CWE-677: Weakness Base Elements
ID
CWE-677
Type
Implicit
Status
Draft
This view (slice) displays only weakness base elements.
Relationships
| Type | # ID | Name | Abstraction | Structure | Status | |
|---|---|---|---|---|---|---|
| Weakness | CWE-15 | External Control of System or Configuration Setting | Base | Simple | Incomplete | |
| Weakness | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | Base | Simple | Stable | |
| Weakness | CWE-23 | Relative Path Traversal | Base | Simple | Draft | |
| Weakness | CWE-36 | Absolute Path Traversal | Base | Simple | Draft | |
| Weakness | CWE-41 | Improper Resolution of Path Equivalence | Base | Simple | Incomplete | |
| Weakness | CWE-59 | Improper Link Resolution Before File Access ('Link Following') | Base | Simple | Draft | |
| Weakness | CWE-66 | Improper Handling of File Names that Identify Virtual Resources | Base | Simple | Draft | |
| Weakness | CWE-73 | External Control of File Name or Path | Base | Simple | Draft | |
| Weakness | CWE-76 | Improper Neutralization of Equivalent Special Elements | Base | Simple | Draft | |
| Weakness | CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | Base | Simple | Stable | |
| Weakness | CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | Base | Simple | Stable | |
| Weakness | CWE-88 | Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') | Base | Simple | Draft | |
| Weakness | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | Base | Simple | Stable | |
| Weakness | CWE-90 | Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') | Base | Simple | Draft | |
| Weakness | CWE-91 | XML Injection (aka Blind XPath Injection) | Base | Simple | Draft | |
| Weakness | CWE-92 | DEPRECATED: Improper Sanitization of Custom Special Characters | Base | Simple | Deprecated | |
| Weakness | CWE-93 | Improper Neutralization of CRLF Sequences ('CRLF Injection') | Base | Simple | Draft | |
| Weakness | CWE-94 | Improper Control of Generation of Code ('Code Injection') | Base | Simple | Draft | |
| Weakness | CWE-96 | Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') | Base | Simple | Draft | |
| Weakness | CWE-112 | Missing XML Validation | Base | Simple | Draft | |
| Weakness | CWE-115 | Misinterpretation of Input | Base | Simple | Incomplete | |
| Weakness | CWE-117 | Improper Output Neutralization for Logs | Base | Simple | Draft | |
| Weakness | CWE-120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | Base | Simple | Incomplete | |
| Weakness | CWE-123 | Write-what-where Condition | Base | Simple | Draft | |
| Weakness | CWE-124 | Buffer Underwrite ('Buffer Underflow') | Base | Simple | Incomplete | |
| Weakness | CWE-125 | Out-of-bounds Read | Base | Simple | Draft | |
| Weakness | CWE-128 | Wrap-around Error | Base | Simple | Incomplete | |
| Weakness | CWE-130 | Improper Handling of Length Parameter Inconsistency | Base | Simple | Incomplete | |
| Weakness | CWE-131 | Incorrect Calculation of Buffer Size | Base | Simple | Draft | |
| Weakness | CWE-132 | DEPRECATED: Miscalculated Null Termination | Base | Simple | Deprecated | |
| Weakness | CWE-134 | Use of Externally-Controlled Format String | Base | Simple | Draft | |
| Weakness | CWE-135 | Incorrect Calculation of Multi-Byte String Length | Base | Simple | Draft | |
| Weakness | CWE-140 | Improper Neutralization of Delimiters | Base | Simple | Draft | |
| Weakness | CWE-166 | Improper Handling of Missing Special Element | Base | Simple | Draft | |
| Weakness | CWE-167 | Improper Handling of Additional Special Element | Base | Simple | Draft | |
| Weakness | CWE-168 | Improper Handling of Inconsistent Special Elements | Base | Simple | Draft | |
| Weakness | CWE-170 | Improper Null Termination | Base | Simple | Incomplete | |
