Common Weakness Enumeration (CWE) database

The Common Weakness Enumeration (CWE) database is a categorized list of security-related flaws in software. We use CWE identifiers to describe the types of vulnerabilities in our database.

For more information about the Common Weakness Enumeration (CWE) database, please refer to the official MITRE website.

Below is the list of CWE identifiers we use to describe vulnerabilities:


CWE-5 - J2EE Misconfiguration: Data Transmission Without Encryption

CWE-6 - J2EE Misconfiguration: Insufficient Session-ID Length

CWE-7 - J2EE Misconfiguration: Missing Custom Error Page

CWE-8 - J2EE Misconfiguration: Entity Bean Declared Remote

CWE-9 - J2EE Misconfiguration: Weak Access Permissions for EJB Methods

CWE-11 - ASP.NET Misconfiguration: Creating Debug Binary

CWE-12 - ASP.NET Misconfiguration: Missing Custom Error Page

CWE-13 - ASP.NET Misconfiguration: Password in Configuration File

CWE-14 - Compiler Removal of Code to Clear Buffers

CWE-15 - External Control of System or Configuration Setting

CWE-16 - Configuration

CWE-19 - Data Handling

CWE-20 - Improper input validation

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-23 - Relative Path Traversal

CWE-24 - Path Traversal: '../filedir'

CWE-25 - Path Traversal: '/../filedir'

CWE-26 - Path Traversal: '/dir/../filename'

CWE-27 - Path Traversal: 'dir/../../filename'

CWE-28 - Path Traversal: '..\filedir'

CWE-29 - Path Traversal: '\..\filename'

CWE-30 - Path Traversal: '\dir\..\filename'

CWE-31 - Path Traversal: 'dir\..\..\filename'

CWE-32 - Path Traversal: '...' (Triple Dot)

CWE-33 - Path Traversal: '....' (Multiple Dot)

CWE-34 - Path Traversal: '....//'

CWE-35 - Path Traversal: '.../...//'

CWE-36 - Absolute Path Traversal

CWE-37 - Path Traversal: '/absolute/pathname/here'

CWE-38 - Path Traversal: '\absolute\pathname\here'

CWE-39 - Path Traversal: 'C:dirname'

CWE-40 - Path Traversal: '\\UNC\share\name\' (Windows UNC Share)

CWE-41 - Improper Resolution of Path Equivalence

CWE-42 - Path Equivalence

CWE-43 - Path Equivalence: 'filename....' (Multiple Trailing Dot)

CWE-44 - Path Equivalence: '' (Internal Dot)

CWE-45 - Path Equivalence: '' (Multiple Internal Dot)

CWE-46 - Path Equivalence: 'filename ' (Trailing Space)

CWE-47 - Path Equivalence: ' filename' (Leading Space)

CWE-48 - Path Equivalence: 'file name' (Internal Whitespace)

CWE-49 - Path Equivalence: 'filename/' (Trailing Slash)

CWE-50 - Path Equivalence: '//multiple/leading/slash'

CWE-51 - Path Equivalence: '/multiple//internal/slash'

CWE-52 - Path Equivalence: '/multiple/trailing/slash//'

CWE-53 - Path Equivalence: '\multiple\\internal\backslash'

CWE-54 - Path Equivalence: 'filedir\' (Trailing Backslash)

CWE-55 - Path Equivalence: '/./' (Single Dot Directory)

CWE-56 - Path Equivalence: 'filedir*' (Wildcard)

CWE-57 - Path Equivalence: 'fakedir/../realdir/filename'

CWE-58 - Path Equivalence: Windows 8.3 Filename

CWE-59 - Improper Link Resolution Before File Access ('Link Following')

CWE-61 - UNIX Symbolic Link (Symlink) Following

CWE-62 - UNIX Hard Link

CWE-64 - Windows Shortcut Following (.LNK)

CWE-65 - Windows hard link

CWE-66 - Improper Handling of File Names that Identify Virtual Resources

CWE-67 - Improper Handling of Windows Device Names

CWE-69 - Improper Handling of Windows ::DATA Alternate Data Stream

CWE-71 - DEPRECATED: Apple '.DS_Store'

CWE-72 - Improper Handling of Apple HFS+ Alternate Data Stream Path

CWE-73 - External Control of File Name or Path

CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-75 - Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)

CWE-76 - Improper Neutralization of Equivalent Special Elements

CWE-77 - Command injection

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-80 - Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

CWE-81 - Improper Neutralization of Script in an Error Message Web Page

CWE-82 - Improper Neutralization of Script in Attributes of IMG Tags in a Web Page

CWE-83 - Improper Neutralization of Script in Attributes in a Web Page

CWE-84 - Improper Neutralization of Encoded URI Schemes in a Web Page

CWE-85 - Doubled Character XSS Manipulations

CWE-86 - Improper Neutralization of Invalid Characters in Identifiers in Web Pages

CWE-87 - Improper Neutralization of Alternate XSS Syntax

CWE-88 - Improper Neutralization of Argument Delimiters in a Command

CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CWE-90 - Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

CWE-91 - XML Injection

CWE-92 - DEPRECATED: Improper Sanitization of Custom Special Characters

CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')

CWE-94 - Improper Control of Generation of Code ('Code Injection')

CWE-95 - Eval Injection

CWE-96 - Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')

CWE-97 - Improper Neutralization of Server-Side Includes (SSI) Within a Web Page

CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program

CWE-99 - Improper Control of Resource Identifiers ('Resource Injection')

CWE-102 - Struts: Duplicate Validation Forms

CWE-103 - Struts: Incomplete validate() Method Definition

CWE-104 - Struts: Form Bean Does Not Extend Validation Class

CWE-105 - Struts: Form Field Without Validator

CWE-106 - Struts: Plug-in Framework not in Use

CWE-107 - Struts: Unused Validation Form

CWE-108 - Struts: Unvalidated Action Form

CWE-109 - Struts: Validator Turned Off

CWE-110 - Struts: Validator Without Form Field

CWE-111 - Direct Use of Unsafe JNI

CWE-112 - Missing XML Validation

CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

CWE-114 - Process Control

CWE-115 - Misinterpretation of Input

CWE-116 - Improper Encoding or Escaping of Output

CWE-117 - Improper Output Neutralization for Logs

CWE-118 - Incorrect Access of Indexable Resource ('Range Error')

CWE-119 - Memory corruption

CWE-120 - Buffer overflow

CWE-121 - Stack-based buffer overflow

CWE-122 - Heap-based Buffer Overflow

CWE-123 - Write-what-where Condition

CWE-124 - Buffer Underwrite ('Buffer Underflow')

