J2EE Misconfiguration: Data Transmission Without Encryption
CWE-5
J2EE Misconfiguration: Insufficient Session-ID Length
CWE-6
J2EE Misconfiguration: Missing Custom Error Page
CWE-7
J2EE Misconfiguration: Entity Bean Declared Remote
CWE-8
J2EE Misconfiguration: Weak Access Permissions for EJB Methods
CWE-9
ASP.NET Misconfiguration: Creating Debug Binary
CWE-11
ASP.NET Misconfiguration: Missing Custom Error Page
CWE-12
ASP.NET Misconfiguration: Password in Configuration File
CWE-13
Compiler Removal of Code to Clear Buffers
CWE-14
External Control of System or Configuration Setting
CWE-15
Improper Input Validation
CWE-20
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-22
Relative Path Traversal
CWE-23
Path Traversal: '../filedir'
CWE-24
Path Traversal: '/../filedir'
CWE-25
Path Traversal: '/dir/../filename'
CWE-26
Path Traversal: 'dir/../../filename'
CWE-27
Path Traversal: '..\filedir'
CWE-28
Path Traversal: '\..\filename'
CWE-29
Path Traversal: 'dir\..\filename'
CWE-30
Path Traversal: 'dir\..\..\filename'
CWE-31
Path Traversal: '...' (Triple Dot)
CWE-32
Path Traversal: '....' (Multiple Dot)
CWE-33
Path Traversal: '....//'
CWE-34
Path Traversal: '.../...//'
CWE-35
Absolute Path Traversal
CWE-36
Path Traversal: '/absolute/pathname/here'
CWE-37
Path Traversal: '\absolute\pathname\here'
CWE-38
Path Traversal: 'C:dirname'
CWE-39
Path Traversal: '\\UNC\share\name\' (Windows UNC Share)
CWE-40
Improper Resolution of Path Equivalence
CWE-41
Path Equivalence: 'filename.' (Trailing Dot)
CWE-42
Path Equivalence: 'filename....' (Multiple Trailing Dot)
CWE-43
Path Equivalence: 'file.name' (Internal Dot)
CWE-44
Path Equivalence: 'file...name' (Multiple Internal Dot)
CWE-45
Path Equivalence: 'filename ' (Trailing Space)
CWE-46
Path Equivalence: ' filename' (Leading Space)
CWE-47
Path Equivalence: 'file name' (Internal Whitespace)
CWE-48
Path Equivalence: 'filename/' (Trailing Slash)
CWE-49
Path Equivalence: '//multiple/leading/slash'
CWE-50
Path Equivalence: '/multiple//internal/slash'
CWE-51
Path Equivalence: '/multiple/trailing/slash//'
CWE-52
Path Equivalence: '\multiple\\internal\backslash'
CWE-53
Path Equivalence: 'filedir\' (Trailing Backslash)
CWE-54
Path Equivalence: '/./' (Single Dot Directory)
CWE-55
Path Equivalence: 'filedir*' (Wildcard)
CWE-56
Path Equivalence: 'fakedir/../realdir/filename'
CWE-57
Path Equivalence: Windows 8.3 Filename
CWE-58
Improper Link Resolution Before File Access ('Link Following')
CWE-59
UNIX Symbolic Link (Symlink) Following
CWE-61
UNIX Hard Link
CWE-62
Windows Shortcut Following (.LNK)
CWE-64
Windows Hard Link
CWE-65
Improper Handling of File Names that Identify Virtual Resources
CWE-66
Improper Handling of Windows Device Names
CWE-67
Improper Handling of Windows ::DATA Alternate Data Stream
CWE-69
Improper Handling of Apple HFS+ Alternate Data Stream Path
CWE-72
External Control of File Name or Path
CWE-73
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-74
Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
CWE-75
Improper Neutralization of Equivalent Special Elements
CWE-76
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE-77
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-78
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-79
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CWE-80
Improper Neutralization of Script in an Error Message Web Page
CWE-81
Improper Neutralization of Script in Attributes of IMG Tags in a Web Page
CWE-82
Improper Neutralization of Script in Attributes in a Web Page
CWE-83
Improper Neutralization of Encoded URI Schemes in a Web Page
CWE-84
Doubled Character XSS Manipulations
CWE-85
Improper Neutralization of Invalid Characters in Identifiers in Web Pages
CWE-86
Improper Neutralization of Alternate XSS Syntax
CWE-87
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
CWE-88
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CWE-89
Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
CWE-90
XML Injection (aka Blind XPath Injection)
CWE-91
Improper Neutralization of CRLF Sequences ('CRLF Injection')
CWE-93
Improper Control of Generation of Code ('Code Injection')
CWE-94
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
CWE-95
Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
CWE-96
Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
CWE-97
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
CWE-98
Improper Control of Resource Identifiers ('Resource Injection')
CWE-99
Struts: Duplicate Validation Forms
CWE-102
Struts: Incomplete validate() Method Definition
CWE-103
Struts: Form Bean Does Not Extend Validation Class
CWE-104
Struts: Form Field Without Validator
CWE-105
Struts: Plug-in Framework not in Use
CWE-106
Struts: Unused Validation Form
CWE-107
Struts: Unvalidated Action Form
CWE-108
Struts: Validator Turned Off
CWE-109
Struts: Validator Without Form Field
CWE-110
Direct Use of Unsafe JNI
CWE-111
Missing XML Validation
CWE-112
Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
CWE-113
Process Control
CWE-114
Misinterpretation of Input
CWE-115
Improper Encoding or Escaping of Output
CWE-116
Improper Output Neutralization for Logs
CWE-117
Incorrect Access of Indexable Resource ('Range Error')
CWE-118
Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-119
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CWE-120
Stack-based Buffer Overflow
CWE-121
Heap-based Buffer Overflow
CWE-122
Write-what-where Condition
CWE-123
Buffer Underwrite ('Buffer Underflow')
CWE-124
Out-of-bounds Read
CWE-125
Buffer Over-read
CWE-126
Buffer Under-read
CWE-127
Wrap-around Error
CWE-128
Improper Validation of Array Index
CWE-129
Improper Handling of Length Parameter Inconsistency
CWE-130
Incorrect Calculation of Buffer Size
CWE-131
Use of Externally-Controlled Format String
CWE-134
Incorrect Calculation of Multi-Byte String Length
CWE-135
Improper Neutralization of Special Elements
CWE-138
Improper Neutralization of Delimiters
CWE-140
Improper Neutralization of Parameter/Argument Delimiters
CWE-141
Improper Neutralization of Value Delimiters
CWE-142
Improper Neutralization of Record Delimiters
CWE-143
Improper Neutralization of Line Delimiters
CWE-144
Improper Neutralization of Section Delimiters
CWE-145