| Weakness | CWE-178 | Improper Handling of Case Sensitivity | Base | Simple | Incomplete | |
| Weakness | CWE-179 | Incorrect Behavior Order: Early Validation | Base | Simple | Incomplete | |
| Weakness | CWE-182 | Collapse of Data into Unsafe Value | Base | Simple | Draft | |
| Weakness | CWE-183 | Permissive List of Allowed Inputs | Base | Simple | Draft | |
| Weakness | CWE-184 | Incomplete List of Disallowed Inputs | Base | Simple | Draft | |
| Weakness | CWE-186 | Overly Restrictive Regular Expression | Base | Simple | Draft | |
| Weakness | CWE-188 | Reliance on Data/Memory Layout | Base | Simple | Draft | |
| Weakness | CWE-190 | Integer Overflow or Wraparound | Base | Simple | Stable | |
| Weakness | CWE-191 | Integer Underflow (Wrap or Wraparound) | Base | Simple | Draft | |
| Weakness | CWE-193 | Off-by-one Error | Base | Simple | Draft | |
| Weakness | CWE-197 | Numeric Truncation Error | Base | Simple | Incomplete | |
| Weakness | CWE-201 | Insertion of Sensitive Information Into Sent Data | Base | Simple | Draft | |
| Weakness | CWE-202 | Exposure of Sensitive Information Through Data Queries | Base | Simple | Draft | |
| Weakness | CWE-203 | Observable Discrepancy | Base | Simple | Incomplete | |
| Weakness | CWE-204 | Observable Response Discrepancy | Base | Simple | Incomplete | |
| Weakness | CWE-205 | Observable Behavioral Discrepancy | Base | Simple | Incomplete | |
| Weakness | CWE-208 | Observable Timing Discrepancy | Base | Simple | Incomplete | |
| Weakness | CWE-209 | Generation of Error Message Containing Sensitive Information | Base | Simple | Draft | |
| Weakness | CWE-210 | Self-generated Error Message Containing Sensitive Information | Base | Simple | Draft | |
| Weakness | CWE-211 | Externally-Generated Error Message Containing Sensitive Information | Base | Simple | Incomplete | |
| Weakness | CWE-212 | Improper Removal of Sensitive Information Before Storage or Transfer | Base | Simple | Incomplete | |
| Weakness | CWE-213 | Exposure of Sensitive Information Due to Incompatible Policies | Base | Simple | Draft | |
| Weakness | CWE-214 | Invocation of Process Using Visible Sensitive Information | Base | Simple | Incomplete | |
| Weakness | CWE-215 | Insertion of Sensitive Information Into Debugging Code | Base | Simple | Draft | |
| Weakness | CWE-217 | DEPRECATED: Failure to Protect Stored Data from Modification | Base | Simple | Deprecated | |
| Weakness | CWE-218 | DEPRECATED: Failure to provide confidentiality for stored data | Base | Simple | Deprecated | |
| Weakness | CWE-222 | Truncation of Security-relevant Information | Base | Simple | Draft | |
| Weakness | CWE-223 | Omission of Security-relevant Information | Base | Simple | Draft | |
| Weakness | CWE-224 | Obscured Security-relevant Information by Alternate Name | Base | Simple | Incomplete | |
| Weakness | CWE-225 | DEPRECATED: General Information Management Problems | Base | Simple | Deprecated | |
| Weakness | CWE-226 | Sensitive Information in Resource Not Removed Before Reuse | Base | Simple | Draft | |
| Weakness | CWE-229 | Improper Handling of Values | Base | Simple | Incomplete | |
| Weakness | CWE-233 | Improper Handling of Parameters | Base | Simple | Incomplete | |
| Weakness | CWE-237 | Improper Handling of Structural Elements | Base | Simple | Incomplete | |
| Weakness | CWE-240 | Improper Handling of Inconsistent Structural Elements | Base | Simple | Draft | |
| Weakness | CWE-241 | Improper Handling of Unexpected Data Type | Base | Simple | Draft | |
| Weakness | CWE-242 | Use of Inherently Dangerous Function | Base | Simple | Draft | |
| Weakness | CWE-247 | DEPRECATED: Reliance on DNS Lookups in a Security Decision | Base | Simple | Deprecated | |