CWE-125 - Out-of-bounds read

CWE-126 - Buffer over-read

CWE-127 - Buffer Under-read

CWE-128 - Wrap-around Error

CWE-129 - Improper Validation of Array Index

CWE-130 - Improper Handling of Length Parameter Inconsistency

CWE-131 - Incorrect Calculation of Buffer Size

CWE-132 - DEPRECATED: Miscalculated Null Termination

CWE-134 - Use of Externally-Controlled Format String

CWE-135 - Incorrect Calculation of Multi-Byte String Length

CWE-138 - Improper Neutralization of Special Elements

CWE-140 - Improper Neutralization of Delimiters

CWE-141 - Improper Neutralization of Parameter/Argument Delimiters

CWE-142 - Improper Neutralization of Value Delimiters

CWE-143 - Improper Neutralization of Record Delimiters

CWE-144 - Improper Neutralization of Line Delimiters

CWE-145 - Improper Neutralization of Section Delimiters

CWE-146 - Improper Neutralization of Expression/Command Delimiters

CWE-147 - Improper Neutralization of Input Terminators

CWE-148 - Improper Neutralization of Input Leaders

CWE-149 - Improper Neutralization of Quoting Syntax

CWE-150 - Improper Neutralization of Escape, Meta, or Control Sequences

CWE-151 - Improper Neutralization of Comment Delimiters

CWE-152 - Improper Neutralization of Macro Symbols

CWE-153 - Improper Neutralization of Substitution Characters

CWE-154 - Improper Neutralization of Variable Name Delimiters

CWE-155 - Improper Neutralization of Wildcards or Matching Symbols

CWE-156 - Improper Neutralization of Whitespace

CWE-157 - Failure to Sanitize Paired Delimiters

CWE-158 - Improper Neutralization of Null Byte or NUL Character

CWE-159 - Improper Handling of Invalid Use of Special Elements

CWE-160 - Improper Neutralization of Leading Special Elements

CWE-161 - Improper Neutralization of Multiple Leading Special Elements

CWE-162 - Improper Neutralization of Trailing Special Elements

CWE-163 - Improper Neutralization of Multiple Trailing Special Elements

CWE-164 - Improper Neutralization of Internal Special Elements

CWE-165 - Improper Neutralization of Multiple Internal Special Elements

CWE-166 - Improper Handling of Missing Special Element

CWE-167 - Improper Handling of Additional Special Element

CWE-168 - Improper Handling of Inconsistent Special Elements

CWE-170 - Improper Null Termination

CWE-172 - Encoding Error

CWE-173 - Improper Handling of Alternate Encoding

CWE-174 - Double Decoding of the Same Data

CWE-175 - Improper Handling of Mixed Encoding

CWE-176 - Improper Handling of Unicode Encoding

CWE-177 - Improper Handling of URL Encoding (Hex Encoding)

CWE-178 - Improper Handling of Case Sensitivity

CWE-179 - Incorrect Behavior Order: Early Validation

CWE-180 - Incorrect Behavior Order: Validate Before Canonicalize

CWE-181 - Incorrect Behavior Order: Validate Before Filter

CWE-182 - Collapse of Data into Unsafe Value

CWE-183 - Permissive List of Allowed Inputs

CWE-184 - Incomplete List of Disallowed Inputs

CWE-185 - Incorrect Regular Expression

CWE-186 - Overly Restrictive Regular Expression

CWE-187 - Partial String Comparison

CWE-188 - Reliance on Data/Memory Layout

CWE-190 - Integer overflow

CWE-191 - Integer underflow

CWE-192 - Integer Coercion Error

CWE-193 - Off-by-one Error

CWE-194 - Unexpected Sign Extension

CWE-195 - Signed to Unsigned Conversion Error

CWE-196 - Unsigned to Signed Conversion Error

CWE-197 - Numeric Truncation Error

CWE-198 - Use of Incorrect Byte Ordering

CWE-199 - Information Management Errors

CWE-200 - Information exposure

CWE-201 - Insertion of Sensitive Information Into Sent Data

CWE-202 - Exposure of Sensitive Information Through Data Queries

CWE-203 - Observable discrepancy

CWE-204 - Observable Response Discrepancy

CWE-205 - Observable Behavioral Discrepancy

CWE-206 - Observable Internal Behavioral Discrepancy

CWE-207 - Observable Behavioral Discrepancy With Equivalent Products

CWE-208 - Information Exposure Through Timing Discrepancy

CWE-209 - Information Exposure Through an Error Message

CWE-210 - Self-generated Error Message Containing Sensitive Information

CWE-211 - Externally-generated error message containing sensitive information

CWE-212 - Improper Removal of Sensitive Information Before Storage or Transfer

CWE-213 - Exposure of Sensitive Information Due to Incompatible Policies

CWE-214 - Invocation of Process Using Visible Sensitive Information

CWE-215 - Insertion of Sensitive Information Into Debugging Code

CWE-216 - DEPRECATED: Containment Errors (Container Errors)

CWE-217 - DEPRECATED: Failure to Protect Stored Data from Modification

CWE-218 - DEPRECATED: Failure to provide confidentiality for stored data

CWE-219 - Storage of File with Sensitive Data Under Web Root

CWE-220 - Storage of File With Sensitive Data Under FTP Root

CWE-221 - Information Loss or Omission

CWE-222 - Truncation of Security-relevant Information

CWE-223 - Omission of Security-relevant Information

CWE-224 - Obscured Security-relevant Information by Alternate Name

CWE-225 - DEPRECATED: General Information Management Problems

CWE-226 - Sensitive Information in Resource Not Removed Before Reuse

CWE-228 - Improper Handling of Syntactically Invalid Structure

CWE-229 - Improper Handling of Values

CWE-230 - Improper Handling of Missing Values

CWE-231 - Improper Handling of Extra Values

CWE-232 - Improper Handling of Undefined Values

CWE-233 - Improper Handling of Parameters

CWE-234 - Failure to Handle Missing Parameter

CWE-235 - Improper Handling of Extra Parameters

CWE-236 - Improper Handling of Undefined Parameters

CWE-237 - Improper Handling of Structural Elements

CWE-238 - Improper Handling of Incomplete Structural Elements

CWE-239 - Failure to Handle Incomplete Element

CWE-240 - Improper Handling of Inconsistent Structural Elements

CWE-241 - Improper Handling of Unexpected Data Type

CWE-242 - Use of Inherently Dangerous Function

CWE-243 - Creation of chroot Jail Without Changing Working Directory

CWE-244 - Improper Clearing of Heap Memory Before Release ('Heap Inspection')

