IDORSSRFAUTH BYPASSJWT FORGERYRACE CONDITIONXXEBROKEN OBJECT-LEVEL AUTHPRIVILEGE ESCALATIONMASS ASSIGNMENTGRAPHQL INTROSPECTION ABUSEIDORSSRFAUTH BYPASSJWT FORGERYRACE CONDITIONXXEBROKEN OBJECT-LEVEL AUTHPRIVILEGE ESCALATIONMASS ASSIGNMENTGRAPHQL INTROSPECTION ABUSE
Impactr Logoimpactr
FeaturesHow it worksEvidencePricingLearnCompare
  1. Home
  2. CWE

cwe database

Common Weakness Enumeration, cross-linked.

CWE catalogs the weakness types behind real vulnerabilities. Each entry here links to the vulnerabilities it produces, related weaknesses, and the official MITRE definition - so a CWE ID is a doorway into how the flaw is exploited and fixed.

Covering 969 core weaknesses today, expanding toward full CWE coverage.

CWE-5

J2EE Misconfiguration: Data Transmission Without Encryption

CWE-6

J2EE Misconfiguration: Insufficient Session-ID Length

CWE-7

J2EE Misconfiguration: Missing Custom Error Page

CWE-8

J2EE Misconfiguration: Entity Bean Declared Remote

CWE-9

J2EE Misconfiguration: Weak Access Permissions for EJB Methods

CWE-11

ASP.NET Misconfiguration: Creating Debug Binary

CWE-12

ASP.NET Misconfiguration: Missing Custom Error Page

CWE-13

ASP.NET Misconfiguration: Password in Configuration File

CWE-14

Compiler Removal of Code to Clear Buffers

CWE-15

External Control of System or Configuration Setting

CWE-20

Improper Input Validation

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-23

Relative Path Traversal

CWE-24

Path Traversal: '../filedir'

CWE-25

Path Traversal: '/../filedir'

CWE-26

Path Traversal: '/dir/../filename'

CWE-27

Path Traversal: 'dir/../../filename'

CWE-28

Path Traversal: '..filedir'

CWE-29

Path Traversal: '..filename'

CWE-30

Path Traversal: 'dir..filename'

CWE-31

Path Traversal: 'dir....filename'

CWE-32

Path Traversal: '...' (Triple Dot)

CWE-33

Path Traversal: '....' (Multiple Dot)

CWE-34

Path Traversal: '....//'

CWE-35

Path Traversal: '.../...//'

CWE-36

Absolute Path Traversal

CWE-37

Path Traversal: '/absolute/pathname/here'

CWE-38

Path Traversal: 'absolutepathnamehere'

CWE-39

Path Traversal: 'C:dirname'

CWE-40

Path Traversal: 'UNCsharename' (Windows UNC Share)

CWE-41

Improper Resolution of Path Equivalence

CWE-42

Path Equivalence: 'filename.' (Trailing Dot)

CWE-43

Path Equivalence: 'filename....' (Multiple Trailing Dot)

CWE-44

Path Equivalence: 'file.name' (Internal Dot)

CWE-45

Path Equivalence: 'file...name' (Multiple Internal Dot)

CWE-46

Path Equivalence: 'filename ' (Trailing Space)

CWE-47

Path Equivalence: ' filename' (Leading Space)

CWE-48

Path Equivalence: 'file name' (Internal Whitespace)

CWE-49

Path Equivalence: 'filename/' (Trailing Slash)

CWE-50

Path Equivalence: '//multiple/leading/slash'

CWE-51

Path Equivalence: '/multiple//internal/slash'

CWE-52

Path Equivalence: '/multiple/trailing/slash//'

CWE-53

Path Equivalence: 'multipleinternalbackslash'

CWE-54

Path Equivalence: 'filedir' (Trailing Backslash)

CWE-55

Path Equivalence: '/./' (Single Dot Directory)

CWE-56

Path Equivalence: 'filedir*' (Wildcard)

CWE-57

Path Equivalence: 'fakedir/../realdir/filename'

CWE-58

Path Equivalence: Windows 8.3 Filename

CWE-59

Improper Link Resolution Before File Access ('Link Following')

CWE-61

UNIX Symbolic Link (Symlink) Following

CWE-62

UNIX Hard Link

CWE-64

Windows Shortcut Following (.LNK)

CWE-65

Windows Hard Link

CWE-66

Improper Handling of File Names that Identify Virtual Resources

CWE-67

Improper Handling of Windows Device Names

CWE-69

Improper Handling of Windows ::DATA Alternate Data Stream

CWE-71

DEPRECATED: Apple '.DS_Store'

CWE-72

Improper Handling of Apple HFS+ Alternate Data Stream Path

CWE-73

External Control of File Name or Path

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-75

Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)

CWE-76

Improper Neutralization of Equivalent Special Elements

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

CWE-78

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-80

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

CWE-81

Improper Neutralization of Script in an Error Message Web Page

CWE-82

Improper Neutralization of Script in Attributes of IMG Tags in a Web Page

CWE-83

Improper Neutralization of Script in Attributes in a Web Page

CWE-84

Improper Neutralization of Encoded URI Schemes in a Web Page

CWE-85

Doubled Character XSS Manipulations

CWE-86

Improper Neutralization of Invalid Characters in Identifiers in Web Pages

CWE-87

Improper Neutralization of Alternate XSS Syntax

CWE-88

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

CWE-89

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CWE-90

Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

CWE-91

XML Injection (aka Blind XPath Injection)

CWE-92

DEPRECATED: Improper Sanitization of Custom Special Characters

CWE-93

Improper Neutralization of CRLF Sequences ('CRLF Injection')

CWE-94

Improper Control of Generation of Code ('Code Injection')

CWE-95

Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

CWE-96

Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')

CWE-97

Improper Neutralization of Server-Side Includes (SSI) Within a Web Page

CWE-98

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

CWE-99

Improper Control of Resource Identifiers ('Resource Injection')

CWE-102

Struts: Duplicate Validation Forms

CWE-103

Struts: Incomplete validate() Method Definition

CWE-104

Struts: Form Bean Does Not Extend Validation Class

CWE-105

Struts: Form Field Without Validator

CWE-106

Struts: Plug-in Framework not in Use

CWE-107

Struts: Unused Validation Form

CWE-108

Struts: Unvalidated Action Form

CWE-109

Struts: Validator Turned Off

CWE-110

Struts: Validator Without Form Field

CWE-111

Direct Use of Unsafe JNI

CWE-112

Missing XML Validation

CWE-113

Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')

CWE-114

Process Control

CWE-115

Misinterpretation of Input

CWE-116

Improper Encoding or Escaping of Output

CWE-117

Improper Output Neutralization for Logs

CWE-118

Incorrect Access of Indexable Resource ('Range Error')

CWE-119

Improper Restriction of Operations within the Bounds of a Memory Buffer

CWE-120

Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

CWE-121

Stack-based Buffer Overflow

CWE-122

Heap-based Buffer Overflow

CWE-123

Write-what-where Condition

CWE-124

Buffer Underwrite ('Buffer Underflow')