| Weakness | CWE-248 | Uncaught Exception | Base | Simple | Draft | |
| Weakness | CWE-250 | Execution with Unnecessary Privileges | Base | Simple | Draft | |
| Weakness | CWE-252 | Unchecked Return Value | Base | Simple | Draft | |
| Weakness | CWE-253 | Incorrect Check of Function Return Value | Base | Simple | Incomplete | |
| Weakness | CWE-256 | Plaintext Storage of a Password | Base | Simple | Incomplete | |
| Weakness | CWE-257 | Storing Passwords in a Recoverable Format | Base | Simple | Incomplete | |
| Weakness | CWE-260 | Password in Configuration File | Base | Simple | Incomplete | |
| Weakness | CWE-261 | Weak Encoding for Password | Base | Simple | Incomplete | |
| Weakness | CWE-262 | Not Using Password Aging | Base | Simple | Draft | |
| Weakness | CWE-263 | Password Aging with Long Expiration | Base | Simple | Draft | |
| Weakness | CWE-266 | Incorrect Privilege Assignment | Base | Simple | Draft | |
| Weakness | CWE-267 | Privilege Defined With Unsafe Actions | Base | Simple | Incomplete | |
| Weakness | CWE-268 | Privilege Chaining | Base | Simple | Draft | |
| Weakness | CWE-270 | Privilege Context Switching Error | Base | Simple | Draft | |
| Weakness | CWE-272 | Least Privilege Violation | Base | Simple | Incomplete | |
| Weakness | CWE-273 | Improper Check for Dropped Privileges | Base | Simple | Incomplete | |
| Weakness | CWE-274 | Improper Handling of Insufficient Privileges | Base | Simple | Draft | |
| Weakness | CWE-276 | Incorrect Default Permissions | Base | Simple | Draft | |
| Weakness | CWE-280 | Improper Handling of Insufficient Permissions or Privileges | Base | Simple | Draft | |
| Weakness | CWE-281 | Improper Preservation of Permissions | Base | Simple | Draft | |
| Weakness | CWE-283 | Unverified Ownership | Base | Simple | Draft | |
| Weakness | CWE-288 | Authentication Bypass Using an Alternate Path or Channel | Base | Simple | Incomplete | |
| Weakness | CWE-289 | Authentication Bypass by Alternate Name | Base | Simple | Incomplete | |
| Weakness | CWE-290 | Authentication Bypass by Spoofing | Base | Simple | Incomplete | |
| Weakness | CWE-294 | Authentication Bypass by Capture-replay | Base | Simple | Incomplete | |
| Weakness | CWE-295 | Improper Certificate Validation | Base | Simple | Draft | |
| Weakness | CWE-296 | Improper Following of a Certificate's Chain of Trust | Base | Simple | Draft | |
| Weakness | CWE-299 | Improper Check for Certificate Revocation | Base | Simple | Draft | |
| Weakness | CWE-301 | Reflection Attack in an Authentication Protocol | Base | Simple | Draft | |
| Weakness | CWE-302 | Authentication Bypass by Assumed-Immutable Data | Base | Simple | Incomplete | |
| Weakness | CWE-303 | Incorrect Implementation of Authentication Algorithm | Base | Simple | Draft | |
| Weakness | CWE-304 | Missing Critical Step in Authentication | Base | Simple | Draft | |
| Weakness | CWE-305 | Authentication Bypass by Primary Weakness | Base | Simple | Draft | |
| Weakness | CWE-306 | Missing Authentication for Critical Function | Base | Simple | Draft | |
| Weakness | CWE-307 | Improper Restriction of Excessive Authentication Attempts | Base | Simple | Draft | |
| Weakness | CWE-308 | Use of Single-factor Authentication | Base | Simple | Draft | |
| Weakness | CWE-309 | Use of Password System for Primary Authentication | Base | Simple | Draft | |
| Weakness | CWE-312 | Cleartext Storage of Sensitive Information | Base | Simple | Draft | |
| Weakness | CWE-319 | Cleartext Transmission of Sensitive Information | Base | Simple | Draft | |
| Weakness | CWE-322 | Key Exchange without Entity Authentication | Base | Simple | Draft | |
| Weakness | CWE-323 | Reusing a Nonce, Key Pair in Encryption | Base | Simple | Incomplete | |