CWE-245 - J2EE Bad Practices: Direct Management of Connections

CWE-246 - J2EE Bad Practices: Direct Use of Sockets

CWE-247 - DEPRECATED: Reliance on DNS Lookups in a Security Decision

CWE-248 - Uncaught Exception

CWE-249 - DEPRECATED: Often Misused: Path Manipulation

CWE-250 - Execution with Unnecessary Privileges

CWE-252 - Unchecked Return Value

CWE-253 - Incorrect Check of Function Return Value

CWE-254 - Security Features

CWE-255 - Credentials Management

CWE-256 - Unprotected Storage of Credentials

CWE-257 - Storing Passwords in a Recoverable Format

CWE-258 - Empty password in configuration file

CWE-259 - Use of Hard-coded Password

CWE-260 - Password in Configuration File

CWE-261 - Weak Cryptography for Passwords

CWE-262 - Not Using Password Aging

CWE-263 - Password Aging with Long Expiration

CWE-264 - Permissions, Privileges, and Access Controls

CWE-265 - Privilege / Sandbox Issues

CWE-266 - Incorrect Privilege Assignment

CWE-267 - Privilege Defined With Unsafe Actions

CWE-268 - Privilege Chaining

CWE-269 - Improper Privilege Management

CWE-270 - Privilege Context Switching Error

CWE-271 - Privilege Dropping / Lowering Errors

CWE-272 - Least Privilege Violation

CWE-273 - Improper Check for Dropped Privileges

CWE-274 - Improper Handling of Insufficient Privileges

CWE-276 - Incorrect Default Permissions

CWE-277 - Insecure inherited permissions

CWE-278 - Insecure Preserved Inherited Permissions

CWE-279 - Incorrect Execution-Assigned Permissions

CWE-280 - Improper Handling of Insufficient Permissions or Privileges

CWE-281 - Improper preservation of permissions

CWE-282 - Improper Ownership Management

CWE-283 - Unverified Ownership

CWE-284 - Improper Access Control

CWE-285 - Improper Authorization

CWE-286 - Incorrect User Management

CWE-287 - Improper Authentication

CWE-288 - Authentication Bypass Using an Alternate Path or Channel

CWE-289 - Authentication Bypass by Alternate Name

CWE-290 - Authentication Bypass by Spoofing

CWE-291 - Reliance on IP Address for Authentication

CWE-292 - DEPRECATED: Trusting Self-reported DNS Name

CWE-293 - Using Referer Field for Authentication

CWE-294 - Authentication Bypass by Capture-replay

CWE-295 - Improper Certificate Validation

CWE-296 - Improper Following of a Certificate's Chain of Trust

CWE-297 - Improper Validation of Certificate with Host Mismatch

CWE-298 - Improper Validation of Certificate Expiration

CWE-299 - Improper Check for Certificate Revocation

CWE-300 - Channel Accessible by Non-Endpoint ('Man-in-the-Middle')

CWE-301 - Reflection Attack in an Authentication Protocol

CWE-302 - Authentication Bypass by Assumed-Immutable Data

CWE-303 - Incorrect Implementation of Authentication Algorithm

CWE-304 - Missing Critical Step in Authentication

CWE-305 - Authentication Bypass by Primary Weakness

CWE-306 - Missing Authentication for Critical Function

CWE-307 - Improper Restriction of Excessive Authentication Attempts

CWE-308 - Use of Single-factor Authentication

CWE-309 - Use of Password System for Primary Authentication

CWE-310 - Cryptographic Issues

CWE-311 - Missing Encryption of Sensitive Data

CWE-312 - Cleartext Storage of Sensitive Information

CWE-313 - Cleartext Storage in a File or on Disk

CWE-314 - Cleartext Storage in the Registry

CWE-315 - Cleartext Storage of Sensitive Information in a Cookie

CWE-316 - Cleartext Storage of Sensitive Information in Memory

CWE-317 - Cleartext Storage of Sensitive Information in GUI

CWE-318 - Cleartext Storage of Sensitive Information in Executable

CWE-319 - Cleartext Transmission of Sensitive Information

CWE-320 - Key Management Errors

CWE-321 - Use of Hard-coded Cryptographic Key

CWE-322 - Key Exchange without Entity Authentication

CWE-323 - Reusing a Nonce, Key Pair in Encryption

CWE-324 - Use of a Key Past its Expiration Date

CWE-325 - Missing Required Cryptographic Step

CWE-326 - Inadequate Encryption Strength

CWE-327 - Use of a Broken or Risky Cryptographic Algorithm

CWE-328 - Use of Weak Hash

CWE-329 - Not Using an Unpredictable IV with CBC Mode

CWE-330 - Use of Insufficiently Random Values

CWE-331 - Insufficient Entropy

CWE-332 - Insufficient Entropy in PRNG

CWE-333 - Improper Handling of Insufficient Entropy in TRNG

CWE-334 - Small Space of Random Values

CWE-335 - Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)

CWE-336 - Same Seed in Pseudo-Random Number Generator (PRNG)

CWE-337 - Predictable Seed in Pseudo-Random Number Generator (PRNG)

CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

CWE-339 - Small Seed Space in PRNG

CWE-340 - Generation of Predictable Numbers or Identifiers

CWE-341 - Predictable from Observable State

CWE-342 - Predictable Exact Value from Previous Values

CWE-343 - Predictable Value Range from Previous Values

CWE-344 - Use of Invariant Value in Dynamically Changing Context

CWE-345 - Insufficient Verification of Data Authenticity

CWE-346 - Origin Validation Error

CWE-347 - Improper Verification of Cryptographic Signature

CWE-348 - Use of Less Trusted Source

CWE-349 - Acceptance of Extraneous Untrusted Data With Trusted Data

CWE-350 - Reliance on Reverse DNS Resolution for a Security-Critical Action

CWE-351 - Insufficient Type Distinction

CWE-352 - Cross-Site Request Forgery (CSRF)

CWE-353 - Missing Support for Integrity Check

CWE-354 - Improper Validation of Integrity Check Value

CWE-356 - Product UI does not Warn User of Unsafe Actions

CWE-357 - Insufficient UI Warning of Dangerous Operations

CWE-358 - Improperly Implemented Security Check for Standard

CWE-359 - Exposure of Private Information ('Privacy Violation')

CWE-360 - Trust of System Event Data

CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CWE-363 - Race Condition Enabling Link Following

CWE-364 - Signal Handler Race Condition

CWE-365 - DEPRECATED: Race Condition in Switch

CWE-366 - Race Condition within a Thread

CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition

CWE-368 - Context Switching Race Condition

CWE-369 - Divide By Zero

CWE-370 - Missing Check for Certificate Revocation after Initial Check

CWE-371 - State Issues

CWE-372 - Incomplete Internal State Distinction

CWE-373 - DEPRECATED: State Synchronization Error

CWE-374 - Passing Mutable Objects to an Untrusted Method

CWE-375 - Returning a Mutable Object to an Untrusted Caller

CWE-377 - Insecure Temporary File

CWE-378 - Creation of Temporary File With Insecure Permissions

CWE-379 - Creation of Temporary File in Directory with Insecure Permissions

CWE-382 - J2EE Bad Practices: Use of System.exit()

CWE-383 - J2EE Bad Practices: Direct Use of Threads

CWE-384 - Session Fixation

CWE-385 - Covert Timing Channel

CWE-386 - Symbolic Name not Mapping to Correct Object

CWE-388 - Error Handling

CWE-390 - Detection of error condition without action

CWE-391 - Unchecked Error Condition

CWE-392 - Missing Report of Error Condition

CWE-393 - Return of Wrong Status Code

CWE-394 - Unexpected Status Code or Return Value

CWE-395 - Use of NullPointerException Catch to Detect NULL Pointer Dereference

CWE-396 - Declaration of Catch for Generic Exception

CWE-397 - Declaration of Throws for Generic Exception

CWE-399 - Resource Management Errors

CWE-400 - Resource exhaustion

CWE-401 - Missing release of memory after effective lifetime

CWE-402 - Transmission of Private Resources into a New Sphere ('Resource Leak')

CWE-403 - Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')

CWE-404 - Improper Resource Shutdown or Release

CWE-405 - Asymmetric Resource Consumption (Amplification)

CWE-406 - Insufficient Control of Network Message Volume

CWE-407 - Inefficient Algorithmic Complexity

CWE-408 - Incorrect Behavior Order: Early Amplification

CWE-409 - Improper Handling of Highly Compressed Data (Data Amplification)