Improper Neutralization of Expression/Command Delimiters
CWE-146
Improper Neutralization of Input Terminators
CWE-147
Improper Neutralization of Input Leaders
CWE-148
Improper Neutralization of Quoting Syntax
CWE-149
Improper Neutralization of Escape, Meta, or Control Sequences
CWE-150
Improper Neutralization of Comment Delimiters
CWE-151
Improper Neutralization of Macro Symbols
CWE-152
Improper Neutralization of Substitution Characters
CWE-153
Improper Neutralization of Variable Name Delimiters
CWE-154
Improper Neutralization of Wildcards or Matching Symbols
CWE-155
Improper Neutralization of Whitespace
CWE-156
Failure to Sanitize Paired Delimiters
CWE-157
Improper Neutralization of Null Byte or NUL Character
CWE-158
Improper Handling of Invalid Use of Special Elements
CWE-159
Improper Neutralization of Leading Special Elements
CWE-160
Improper Neutralization of Multiple Leading Special Elements
CWE-161
Improper Neutralization of Trailing Special Elements
CWE-162
Improper Neutralization of Multiple Trailing Special Elements
CWE-163
Improper Neutralization of Internal Special Elements
CWE-164
Improper Neutralization of Multiple Internal Special Elements
CWE-165
Improper Handling of Missing Special Element
CWE-166
Improper Handling of Additional Special Element
CWE-167
Improper Handling of Inconsistent Special Elements
CWE-168
Improper Null Termination
CWE-170
Encoding Error
CWE-172
Improper Handling of Alternate Encoding
CWE-173
Double Decoding of the Same Data
CWE-174
Improper Handling of Mixed Encoding
CWE-175
Improper Handling of Unicode Encoding
CWE-176
Improper Handling of URL Encoding (Hex Encoding)
CWE-177
Improper Handling of Case Sensitivity
CWE-178
Incorrect Behavior Order: Early Validation
CWE-179
Incorrect Behavior Order: Validate Before Canonicalize
CWE-180
Incorrect Behavior Order: Validate Before Filter
CWE-181
Collapse of Data into Unsafe Value
CWE-182
Permissive List of Allowed Inputs
CWE-183
Incomplete List of Disallowed Inputs
CWE-184
Incorrect Regular Expression
CWE-185
Overly Restrictive Regular Expression
CWE-186
Partial String Comparison
CWE-187
Reliance on Data/Memory Layout
CWE-188
Integer Overflow or Wraparound
CWE-190
Integer Underflow (Wrap or Wraparound)
CWE-191
Integer Coercion Error
CWE-192
Off-by-one Error
CWE-193
Unexpected Sign Extension
CWE-194
Signed to Unsigned Conversion Error
CWE-195
Unsigned to Signed Conversion Error
CWE-196
Numeric Truncation Error
CWE-197
Use of Incorrect Byte Ordering
CWE-198
Exposure of Sensitive Information to an Unauthorized Actor
CWE-200
Insertion of Sensitive Information Into Sent Data
CWE-201
Exposure of Sensitive Information Through Data Queries
CWE-202
Observable Discrepancy
CWE-203
Observable Response Discrepancy
CWE-204
Observable Behavioral Discrepancy
CWE-205
Observable Internal Behavioral Discrepancy
CWE-206
Observable Behavioral Discrepancy With Equivalent Products
CWE-207
Observable Timing Discrepancy
CWE-208
Generation of Error Message Containing Sensitive Information
CWE-209
Self-generated Error Message Containing Sensitive Information
CWE-210
Externally-Generated Error Message Containing Sensitive Information
CWE-211
Improper Removal of Sensitive Information Before Storage or Transfer
CWE-212
Exposure of Sensitive Information Due to Incompatible Policies
CWE-213
Invocation of Process Using Visible Sensitive Information
CWE-214
Insertion of Sensitive Information Into Debugging Code
CWE-215
Storage of File with Sensitive Data Under Web Root
CWE-219
Storage of File With Sensitive Data Under FTP Root
CWE-220
Information Loss or Omission
CWE-221
Truncation of Security-relevant Information
CWE-222
Omission of Security-relevant Information
CWE-223
Obscured Security-relevant Information by Alternate Name
CWE-224
Sensitive Information in Resource Not Removed Before Reuse
CWE-226
Improper Handling of Syntactically Invalid Structure
CWE-228
Improper Handling of Values
CWE-229
Improper Handling of Missing Values
CWE-230
Improper Handling of Extra Values
CWE-231
Improper Handling of Undefined Values
CWE-232
Improper Handling of Parameters
CWE-233
Failure to Handle Missing Parameter
CWE-234
Improper Handling of Extra Parameters
CWE-235
Improper Handling of Undefined Parameters
CWE-236
Improper Handling of Structural Elements
CWE-237
Improper Handling of Incomplete Structural Elements
CWE-238
Failure to Handle Incomplete Element
CWE-239
Improper Handling of Inconsistent Structural Elements
CWE-240
Improper Handling of Unexpected Data Type
CWE-241
Use of Inherently Dangerous Function
CWE-242
Creation of chroot Jail Without Changing Working Directory
CWE-243
Improper Clearing of Heap Memory Before Release ('Heap Inspection')
CWE-244
J2EE Bad Practices: Direct Management of Connections
CWE-245
J2EE Bad Practices: Direct Use of Sockets
CWE-246
Uncaught Exception
CWE-248
Execution with Unnecessary Privileges
CWE-250
Unchecked Return Value
CWE-252
Incorrect Check of Function Return Value
CWE-253
Plaintext Storage of a Password
CWE-256
Storing Passwords in a Recoverable Format
CWE-257
Empty Password in Configuration File
CWE-258
Use of Hard-coded Password
CWE-259
Password in Configuration File
CWE-260
Weak Encoding for Password
CWE-261
Not Using Password Aging
CWE-262
Password Aging with Long Expiration
CWE-263
Incorrect Privilege Assignment
CWE-266
Privilege Defined With Unsafe Actions
CWE-267
Privilege Chaining
CWE-268
Improper Privilege Management
CWE-269
Privilege Context Switching Error
CWE-270
Privilege Dropping / Lowering Errors
CWE-271
Least Privilege Violation
CWE-272
Improper Check for Dropped Privileges
CWE-273
Improper Handling of Insufficient Privileges
CWE-274
Incorrect Default Permissions
CWE-276
Insecure Inherited Permissions
CWE-277
Insecure Preserved Inherited Permissions
CWE-278
Incorrect Execution-Assigned Permissions
CWE-279
Improper Handling of Insufficient Permissions or Privileges
CWE-280
Improper Preservation of Permissions
CWE-281
Improper Ownership Management
CWE-282
Unverified Ownership
CWE-283
Improper Access Control
CWE-284
Improper Authorization
CWE-285
Incorrect User Management
CWE-286
Improper Authentication
CWE-287
Authentication Bypass Using an Alternate Path or Channel
CWE-288
Authentication Bypass by Alternate Name