| Weakness | CWE-324 | Use of a Key Past its Expiration Date | Base | Simple | Draft | |
| Weakness | CWE-325 | Missing Cryptographic Step | Base | Simple | Draft | |
| Weakness | CWE-328 | Use of Weak Hash | Base | Simple | Draft | |
| Weakness | CWE-331 | Insufficient Entropy | Base | Simple | Draft | |
| Weakness | CWE-334 | Small Space of Random Values | Base | Simple | Draft | |
| Weakness | CWE-335 | Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) | Base | Simple | Draft | |
| Weakness | CWE-338 | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) | Base | Simple | Draft | |
| Weakness | CWE-341 | Predictable from Observable State | Base | Simple | Draft | |
| Weakness | CWE-342 | Predictable Exact Value from Previous Values | Base | Simple | Draft | |
| Weakness | CWE-343 | Predictable Value Range from Previous Values | Base | Simple | Draft | |
| Weakness | CWE-344 | Use of Invariant Value in Dynamically Changing Context | Base | Simple | Draft | |
| Weakness | CWE-347 | Improper Verification of Cryptographic Signature | Base | Simple | Draft | |
| Weakness | CWE-348 | Use of Less Trusted Source | Base | Simple | Draft | |
| Weakness | CWE-349 | Acceptance of Extraneous Untrusted Data With Trusted Data | Base | Simple | Draft | |
| Weakness | CWE-351 | Insufficient Type Distinction | Base | Simple | Draft | |
| Weakness | CWE-353 | Missing Support for Integrity Check | Base | Simple | Draft | |
| Weakness | CWE-354 | Improper Validation of Integrity Check Value | Base | Simple | Draft | |
| Weakness | CWE-356 | Product UI does not Warn User of Unsafe Actions | Base | Simple | Incomplete | |
| Weakness | CWE-357 | Insufficient UI Warning of Dangerous Operations | Base | Simple | Draft | |
| Weakness | CWE-358 | Improperly Implemented Security Check for Standard | Base | Simple | Draft | |
| Weakness | CWE-359 | Exposure of Private Personal Information to an Unauthorized Actor | Base | Simple | Incomplete | |
| Weakness | CWE-360 | Trust of System Event Data | Base | Simple | Incomplete | |
| Weakness | CWE-363 | Race Condition Enabling Link Following | Base | Simple | Draft | |
| Weakness | CWE-364 | Signal Handler Race Condition | Base | Simple | Incomplete | |
| Weakness | CWE-365 | DEPRECATED: Race Condition in Switch | Base | Simple | Deprecated | |
| Weakness | CWE-366 | Race Condition within a Thread | Base | Simple | Draft | |
| Weakness | CWE-367 | Time-of-check Time-of-use (TOCTOU) Race Condition | Base | Simple | Incomplete | |
| Weakness | CWE-368 | Context Switching Race Condition | Base | Simple | Draft | |
| Weakness | CWE-369 | Divide By Zero | Base | Simple | Draft | |
| Weakness | CWE-372 | Incomplete Internal State Distinction | Base | Simple | Draft | |
| Weakness | CWE-373 | DEPRECATED: State Synchronization Error | Base | Simple | Deprecated | |
| Weakness | CWE-374 | Passing Mutable Objects to an Untrusted Method | Base | Simple | Draft | |
| Weakness | CWE-375 | Returning a Mutable Object to an Untrusted Caller | Base | Simple | Draft | |
| Weakness | CWE-378 | Creation of Temporary File With Insecure Permissions | Base | Simple | Draft | |
| Weakness | CWE-379 | Creation of Temporary File in Directory with Insecure Permissions | Base | Simple | Incomplete | |
| Weakness | CWE-385 | Covert Timing Channel | Base | Simple | Incomplete | |
| Weakness | CWE-386 | Symbolic Name not Mapping to Correct Object | Base | Simple | Draft | |
| Weakness | CWE-390 | Detection of Error Condition Without Action | Base | Simple | Draft | |
| Weakness | CWE-391 | Unchecked Error Condition | Base | Simple | Incomplete | |
| Weakness | CWE-392 | Missing Report of Error Condition | Base | Simple | Draft | |
| Weakness | CWE-393 | Return of Wrong Status Code | Base | Simple | Draft | |