CWE-410 - Insufficient Resource Pool

CWE-412 - Unrestricted Externally Accessible Lock

CWE-413 - Improper Resource Locking

CWE-414 - Missing Lock Check

CWE-415 - Double Free

CWE-416 - Use After Free

CWE-419 - Unprotected primary channel

CWE-420 - Unprotected Alternate Channel

CWE-421 - Race Condition During Access to Alternate Channel

CWE-422 - Unprotected Windows Messaging Channel ('Shatter')

CWE-423 - DEPRECATED: Proxied Trusted Channel

CWE-424 - Improper Protection of Alternate Path

CWE-425 - Direct Request ('Forced Browsing')

CWE-426 - Untrusted Search Path

CWE-427 - Uncontrolled Search Path Element

CWE-428 - Unquoted Search Path or Element

CWE-430 - Deployment of Wrong Handler

CWE-431 - Missing Handler

CWE-432 - Dangerous Signal Handler not Disabled During Sensitive Operations

CWE-433 - Unparsed Raw Web Content Delivery

CWE-434 - Unrestricted Upload of File with Dangerous Type

CWE-435 - Improper Interaction Between Multiple Correctly-Behaving Entities

CWE-436 - Interpretation Conflict

CWE-437 - Incomplete Model of Endpoint Features

CWE-439 - Behavioral Change in New Version or Environment

CWE-440 - Expected Behavior Violation

CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')

CWE-443 - DEPRECATED: HTTP response splitting

CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CWE-446 - UI Discrepancy for Security Feature

CWE-447 - Unimplemented or Unsupported Feature in UI

CWE-448 - Obsolete Feature in UI

CWE-449 - The UI Performs the Wrong Action

CWE-450 - Multiple Interpretations of UI Input

CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)

CWE-453 - Insecure Default Variable Initialization

CWE-454 - External Initialization of Trusted Variables or Data Stores

CWE-455 - Non-exit on Failed Initialization

CWE-456 - Missing Initialization of a Variable

CWE-457 - Use of Uninitialized Variable

CWE-458 - DEPRECATED: Incorrect Initialization

CWE-459 - Incomplete cleanup

CWE-460 - Improper Cleanup on Thrown Exception

CWE-462 - Duplicate Key in Associative List (Alist)

CWE-463 - Deletion of Data Structure Sentinel

CWE-464 - Addition of Data Structure Sentinel

CWE-466 - Return of pointer value outside of expected range

CWE-467 - Use of sizeof() on a Pointer Type

CWE-468 - Incorrect Pointer Scaling

CWE-469 - Use of Pointer Subtraction to Determine Size

CWE-470 - Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

CWE-471 - Modification of Assumed-Immutable Data

CWE-472 - External Control of Assumed-Immutable Web Parameter

CWE-473 - PHP External Variable Modification

CWE-474 - Use of Function with Inconsistent Implementations

CWE-475 - Undefined Behavior for Input to API

CWE-476 - NULL Pointer Dereference

CWE-477 - Use of Obsolete Function

CWE-478 - Missing Default Case in Multiple Condition Expression

CWE-479 - Signal Handler Use of a Non-reentrant Function

CWE-480 - Use of Incorrect Operator

CWE-481 - Assigning instead of Comparing

CWE-482 - Comparing instead of Assigning

CWE-483 - Incorrect Block Delimitation

CWE-484 - Omitted Break Statement in Switch

CWE-485 - Insufficient Encapsulation

CWE-486 - Comparison of Classes by Name

CWE-487 - Reliance on Package-level Scope

CWE-488 - Exposure of Data Element to Wrong Session

CWE-489 - Active Debug Code

CWE-491 - Public cloneable() Method Without Final ('Object Hijack')

CWE-492 - Use of Inner Class Containing Sensitive Data

CWE-493 - Critical Public Variable Without Final Modifier

CWE-494 - Download of Code Without Integrity Check

CWE-495 - Private Data Structure Returned From A Public Method

CWE-496 - Public Data Assigned to Private Array-Typed Field

CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere

CWE-498 - Cloneable Class Containing Sensitive Information

CWE-499 - Serializable Class Containing Sensitive Data

CWE-500 - Public Static Field Not Marked Final

CWE-501 - Trust Boundary Violation

CWE-502 - Deserialization of Untrusted Data

CWE-506 - Embedded Malicious Code

CWE-507 - Trojan Horse

CWE-508 - Non-Replicating Malicious Code

CWE-509 - Replicating Malicious Code (Virus or Worm)

CWE-510 - Trapdoor

CWE-511 - Logic/Time Bomb

CWE-512 - Spyware

CWE-514 - Covert Channel

CWE-515 - Covert Storage Channel

CWE-516 - DEPRECATED: Covert Timing Channel

CWE-520 - .NET Misconfiguration: Use of Impersonation

CWE-521 - Weak Password Requirements

CWE-522 - Insufficiently Protected Credentials

CWE-523 - Unprotected Transport of Credentials

CWE-524 - Use of Cache Containing Sensitive Information

CWE-525 - Use of Web Browser Cache Containing Sensitive Information

CWE-526 - Cleartext Storage of Sensitive Information in an Environment Variable

CWE-527 - Exposure of Version-Control Repository to an Unauthorized Control Sphere

CWE-528 - Exposure of Core Dump File to an Unauthorized Control Sphere

CWE-529 - Exposure of Access Control List Files to an Unauthorized Control Sphere

CWE-530 - Exposure of Backup File to an Unauthorized Control Sphere

CWE-531 - Inclusion of Sensitive Information in Test Code

CWE-532 - Information Exposure Through Log Files

CWE-533 - DEPRECATED: Information Exposure Through Server Log Files

CWE-534 - DEPRECATED: Information Exposure Through Debug Log Files

CWE-535 - Exposure of Information Through Shell Error Message

CWE-536 - Servlet Runtime Error Message Containing Sensitive Information

CWE-537 - Java Runtime Error Message Containing Sensitive Information

CWE-538 - File And Directory Information Exposure

CWE-539 - Use of Persistent Cookies Containing Sensitive Information

CWE-540 - Inclusion of Sensitive Information in Source Code

CWE-541 - Inclusion of Sensitive Information in an Include File

CWE-542 - DEPRECATED: Information Exposure Through Cleanup Log Files

CWE-543 - Use of Singleton Pattern Without Synchronization in a Multithreaded Context

CWE-544 - Missing Standardized Error Handling Mechanism

CWE-545 - DEPRECATED: Use of Dynamic Class Loading

CWE-546 - Suspicious Comment

CWE-547 - Use of Hard-coded, Security-relevant Constants

CWE-548 - Exposure of Information Through Directory Listing

CWE-549 - Missing Password Field Masking

CWE-550 - Server-generated Error Message Containing Sensitive Information

CWE-551 - Incorrect Behavior Order: Authorization Before Parsing and Canonicalization