CWE-289
Authentication Bypass by Spoofing
CWE-290
Reliance on IP Address for Authentication
CWE-291
Using Referer Field for Authentication
CWE-293
Authentication Bypass by Capture-replay
CWE-294
Improper Certificate Validation
CWE-295
Improper Following of a Certificate's Chain of Trust
CWE-296
Improper Validation of Certificate with Host Mismatch
CWE-297
Improper Validation of Certificate Expiration
CWE-298
Improper Check for Certificate Revocation
CWE-299
Channel Accessible by Non-Endpoint
CWE-300
Reflection Attack in an Authentication Protocol
CWE-301
Authentication Bypass by Assumed-Immutable Data
CWE-302
Incorrect Implementation of Authentication Algorithm
CWE-303
Missing Critical Step in Authentication
CWE-304
Authentication Bypass by Primary Weakness
CWE-305
Missing Authentication for Critical Function
CWE-306
Improper Restriction of Excessive Authentication Attempts
CWE-307
Use of Single-factor Authentication
CWE-308
Use of Password System for Primary Authentication
CWE-309
Missing Encryption of Sensitive Data
CWE-311
Cleartext Storage of Sensitive Information
CWE-312
Cleartext Storage in a File or on Disk
CWE-313
Cleartext Storage in the Registry
CWE-314
Cleartext Storage of Sensitive Information in a Cookie
CWE-315
Cleartext Storage of Sensitive Information in Memory
CWE-316
Cleartext Storage of Sensitive Information in GUI
CWE-317
Cleartext Storage of Sensitive Information in Executable
CWE-318
Cleartext Transmission of Sensitive Information
CWE-319
Use of Hard-coded Cryptographic Key
CWE-321
Key Exchange without Entity Authentication
CWE-322
Reusing a Nonce, Key Pair in Encryption
CWE-323
Use of a Key Past its Expiration Date
CWE-324
Missing Cryptographic Step
CWE-325
Inadequate Encryption Strength
CWE-326
Use of a Broken or Risky Cryptographic Algorithm
CWE-327
Use of Weak Hash
CWE-328
Generation of Predictable IV with CBC Mode
CWE-329
Use of Insufficiently Random Values
CWE-330
Insufficient Entropy
CWE-331
Insufficient Entropy in PRNG
CWE-332
Improper Handling of Insufficient Entropy in TRNG
CWE-333
Small Space of Random Values
CWE-334
Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)
CWE-335
Same Seed in Pseudo-Random Number Generator (PRNG)
CWE-336
Predictable Seed in Pseudo-Random Number Generator (PRNG)
CWE-337
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
CWE-338
Small Seed Space in PRNG
CWE-339
Generation of Predictable Numbers or Identifiers
CWE-340
Predictable from Observable State
CWE-341
Predictable Exact Value from Previous Values
CWE-342
Predictable Value Range from Previous Values
CWE-343
Use of Invariant Value in Dynamically Changing Context
CWE-344
Insufficient Verification of Data Authenticity
CWE-345
Origin Validation Error
CWE-346
Improper Verification of Cryptographic Signature
CWE-347
Use of Less Trusted Source
CWE-348
Acceptance of Extraneous Untrusted Data With Trusted Data
CWE-349
Reliance on Reverse DNS Resolution for a Security-Critical Action
CWE-350
Insufficient Type Distinction
CWE-351
Cross-Site Request Forgery (CSRF)
CWE-352
Missing Support for Integrity Check
CWE-353
Improper Validation of Integrity Check Value
CWE-354
Product UI does not Warn User of Unsafe Actions
CWE-356
Insufficient UI Warning of Dangerous Operations
CWE-357
Improperly Implemented Security Check for Standard
CWE-358
Exposure of Private Personal Information to an Unauthorized Actor
CWE-359
Trust of System Event Data
CWE-360
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CWE-362
Race Condition Enabling Link Following
CWE-363
Signal Handler Race Condition
CWE-364
Race Condition in Switch
CWE-365
Race Condition within a Thread
CWE-366
Time-of-check Time-of-use (TOCTOU) Race Condition
CWE-367
Context Switching Race Condition
CWE-368
Divide By Zero
CWE-369
Missing Check for Certificate Revocation after Initial Check
CWE-370
Incomplete Internal State Distinction
CWE-372
Passing Mutable Objects to an Untrusted Method
CWE-374
Returning a Mutable Object to an Untrusted Caller
CWE-375
Insecure Temporary File
CWE-377
Creation of Temporary File With Insecure Permissions
CWE-378
Creation of Temporary File in Directory with Insecure Permissions
CWE-379
J2EE Bad Practices: Use of System.exit()
CWE-382
J2EE Bad Practices: Direct Use of Threads
CWE-383
Session Fixation
CWE-384
Covert Timing Channel
CWE-385
Symbolic Name not Mapping to Correct Object
CWE-386
Detection of Error Condition Without Action
CWE-390
Unchecked Error Condition
CWE-391
Missing Report of Error Condition
CWE-392
Return of Wrong Status Code
CWE-393
Unexpected Status Code or Return Value
CWE-394
Use of NullPointerException Catch to Detect NULL Pointer Dereference
CWE-395
Declaration of Catch for Generic Exception
CWE-396
Declaration of Throws for Generic Exception
CWE-397
Uncontrolled Resource Consumption
CWE-400
Missing Release of Memory after Effective Lifetime
CWE-401
Transmission of Private Resources into a New Sphere ('Resource Leak')
CWE-402
Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')
CWE-403
Improper Resource Shutdown or Release
CWE-404
Asymmetric Resource Consumption (Amplification)
CWE-405
Insufficient Control of Network Message Volume (Network Amplification)
CWE-406
Inefficient Algorithmic Complexity
CWE-407
Incorrect Behavior Order: Early Amplification
CWE-408
Improper Handling of Highly Compressed Data (Data Amplification)
CWE-409
Insufficient Resource Pool
CWE-410
Unrestricted Externally Accessible Lock
CWE-412
Improper Resource Locking
CWE-413
Missing Lock Check
CWE-414
Double Free
CWE-415
Use After Free
CWE-416
Unprotected Primary Channel
CWE-419
Unprotected Alternate Channel
CWE-420
Race Condition During Access to Alternate Channel
CWE-421
Unprotected Windows Messaging Channel ('Shatter')
CWE-422
Improper Protection of Alternate Path
CWE-424
Direct Request ('Forced Browsing')
CWE-425
Untrusted Search Path
CWE-426
Uncontrolled Search Path Element
CWE-427
Unquoted Search Path or Element
CWE-428
Deployment of Wrong Handler
CWE-430
Missing Handler
CWE-431
Dangerous Signal Handler not Disabled During Sensitive Operations
CWE-432
Unparsed Raw Web Content Delivery
CWE-433
Unrestricted Upload of File with Dangerous Type
CWE-434
Improper Interaction Between Multiple Correctly-Behaving Entities