| Weakness | CWE-394 | Unexpected Status Code or Return Value | Base | Simple | Draft | |
| Weakness | CWE-395 | Use of NullPointerException Catch to Detect NULL Pointer Dereference | Base | Simple | Draft | |
| Weakness | CWE-396 | Declaration of Catch for Generic Exception | Base | Simple | Draft | |
| Weakness | CWE-397 | Declaration of Throws for Generic Exception | Base | Simple | Draft | |
| Weakness | CWE-403 | Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak') | Base | Simple | Draft | |
| Weakness | CWE-408 | Incorrect Behavior Order: Early Amplification | Base | Simple | Draft | |
| Weakness | CWE-409 | Improper Handling of Highly Compressed Data (Data Amplification) | Base | Simple | Incomplete | |
| Weakness | CWE-410 | Insufficient Resource Pool | Base | Simple | Incomplete | |
| Weakness | CWE-412 | Unrestricted Externally Accessible Lock | Base | Simple | Incomplete | |
| Weakness | CWE-413 | Improper Resource Locking | Base | Simple | Draft | |
| Weakness | CWE-414 | Missing Lock Check | Base | Simple | Draft | |
| Weakness | CWE-419 | Unprotected Primary Channel | Base | Simple | Draft | |
| Weakness | CWE-420 | Unprotected Alternate Channel | Base | Simple | Draft | |
| Weakness | CWE-421 | Race Condition During Access to Alternate Channel | Base | Simple | Draft | |
| Weakness | CWE-423 | DEPRECATED: Proxied Trusted Channel | Base | Simple | Deprecated | |
| Weakness | CWE-425 | Direct Request ('Forced Browsing') | Base | Simple | Incomplete | |
| Weakness | CWE-426 | Untrusted Search Path | Base | Simple | Stable | |
| Weakness | CWE-427 | Uncontrolled Search Path Element | Base | Simple | Draft | |
| Weakness | CWE-428 | Unquoted Search Path or Element | Base | Simple | Draft | |
| Weakness | CWE-430 | Deployment of Wrong Handler | Base | Simple | Incomplete | |
| Weakness | CWE-431 | Missing Handler | Base | Simple | Draft | |
| Weakness | CWE-432 | Dangerous Signal Handler not Disabled During Sensitive Operations | Base | Simple | Draft | |
| Weakness | CWE-434 | Unrestricted Upload of File with Dangerous Type | Base | Simple | Draft | |
| Weakness | CWE-437 | Incomplete Model of Endpoint Features | Base | Simple | Incomplete | |
| Weakness | CWE-439 | Behavioral Change in New Version or Environment | Base | Simple | Draft | |
| Weakness | CWE-440 | Expected Behavior Violation | Base | Simple | Draft | |
| Weakness | CWE-443 | DEPRECATED: HTTP response splitting | Base | Simple | Deprecated | |
| Weakness | CWE-444 | Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') | Base | Simple | Incomplete | |
| Weakness | CWE-447 | Unimplemented or Unsupported Feature in UI | Base | Simple | Draft | |
| Weakness | CWE-448 | Obsolete Feature in UI | Base | Simple | Draft | |
| Weakness | CWE-449 | The UI Performs the Wrong Action | Base | Simple | Incomplete | |
| Weakness | CWE-450 | Multiple Interpretations of UI Input | Base | Simple | Draft | |
| Weakness | CWE-454 | External Initialization of Trusted Variables or Data Stores | Base | Simple | Draft | |
| Weakness | CWE-455 | Non-exit on Failed Initialization | Base | Simple | Draft | |
| Weakness | CWE-458 | DEPRECATED: Incorrect Initialization | Base | Simple | Deprecated | |
| Weakness | CWE-459 | Incomplete Cleanup | Base | Simple | Draft | |
| Weakness | CWE-460 | Improper Cleanup on Thrown Exception | Base | Simple | Draft | |
| Weakness | CWE-463 | Deletion of Data Structure Sentinel | Base | Simple | Incomplete | |
| Weakness | CWE-464 | Addition of Data Structure Sentinel | Base | Simple | Incomplete | |
| Weakness | CWE-466 | Return of Pointer Value Outside of Expected Range | Base | Simple | Draft | |
| Weakness | CWE-468 | Incorrect Pointer Scaling | Base | Simple | Incomplete | |