CWE-552 - Files or Directories Accessible to External Parties

CWE-553 - Command Shell in Externally Accessible Directory

CWE-554 - ASP.NET Misconfiguration: Not Using Input Validation Framework

CWE-555 - J2EE Misconfiguration: Plaintext Password in Configuration File

CWE-556 - ASP.NET Misconfiguration: Use of Identity Impersonation

CWE-558 - Use of getlogin() in Multithreaded Application

CWE-560 - Use of umask() with chmod-style Argument

CWE-561 - Dead Code

CWE-562 - Return of Stack Variable Address

CWE-563 - Assignment to Variable without Use

CWE-564 - SQL Injection: Hibernate

CWE-565 - Reliance on Cookies without Validation and Integrity Checking

CWE-566 - Authorization Bypass Through User-Controlled SQL Primary Key

CWE-567 - Unsynchronized Access to Shared Data in a Multithreaded Context

CWE-568 - finalize() Method Without super.finalize()

CWE-570 - Expression is Always False

CWE-571 - Expression is Always True

CWE-572 - Call to Thread run() instead of start()

CWE-573 - Improper Following of Specification by Caller

CWE-574 - EJB Bad Practices: Use of Synchronization Primitives

CWE-575 - EJB Bad Practices: Use of AWT Swing

CWE-576 - EJB Bad Practices: Use of Java I/O

CWE-577 - EJB Bad Practices: Use of Sockets

CWE-578 - EJB Bad Practices: Use of Class Loader

CWE-579 - J2EE Bad Practices: Non-serializable Object Stored in Session

CWE-580 - clone() Method Without super.clone()

CWE-581 - Object Model Violation: Just One of Equals and Hashcode Defined

CWE-582 - Array Declared Public, Final, and Static

CWE-583 - finalize() Method Declared Public

CWE-584 - Return Inside Finally Block

CWE-585 - Empty Synchronized Block

CWE-586 - Explicit Call to Finalize()

CWE-587 - Assignment of a Fixed Address to a Pointer

CWE-588 - Attempt to Access Child of a Non-structure Pointer

CWE-589 - Call to Non-ubiquitous API

CWE-590 - Free of Memory not on the Heap

CWE-591 - Sensitive Data Storage in Improperly Locked Memory

CWE-592 - Authentication Bypass Issues

CWE-593 - Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created

CWE-594 - J2EE Framework: Saving Unserializable Objects to Disk

CWE-595 - Comparison of Object References Instead of Object Contents

CWE-596 - DEPRECATED: Incorrect Semantic Object Comparison

CWE-597 - Use of Wrong Operator in String Comparison

CWE-598 - Information Exposure Through Query Strings in GET Request

CWE-599 - Missing Validation of OpenSSL Certificate

CWE-600 - Uncaught Exception in Servlet

CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')

CWE-602 - Client-Side Enforcement of Server-Side Security

CWE-603 - Use of Client-Side Authentication

CWE-605 - Multiple Binds to the Same Port

CWE-606 - Unchecked Input for Loop Condition

CWE-607 - Public Static Final Field References Mutable Object

CWE-608 - Struts: Non-private Field in ActionForm Class

CWE-609 - Double-Checked Locking

CWE-610 - Externally Controlled Reference to a Resource in Another Sphere

CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

CWE-612 - Improper Authorization of Index Containing Sensitive Information

CWE-613 - Insufficient Session Expiration

CWE-614 - Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

CWE-615 - Inclusion of Sensitive Information in Source Code Comments

CWE-616 - Incomplete Identification of Uploaded File Variables (PHP)

CWE-617 - Reachable Assertion

CWE-618 - Exposed Unsafe ActiveX Method

CWE-619 - Dangling Database Cursor ('Cursor Injection')

CWE-620 - Unverified Password Change

CWE-621 - Variable Extraction Error

CWE-622 - Improper Validation of Function Hook Argument

CWE-623 - Unsafe ActiveX Control Marked Safe For Scripting

CWE-624 - Executable Regular Expression Error

CWE-625 - Permissive Regular Expression

CWE-626 - Null Byte Interaction Error (Poison Null Byte)

CWE-627 - Dynamic Variable Evaluation

CWE-628 - Function Call with Incorrectly Specified Arguments

CWE-636 - Not Failing Securely ('Failing Open')

CWE-637 - Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')

CWE-638 - Not Using Complete Mediation

CWE-639 - Authorization Bypass Through User-Controlled Key

CWE-640 - Weak password recovery mechanism

CWE-641 - Improper Restriction of Names for Files and Other Resources

CWE-642 - External Control of Critical State Data

CWE-643 - Improper Neutralization of Data within XPath Expressions

CWE-644 - Improper Neutralization of HTTP Headers for Scripting Syntax

CWE-645 - Overly Restrictive Account Lockout Mechanism

CWE-646 - Reliance on File Name or Extension of Externally-Supplied File

CWE-647 - Use of Non-Canonical URL Paths for Authorization Decisions

CWE-648 - Incorrect Use of Privileged APIs

CWE-649 - Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking

CWE-650 - Trusting HTTP Permission Methods on the Server Side

CWE-651 - Exposure of WSDL File Containing Sensitive Information

CWE-652 - Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')

CWE-653 - Improper isolation or compartmentalization

CWE-654 - Reliance on a Single Factor in a Security Decision

CWE-655 - Insufficient Psychological Acceptability

CWE-656 - Reliance on Security Through Obscurity

CWE-657 - Violation of Secure Design Principles

CWE-661 - Weaknesses in Software Written in PHP

CWE-662 - Improper Synchronization

CWE-663 - Use of a Non-reentrant Function in a Concurrent Context

CWE-664 - Improper control of a resource through its lifetime

CWE-665 - Improper Initialization

CWE-666 - Operation on Resource in Wrong Phase of Lifetime

CWE-667 - Improper Locking

CWE-668 - Exposure of resource to wrong sphere

CWE-669 - Incorrect Resource Transfer Between Spheres

CWE-670 - Always-Incorrect Control Flow Implementation

CWE-671 - Lack of Administrator Control over Security

CWE-672 - Operation on a Resource after Expiration or Release

CWE-673 - External Influence of Sphere Definition

CWE-674 - Uncontrolled Recursion

CWE-675 - Multiple Operations on Resource in Single-Operation Context

CWE-676 - Use of Potentially Dangerous Function

CWE-680 - Integer Overflow to Buffer Overflow

CWE-681 - Incorrect Conversion between Numeric Types

CWE-682 - Incorrect Calculation

CWE-683 - Function Call With Incorrect Order of Arguments

CWE-684 - Incorrect Provision of Specified Functionality

CWE-685 - Function Call With Incorrect Number of Arguments

CWE-686 - Function Call With Incorrect Argument Type

CWE-687 - Function Call With Incorrectly Specified Argument Value

CWE-688 - Function Call With Incorrect Variable or Reference as Argument

CWE-689 - Permission Race Condition During Resource Copy

CWE-690 - Unchecked Return Value to NULL Pointer Dereference

CWE-691 - Insufficient Control Flow Management

CWE-692 - Incomplete Blacklist to Cross-Site Scripting

CWE-693 - Protection Mechanism Failure

CWE-694 - Use of Multiple Resources with Duplicate Identifier

CWE-695 - Use of Low-Level Functionality

CWE-696 - Incorrect Behavior Order

CWE-697 - Incorrect Comparison

CWE-698 - Execution After Redirect (EAR)