CWE-125

Out-of-bounds Read

CWE-126

Buffer Over-read

CWE-127

Buffer Under-read

CWE-128

Wrap-around Error

CWE-129

Improper Validation of Array Index

CWE-130

Improper Handling of Length Parameter Inconsistency

CWE-131

Incorrect Calculation of Buffer Size

CWE-132

DEPRECATED: Miscalculated Null Termination

CWE-134

Use of Externally-Controlled Format String

CWE-135

Incorrect Calculation of Multi-Byte String Length

CWE-138

Improper Neutralization of Special Elements

CWE-140

Improper Neutralization of Delimiters

CWE-141

Improper Neutralization of Parameter/Argument Delimiters

CWE-142

Improper Neutralization of Value Delimiters

CWE-143

Improper Neutralization of Record Delimiters

CWE-144

Improper Neutralization of Line Delimiters

CWE-145

Improper Neutralization of Section Delimiters

CWE-146

Improper Neutralization of Expression/Command Delimiters

CWE-147

Improper Neutralization of Input Terminators

CWE-148

Improper Neutralization of Input Leaders

CWE-149

Improper Neutralization of Quoting Syntax

CWE-150

Improper Neutralization of Escape, Meta, or Control Sequences

CWE-151

Improper Neutralization of Comment Delimiters

CWE-152

Improper Neutralization of Macro Symbols

CWE-153

Improper Neutralization of Substitution Characters

CWE-154

Improper Neutralization of Variable Name Delimiters

CWE-155

Improper Neutralization of Wildcards or Matching Symbols

CWE-156

Improper Neutralization of Whitespace

CWE-157

Failure to Sanitize Paired Delimiters

CWE-158

Improper Neutralization of Null Byte or NUL Character

CWE-159

Improper Handling of Invalid Use of Special Elements

CWE-160

Improper Neutralization of Leading Special Elements

CWE-161

Improper Neutralization of Multiple Leading Special Elements

CWE-162

Improper Neutralization of Trailing Special Elements

CWE-163

Improper Neutralization of Multiple Trailing Special Elements

CWE-164

Improper Neutralization of Internal Special Elements

CWE-165

Improper Neutralization of Multiple Internal Special Elements

CWE-166

Improper Handling of Missing Special Element

CWE-167

Improper Handling of Additional Special Element

CWE-168

Improper Handling of Inconsistent Special Elements

CWE-170

Improper Null Termination

CWE-172

Encoding Error

CWE-173

Improper Handling of Alternate Encoding

CWE-174

Double Decoding of the Same Data

CWE-175

Improper Handling of Mixed Encoding

CWE-176

Improper Handling of Unicode Encoding

CWE-177

Improper Handling of URL Encoding (Hex Encoding)

CWE-178

Improper Handling of Case Sensitivity

CWE-179

Incorrect Behavior Order: Early Validation

CWE-180

Incorrect Behavior Order: Validate Before Canonicalize

CWE-181

Incorrect Behavior Order: Validate Before Filter

CWE-182

Collapse of Data into Unsafe Value

CWE-183

Permissive List of Allowed Inputs

CWE-184

Incomplete List of Disallowed Inputs

CWE-185

Incorrect Regular Expression

CWE-186

Overly Restrictive Regular Expression

CWE-187

Partial String Comparison

CWE-188

Reliance on Data/Memory Layout

CWE-190

Integer Overflow or Wraparound

CWE-191

Integer Underflow (Wrap or Wraparound)

CWE-192

Integer Coercion Error

CWE-193

Off-by-one Error

CWE-194

Unexpected Sign Extension

CWE-195

Signed to Unsigned Conversion Error

CWE-196

Unsigned to Signed Conversion Error

CWE-197

Numeric Truncation Error

CWE-198

Use of Incorrect Byte Ordering

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

CWE-201

Insertion of Sensitive Information Into Sent Data

CWE-202

Exposure of Sensitive Information Through Data Queries

CWE-203

Observable Discrepancy

CWE-204

Observable Response Discrepancy

CWE-205

Observable Behavioral Discrepancy

CWE-206

Observable Internal Behavioral Discrepancy

CWE-207

Observable Behavioral Discrepancy With Equivalent Products

CWE-208

Observable Timing Discrepancy

CWE-209

Generation of Error Message Containing Sensitive Information

CWE-210

Self-generated Error Message Containing Sensitive Information

CWE-211

Externally-Generated Error Message Containing Sensitive Information

CWE-212

Improper Removal of Sensitive Information Before Storage or Transfer

CWE-213

Exposure of Sensitive Information Due to Incompatible Policies

CWE-214

Invocation of Process Using Visible Sensitive Information

CWE-215

Insertion of Sensitive Information Into Debugging Code

CWE-216

DEPRECATED: Containment Errors (Container Errors)

CWE-217

DEPRECATED: Failure to Protect Stored Data from Modification

CWE-218

DEPRECATED: Failure to provide confidentiality for stored data

CWE-219

Storage of File with Sensitive Data Under Web Root

CWE-220

Storage of File With Sensitive Data Under FTP Root

CWE-221

Information Loss or Omission

CWE-222

Truncation of Security-relevant Information

CWE-223

Omission of Security-relevant Information

CWE-224

Obscured Security-relevant Information by Alternate Name

CWE-225

DEPRECATED: General Information Management Problems

CWE-226

Sensitive Information in Resource Not Removed Before Reuse

CWE-228

Improper Handling of Syntactically Invalid Structure

CWE-229

Improper Handling of Values

CWE-230

Improper Handling of Missing Values

CWE-231

Improper Handling of Extra Values

CWE-232

Improper Handling of Undefined Values

CWE-233

Improper Handling of Parameters

CWE-234

Failure to Handle Missing Parameter

CWE-235

Improper Handling of Extra Parameters

CWE-236

Improper Handling of Undefined Parameters

CWE-237

Improper Handling of Structural Elements

CWE-238

Improper Handling of Incomplete Structural Elements

CWE-239

Failure to Handle Incomplete Element

CWE-240

Improper Handling of Inconsistent Structural Elements

CWE-241

Improper Handling of Unexpected Data Type

CWE-242

Use of Inherently Dangerous Function

CWE-243

Creation of chroot Jail Without Changing Working Directory

CWE-244

Improper Clearing of Heap Memory Before Release ('Heap Inspection')