| Weakness | CWE-469 | Use of Pointer Subtraction to Determine Size | Base | Simple | Draft | |
| Weakness | CWE-470 | Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') | Base | Simple | Draft | |
| Weakness | CWE-471 | Modification of Assumed-Immutable Data (MAID) | Base | Simple | Draft | |
| Weakness | CWE-472 | External Control of Assumed-Immutable Web Parameter | Base | Simple | Draft | |
| Weakness | CWE-474 | Use of Function with Inconsistent Implementations | Base | Simple | Draft | |
| Weakness | CWE-475 | Undefined Behavior for Input to API | Base | Simple | Incomplete | |
| Weakness | CWE-476 | NULL Pointer Dereference | Base | Simple | Stable | |
| Weakness | CWE-477 | Use of Obsolete Function | Base | Simple | Draft | |
| Weakness | CWE-478 | Missing Default Case in Multiple Condition Expression | Base | Simple | Draft | |
| Weakness | CWE-480 | Use of Incorrect Operator | Base | Simple | Draft | |
| Weakness | CWE-483 | Incorrect Block Delimitation | Base | Simple | Draft | |
| Weakness | CWE-484 | Omitted Break Statement in Switch | Base | Simple | Draft | |
| Weakness | CWE-487 | Reliance on Package-level Scope | Base | Simple | Incomplete | |
| Weakness | CWE-488 | Exposure of Data Element to Wrong Session | Base | Simple | Draft | |
| Weakness | CWE-489 | Active Debug Code | Base | Simple | Draft | |
| Weakness | CWE-494 | Download of Code Without Integrity Check | Base | Simple | Draft | |
| Weakness | CWE-497 | Exposure of Sensitive System Information to an Unauthorized Control Sphere | Base | Simple | Incomplete | |
| Weakness | CWE-501 | Trust Boundary Violation | Base | Simple | Draft | |
| Weakness | CWE-502 | Deserialization of Untrusted Data | Base | Simple | Draft | |
| Weakness | CWE-507 | Trojan Horse | Base | Simple | Incomplete | |
| Weakness | CWE-508 | Non-Replicating Malicious Code | Base | Simple | Incomplete | |
| Weakness | CWE-509 | Replicating Malicious Code (Virus or Worm) | Base | Simple | Incomplete | |
| Weakness | CWE-510 | Trapdoor | Base | Simple | Incomplete | |
| Weakness | CWE-511 | Logic/Time Bomb | Base | Simple | Incomplete | |
| Weakness | CWE-512 | Spyware | Base | Simple | Incomplete | |
| Weakness | CWE-515 | Covert Storage Channel | Base | Simple | Incomplete | |
| Weakness | CWE-516 | DEPRECATED: Covert Timing Channel | Base | Simple | Deprecated | |
| Weakness | CWE-521 | Weak Password Requirements | Base | Simple | Draft | |
| Weakness | CWE-523 | Unprotected Transport of Credentials | Base | Simple | Incomplete | |
| Weakness | CWE-524 | Use of Cache Containing Sensitive Information | Base | Simple | Incomplete | |
| Weakness | CWE-532 | Insertion of Sensitive Information into Log File | Base | Simple | Incomplete | |
| Weakness | CWE-538 | Insertion of Sensitive Information into Externally-Accessible File or Directory | Base | Simple | Draft | |
| Weakness | CWE-540 | Inclusion of Sensitive Information in Source Code | Base | Simple | Incomplete | |
| Weakness | CWE-544 | Missing Standardized Error Handling Mechanism | Base | Simple | Draft | |
| Weakness | CWE-547 | Use of Hard-coded, Security-relevant Constants | Base | Simple | Draft | |
| Weakness | CWE-549 | Missing Password Field Masking | Base | Simple | Draft | |
| Weakness | CWE-551 | Incorrect Behavior Order: Authorization Before Parsing and Canonicalization | Base | Simple | Incomplete | |
| Weakness | CWE-552 | Files or Directories Accessible to External Parties | Base | Simple | Draft | |
| Weakness | CWE-561 | Dead Code | Base | Simple | Draft | |
| Weakness | CWE-562 | Return of Stack Variable Address | Base | Simple | Draft | |
| Weakness | CWE-563 | Assignment to Variable without Use | Base | Simple | Draft | |