CWE-435
Interpretation Conflict
CWE-436
Incomplete Model of Endpoint Features
CWE-437
Behavioral Change in New Version or Environment
CWE-439
Expected Behavior Violation
CWE-440
Unintended Proxy or Intermediary ('Confused Deputy')
CWE-441
Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CWE-444
UI Discrepancy for Security Feature
CWE-446
Unimplemented or Unsupported Feature in UI
CWE-447
Obsolete Feature in UI
CWE-448
The UI Performs the Wrong Action
CWE-449
Multiple Interpretations of UI Input
CWE-450
User Interface (UI) Misrepresentation of Critical Information
CWE-451
Insecure Default Variable Initialization
CWE-453
External Initialization of Trusted Variables or Data Stores
CWE-454
Non-exit on Failed Initialization
CWE-455
Missing Initialization of a Variable
CWE-456
Use of Uninitialized Variable
CWE-457
Incomplete Cleanup
CWE-459
Improper Cleanup on Thrown Exception
CWE-460
Duplicate Key in Associative List (Alist)
CWE-462
Deletion of Data Structure Sentinel
CWE-463
Addition of Data Structure Sentinel
CWE-464
Return of Pointer Value Outside of Expected Range
CWE-466
Use of sizeof() on a Pointer Type
CWE-467
Incorrect Pointer Scaling
CWE-468
Use of Pointer Subtraction to Determine Size
CWE-469
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
CWE-470
Modification of Assumed-Immutable Data (MAID)
CWE-471
External Control of Assumed-Immutable Web Parameter
CWE-472
PHP External Variable Modification
CWE-473
Use of Function with Inconsistent Implementations
CWE-474
Undefined Behavior for Input to API
CWE-475
NULL Pointer Dereference
CWE-476
Use of Obsolete Function
CWE-477
Missing Default Case in Multiple Condition Expression
CWE-478
Signal Handler Use of a Non-reentrant Function
CWE-479
Use of Incorrect Operator
CWE-480
Assigning instead of Comparing
CWE-481
Comparing instead of Assigning
CWE-482
Incorrect Block Delimitation
CWE-483
Omitted Break Statement in Switch
CWE-484
Comparison of Classes by Name
CWE-486
Reliance on Package-level Scope
CWE-487
Exposure of Data Element to Wrong Session
CWE-488
Active Debug Code
CWE-489
Public cloneable() Method Without Final ('Object Hijack')
CWE-491
Use of Inner Class Containing Sensitive Data
CWE-492
Critical Public Variable Without Final Modifier
CWE-493
Download of Code Without Integrity Check
CWE-494
Private Data Structure Returned From A Public Method
CWE-495
Public Data Assigned to Private Array-Typed Field
CWE-496
Exposure of Sensitive System Information to an Unauthorized Control Sphere
CWE-497
Cloneable Class Containing Sensitive Information
CWE-498
Serializable Class Containing Sensitive Data
CWE-499
Public Static Field Not Marked Final
CWE-500
Trust Boundary Violation
CWE-501
Deserialization of Untrusted Data
CWE-502
Embedded Malicious Code
CWE-506
Trojan Horse
CWE-507
Non-Replicating Malicious Code
CWE-508
Replicating Malicious Code (Virus or Worm)
CWE-509
Trapdoor
CWE-510
Logic/Time Bomb
CWE-511
Spyware
CWE-512
Covert Channel
CWE-514
Covert Storage Channel
CWE-515
.NET Misconfiguration: Use of Impersonation
CWE-520
Weak Password Requirements
CWE-521
Insufficiently Protected Credentials
CWE-522
Unprotected Transport of Credentials
CWE-523
Use of Cache Containing Sensitive Information
CWE-524
Use of Web Browser Cache Containing Sensitive Information
CWE-525
Cleartext Storage of Sensitive Information in an Environment Variable
CWE-526
Exposure of Version-Control Repository to an Unauthorized Control Sphere
CWE-527
Exposure of Core Dump File to an Unauthorized Control Sphere
CWE-528
Exposure of Access Control List Files to an Unauthorized Control Sphere
CWE-529
Exposure of Backup File to an Unauthorized Control Sphere
CWE-530
Inclusion of Sensitive Information in Test Code
CWE-531
Insertion of Sensitive Information into Log File
CWE-532
Exposure of Information Through Shell Error Message
CWE-535
Servlet Runtime Error Message Containing Sensitive Information
CWE-536
Java Runtime Error Message Containing Sensitive Information
CWE-537
Insertion of Sensitive Information into Externally-Accessible File or Directory
CWE-538
Use of Persistent Cookies Containing Sensitive Information
CWE-539
Inclusion of Sensitive Information in Source Code
CWE-540
Inclusion of Sensitive Information in an Include File
CWE-541
Use of Singleton Pattern Without Synchronization in a Multithreaded Context
CWE-543
Missing Standardized Error Handling Mechanism
CWE-544
Suspicious Comment
CWE-546
Use of Hard-coded, Security-relevant Constants
CWE-547
Exposure of Information Through Directory Listing
CWE-548
Missing Password Field Masking
CWE-549
Server-generated Error Message Containing Sensitive Information
CWE-550
Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
CWE-551
Files or Directories Accessible to External Parties
CWE-552
Command Shell in Externally Accessible Directory
CWE-553
ASP.NET Misconfiguration: Not Using Input Validation Framework
CWE-554
J2EE Misconfiguration: Plaintext Password in Configuration File
CWE-555
ASP.NET Misconfiguration: Use of Identity Impersonation
CWE-556
Use of getlogin() in Multithreaded Application
CWE-558
Use of umask() with chmod-style Argument
CWE-560
Dead Code
CWE-561
Return of Stack Variable Address
CWE-562
Assignment to Variable without Use
CWE-563
SQL Injection: Hibernate
CWE-564
Reliance on Cookies without Validation and Integrity Checking
CWE-565
Authorization Bypass Through User-Controlled SQL Primary Key
CWE-566
Unsynchronized Access to Shared Data in a Multithreaded Context
CWE-567
finalize() Method Without super.finalize()
CWE-568
Expression is Always False
CWE-570
Expression is Always True
CWE-571
Call to Thread run() instead of start()
CWE-572
Improper Following of Specification by Caller
CWE-573
EJB Bad Practices: Use of Synchronization Primitives
CWE-574
EJB Bad Practices: Use of AWT Swing
CWE-575
EJB Bad Practices: Use of Java I/O
CWE-576
EJB Bad Practices: Use of Sockets
CWE-577
EJB Bad Practices: Use of Class Loader
CWE-578
J2EE Bad Practices: Non-serializable Object Stored in Session
CWE-579
clone() Method Without super.clone()
CWE-580
Object Model Violation: Just One of Equals and Hashcode Defined
CWE-581
Array Declared Public, Final, and Static
CWE-582
finalize() Method Declared Public