CWE-245

J2EE Bad Practices: Direct Management of Connections

CWE-246

J2EE Bad Practices: Direct Use of Sockets

CWE-247

DEPRECATED: Reliance on DNS Lookups in a Security Decision

CWE-248

Uncaught Exception

CWE-249

DEPRECATED: Often Misused: Path Manipulation

CWE-250

Execution with Unnecessary Privileges

CWE-252

Unchecked Return Value

CWE-253

Incorrect Check of Function Return Value

CWE-256

Plaintext Storage of a Password

CWE-257

Storing Passwords in a Recoverable Format

CWE-258

Empty Password in Configuration File

CWE-259

Use of Hard-coded Password

CWE-260

Password in Configuration File

CWE-261

Weak Encoding for Password

CWE-262

Not Using Password Aging

CWE-263

Password Aging with Long Expiration

CWE-266

Incorrect Privilege Assignment

CWE-267

Privilege Defined With Unsafe Actions

CWE-268

Privilege Chaining

CWE-269

Improper Privilege Management

CWE-270

Privilege Context Switching Error

CWE-271

Privilege Dropping / Lowering Errors

CWE-272

Least Privilege Violation

CWE-273

Improper Check for Dropped Privileges

CWE-274

Improper Handling of Insufficient Privileges

CWE-276

Incorrect Default Permissions

CWE-277

Insecure Inherited Permissions

CWE-278

Insecure Preserved Inherited Permissions

CWE-279

Incorrect Execution-Assigned Permissions

CWE-280

Improper Handling of Insufficient Permissions or Privileges

CWE-281

Improper Preservation of Permissions

CWE-282

Improper Ownership Management

CWE-283

Unverified Ownership

CWE-284

Improper Access Control

CWE-285

Improper Authorization

CWE-286

Incorrect User Management

CWE-287

Improper Authentication

CWE-288

Authentication Bypass Using an Alternate Path or Channel

CWE-289

Authentication Bypass by Alternate Name

CWE-290

Authentication Bypass by Spoofing

CWE-291

Reliance on IP Address for Authentication

CWE-292

DEPRECATED: Trusting Self-reported DNS Name

CWE-293

Using Referer Field for Authentication

CWE-294

Authentication Bypass by Capture-replay

CWE-295

Improper Certificate Validation

CWE-296

Improper Following of a Certificate's Chain of Trust

CWE-297

Improper Validation of Certificate with Host Mismatch

CWE-298

Improper Validation of Certificate Expiration

CWE-299

Improper Check for Certificate Revocation

CWE-300

Channel Accessible by Non-Endpoint

CWE-301

Reflection Attack in an Authentication Protocol

CWE-302

Authentication Bypass by Assumed-Immutable Data

CWE-303

Incorrect Implementation of Authentication Algorithm

CWE-304

Missing Critical Step in Authentication

CWE-305

Authentication Bypass by Primary Weakness

CWE-306

Missing Authentication for Critical Function

CWE-307

Improper Restriction of Excessive Authentication Attempts

CWE-308

Use of Single-factor Authentication

CWE-309

Use of Password System for Primary Authentication

CWE-311

Missing Encryption of Sensitive Data

CWE-312

Cleartext Storage of Sensitive Information

CWE-313

Cleartext Storage in a File or on Disk

CWE-314

Cleartext Storage in the Registry

CWE-315

Cleartext Storage of Sensitive Information in a Cookie

CWE-316

Cleartext Storage of Sensitive Information in Memory

CWE-317

Cleartext Storage of Sensitive Information in GUI

CWE-318

Cleartext Storage of Sensitive Information in Executable

CWE-319

Cleartext Transmission of Sensitive Information

CWE-321

Use of Hard-coded Cryptographic Key

CWE-322

Key Exchange without Entity Authentication

CWE-323

Reusing a Nonce, Key Pair in Encryption

CWE-324

Use of a Key Past its Expiration Date

CWE-325

Missing Cryptographic Step

CWE-326

Inadequate Encryption Strength

CWE-327

Use of a Broken or Risky Cryptographic Algorithm

CWE-328

Use of Weak Hash

CWE-329

Generation of Predictable IV with CBC Mode

CWE-330

Use of Insufficiently Random Values

CWE-331

Insufficient Entropy

CWE-332

Insufficient Entropy in PRNG

CWE-333

Improper Handling of Insufficient Entropy in TRNG

CWE-334

Small Space of Random Values

CWE-335

Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)

CWE-336

Same Seed in Pseudo-Random Number Generator (PRNG)

CWE-337

Predictable Seed in Pseudo-Random Number Generator (PRNG)

CWE-338

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

CWE-339

Small Seed Space in PRNG

CWE-340

Generation of Predictable Numbers or Identifiers

CWE-341

Predictable from Observable State

CWE-342

Predictable Exact Value from Previous Values

CWE-343

Predictable Value Range from Previous Values

CWE-344

Use of Invariant Value in Dynamically Changing Context

CWE-345

Insufficient Verification of Data Authenticity

CWE-346

Origin Validation Error

CWE-347

Improper Verification of Cryptographic Signature

CWE-348

Use of Less Trusted Source

CWE-349

Acceptance of Extraneous Untrusted Data With Trusted Data

CWE-350

Reliance on Reverse DNS Resolution for a Security-Critical Action

CWE-351

Insufficient Type Distinction

CWE-352

Cross-Site Request Forgery (CSRF)

CWE-353

Missing Support for Integrity Check

CWE-354

Improper Validation of Integrity Check Value

CWE-356

Product UI does not Warn User of Unsafe Actions

CWE-357

Insufficient UI Warning of Dangerous Operations

CWE-358

Improperly Implemented Security Check for Standard

CWE-359

Exposure of Private Personal Information to an Unauthorized Actor

CWE-360

Trust of System Event Data

CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CWE-363

Race Condition Enabling Link Following

CWE-364

Signal Handler Race Condition

CWE-365

DEPRECATED: Race Condition in Switch

CWE-366

Race Condition within a Thread

CWE-367

Time-of-check Time-of-use (TOCTOU) Race Condition

CWE-368

Context Switching Race Condition

CWE-369

Divide By Zero

CWE-370

Missing Check for Certificate Revocation after Initial Check

CWE-372

Incomplete Internal State Distinction

CWE-373

DEPRECATED: State Synchronization Error

CWE-374

Passing Mutable Objects to an Untrusted Method

CWE-375

Returning a Mutable Object to an Untrusted Caller

CWE-377

Insecure Temporary File

CWE-378

Creation of Temporary File With Insecure Permissions

CWE-379

Creation of Temporary File in Directory with Insecure Permissions

CWE-382

J2EE Bad Practices: Use of System.exit()

CWE-383

J2EE Bad Practices: Direct Use of Threads

CWE-384

Session Fixation

CWE-385

Covert Timing Channel

CWE-386

Symbolic Name not Mapping to Correct Object

CWE-390

Detection of Error Condition Without Action

CWE-391

Unchecked Error Condition

CWE-392

Missing Report of Error Condition

CWE-393

Return of Wrong Status Code

CWE-394

Unexpected Status Code or Return Value

CWE-395

Use of NullPointerException Catch to Detect NULL Pointer Dereference

CWE-396

Declaration of Catch for Generic Exception

CWE-397

Declaration of Throws for Generic Exception

CWE-400

Uncontrolled Resource Consumption

CWE-401

Missing Release of Memory after Effective Lifetime

CWE-402

Transmission of Private Resources into a New Sphere ('Resource Leak')

CWE-403

Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')

CWE-404

Improper Resource Shutdown or Release

CWE-405

Asymmetric Resource Consumption (Amplification)

CWE-406

Insufficient Control of Network Message Volume (Network Amplification)

CWE-407

Inefficient Algorithmic Complexity

CWE-408

Incorrect Behavior Order: Early Amplification

CWE-409

Improper Handling of Highly Compressed Data (Data Amplification)

CWE-410

Insufficient Resource Pool

CWE-412

Unrestricted Externally Accessible Lock

CWE-413

Improper Resource Locking

CWE-414

Missing Lock Check

CWE-415

Double Free

CWE-416

Use After Free

CWE-419

Unprotected Primary Channel

CWE-420

Unprotected Alternate Channel

CWE-421

Race Condition During Access to Alternate Channel

CWE-422

Unprotected Windows Messaging Channel ('Shatter')