| Weakness | CWE-565 | Reliance on Cookies without Validation and Integrity Checking | Base | Simple | Incomplete | |
| Weakness | CWE-567 | Unsynchronized Access to Shared Data in a Multithreaded Context | Base | Simple | Draft | |
| Weakness | CWE-570 | Expression is Always False | Base | Simple | Draft | |
| Weakness | CWE-571 | Expression is Always True | Base | Simple | Draft | |
| Weakness | CWE-584 | Return Inside Finally Block | Base | Simple | Draft | |
| Weakness | CWE-586 | Explicit Call to Finalize() | Base | Simple | Draft | |
| Weakness | CWE-596 | DEPRECATED: Incorrect Semantic Object Comparison | Base | Simple | Deprecated | |
| Weakness | CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') | Base | Simple | Draft | |
| Weakness | CWE-603 | Use of Client-Side Authentication | Base | Simple | Draft | |
| Weakness | CWE-606 | Unchecked Input for Loop Condition | Base | Simple | Draft | |
| Weakness | CWE-609 | Double-Checked Locking | Base | Simple | Draft | |
| Weakness | CWE-611 | Improper Restriction of XML External Entity Reference | Base | Simple | Draft | |
| Weakness | CWE-612 | Improper Authorization of Index Containing Sensitive Information | Base | Simple | Draft | |
| Weakness | CWE-613 | Insufficient Session Expiration | Base | Simple | Incomplete | |
| Weakness | CWE-617 | Reachable Assertion | Base | Simple | Draft | |
| Weakness | CWE-619 | Dangling Database Cursor ('Cursor Injection') | Base | Simple | Incomplete | |
| Weakness | CWE-620 | Unverified Password Change | Base | Simple | Draft | |
| Weakness | CWE-624 | Executable Regular Expression Error | Base | Simple | Incomplete | |
| Weakness | CWE-625 | Permissive Regular Expression | Base | Simple | Draft | |
| Weakness | CWE-628 | Function Call with Incorrectly Specified Arguments | Base | Simple | Draft | |
| Weakness | CWE-639 | Authorization Bypass Through User-Controlled Key | Base | Simple | Incomplete | |
| Weakness | CWE-640 | Weak Password Recovery Mechanism for Forgotten Password | Base | Simple | Incomplete | |
| Weakness | CWE-641 | Improper Restriction of Names for Files and Other Resources | Base | Simple | Incomplete | |
| Weakness | CWE-643 | Improper Neutralization of Data within XPath Expressions ('XPath Injection') | Base | Simple | Incomplete | |
| Weakness | CWE-645 | Overly Restrictive Account Lockout Mechanism | Base | Simple | Incomplete | |
| Weakness | CWE-648 | Incorrect Use of Privileged APIs | Base | Simple | Incomplete | |
| Weakness | CWE-649 | Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking | Base | Simple | Incomplete | |
| Weakness | CWE-652 | Improper Neutralization of Data within XQuery Expressions ('XQuery Injection') | Base | Simple | Incomplete | |
| Weakness | CWE-654 | Reliance on a Single Factor in a Security Decision | Base | Simple | Draft | |
| Weakness | CWE-663 | Use of a Non-reentrant Function in a Concurrent Context | Base | Simple | Draft | |
| Weakness | CWE-676 | Use of Potentially Dangerous Function | Base | Simple | Draft | |
| Weakness | CWE-681 | Incorrect Conversion between Numeric Types | Base | Simple | Draft | |
| Weakness | CWE-694 | Use of Multiple Resources with Duplicate Identifier | Base | Simple | Incomplete | |
| Weakness | CWE-695 | Use of Low-Level Functionality | Base | Simple | Incomplete | |
| Weakness | CWE-698 | Execution After Redirect (EAR) | Base | Simple | Incomplete | |
| Weakness | CWE-708 | Incorrect Ownership Assignment | Base | Simple | Incomplete | |
| Weakness | CWE-733 | Compiler Optimization Removal or Modification of Security-critical Code | Base | Simple | Incomplete | |
| Weakness | CWE-749 | Exposed Dangerous Method or Function | Base | Simple | Incomplete | |
| Weakness | CWE-756 | Missing Custom Error Page | Base | Simple | Incomplete | |