CWE-583
Return Inside Finally Block
CWE-584
Empty Synchronized Block
CWE-585
Explicit Call to Finalize()
CWE-586
Assignment of a Fixed Address to a Pointer
CWE-587
Attempt to Access Child of a Non-structure Pointer
CWE-588
Call to Non-ubiquitous API
CWE-589
Free of Memory not on the Heap
CWE-590
Sensitive Data Storage in Improperly Locked Memory
CWE-591
Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created
CWE-593
J2EE Framework: Saving Unserializable Objects to Disk
CWE-594
Comparison of Object References Instead of Object Contents
CWE-595
Use of Wrong Operator in String Comparison
CWE-597
Use of GET Request Method With Sensitive Query Strings
CWE-598
Missing Validation of OpenSSL Certificate
CWE-599
Uncaught Exception in Servlet
CWE-600
URL Redirection to Untrusted Site ('Open Redirect')
CWE-601
Client-Side Enforcement of Server-Side Security
CWE-602
Use of Client-Side Authentication
CWE-603
Multiple Binds to the Same Port
CWE-605
Unchecked Input for Loop Condition
CWE-606
Public Static Final Field References Mutable Object
CWE-607
Struts: Non-private Field in ActionForm Class
CWE-608
Double-Checked Locking
CWE-609
Externally Controlled Reference to a Resource in Another Sphere
CWE-610
Improper Restriction of XML External Entity Reference
CWE-611
Improper Authorization of Index Containing Sensitive Information
CWE-612
Insufficient Session Expiration
CWE-613
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
CWE-614
Inclusion of Sensitive Information in Source Code Comments
CWE-615
Incomplete Identification of Uploaded File Variables (PHP)
CWE-616
Reachable Assertion
CWE-617
Exposed Unsafe ActiveX Method
CWE-618
Dangling Database Cursor ('Cursor Injection')
CWE-619
Unverified Password Change
CWE-620
Variable Extraction Error
CWE-621
Improper Validation of Function Hook Arguments
CWE-622
Unsafe ActiveX Control Marked Safe For Scripting
CWE-623
Executable Regular Expression Error
CWE-624
Permissive Regular Expression
CWE-625
Null Byte Interaction Error (Poison Null Byte)
CWE-626
Dynamic Variable Evaluation
CWE-627
Function Call with Incorrectly Specified Arguments
CWE-628
Not Failing Securely ('Failing Open')
CWE-636
Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')
CWE-637
Not Using Complete Mediation
CWE-638
Authorization Bypass Through User-Controlled Key
CWE-639
Weak Password Recovery Mechanism for Forgotten Password
CWE-640
Improper Restriction of Names for Files and Other Resources
CWE-641
External Control of Critical State Data
CWE-642
Improper Neutralization of Data within XPath Expressions ('XPath Injection')
CWE-643
Improper Neutralization of HTTP Headers for Scripting Syntax
CWE-644
Overly Restrictive Account Lockout Mechanism
CWE-645
Reliance on File Name or Extension of Externally-Supplied File
CWE-646
Use of Non-Canonical URL Paths for Authorization Decisions
CWE-647
Incorrect Use of Privileged APIs
CWE-648
Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking
CWE-649
Trusting HTTP Permission Methods on the Server Side
CWE-650
Exposure of WSDL File Containing Sensitive Information
CWE-651
Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')
CWE-652
Improper Isolation or Compartmentalization
CWE-653
Reliance on a Single Factor in a Security Decision
CWE-654
Insufficient Psychological Acceptability
CWE-655
Reliance on Security Through Obscurity
CWE-656
Violation of Secure Design Principles
CWE-657
Improper Synchronization
CWE-662
Use of a Non-reentrant Function in a Concurrent Context
CWE-663
Improper Control of a Resource Through its Lifetime
CWE-664
Improper Initialization
CWE-665
Operation on Resource in Wrong Phase of Lifetime
CWE-666
Improper Locking
CWE-667
Exposure of Resource to Wrong Sphere
CWE-668
Incorrect Resource Transfer Between Spheres
CWE-669
Always-Incorrect Control Flow Implementation
CWE-670
Lack of Administrator Control over Security
CWE-671
Operation on a Resource after Expiration or Release
CWE-672
External Influence of Sphere Definition
CWE-673
Uncontrolled Recursion
CWE-674
Multiple Operations on Resource in Single-Operation Context
CWE-675
Use of Potentially Dangerous Function
CWE-676
Integer Overflow to Buffer Overflow
CWE-680
Incorrect Conversion between Numeric Types
CWE-681
Incorrect Calculation
CWE-682
Function Call With Incorrect Order of Arguments
CWE-683
Incorrect Provision of Specified Functionality
CWE-684
Function Call With Incorrect Number of Arguments
CWE-685
Function Call With Incorrect Argument Type
CWE-686
Function Call With Incorrectly Specified Argument Value
CWE-687
Function Call With Incorrect Variable or Reference as Argument
CWE-688
Permission Race Condition During Resource Copy
CWE-689
Unchecked Return Value to NULL Pointer Dereference
CWE-690
Insufficient Control Flow Management
CWE-691
Incomplete Denylist to Cross-Site Scripting
CWE-692
Protection Mechanism Failure
CWE-693
Use of Multiple Resources with Duplicate Identifier
CWE-694
Use of Low-Level Functionality
CWE-695
Incorrect Behavior Order
CWE-696
Incorrect Comparison
CWE-697
Execution After Redirect (EAR)
CWE-698
Improper Check or Handling of Exceptional Conditions
CWE-703
Incorrect Type Conversion or Cast
CWE-704
Incorrect Control Flow Scoping
CWE-705
Use of Incorrectly-Resolved Name or Reference
CWE-706
Improper Neutralization
CWE-707
Incorrect Ownership Assignment
CWE-708
Improper Adherence to Coding Standards
CWE-710
Incorrect Permission Assignment for Critical Resource
CWE-732
Compiler Optimization Removal or Modification of Security-critical Code
CWE-733
Exposed Dangerous Method or Function
CWE-749
Improper Check for Unusual or Exceptional Conditions
CWE-754
Improper Handling of Exceptional Conditions
CWE-755
Missing Custom Error Page
CWE-756
Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
CWE-757
Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
CWE-758
Use of a One-Way Hash without a Salt
CWE-759
Use of a One-Way Hash with a Predictable Salt
CWE-760
Free of Pointer not at Start of Buffer
CWE-761
Mismatched Memory Management Routines
CWE-762
Release of Invalid Pointer or Reference
CWE-763
Multiple Locks of a Critical Resource
CWE-764
Multiple Unlocks of a Critical Resource
CWE-765
Critical Data Element Declared Public
CWE-766