CWE-423

DEPRECATED: Proxied Trusted Channel

CWE-424

Improper Protection of Alternate Path

CWE-425

Direct Request ('Forced Browsing')

CWE-426

Untrusted Search Path

CWE-427

Uncontrolled Search Path Element

CWE-428

Unquoted Search Path or Element

CWE-430

Deployment of Wrong Handler

CWE-431

Missing Handler

CWE-432

Dangerous Signal Handler not Disabled During Sensitive Operations

CWE-433

Unparsed Raw Web Content Delivery

CWE-434

Unrestricted Upload of File with Dangerous Type

CWE-435

Improper Interaction Between Multiple Correctly-Behaving Entities

CWE-436

Interpretation Conflict

CWE-437

Incomplete Model of Endpoint Features

CWE-439

Behavioral Change in New Version or Environment

CWE-440

Expected Behavior Violation

CWE-441

Unintended Proxy or Intermediary ('Confused Deputy')

CWE-443

DEPRECATED: HTTP response splitting

CWE-444

Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')

CWE-446

UI Discrepancy for Security Feature

CWE-447

Unimplemented or Unsupported Feature in UI

CWE-448

Obsolete Feature in UI

CWE-449

The UI Performs the Wrong Action

CWE-450

Multiple Interpretations of UI Input

CWE-451

User Interface (UI) Misrepresentation of Critical Information

CWE-453

Insecure Default Variable Initialization

CWE-454

External Initialization of Trusted Variables or Data Stores

CWE-455

Non-exit on Failed Initialization

CWE-456

Missing Initialization of a Variable

CWE-457

Use of Uninitialized Variable

CWE-458

DEPRECATED: Incorrect Initialization

CWE-459

Incomplete Cleanup

CWE-460

Improper Cleanup on Thrown Exception

CWE-462

Duplicate Key in Associative List (Alist)

CWE-463

Deletion of Data Structure Sentinel

CWE-464

Addition of Data Structure Sentinel

CWE-466

Return of Pointer Value Outside of Expected Range

CWE-467

Use of sizeof() on a Pointer Type

CWE-468

Incorrect Pointer Scaling

CWE-469

Use of Pointer Subtraction to Determine Size

CWE-470

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

CWE-471

Modification of Assumed-Immutable Data (MAID)

CWE-472

External Control of Assumed-Immutable Web Parameter

CWE-473

PHP External Variable Modification

CWE-474

Use of Function with Inconsistent Implementations

CWE-475

Undefined Behavior for Input to API

CWE-476

NULL Pointer Dereference

CWE-477

Use of Obsolete Function

CWE-478

Missing Default Case in Multiple Condition Expression

CWE-479

Signal Handler Use of a Non-reentrant Function

CWE-480

Use of Incorrect Operator

CWE-481

Assigning instead of Comparing

CWE-482

Comparing instead of Assigning

CWE-483

Incorrect Block Delimitation

CWE-484

Omitted Break Statement in Switch

CWE-486

Comparison of Classes by Name

CWE-487

Reliance on Package-level Scope

CWE-488

Exposure of Data Element to Wrong Session

CWE-489

Active Debug Code

CWE-491

Public cloneable() Method Without Final ('Object Hijack')

CWE-492

Use of Inner Class Containing Sensitive Data

CWE-493

Critical Public Variable Without Final Modifier

CWE-494

Download of Code Without Integrity Check

CWE-495

Private Data Structure Returned From A Public Method

CWE-496

Public Data Assigned to Private Array-Typed Field

CWE-497

Exposure of Sensitive System Information to an Unauthorized Control Sphere

CWE-498

Cloneable Class Containing Sensitive Information

CWE-499

Serializable Class Containing Sensitive Data

CWE-500

Public Static Field Not Marked Final

CWE-501

Trust Boundary Violation

CWE-502

Deserialization of Untrusted Data

CWE-506

Embedded Malicious Code

CWE-507

Trojan Horse

CWE-508

Non-Replicating Malicious Code

CWE-509

Replicating Malicious Code (Virus or Worm)

CWE-510

Trapdoor

CWE-511

Logic/Time Bomb

CWE-512

Spyware

CWE-514

Covert Channel

CWE-515

Covert Storage Channel

CWE-516

DEPRECATED: Covert Timing Channel

CWE-520

.NET Misconfiguration: Use of Impersonation

CWE-521

Weak Password Requirements

CWE-522

Insufficiently Protected Credentials

CWE-523

Unprotected Transport of Credentials

CWE-524

Use of Cache Containing Sensitive Information

CWE-525

Use of Web Browser Cache Containing Sensitive Information

CWE-526

Cleartext Storage of Sensitive Information in an Environment Variable

CWE-527

Exposure of Version-Control Repository to an Unauthorized Control Sphere

CWE-528

Exposure of Core Dump File to an Unauthorized Control Sphere

CWE-529

Exposure of Access Control List Files to an Unauthorized Control Sphere

CWE-530

Exposure of Backup File to an Unauthorized Control Sphere

CWE-531

Inclusion of Sensitive Information in Test Code

CWE-532

Insertion of Sensitive Information into Log File

CWE-533

DEPRECATED: Information Exposure Through Server Log Files

CWE-534

DEPRECATED: Information Exposure Through Debug Log Files

CWE-535

Exposure of Information Through Shell Error Message

CWE-536

Servlet Runtime Error Message Containing Sensitive Information

CWE-537

Java Runtime Error Message Containing Sensitive Information

CWE-538

Insertion of Sensitive Information into Externally-Accessible File or Directory

CWE-539

Use of Persistent Cookies Containing Sensitive Information

CWE-540

Inclusion of Sensitive Information in Source Code

CWE-541

Inclusion of Sensitive Information in an Include File

CWE-542

DEPRECATED: Information Exposure Through Cleanup Log Files

CWE-543

Use of Singleton Pattern Without Synchronization in a Multithreaded Context

CWE-544

Missing Standardized Error Handling Mechanism

CWE-545

DEPRECATED: Use of Dynamic Class Loading

CWE-546

Suspicious Comment

CWE-547

Use of Hard-coded, Security-relevant Constants

CWE-548

Exposure of Information Through Directory Listing

CWE-549

Missing Password Field Masking

CWE-550

Server-generated Error Message Containing Sensitive Information

CWE-551

Incorrect Behavior Order: Authorization Before Parsing and Canonicalization

CWE-552

Files or Directories Accessible to External Parties

CWE-553

Command Shell in Externally Accessible Directory

CWE-554

ASP.NET Misconfiguration: Not Using Input Validation Framework

CWE-555

J2EE Misconfiguration: Plaintext Password in Configuration File

CWE-556

ASP.NET Misconfiguration: Use of Identity Impersonation

CWE-558

Use of getlogin() in Multithreaded Application

CWE-560

Use of umask() with chmod-style Argument

CWE-561

Dead Code

CWE-562

Return of Stack Variable Address

CWE-563

Assignment to Variable without Use

CWE-564

SQL Injection: Hibernate

CWE-565

Reliance on Cookies without Validation and Integrity Checking

CWE-566

Authorization Bypass Through User-Controlled SQL Primary Key

CWE-567

Unsynchronized Access to Shared Data in a Multithreaded Context

CWE-568

finalize() Method Without super.finalize()

