Bits
Base
CWE-477
Use of Obsolete Function
Base
CWE-489
Active Debug Code
Base
CWE-11
ASP.NET Misconfiguration: Creating Debug Binary
Variant
CWE-570
Expression is Always False
Base
CWE-571
Expression is Always True
Base
CWE-758
Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
Class
CWE-1102
Reliance on Machine-Dependent Data Representation
Base
CWE-1103
Use of Platform-Dependent Third Party Components
Base
CWE-474
Use of Function with Inconsistent Implementations
Base
CWE-589
Call to Non-ubiquitous API
Variant
CWE-562
Return of Stack Variable Address
Base
CWE-769
DEPRECATED: Uncontrolled File Descriptor Consumption
Base
CWE-92
DEPRECATED: Improper Sanitization of Custom Special Characters
Base