CWE-703 - Improper Check or Handling of Exceptional Conditions

CWE-704 - Type conversion

CWE-705 - Incorrect Control Flow Scoping

CWE-706 - Use of Incorrectly-Resolved Name or Reference

CWE-707 - Improper Neutralization

CWE-708 - Incorrect Ownership Assignment

CWE-710 - Improper Adherence to Coding Standards

CWE-732 - Incorrect Permission Assignment for Critical Resource

CWE-733 - Compiler Optimization Removal or Modification of Security-critical Code

CWE-749 - Exposed Dangerous Method or Function

CWE-754 - Improper Check for Unusual or Exceptional Conditions

CWE-755 - Improper Handling of Exceptional Conditions

CWE-756 - Missing Custom Error Page

CWE-757 - Selection of Less-Secure Algorithm During Negotiat

CWE-758 - Reliance on Undefined, Unspecified, or Implementation-Defined Behavior

CWE-759 - Use of a One-Way Hash without a Salt

CWE-760 - Use of a One-Way Hash with a Predictable Salt

CWE-761 - Free of Pointer not at Start of Buffer

CWE-762 - Mismatched Memory Management Routines

CWE-763 - Release of invalid pointer or reference

CWE-764 - Multiple Locks of a Critical Resource

CWE-765 - Multiple Unlocks of a Critical Resource

CWE-766 - Critical Data Element Declared Public

CWE-767 - Access to Critical Private Variable via Public Method

CWE-768 - Incorrect Short Circuit Evaluation

CWE-769 - DEPRECATED: Uncontrolled File Descriptor Consumption

CWE-770 - Allocation of Resources Without Limits or Throttling

CWE-771 - Missing Reference to Active Allocated Resource

CWE-772 - Missing Release of Resource after Effective Lifetime

CWE-773 - Missing Reference to Active File Descriptor or Handle

CWE-774 - Allocation of File Descriptors or Handles Without Limits or Throttling

CWE-775 - Missing Release of File Descriptor or Handle after Effective Lifetime

CWE-776 - Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

CWE-777 - Regular Expression without Anchors

CWE-778 - Insufficient Logging

CWE-779 - Logging of Excessive Data

CWE-780 - Use of RSA Algorithm without OAEP

CWE-781 - Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code

CWE-782 - Exposed IOCTL with Insufficient Access Control

CWE-783 - Operator Precedence Logic Error

CWE-784 - Reliance on Cookies without Validation and Integrity Checking in a Security Decision

CWE-785 - Use of Path Manipulation Function without Maximum-sized Buffer

CWE-786 - Access of Memory Location Before Start of Buffer

CWE-787 - Out-of-bounds write

CWE-788 - Access of Memory Location After End of Buffer

CWE-789 - Uncontrolled Memory Allocation

CWE-790 - Improper Filtering of Special Elements

CWE-791 - Incomplete Filtering of Special Elements

CWE-792 - Incomplete Filtering of One or More Instances of Special Elements

CWE-793 - Only Filtering One Instance of a Special Element

CWE-794 - Incomplete Filtering of Multiple Instances of Special Elements

CWE-795 - Only Filtering Special Elements at a Specified Location

CWE-796 - Only Filtering Special Elements Relative to a Marker

CWE-797 - Only Filtering Special Elements at an Absolute Position

CWE-798 - Use of Hard-coded Credentials

CWE-799 - Improper Control of Interaction Frequency

CWE-804 - Guessable CAPTCHA

CWE-805 - Buffer Access with Incorrect Length Value

CWE-806 - Buffer Access Using Size of Source Buffer

CWE-807 - Reliance on Untrusted Inputs in a Security Decision

CWE-820 - Missing Synchronization

CWE-821 - Incorrect Synchronization

CWE-822 - Untrusted Pointer Dereference

CWE-823 - Use of Out-of-range Pointer Offset

CWE-824 - Access of Uninitialized Pointer

CWE-825 - Expired pointer dereference

CWE-826 - Premature Release of Resource During Expected Lifetime

CWE-827 - Improper Control of Document Type Definition

CWE-828 - Signal Handler with Functionality that is not Asynchronous-Safe

CWE-829 - Inclusion of Functionality from Untrusted Control Sphere

CWE-830 - Inclusion of Web Functionality from an Untrusted Source

CWE-831 - Signal Handler Function Associated with Multiple Signals

CWE-832 - Unlock of a Resource that is not Locked

CWE-833 - Deadlock

CWE-834 - Excessive Iteration

CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

CWE-836 - Use of Password Hash Instead of Password for Authentication

CWE-837 - Improper Enforcement of a Single, Unique Action

CWE-838 - Inappropriate Encoding for Output Context

CWE-839 - Numeric Range Comparison Without Minimum Check

CWE-840 - Business Logic Errors

CWE-841 - Improper Enforcement of Behavioral Workflow

CWE-842 - Placement of User into Incorrect Group

CWE-843 - Type confusion

CWE-862 - Missing Authorization

CWE-863 - Incorrect Authorization

CWE-908 - Use of Uninitialized Resource

CWE-909 - Missing initialization of resource

CWE-910 - Use of Expired File Descriptor

CWE-911 - Improper Update of Reference Count

CWE-912 - Hidden Functionality (Backdoor)

CWE-913 - Improper Control of Dynamically-Managed Code Resources

CWE-914 - Improper Control of Dynamically-Identified Variables

CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes

CWE-916 - Use of Password Hash With Insufficient Computational Effort

CWE-917 - Improper Neutralization of Special Elements used in an Expression Language Statement

CWE-918 - Server-Side Request Forgery (SSRF)

CWE-920 - Improper Restriction of Power Consumption

CWE-921 - Storage of Sensitive Data in a Mechanism without Access Control

CWE-922 - Insecure Storage of Sensitive Information

CWE-923 - Improper Restriction of Communication Channel to Intended Endpoints

CWE-924 - Improper Enforcement of Message Integrity During Transmission in a Communication Channel

CWE-925 - Improper Verification of Intent by Broadcast Receiver

CWE-926 - Improper Export of Android Application Components

CWE-927 - Use of Implicit Intent for Sensitive Communication

CWE-939 - Improper Authorization in Handler for Custom URL Scheme

CWE-940 - Improper Verification of Source of a Communication Channel

CWE-941 - Incorrectly Specified Destination in a Communication Channel

CWE-942 - Overly Permissive Cross-domain Whitelist

CWE-943 - Improper Neutralization of Special Elements in Data Query Logic

CWE-1004 - Sensitive Cookie Without 'HttpOnly' Flag

CWE-1007 - Insufficient Visual Distinction of Homoglyphs Presented to User

CWE-1021 - Improper Restriction of Rendered UI Layers or Frames

CWE-1022 - Use of Web Link to Untrusted Target with window.opener Access

CWE-1023 - Incomplete Comparison with Missing Factors

CWE-1024 - Comparison of Incompatible Types

CWE-1025 - Comparison using wrong factors

CWE-1037 - Processor optimization removal or modification of security-critical code

CWE-1038 - Insecure Automated Optimizations

CWE-1039 - Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations

CWE-1041 - Use of Redundant Code

CWE-1042 - Static Member Data Element outside of a Singleton Class Element

CWE-1043 - Data Element Aggregating an Excessively Large Number of Non-Primitive Elements

CWE-1044 - Architecture with Number of Horizontal Layers Outside of Expected Range