Access to Critical Private Variable via Public Method
CWE-767
Incorrect Short Circuit Evaluation
CWE-768
Allocation of Resources Without Limits or Throttling
CWE-770
Missing Reference to Active Allocated Resource
CWE-771
Missing Release of Resource after Effective Lifetime
CWE-772
Missing Reference to Active File Descriptor or Handle
CWE-773
Allocation of File Descriptors or Handles Without Limits or Throttling
CWE-774
Missing Release of File Descriptor or Handle after Effective Lifetime
CWE-775
Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
CWE-776
Regular Expression without Anchors
CWE-777
Insufficient Logging
CWE-778
Logging of Excessive Data
CWE-779
Use of RSA Algorithm without OAEP
CWE-780
Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code
CWE-781
Exposed IOCTL with Insufficient Access Control
CWE-782
Operator Precedence Logic Error
CWE-783
Reliance on Cookies without Validation and Integrity Checking in a Security Decision
CWE-784
Use of Path Manipulation Function without Maximum-sized Buffer
CWE-785
Access of Memory Location Before Start of Buffer
CWE-786
Out-of-bounds Write
CWE-787
Access of Memory Location After End of Buffer
CWE-788
Memory Allocation with Excessive Size Value
CWE-789
Improper Filtering of Special Elements
CWE-790
Incomplete Filtering of Special Elements
CWE-791
Incomplete Filtering of One or More Instances of Special Elements
CWE-792
Only Filtering One Instance of a Special Element
CWE-793
Incomplete Filtering of Multiple Instances of Special Elements
CWE-794
Only Filtering Special Elements at a Specified Location
CWE-795
Only Filtering Special Elements Relative to a Marker
CWE-796
Only Filtering Special Elements at an Absolute Position
CWE-797
Use of Hard-coded Credentials
CWE-798
Improper Control of Interaction Frequency
CWE-799
Guessable CAPTCHA
CWE-804
Buffer Access with Incorrect Length Value
CWE-805
Buffer Access Using Size of Source Buffer
CWE-806
Reliance on Untrusted Inputs in a Security Decision
CWE-807
Missing Synchronization
CWE-820
Incorrect Synchronization
CWE-821
Untrusted Pointer Dereference
CWE-822
Use of Out-of-range Pointer Offset
CWE-823
Access of Uninitialized Pointer
CWE-824
Expired Pointer Dereference
CWE-825
Premature Release of Resource During Expected Lifetime
CWE-826
Improper Control of Document Type Definition
CWE-827
Signal Handler with Functionality that is not Asynchronous-Safe
CWE-828
Inclusion of Functionality from Untrusted Control Sphere
CWE-829
Inclusion of Web Functionality from an Untrusted Source
CWE-830
Signal Handler Function Associated with Multiple Signals
CWE-831
Unlock of a Resource that is not Locked
CWE-832
Deadlock
CWE-833
Excessive Iteration
CWE-834
Loop with Unreachable Exit Condition ('Infinite Loop')
CWE-835
Use of Password Hash Instead of Password for Authentication
CWE-836
Improper Enforcement of a Single, Unique Action
CWE-837
Inappropriate Encoding for Output Context
CWE-838
Numeric Range Comparison Without Minimum Check
CWE-839
Improper Enforcement of Behavioral Workflow
CWE-841
Placement of User into Incorrect Group
CWE-842
Access of Resource Using Incompatible Type ('Type Confusion')
CWE-843
Missing Authorization
CWE-862
Incorrect Authorization
CWE-863
Use of Uninitialized Resource
CWE-908
Missing Initialization of Resource
CWE-909
Use of Expired File Descriptor
CWE-910
Improper Update of Reference Count
CWE-911
Hidden Functionality
CWE-912
Improper Control of Dynamically-Managed Code Resources
CWE-913
Improper Control of Dynamically-Identified Variables
CWE-914
Improperly Controlled Modification of Dynamically-Determined Object Attributes
CWE-915
Use of Password Hash With Insufficient Computational Effort
CWE-916
Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
CWE-917
Server-Side Request Forgery (SSRF)
CWE-918
Improper Restriction of Power Consumption
CWE-920
Storage of Sensitive Data in a Mechanism without Access Control
CWE-921
Insecure Storage of Sensitive Information
CWE-922
Improper Restriction of Communication Channel to Intended Endpoints
CWE-923
Improper Enforcement of Message Integrity During Transmission in a Communication Channel
CWE-924
Improper Verification of Intent by Broadcast Receiver
CWE-925
Improper Export of Android Application Components
CWE-926
Use of Implicit Intent for Sensitive Communication
CWE-927
Improper Authorization in Handler for Custom URL Scheme
CWE-939
Improper Verification of Source of a Communication Channel
CWE-940
Incorrectly Specified Destination in a Communication Channel
CWE-941
Permissive Cross-domain Policy with Untrusted Domains
CWE-942
Improper Neutralization of Special Elements in Data Query Logic
CWE-943
Sensitive Cookie Without 'HttpOnly' Flag
CWE-1004
Insufficient Visual Distinction of Homoglyphs Presented to User
CWE-1007
Improper Restriction of Rendered UI Layers or Frames
CWE-1021
Use of Web Link to Untrusted Target with window.opener Access
CWE-1022
Incomplete Comparison with Missing Factors
CWE-1023
Comparison of Incompatible Types
CWE-1024
Comparison Using Wrong Factors
CWE-1025
Processor Optimization Removal or Modification of Security-critical Code
CWE-1037
Insecure Automated Optimizations
CWE-1038
Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations
CWE-1039
Use of Redundant Code
CWE-1041
Static Member Data Element outside of a Singleton Class Element
CWE-1042
Data Element Aggregating an Excessively Large Number of Non-Primitive Elements
CWE-1043
Architecture with Number of Horizontal Layers Outside of Expected Range
CWE-1044
Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor
CWE-1045
Creation of Immutable Text Using String Concatenation
CWE-1046
Modules with Circular Dependencies
CWE-1047
Invokable Control Element with Large Number of Outward Calls
CWE-1048
Excessive Data Query Operations in a Large Data Table
CWE-1049
Excessive Platform Resource Consumption within a Loop
CWE-1050
Initialization with Hard-Coded Network Resource Configuration Data
CWE-1051
Excessive Use of Hard-Coded Literals in Initialization
CWE-1052
Missing Documentation for Design
CWE-1053
Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer
CWE-1054
Multiple Inheritance from Concrete Classes
CWE-1055
Invokable Control Element with Variadic Parameters