CWE-570

Expression is Always False

CWE-571

Expression is Always True

CWE-572

Call to Thread run() instead of start()

CWE-573

Improper Following of Specification by Caller

CWE-574

EJB Bad Practices: Use of Synchronization Primitives

CWE-575

EJB Bad Practices: Use of AWT Swing

CWE-576

EJB Bad Practices: Use of Java I/O

CWE-577

EJB Bad Practices: Use of Sockets

CWE-578

EJB Bad Practices: Use of Class Loader

CWE-579

J2EE Bad Practices: Non-serializable Object Stored in Session

CWE-580

clone() Method Without super.clone()

CWE-581

Object Model Violation: Just One of Equals and Hashcode Defined

CWE-582

Array Declared Public, Final, and Static

CWE-583

finalize() Method Declared Public

CWE-584

Return Inside Finally Block

CWE-585

Empty Synchronized Block

CWE-586

Explicit Call to Finalize()

CWE-587

Assignment of a Fixed Address to a Pointer

CWE-588

Attempt to Access Child of a Non-structure Pointer

CWE-589

Call to Non-ubiquitous API

CWE-590

Free of Memory not on the Heap

CWE-591

Sensitive Data Storage in Improperly Locked Memory

CWE-592

DEPRECATED: Authentication Bypass Issues

CWE-593

Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created

CWE-594

J2EE Framework: Saving Unserializable Objects to Disk

CWE-595

Comparison of Object References Instead of Object Contents

CWE-596

DEPRECATED: Incorrect Semantic Object Comparison

CWE-597

Use of Wrong Operator in String Comparison

CWE-598

Use of HTTP Request With Sensitive Query String

CWE-599

Missing Validation of OpenSSL Certificate

CWE-600

Uncaught Exception in Servlet

CWE-601

URL Redirection to Untrusted Site ('Open Redirect')

CWE-602

Client-Side Enforcement of Server-Side Security

CWE-603

Use of Client-Side Authentication

CWE-605

Multiple Binds to the Same Port

CWE-606

Unchecked Input for Loop Condition

CWE-607

Public Static Final Field References Mutable Object

CWE-608

Struts: Non-private Field in ActionForm Class

CWE-609

Double-Checked Locking

CWE-610

Externally Controlled Reference to a Resource in Another Sphere

CWE-611

Improper Restriction of XML External Entity Reference

CWE-612

Improper Authorization of Index Containing Sensitive Information

CWE-613

Insufficient Session Expiration

CWE-614

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

CWE-615

Inclusion of Sensitive Information in Source Code Comments

CWE-616

Incomplete Identification of Uploaded File Variables (PHP)

CWE-617

Reachable Assertion

CWE-618

Exposed Unsafe ActiveX Method

CWE-619

Dangling Database Cursor ('Cursor Injection')

CWE-620

Unverified Password Change

CWE-621

Variable Extraction Error

CWE-622

Improper Validation of Function Hook Arguments

CWE-623

Unsafe ActiveX Control Marked Safe For Scripting

CWE-624

Executable Regular Expression Error

CWE-625

Permissive Regular Expression

CWE-626

Null Byte Interaction Error (Poison Null Byte)

CWE-627

Dynamic Variable Evaluation

CWE-628

Function Call with Incorrectly Specified Arguments

CWE-636

Not Failing Securely ('Failing Open')

CWE-637

Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')

CWE-638

Not Using Complete Mediation

CWE-639

Authorization Bypass Through User-Controlled Key

CWE-640

Weak Password Recovery Mechanism for Forgotten Password

CWE-641

Improper Restriction of Names for Files and Other Resources

CWE-642

External Control of Critical State Data

CWE-643

Improper Neutralization of Data within XPath Expressions ('XPath Injection')

CWE-644

Improper Neutralization of HTTP Headers for Scripting Syntax

CWE-645

Overly Restrictive Account Lockout Mechanism

CWE-646

Reliance on File Name or Extension of Externally-Supplied File

CWE-647

Use of Non-Canonical URL Paths for Authorization Decisions

CWE-648

Incorrect Use of Privileged APIs

CWE-649

Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking

CWE-650

Trusting HTTP Permission Methods on the Server Side

CWE-651

Exposure of WSDL File Containing Sensitive Information

CWE-652

Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')

CWE-653

Improper Isolation or Compartmentalization

CWE-654

Reliance on a Single Factor in a Security Decision

CWE-655

Insufficient Psychological Acceptability

CWE-656

Reliance on Security Through Obscurity

CWE-657

Violation of Secure Design Principles

CWE-662

Improper Synchronization

CWE-663

Use of a Non-reentrant Function in a Concurrent Context

CWE-664

Improper Control of a Resource Through its Lifetime

CWE-665

Improper Initialization

CWE-666

Operation on Resource in Wrong Phase of Lifetime

CWE-667

Improper Locking

CWE-668

Exposure of Resource to Wrong Sphere

CWE-669

Incorrect Resource Transfer Between Spheres

CWE-670

Always-Incorrect Control Flow Implementation

CWE-671

Lack of Administrator Control over Security

CWE-672

Operation on a Resource after Expiration or Release

CWE-673

External Influence of Sphere Definition

CWE-674

Uncontrolled Recursion

CWE-675

Multiple Operations on Resource in Single-Operation Context

CWE-676

Use of Potentially Dangerous Function

CWE-680

Integer Overflow to Buffer Overflow

CWE-681

Incorrect Conversion between Numeric Types

CWE-682

Incorrect Calculation

CWE-683

Function Call With Incorrect Order of Arguments

CWE-684

Incorrect Provision of Specified Functionality

CWE-685

Function Call With Incorrect Number of Arguments

CWE-686

Function Call With Incorrect Argument Type

CWE-687

Function Call With Incorrectly Specified Argument Value

CWE-688

Function Call With Incorrect Variable or Reference as Argument

CWE-689

Permission Race Condition During Resource Copy

CWE-690

Unchecked Return Value to NULL Pointer Dereference

CWE-691

Insufficient Control Flow Management

CWE-692

Incomplete Denylist to Cross-Site Scripting

CWE-693

Protection Mechanism Failure

CWE-694

Use of Multiple Resources with Duplicate Identifier

CWE-695

Use of Low-Level Functionality

CWE-696

Incorrect Behavior Order

CWE-697

Incorrect Comparison

CWE-698

Execution After Redirect (EAR)

CWE-703

Improper Check or Handling of Exceptional Conditions

CWE-704

Incorrect Type Conversion or Cast

CWE-705

Incorrect Control Flow Scoping

CWE-706

Use of Incorrectly-Resolved Name or Reference

CWE-707

Improper Neutralization

CWE-708

Incorrect Ownership Assignment

CWE-710

Improper Adherence to Coding Standards

CWE-732

Incorrect Permission Assignment for Critical Resource

CWE-733

Compiler Optimization Removal or Modification of Security-critical Code

CWE-749

Exposed Dangerous Method or Function

CWE-754

Improper Check for Unusual or Exceptional Conditions

CWE-755

Improper Handling of Exceptional Conditions

CWE-756

Missing Custom Error Page

CWE-757

Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')