CWE-1045 - Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor

CWE-1046 - Creation of Immutable Text Using String Concatenation

CWE-1047 - Modules with Circular Dependencies

CWE-1048 - Invokable Control Element with Large Number of Outward Calls

CWE-1049 - Excessive Data Query Operations in a Large Data Table

CWE-1050 - Excessive Platform Resource Consumption within a Loop

CWE-1051 - Initialization with Hard-Coded Network Resource Configuration Data

CWE-1052 - Excessive Use of Hard-Coded Literals in Initialization

CWE-1053 - Missing Documentation for Design

CWE-1054 - Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer

CWE-1055 - Multiple Inheritance from Concrete Classes

CWE-1056 - Invokable Control Element with Variadic Parameters

CWE-1057 - Data Access Operations Outside of Expected Data Manager Component

CWE-1058 - Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element

CWE-1059 - Insufficient Technical Documentation

CWE-1060 - Excessive Number of Inefficient Server-Side Data Accesses

CWE-1061 - Insufficient Encapsulation

CWE-1062 - Parent Class with References to Child Class

CWE-1063 - Creation of Class Instance within a Static Code Block

CWE-1064 - Invokable Control Element with Signature Containing an Excessive Number of Parameters

CWE-1065 - Runtime Resource Management Control Element in a Component Built to Run on Application Servers

CWE-1066 - Missing Serialization Control Element

CWE-1067 - Excessive Execution of Sequential Searches of Data Resource

CWE-1068 - Inconsistency Between Implementation and Documented Design

CWE-1069 - Empty Exception Block

CWE-1070 - Serializable Data Element Containing non-Serializable Item Elements

CWE-1071 - Empty Code Block

CWE-1072 - Data Resource Access without Use of Connection Pooling

CWE-1073 - Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses

CWE-1074 - Class with Excessively Deep Inheritance

CWE-1075 - Unconditional Control Flow Transfer outside of Switch Block

CWE-1076 - Insufficient Adherence to Expected Conventions

CWE-1077 - Floating Point Comparison with Incorrect Operator

CWE-1078 - Inappropriate Source Code Style or Formatting

CWE-1079 - Parent Class without Virtual Destructor Method

CWE-1080 - Source Code File with Excessive Number of Lines of Code

CWE-1082 - Class Instance Self Destruction Control Element

CWE-1083 - Data Access from Outside Expected Data Manager Component

CWE-1084 - Invokable Control Element with Excessive File or Data Access Operations

CWE-1085 - Invokable Control Element with Excessive Volume of Commented-out Code

CWE-1086 - Class with Excessive Number of Child Classes

CWE-1087 - Class with Virtual Method without a Virtual Destructor

CWE-1088 - Synchronous Access of Remote Resource without Timeout

CWE-1089 - Large Data Table with Excessive Number of Indices

CWE-1090 - Method Containing Access of a Member Element from Another Class

CWE-1091 - Use of Object without Invoking Destructor Method

CWE-1092 - Use of Same Invokable Control Element in Multiple Architectural Layers

CWE-1093 - Excessively Complex Data Representation

CWE-1094 - Excessive Index Range Scan for a Data Resource

CWE-1095 - Loop Condition Value Update within the Loop

CWE-1096 - Singleton Class Instance Creation without Proper Locking or Synchronization

CWE-1097 - Persistent Storable Data Element without Associated Comparison Control Element

CWE-1098 - Data Element containing Pointer Item without Proper Copy Control Element

CWE-1099 - Inconsistent Naming Conventions for Identifiers

CWE-1100 - Insufficient Isolation of System-Dependent Functions

CWE-1101 - Reliance on Runtime Component in Generated Code

CWE-1102 - Reliance on Machine-Dependent Data Representation

CWE-1103 - Use of Platform-Dependent Third Party Components

CWE-1104 - Use of Unmaintained Third Party Components

CWE-1105 - Insufficient Encapsulation of Machine-Dependent Functionality

CWE-1106 - Insufficient Use of Symbolic Constants

CWE-1107 - Insufficient Isolation of Symbolic Constant Definitions

CWE-1108 - Excessive Reliance on Global Variables

CWE-1109 - Use of Same Variable for Multiple Purposes

CWE-1110 - Incomplete Design Documentation

CWE-1111 - Incomplete I/O Documentation

CWE-1112 - Incomplete Documentation of Program Execution

CWE-1113 - Inappropriate Comment Style

CWE-1114 - Inappropriate Whitespace Style

CWE-1115 - Source Code Element without Standard Prologue

CWE-1116 - Inaccurate Comments

CWE-1117 - Callable with Insufficient Behavioral Summary

CWE-1118 - Insufficient Documentation of Error Handling Techniques

CWE-1119 - Excessive Use of Unconditional Branching

CWE-1120 - Excessive Code Complexity

CWE-1121 - Excessive McCabe Cyclomatic Complexity

CWE-1122 - Excessive Halstead Complexity

CWE-1123 - Excessive Use of Self-Modifying Code

CWE-1124 - Excessively Deep Nesting

CWE-1125 - Excessive Attack Surface

CWE-1126 - Declaration of Variable with Unnecessarily Wide Scope

CWE-1127 - Compilation with Insufficient Warnings or Errors

CWE-1164 - Irrelevant Code

CWE-1173 - Improper Use of Validation Framework

CWE-1174 - ASP.NET Misconfiguration: Improper Model Validation

CWE-1176 - Inefficient CPU Computation

CWE-1177 - Use of Prohibited Code

CWE-1187 - DEPRECATED: Use of Uninitialized Resource

CWE-1188 - Insecure Default Initialization of Resource

CWE-1189 - Improper Isolation of Shared Resources on System-on-a-Chip (SoC)

CWE-1190 - DMA Device Enabled Too Early in Boot Phase

CWE-1191 - On-Chip Debug and Test Interface With Improper Access Control

CWE-1192 - System-on-Chip (SoC) Using Components without Unique, Immutable Identifiers

CWE-1193 - Power-On of Untrusted Execution Core Before Enabling Fabric Access Control

CWE-1204 - Generation of Weak Initialization Vector (IV)

CWE-1209 - Failure to Disable Reserved Bits

CWE-1220 - Insufficient Granularity of Access Control

CWE-1221 - Incorrect Register Defaults or Module Parameters

CWE-1222 - Insufficient Granularity of Address Regions Protected by Register Locks

CWE-1223 - Race Condition for Write-Once Attributes

CWE-1224 - Improper Restriction of Write-Once Bit Fields

CWE-1229 - Creation of Emergent Resource

CWE-1230 - Exposure of Sensitive Information Through Metadata

CWE-1231 - Improper Prevention of Lock Bit Modification

CWE-1232 - Improper Lock Behavior After Power State Transition

CWE-1233 - Security-Sensitive Hardware Controls with Missing Lock Bit Protection

CWE-1234 - Hardware Internal or Debug Modes Allow Override of Locks

CWE-1235 - Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations

CWE-1236 - Improper Neutralization of Formula Elements in a CSV File

CWE-1239 - Improper Zeroization of Hardware Register

CWE-1240 - Use of a Cryptographic Primitive with a Risky Implementation

CWE-1241 - Use of Predictable Algorithm in Random Number Generator

CWE-1242 - Inclusion of Undocumented Features or Chicken Bits

CWE-1243 - Sensitive Non-Volatile Information Not Protected During Debug

CWE-1244 - Internal Asset Exposed to Unsafe Debug Access Level or State

CWE-1245 - Improper Finite State Machines (FSMs) in Hardware Logic

CWE-1246 - Improper Write Handling in Limited-write Non-Volatile Memories

CWE-1247 - Improper Protection Against Voltage and Clock Glitches

CWE-1248 - Semiconductor Defects in Hardware Logic with Security-Sensitive Implications