CWE-1056
Data Access Operations Outside of Expected Data Manager Component
CWE-1057
Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element
CWE-1058
Insufficient Technical Documentation
CWE-1059
Excessive Number of Inefficient Server-Side Data Accesses
CWE-1060
Insufficient Encapsulation
CWE-1061
Parent Class with References to Child Class
CWE-1062
Creation of Class Instance within a Static Code Block
CWE-1063
Invokable Control Element with Signature Containing an Excessive Number of Parameters
CWE-1064
Runtime Resource Management Control Element in a Component Built to Run on Application Servers
CWE-1065
Missing Serialization Control Element
CWE-1066
Excessive Execution of Sequential Searches of Data Resource
CWE-1067
Inconsistency Between Implementation and Documented Design
CWE-1068
Empty Exception Block
CWE-1069
Serializable Data Element Containing non-Serializable Item Elements
CWE-1070
Empty Code Block
CWE-1071
Data Resource Access without Use of Connection Pooling
CWE-1072
Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses
CWE-1073
Class with Excessively Deep Inheritance
CWE-1074
Unconditional Control Flow Transfer outside of Switch Block
CWE-1075
Insufficient Adherence to Expected Conventions
CWE-1076
Floating Point Comparison with Incorrect Operator
CWE-1077
Inappropriate Source Code Style or Formatting
CWE-1078
Parent Class without Virtual Destructor Method
CWE-1079
Source Code File with Excessive Number of Lines of Code
CWE-1080
Class Instance Self Destruction Control Element
CWE-1082
Data Access from Outside Expected Data Manager Component
CWE-1083
Invokable Control Element with Excessive File or Data Access Operations
CWE-1084
Invokable Control Element with Excessive Volume of Commented-out Code
CWE-1085
Class with Excessive Number of Child Classes
CWE-1086
Class with Virtual Method without a Virtual Destructor
CWE-1087
Synchronous Access of Remote Resource without Timeout
CWE-1088
Large Data Table with Excessive Number of Indices
CWE-1089
Method Containing Access of a Member Element from Another Class
CWE-1090
Use of Object without Invoking Destructor Method
CWE-1091
Use of Same Invokable Control Element in Multiple Architectural Layers
CWE-1092
Excessively Complex Data Representation
CWE-1093
Excessive Index Range Scan for a Data Resource
CWE-1094
Loop Condition Value Update within the Loop
CWE-1095
Singleton Class Instance Creation without Proper Locking or Synchronization
CWE-1096
Persistent Storable Data Element without Associated Comparison Control Element
CWE-1097
Data Element containing Pointer Item without Proper Copy Control Element
CWE-1098
Inconsistent Naming Conventions for Identifiers
CWE-1099
Insufficient Isolation of System-Dependent Functions
CWE-1100
Reliance on Runtime Component in Generated Code
CWE-1101
Reliance on Machine-Dependent Data Representation
CWE-1102
Use of Platform-Dependent Third Party Components
CWE-1103
Use of Unmaintained Third Party Components
CWE-1104
Insufficient Encapsulation of Machine-Dependent Functionality
CWE-1105
Insufficient Use of Symbolic Constants
CWE-1106
Insufficient Isolation of Symbolic Constant Definitions
CWE-1107
Excessive Reliance on Global Variables
CWE-1108
Use of Same Variable for Multiple Purposes
CWE-1109
Incomplete Design Documentation
CWE-1110
Incomplete I/O Documentation
CWE-1111
Incomplete Documentation of Program Execution
CWE-1112
Inappropriate Comment Style
CWE-1113
Inappropriate Whitespace Style
CWE-1114
Source Code Element without Standard Prologue
CWE-1115
Inaccurate Comments
CWE-1116
Callable with Insufficient Behavioral Summary
CWE-1117
Insufficient Documentation of Error Handling Techniques
CWE-1118
Excessive Use of Unconditional Branching
CWE-1119
Excessive Code Complexity
CWE-1120
Excessive McCabe Cyclomatic Complexity
CWE-1121
Excessive Halstead Complexity
CWE-1122
Excessive Use of Self-Modifying Code
CWE-1123
Excessively Deep Nesting
CWE-1124
Excessive Attack Surface
CWE-1125
Declaration of Variable with Unnecessarily Wide Scope
CWE-1126
Compilation with Insufficient Warnings or Errors
CWE-1127
Irrelevant Code
CWE-1164
Improper Use of Validation Framework
CWE-1173
ASP.NET Misconfiguration: Improper Model Validation
CWE-1174
Inefficient CPU Computation
CWE-1176
Use of Prohibited Code
CWE-1177
Insecure Default Initialization of Resource
CWE-1188
Improper Isolation of Shared Resources on System-on-a-Chip (SoC)
CWE-1189
DMA Device Enabled Too Early in Boot Phase
CWE-1190
On-Chip Debug and Test Interface With Improper Access Control
CWE-1191
System-on-Chip (SoC) Using Components without Unique, Immutable Identifiers
CWE-1192
Power-On of Untrusted Execution Core Before Enabling Fabric Access Control
CWE-1193
Failure to Disable Reserved Bits
CWE-1209
Insufficient Granularity of Access Control
CWE-1220
Incorrect Register Defaults or Module Parameters
CWE-1221
Insufficient Granularity of Address Regions Protected by Register Locks
CWE-1222
Race Condition for Write-Once Attributes
CWE-1223
Improper Restriction of Write-Once Bit Fields
CWE-1224
Creation of Emergent Resource
CWE-1229
Exposure of Sensitive Information Through Metadata
CWE-1230
Improper Prevention of Lock Bit Modification
CWE-1231
Improper Lock Behavior After Power State Transition
CWE-1232
Security-Sensitive Hardware Controls with Missing Lock Bit Protection
CWE-1233
Hardware Internal or Debug Modes Allow Override of Locks
CWE-1234
Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations
CWE-1235
Improper Neutralization of Formula Elements in a CSV File
CWE-1236
Improper Zeroization of Hardware Register
CWE-1239
Use of a Cryptographic Primitive with a Risky Implementation
CWE-1240
Use of Predictable Algorithm in Random Number Generator
CWE-1241
Inclusion of Undocumented Features or Chicken Bits
CWE-1242
Sensitive Non-Volatile Information Not Protected During Debug
CWE-1243
Internal Asset Exposed to Unsafe Debug Access Level or State
CWE-1244
Improper Finite State Machines (FSMs) in Hardware Logic
CWE-1245
Improper Write Handling in Limited-write Non-Volatile Memories
CWE-1246
Improper Protection Against Voltage and Clock Glitches
CWE-1247
Semiconductor Defects in Hardware Logic with Security-Sensitive Implications
CWE-1248