CWE-758

Reliance on Undefined, Unspecified, or Implementation-Defined Behavior

CWE-759

Use of a One-Way Hash without a Salt

CWE-760

Use of a One-Way Hash with a Predictable Salt

CWE-761

Free of Pointer not at Start of Buffer

CWE-762

Mismatched Memory Management Routines

CWE-763

Release of Invalid Pointer or Reference

CWE-764

Multiple Locks of a Critical Resource

CWE-765

Multiple Unlocks of a Critical Resource

CWE-766

Critical Data Element Declared Public

CWE-767

Access to Critical Private Variable via Public Method

CWE-768

Incorrect Short Circuit Evaluation

CWE-769

DEPRECATED: Uncontrolled File Descriptor Consumption

CWE-770

Allocation of Resources Without Limits or Throttling

CWE-771

Missing Reference to Active Allocated Resource

CWE-772

Missing Release of Resource after Effective Lifetime

CWE-773

Missing Reference to Active File Descriptor or Handle

CWE-774

Allocation of File Descriptors or Handles Without Limits or Throttling

CWE-775

Missing Release of File Descriptor or Handle after Effective Lifetime

CWE-776

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

CWE-777

Regular Expression without Anchors

CWE-778

Insufficient Logging

CWE-779

Logging of Excessive Data

CWE-780

Use of RSA Algorithm without OAEP

CWE-781

Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code

CWE-782

Exposed IOCTL with Insufficient Access Control

CWE-783

Operator Precedence Logic Error

CWE-784

Reliance on Cookies without Validation and Integrity Checking in a Security Decision

CWE-785

Use of Path Manipulation Function without Maximum-sized Buffer

CWE-786

Access of Memory Location Before Start of Buffer

CWE-787

Out-of-bounds Write

CWE-788

Access of Memory Location After End of Buffer

CWE-789

Memory Allocation with Excessive Size Value

CWE-790

Improper Filtering of Special Elements

CWE-791

Incomplete Filtering of Special Elements

CWE-792

Incomplete Filtering of One or More Instances of Special Elements

CWE-793

Only Filtering One Instance of a Special Element

CWE-794

Incomplete Filtering of Multiple Instances of Special Elements

CWE-795

Only Filtering Special Elements at a Specified Location

CWE-796

Only Filtering Special Elements Relative to a Marker

CWE-797

Only Filtering Special Elements at an Absolute Position

CWE-798

Use of Hard-coded Credentials

CWE-799

Improper Control of Interaction Frequency

CWE-804

Guessable CAPTCHA

CWE-805

Buffer Access with Incorrect Length Value

CWE-806

Buffer Access Using Size of Source Buffer

CWE-807

Reliance on Untrusted Inputs in a Security Decision

CWE-820

Missing Synchronization

CWE-821

Incorrect Synchronization

CWE-822

Untrusted Pointer Dereference

CWE-823

Use of Out-of-range Pointer Offset

CWE-824

Access of Uninitialized Pointer

CWE-825

Expired Pointer Dereference

CWE-826

Premature Release of Resource During Expected Lifetime

CWE-827

Improper Control of Document Type Definition

CWE-828

Signal Handler with Functionality that is not Asynchronous-Safe

CWE-829

Inclusion of Functionality from Untrusted Control Sphere

CWE-830

Inclusion of Web Functionality from an Untrusted Source

CWE-831

Signal Handler Function Associated with Multiple Signals

CWE-832

Unlock of a Resource that is not Locked

CWE-833

Deadlock

CWE-834

Excessive Iteration

CWE-835

Loop with Unreachable Exit Condition ('Infinite Loop')

CWE-836

Use of Password Hash Instead of Password for Authentication

CWE-837

Improper Enforcement of a Single, Unique Action

CWE-838

Inappropriate Encoding for Output Context

CWE-839

Numeric Range Comparison Without Minimum Check

CWE-841

Improper Enforcement of Behavioral Workflow

CWE-842

Placement of User into Incorrect Group

CWE-843

Access of Resource Using Incompatible Type ('Type Confusion')

CWE-862

Missing Authorization

CWE-863

Incorrect Authorization

CWE-908

Use of Uninitialized Resource

CWE-909

Missing Initialization of Resource

CWE-910

Use of Expired File Descriptor

CWE-911

Improper Update of Reference Count

CWE-912

Hidden Functionality

CWE-913

Improper Control of Dynamically-Managed Code Resources

CWE-914

Improper Control of Dynamically-Identified Variables

CWE-915

Improperly Controlled Modification of Dynamically-Determined Object Attributes

CWE-916

Use of Password Hash With Insufficient Computational Effort

CWE-917

Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

CWE-918

Server-Side Request Forgery (SSRF)

CWE-920

Improper Restriction of Power Consumption

CWE-921

Storage of Sensitive Data in a Mechanism without Access Control

CWE-922

Insecure Storage of Sensitive Information

CWE-923

Improper Restriction of Communication Channel to Intended Endpoints

CWE-924

Improper Enforcement of Message Integrity During Transmission in a Communication Channel

CWE-925

Improper Verification of Intent by Broadcast Receiver

CWE-926

Improper Export of Android Application Components

CWE-927

Use of Implicit Intent for Sensitive Communication

CWE-939

Improper Authorization in Handler for Custom URL Scheme

CWE-940

Improper Verification of Source of a Communication Channel

CWE-941

Incorrectly Specified Destination in a Communication Channel

CWE-942

Permissive Cross-domain Security Policy with Untrusted Domains

CWE-943

Improper Neutralization of Special Elements in Data Query Logic

CWE-1004

Sensitive Cookie Without 'HttpOnly' Flag

CWE-1007

Insufficient Visual Distinction of Homoglyphs Presented to User

CWE-1021

Improper Restriction of Rendered UI Layers or Frames

CWE-1022

Use of Web Link to Untrusted Target with window.opener Access

CWE-1023

Incomplete Comparison with Missing Factors

CWE-1024

Comparison of Incompatible Types

CWE-1025

Comparison Using Wrong Factors

CWE-1037

Processor Optimization Removal or Modification of Security-critical Code

CWE-1038

Insecure Automated Optimizations

CWE-1039

Inadequate Detection or Handling of Adversarial Input Perturbations in Automated Recognition Mechanism

CWE-1041

Use of Redundant Code

CWE-1042

Static Member Data Element outside of a Singleton Class Element

CWE-1043

Data Element Aggregating an Excessively Large Number of Non-Primitive Elements

CWE-1044

Architecture with Number of Horizontal Layers Outside of Expected Range

CWE-1045

Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor

CWE-1046

Creation of Immutable Text Using String Concatenation

CWE-1047

Modules with Circular Dependencies

CWE-1048

Invokable Control Element with Large Number of Outward Calls

CWE-1049

Excessive Data Query Operations in a Large Data Table

CWE-1050

Excessive Platform Resource Consumption within a Loop

CWE-1051

Initialization with Hard-Coded Network Resource Configuration Data

CWE-1052

Excessive Use of Hard-Coded Literals in Initialization

CWE-1053

Missing Documentation for Design

CWE-1054

Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer

CWE-1055

Multiple Inheritance from Concrete Classes

CWE-1056

Invokable Control Element with Variadic Parameters

CWE-1057

Data Access Operations Outside of Expected Data Manager Component

CWE-1058

Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element

CWE-1059

Insufficient Technical Documentation

CWE-1060

Excessive Number of Inefficient Server-Side Data Accesses

CWE-1061

Insufficient Encapsulation

CWE-1062

Parent Class with References to Child Class

CWE-1063

Creation of Class Instance within a Static Code Block

CWE-1064

Invokable Control Element with Signature Containing an Excessive Number of Parameters