CWE-1249 - Application-Level Admin Tool with Inconsistent View of Underlying Operating System

CWE-1250 - Improper Preservation of Consistency Between Independent Representations of Shared State

CWE-1251 - Mirrored Regions with Different Values

CWE-1252 - CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations

CWE-1253 - Incorrect Selection of Fuse Values

CWE-1254 - Incorrect Comparison Logic Granularity

CWE-1255 - Comparison Logic is Vulnerable to Power Side-Channel Attacks

CWE-1256 - Improper restriction of software interfaces to hardware features

CWE-1257 - Improper Access Control Applied to Mirrored or Aliased Memory Regions

CWE-1258 - Exposure of Sensitive System Information Due to Uncleared Debug Information

CWE-1259 - Improper Restriction of Security Token Assignment

CWE-1260 - Improper Handling of Overlap Between Protected Memory Ranges

CWE-1261 - Improper Handling of Single Event Upsets

CWE-1262 - Improper Access Control for Register Interface

CWE-1263 - Improper Physical Access Control

CWE-1264 - Hardware Logic with Insecure De-Synchronization between Control and Data Channels

CWE-1265 - Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls

CWE-1266 - Improper Scrubbing of Sensitive Data from Decommissioned Device

CWE-1267 - Policy Uses Obsolete Encoding

CWE-1268 - Policy Privileges are not Assigned Consistently Between Control and Data Agents

CWE-1269 - Product Released in Non-Release Configuration

CWE-1270 - Generation of Incorrect Security Tokens

CWE-1271 - Uninitialized Value on Reset for Registers Holding Security Settings

CWE-1272 - Sensitive Information Uncleared Before Debug/Power State Transition

CWE-1273 - Device Unlock Credential Sharing

CWE-1274 - Improper Access Control for Volatile Memory Containing Boot Code

CWE-1275 - Sensitive Cookie with Improper SameSite Attribute

CWE-1276 - Hardware Child Block Incorrectly Connected to Parent System

CWE-1277 - Firmware Not Updateable

CWE-1278 - Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techni

CWE-1279 - Cryptographic Operations are run Before Supporting Units are Ready

CWE-1280 - Access Control Check Implemented After Asset is Accessed

CWE-1281 - Sequence of Processor Instructions Leads to Unexpected Behavior

CWE-1282 - Assumed-Immutable Data is Stored in Writable Memory

CWE-1283 - Mutable Attestation or Measurement Reporting Data

CWE-1284 - Improper Validation of Specified Quantity in Input

CWE-1285 - Improper Validation of Specified Index, Position, or Offset in Input

CWE-1286 - Improper Validation of Syntactic Correctness of Input

CWE-1287 - Improper Validation of Specified Type of Input

CWE-1288 - Improper Validation of Consistency within Input

CWE-1289 - Improper Validation of Unsafe Equivalence in Input

CWE-1290 - Incorrect Decoding of Security Identifiers

CWE-1291 - Public Key Re-Use for Signing both Debug and Production Code

CWE-1292 - Incorrect Conversion of Security Identifiers

CWE-1293 - Missing Source Correlation of Multiple Independent Data

CWE-1294 - Insecure Security Identifier Mechanism

CWE-1295 - Debug Messages Revealing Unnecessary Information

CWE-1296 - Incorrect Chaining or Granularity of Debug Components

CWE-1297 - Unprotected Confidential Information on Device is Accessible by OSAT Vendors

CWE-1298 - Hardware Logic Contains Race Conditions

CWE-1299 - Missing Protection Mechanism for Alternate Hardware Interface

CWE-1300 - Improper Protection of Physical Side Channels

CWE-1301 - Insufficient or Incomplete Data Removal within Hardware Component

CWE-1302 - Missing Security Identifier

CWE-1303 - Non-Transparent Sharing of Microarchitectural Resources

CWE-1304 - Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation

CWE-1310 - Missing Ability to Patch ROM Code

CWE-1311 - Improper Translation of Security Attributes by Fabric Bridge

CWE-1312 - Missing Protection for Mirrored Regions in On-Chip Fabric Firewall

CWE-1313 - Hardware Allows Activation of Test or Debug Logic at Runtime

CWE-1314 - Missing Write Protection for Parametric Data Values

CWE-1315 - Improper Setting of Bus Controlling Capability in Fabric End-point

CWE-1316 - Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges

CWE-1317 - Improper Access Control in Fabric Bridge

CWE-1318 - Missing Support for Security Features in On-chip Fabrics or Buses

CWE-1319 - Improper Protection against Electromagnetic Fault Injection

CWE-1320 - Improper Protection for Outbound Error Messages and Alert Signals

CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CWE-1322 - Use of Blocking Code in Single-threaded, Non-blocking Context

CWE-1323 - Improper Management of Sensitive Trace Data

CWE-1324 - DEPRECATED: Sensitive Information Accessible by Physical Probing of JTAG Interface

CWE-1325 - Improperly Controlled Sequential Memory Allocation

CWE-1326 - Missing Immutable Root of Trust in Hardware

CWE-1327 - Binding to an Unrestricted IP Address

CWE-1328 - Security Version Number Mutable to Older Versions

CWE-1329 - Reliance on Component That is Not Updateable

CWE-1330 - Remanent Data Readable after Memory Erase

CWE-1331 - Improper Isolation of Shared Resources in Network On Chip (NoC)

CWE-1332 - Improper Handling of Faults that Lead to Instruction Skips

CWE-1333 - Inefficient Regular Expression Complexity

CWE-1334 - Unauthorized Error Injection Can Degrade Hardware Redundancy

CWE-1335 - Incorrect Bitwise Shift of Integer

CWE-1336 - Improper Neutralization of Special Elements Used in a Template Engine

CWE-1338 - Improper Protections Against Hardware Overheating

CWE-1339 - Insufficient Precision or Accuracy of a Real Number

CWE-1341 - Multiple Releases of Same Resource or Handle

CWE-1342 - Information Exposure through Microarchitectural State after Transient Execution

CWE-1351 - Improper Handling of Hardware Behavior in Exceptionally Cold Environments

CWE-1357 - Reliance on Insufficiently Trustworthy Component

CWE-1384 - Improper Handling of Physical or Environmental Conditions

CWE-1385 - Missing Origin Validation in WebSockets

CWE-1386 - Insecure Operation on Windows Junction / Mount Point

CWE-1389 - Incorrect Parsing of Numbers with Different Radices

CWE-1390 - Weak Authentication

CWE-1391 - Use of Weak Credentials

CWE-1392 - Use of Default Credentials

CWE-1393 - Use of Default Password

CWE-1394 - Use of Default Cryptographic Key

CWE-1395 - Dependency on Vulnerable Third-Party Component