Application-Level Admin Tool with Inconsistent View of Underlying Operating System
CWE-1249
Improper Preservation of Consistency Between Independent Representations of Shared State
CWE-1250
Mirrored Regions with Different Values
CWE-1251
CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations
CWE-1252
Incorrect Selection of Fuse Values
CWE-1253
Incorrect Comparison Logic Granularity
CWE-1254
Comparison Logic is Vulnerable to Power Side-Channel Attacks
CWE-1255
Improper Restriction of Software Interfaces to Hardware Features
CWE-1256
Improper Access Control Applied to Mirrored or Aliased Memory Regions
CWE-1257
Exposure of Sensitive System Information Due to Uncleared Debug Information
CWE-1258
Improper Restriction of Security Token Assignment
CWE-1259
Improper Handling of Overlap Between Protected Memory Ranges
CWE-1260
Improper Handling of Single Event Upsets
CWE-1261
Improper Access Control for Register Interface
CWE-1262
Improper Physical Access Control
CWE-1263
Hardware Logic with Insecure De-Synchronization between Control and Data Channels
CWE-1264
Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls
CWE-1265
Improper Scrubbing of Sensitive Data from Decommissioned Device
CWE-1266
Policy Uses Obsolete Encoding
CWE-1267
Policy Privileges are not Assigned Consistently Between Control and Data Agents
CWE-1268
Product Released in Non-Release Configuration
CWE-1269
Generation of Incorrect Security Tokens
CWE-1270
Uninitialized Value on Reset for Registers Holding Security Settings
CWE-1271
Sensitive Information Uncleared Before Debug/Power State Transition
CWE-1272
Device Unlock Credential Sharing
CWE-1273
Improper Access Control for Volatile Memory Containing Boot Code
CWE-1274
Sensitive Cookie with Improper SameSite Attribute
CWE-1275
Hardware Child Block Incorrectly Connected to Parent System
CWE-1276
Firmware Not Updateable
CWE-1277
Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques
CWE-1278
Cryptographic Operations are run Before Supporting Units are Ready
CWE-1279
Access Control Check Implemented After Asset is Accessed
CWE-1280
Sequence of Processor Instructions Leads to Unexpected Behavior
CWE-1281
Assumed-Immutable Data is Stored in Writable Memory
CWE-1282
Mutable Attestation or Measurement Reporting Data
CWE-1283
Improper Validation of Specified Quantity in Input
CWE-1284
Improper Validation of Specified Index, Position, or Offset in Input
CWE-1285
Improper Validation of Syntactic Correctness of Input
CWE-1286
Improper Validation of Specified Type of Input
CWE-1287
Improper Validation of Consistency within Input
CWE-1288
Improper Validation of Unsafe Equivalence in Input
CWE-1289
Incorrect Decoding of Security Identifiers
CWE-1290
Public Key Re-Use for Signing both Debug and Production Code
CWE-1291
Incorrect Conversion of Security Identifiers
CWE-1292
Missing Source Correlation of Multiple Independent Data
CWE-1293
Insecure Security Identifier Mechanism
CWE-1294
Debug Messages Revealing Unnecessary Information
CWE-1295
Incorrect Chaining or Granularity of Debug Components
CWE-1296
Unprotected Confidential Information on Device is Accessible by OSAT Vendors
CWE-1297
Hardware Logic Contains Race Conditions
CWE-1298
Missing Protection Mechanism for Alternate Hardware Interface
CWE-1299
Improper Protection of Physical Side Channels
CWE-1300
Insufficient or Incomplete Data Removal within Hardware Component
CWE-1301
Missing Security Identifier
CWE-1302
Non-Transparent Sharing of Microarchitectural Resources
CWE-1303
Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation
CWE-1304
Missing Ability to Patch ROM Code
CWE-1310
Improper Translation of Security Attributes by Fabric Bridge
CWE-1311
Missing Protection for Mirrored Regions in On-Chip Fabric Firewall
CWE-1312
Hardware Allows Activation of Test or Debug Logic at Runtime
CWE-1313
Missing Write Protection for Parametric Data Values
CWE-1314
Improper Setting of Bus Controlling Capability in Fabric End-point
CWE-1315
Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges
CWE-1316
Improper Access Control in Fabric Bridge
CWE-1317
Missing Support for Security Features in On-chip Fabrics or Buses
CWE-1318
Improper Protection against Electromagnetic Fault Injection (EM-FI)
CWE-1319
Improper Protection for Outbound Error Messages and Alert Signals
CWE-1320
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CWE-1321
Use of Blocking Code in Single-threaded, Non-blocking Context
CWE-1322
Improper Management of Sensitive Trace Data
CWE-1323
Sensitive Information Accessible by Physical Probing of JTAG Interface
CWE-1324
Improperly Controlled Sequential Memory Allocation
CWE-1325
Missing Immutable Root of Trust in Hardware
CWE-1326
Binding to an Unrestricted IP Address
CWE-1327
Security Version Number Mutable to Older Versions
CWE-1328
Reliance on Component That is Not Updateable
CWE-1329
Remanent Data Readable after Memory Erase
CWE-1330
Improper Isolation of Shared Resources in Network On Chip (NoC)
CWE-1331
Improper Handling of Faults that Lead to Instruction Skips
CWE-1332
Unauthorized Error Injection Can Degrade Hardware Redundancy
CWE-1334
Improper Protections Against Hardware Overheating
CWE-1338
Generation of Weak Initialization Vector (IV)
CWE-1204
Inefficient Regular Expression Complexity
CWE-1333
Incorrect Bitwise Shift of Integer
CWE-1335
Improper Neutralization of Special Elements Used in a Template Engine
CWE-1336
Insufficient Precision or Accuracy of a Real Number
CWE-1339
Improper Handling of Hardware Behavior in Exceptionally Cold Environments
CWE-1351
Multiple Releases of Same Resource or Handle
CWE-1341
Information Exposure through Microarchitectural State after Transient Execution
CWE-1342
Reliance on Insufficiently Trustworthy Component
CWE-1357
Improper Handling of Physical or Environmental Conditions
CWE-1384
Missing Origin Validation in WebSockets
CWE-1385
Insecure Operation on Windows Junction / Mount Point
CWE-1386
Incorrect Parsing of Numbers with Different Radices
CWE-1389
Weak Authentication
CWE-1390
Use of Weak Credentials
CWE-1391
Use of Default Credentials
CWE-1392
Use of Default Password
CWE-1393
Use of Default Cryptographic Key
CWE-1394
Dependency on Vulnerable Third-Party Component
CWE-1395