CWE-1065

Runtime Resource Management Control Element in a Component Built to Run on Application Servers

CWE-1066

Missing Serialization Control Element

CWE-1067

Excessive Execution of Sequential Searches of Data Resource

CWE-1068

Inconsistency Between Implementation and Documented Design

CWE-1069

Empty Exception Block

CWE-1070

Serializable Data Element Containing non-Serializable Item Elements

CWE-1071

Empty Code Block

CWE-1072

Data Resource Access without Use of Connection Pooling

CWE-1073

Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses

CWE-1074

Class with Excessively Deep Inheritance

CWE-1075

Unconditional Control Flow Transfer outside of Switch Block

CWE-1076

Insufficient Adherence to Expected Conventions

CWE-1077

Floating Point Comparison with Incorrect Operator

CWE-1078

Inappropriate Source Code Style or Formatting

CWE-1079

Parent Class without Virtual Destructor Method

CWE-1080

Source Code File with Excessive Number of Lines of Code

CWE-1082

Class Instance Self Destruction Control Element

CWE-1083

Data Access from Outside Expected Data Manager Component

CWE-1084

Invokable Control Element with Excessive File or Data Access Operations

CWE-1085

Invokable Control Element with Excessive Volume of Commented-out Code

CWE-1086

Class with Excessive Number of Child Classes

CWE-1087

Class with Virtual Method without a Virtual Destructor

CWE-1088

Synchronous Access of Remote Resource without Timeout

CWE-1089

Large Data Table with Excessive Number of Indices

CWE-1090

Method Containing Access of a Member Element from Another Class

CWE-1091

Use of Object without Invoking Destructor Method

CWE-1092

Use of Same Invokable Control Element in Multiple Architectural Layers

CWE-1093

Excessively Complex Data Representation

CWE-1094

Excessive Index Range Scan for a Data Resource

CWE-1095

Loop Condition Value Update within the Loop

CWE-1096

Singleton Class Instance Creation without Proper Locking or Synchronization

CWE-1097

Persistent Storable Data Element without Associated Comparison Control Element

CWE-1098

Data Element containing Pointer Item without Proper Copy Control Element

CWE-1099

Inconsistent Naming Conventions for Identifiers

CWE-1100

Insufficient Isolation of System-Dependent Functions

CWE-1101

Reliance on Runtime Component in Generated Code

CWE-1102

Reliance on Machine-Dependent Data Representation

CWE-1103

Use of Platform-Dependent Third Party Components

CWE-1104

Use of Unmaintained Third Party Components

CWE-1105

Insufficient Encapsulation of Machine-Dependent Functionality

CWE-1106

Insufficient Use of Symbolic Constants

CWE-1107

Insufficient Isolation of Symbolic Constant Definitions

CWE-1108

Excessive Reliance on Global Variables

CWE-1109

Use of Same Variable for Multiple Purposes

CWE-1110

Incomplete Design Documentation

CWE-1111

Incomplete I/O Documentation

CWE-1112

Incomplete Documentation of Program Execution

CWE-1113

Inappropriate Comment Style

CWE-1114

Inappropriate Whitespace Style

CWE-1115

Source Code Element without Standard Prologue

CWE-1116

Inaccurate Source Code Comments

CWE-1117

Callable with Insufficient Behavioral Summary

CWE-1118

Insufficient Documentation of Error Handling Techniques

CWE-1119

Excessive Use of Unconditional Branching

CWE-1120

Excessive Code Complexity

CWE-1121

Excessive McCabe Cyclomatic Complexity

CWE-1122

Excessive Halstead Complexity

CWE-1123

Excessive Use of Self-Modifying Code

CWE-1124

Excessively Deep Nesting

CWE-1125

Excessive Attack Surface

CWE-1126

Declaration of Variable with Unnecessarily Wide Scope

CWE-1127

Compilation with Insufficient Warnings or Errors

CWE-1164

Irrelevant Code

CWE-1173

Improper Use of Validation Framework

CWE-1174

ASP.NET Misconfiguration: Improper Model Validation

CWE-1176

Inefficient CPU Computation

CWE-1177

Use of Prohibited Code

CWE-1187

DEPRECATED: Use of Uninitialized Resource

CWE-1188

Initialization of a Resource with an Insecure Default

CWE-1189

Improper Isolation of Shared Resources on System-on-a-Chip (SoC)

CWE-1190

DMA Device Enabled Too Early in Boot Phase

CWE-1191

On-Chip Debug and Test Interface With Improper Access Control

CWE-1192

Improper Identifier for IP Block used in System-On-Chip (SOC)

CWE-1193

Power-On of Untrusted Execution Core Before Enabling Fabric Access Control

CWE-1204

Generation of Weak Initialization Vector (IV)

CWE-1209

Failure to Disable Reserved Bits

CWE-1220

Insufficient Granularity of Access Control

CWE-1221

Incorrect Register Defaults or Module Parameters

CWE-1222

Insufficient Granularity of Address Regions Protected by Register Locks

CWE-1223

Race Condition for Write-Once Attributes

CWE-1224

Improper Restriction of Write-Once Bit Fields

CWE-1229

Creation of Emergent Resource

CWE-1230

Exposure of Sensitive Information Through Metadata

CWE-1231

Improper Prevention of Lock Bit Modification

CWE-1232

Improper Lock Behavior After Power State Transition

CWE-1233

Security-Sensitive Hardware Controls with Missing Lock Bit Protection

CWE-1234

Hardware Internal or Debug Modes Allow Override of Locks

CWE-1235

Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations

CWE-1236

Improper Neutralization of Formula Elements in a CSV File

CWE-1239

Improper Zeroization of Hardware Register

CWE-1240

Use of a Cryptographic Primitive with a Risky Implementation

CWE-1241

Use of Predictable Algorithm in Random Number Generator

CWE-1242

Inclusion of Undocumented Features or Chicken Bits

CWE-1243

Sensitive Non-Volatile Information Not Protected During Debug

CWE-1244

Internal Asset Exposed to Unsafe Debug Access Level or State

CWE-1245

Improper Finite State Machines (FSMs) in Hardware Logic

CWE-1246

Improper Write Handling in Limited-write Non-Volatile Memories

CWE-1247

Improper Protection Against Voltage and Clock Glitches

CWE-1248

Semiconductor Defects in Hardware Logic with Security-Sensitive Implications

CWE-1249

Application-Level Admin Tool with Inconsistent View of Underlying Operating System

CWE-1250

Improper Preservation of Consistency Between Independent Representations of Shared State

CWE-1251

Mirrored Regions with Different Values

CWE-1252

CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations

CWE-1253

Incorrect Selection of Fuse Values

CWE-1254

Incorrect Comparison Logic Granularity

CWE-1255

Comparison Logic is Vulnerable to Power Side-Channel Attacks

CWE-1256

Improper Restriction of Software Interfaces to Hardware Features

CWE-1257

Improper Access Control Applied to Mirrored or Aliased Memory Regions

CWE-1258

Exposure of Sensitive System Information Due to Uncleared Debug Information

CWE-1259

Improper Restriction of Security Token Assignment

CWE-1260

Improper Handling of Overlap Between Protected Memory Ranges

CWE-1261

Improper Handling of Single Event Upsets

CWE-1262

Improper Access Control for Register Interface

CWE-1263

Improper Physical Access Control

CWE-1264

Hardware Logic with Insecure De-Synchronization between Control and Data Channels

CWE-1265

Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls

CWE-1266

Improper Scrubbing of Sensitive Data from Decommissioned Device

CWE-1267

Policy Uses Obsolete Encoding

CWE-1268

Policy Privileges are not Assigned Consistently Between Control and Data Agents

CWE-1269

Product Released in Non-Release Configuration

CWE-1270

Generation of Incorrect Security Tokens

CWE-1271

Uninitialized Value on Reset for Registers Holding Security Settings

CWE-1272

Sensitive Information Uncleared Before Debug/Power State Transition

CWE-1273

Device Unlock Credential Sharing

CWE-1274

Improper Access Control for Volatile Memory Containing Boot Code

CWE-1275

Sensitive Cookie with Improper SameSite Attribute

CWE-1276

Hardware Child Block Incorrectly Connected to Parent System

CWE-1277

Firmware Not Updateable

CWE-1278

Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques

CWE-1279

Cryptographic Operations are run Before Supporting Units are Ready

CWE-1280

Access Control Check Implemented After Asset is Accessed

CWE-1281

Sequence of Processor Instructions Leads to Unexpected Behavior

CWE-1282

Assumed-Immutable Data is Stored in Writable Memory

CWE-1283

Mutable Attestation or Measurement Reporting Data

CWE-1284

Improper Validation of Specified Quantity in Input

CWE-1285

Improper Validation of Specified Index, Position, or Offset in Input

CWE-1286

Improper Validation of Syntactic Correctness of Input

CWE-1287

Improper Validation of Specified Type of Input

CWE-1288

Improper Validation of Consistency within Input

CWE-1289

Improper Validation of Unsafe Equivalence in Input

CWE-1290

Incorrect Decoding of Security Identifiers

CWE-1291

Public Key Re-Use for Signing both Debug and Production Code

CWE-1292

Incorrect Conversion of Security Identifiers

CWE-1293

Missing Source Correlation of Multiple Independent Data

CWE-1294

Insecure Security Identifier Mechanism

CWE-1295

Debug Messages Revealing Unnecessary Information

CWE-1296

Incorrect Chaining or Granularity of Debug Components

CWE-1297

Unprotected Confidential Information on Device is Accessible by OSAT Vendors

CWE-1298

Hardware Logic Contains Race Conditions

CWE-1299

Missing Protection Mechanism for Alternate Hardware Interface

CWE-1300

Improper Protection of Physical Side Channels

CWE-1301

Insufficient or Incomplete Data Removal within Hardware Component

CWE-1302

Missing Source Identifier in Entity Transactions on a System-On-Chip (SOC)

CWE-1303

Non-Transparent Sharing of Microarchitectural Resources

CWE-1304

Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation

CWE-1310

Missing Ability to Patch ROM Code

CWE-1311

Improper Translation of Security Attributes by Fabric Bridge

CWE-1312

Missing Protection for Mirrored Regions in On-Chip Fabric Firewall

CWE-1313

Hardware Allows Activation of Test or Debug Logic at Runtime

CWE-1314

Missing Write Protection for Parametric Data Values

CWE-1315

Improper Setting of Bus Controlling Capability in Fabric End-point

CWE-1316

Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges

CWE-1317

Improper Access Control in Fabric Bridge

CWE-1318

Missing Support for Security Features in On-chip Fabrics or Buses

CWE-1319

Improper Protection against Electromagnetic Fault Injection (EM-FI)

CWE-1320

Improper Protection for Outbound Error Messages and Alert Signals

CWE-1321

Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

CWE-1322

Use of Blocking Code in Single-threaded, Non-blocking Context

CWE-1323

Improper Management of Sensitive Trace Data

CWE-1324

DEPRECATED: Sensitive Information Accessible by Physical Probing of JTAG Interface

CWE-1325

Improperly Controlled Sequential Memory Allocation

CWE-1326

Missing Immutable Root of Trust in Hardware

CWE-1327

Binding to an Unrestricted IP Address

CWE-1328

Security Version Number Mutable to Older Versions

CWE-1329

Reliance on Component That is Not Updateable

CWE-1330

Remanent Data Readable after Memory Erase

CWE-1331

Improper Isolation of Shared Resources in Network On Chip (NoC)

CWE-1332

Improper Handling of Faults that Lead to Instruction Skips

CWE-1333

Inefficient Regular Expression Complexity

CWE-1334

Unauthorized Error Injection Can Degrade Hardware Redundancy

CWE-1335

Incorrect Bitwise Shift of Integer

CWE-1336

Improper Neutralization of Special Elements Used in a Template Engine

CWE-1338

Improper Protections Against Hardware Overheating

CWE-1339

Insufficient Precision or Accuracy of a Real Number

CWE-1341

Multiple Releases of Same Resource or Handle

CWE-1342

Information Exposure through Microarchitectural State after Transient Execution

CWE-1351

Improper Handling of Hardware Behavior in Exceptionally Cold Environments

CWE-1357

Reliance on Insufficiently Trustworthy Component

CWE-1384

Improper Handling of Physical or Environmental Conditions

CWE-1385

Missing Origin Validation in WebSockets

CWE-1386

Insecure Operation on Windows Junction / Mount Point

CWE-1389

Incorrect Parsing of Numbers with Different Radices

CWE-1390

Weak Authentication

CWE-1391

Use of Weak Credentials

CWE-1392

Use of Default Credentials

CWE-1393

Use of Default Password

CWE-1394

Use of Default Cryptographic Key

CWE-1395

Dependency on Vulnerable Third-Party Component

CWE-1419

Incorrect Initialization of Resource

CWE-1420

Exposure of Sensitive Information during Transient Execution

CWE-1421

Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution

CWE-1422

Exposure of Sensitive Information caused by Incorrect Data Forwarding during Transient Execution

CWE-1423

Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution

CWE-1426

Improper Validation of Generative AI Output

CWE-1427

Improper Neutralization of Input Used for LLM Prompting

CWE-1428

Reliance on HTTP instead of HTTPS

CWE-1429

Missing Security-Relevant Feedback for Unexecuted Operations in Hardware Interface

CWE-1431

Driving Intermediate Cryptographic State/Results to Hardware Module Outputs

CWE-1434

Insecure Setting of Generative AI/ML Model Inference Parameters

Full CWE list at MITRE
Impactr Logoimpactr

Built by hackers, for the code you ship. Autonomous AI penetration testing for modern web apps and APIs.

© 2026 Impactr

Product

FeaturesCoverageUse casesEvidencePricingWaitlist

Resources

VulnerabilitiesGuidesComparisonsGlossaryCWE databaseBy industryBy languageHTTP status codesSecurity headers

Company

ContactTwitterLinkedInGitHub