| Weakness | CWE-757 | Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') | Base | Simple | Incomplete | |
| Weakness | CWE-763 | Release of Invalid Pointer or Reference | Base | Simple | Incomplete | |
| Weakness | CWE-764 | Multiple Locks of a Critical Resource | Base | Simple | Incomplete | |
| Weakness | CWE-765 | Multiple Unlocks of a Critical Resource | Base | Simple | Incomplete | |
| Weakness | CWE-766 | Critical Data Element Declared Public | Base | Simple | Incomplete | |
| Weakness | CWE-767 | Access to Critical Private Variable via Public Method | Base | Simple | Incomplete | |
| Weakness | CWE-769 | DEPRECATED: Uncontrolled File Descriptor Consumption | Base | Simple | Deprecated | |
| Weakness | CWE-770 | Allocation of Resources Without Limits or Throttling | Base | Simple | Incomplete | |
| Weakness | CWE-771 | Missing Reference to Active Allocated Resource | Base | Simple | Incomplete | |
| Weakness | CWE-772 | Missing Release of Resource after Effective Lifetime | Base | Simple | Draft | |
| Weakness | CWE-776 | Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') | Base | Simple | Draft | |
| Weakness | CWE-778 | Insufficient Logging | Base | Simple | Draft | |
| Weakness | CWE-779 | Logging of Excessive Data | Base | Simple | Draft | |
| Weakness | CWE-783 | Operator Precedence Logic Error | Base | Simple | Draft | |
| Weakness | CWE-786 | Access of Memory Location Before Start of Buffer | Base | Simple | Incomplete | |
| Weakness | CWE-787 | Out-of-bounds Write | Base | Simple | Draft | |
| Weakness | CWE-788 | Access of Memory Location After End of Buffer | Base | Simple | Incomplete | |
| Weakness | CWE-791 | Incomplete Filtering of Special Elements | Base | Simple | Incomplete | |
| Weakness | CWE-795 | Only Filtering Special Elements at a Specified Location | Base | Simple | Incomplete | |
| Weakness | CWE-798 | Use of Hard-coded Credentials | Base | Simple | Draft | |
| Weakness | CWE-804 | Guessable CAPTCHA | Base | Simple | Incomplete | |
| Weakness | CWE-805 | Buffer Access with Incorrect Length Value | Base | Simple | Incomplete | |
| Weakness | CWE-807 | Reliance on Untrusted Inputs in a Security Decision | Base | Simple | Incomplete | |
| Weakness | CWE-820 | Missing Synchronization | Base | Simple | Incomplete | |
| Weakness | CWE-821 | Incorrect Synchronization | Base | Simple | Incomplete | |
| Weakness | CWE-822 | Untrusted Pointer Dereference | Base | Simple | Incomplete | |
| Weakness | CWE-823 | Use of Out-of-range Pointer Offset | Base | Simple | Incomplete | |
| Weakness | CWE-824 | Access of Uninitialized Pointer | Base | Simple | Incomplete | |
| Weakness | CWE-825 | Expired Pointer Dereference | Base | Simple | Incomplete | |
| Weakness | CWE-826 | Premature Release of Resource During Expected Lifetime | Base | Simple | Incomplete | |
| Weakness | CWE-829 | Inclusion of Functionality from Untrusted Control Sphere | Base | Simple | Incomplete | |
| Weakness | CWE-832 | Unlock of a Resource that is not Locked | Base | Simple | Incomplete | |
| Weakness | CWE-833 | Deadlock | Base | Simple | Incomplete | |
| Weakness | CWE-835 | Loop with Unreachable Exit Condition ('Infinite Loop') | Base | Simple | Incomplete | |
| Weakness | CWE-836 | Use of Password Hash Instead of Password for Authentication | Base | Simple | Incomplete | |
| Weakness | CWE-837 | Improper Enforcement of a Single, Unique Action | Base | Simple | Incomplete | |
| Weakness | CWE-838 | Inappropriate Encoding for Output Context | Base | Simple | Incomplete | |
| Weakness | CWE-839 | Numeric Range Comparison Without Minimum Check | Base | Simple | Incomplete | |
| Weakness | CWE-841 | Improper Enforcement of Behavioral Workflow | Base | Simple | Incomplete | |
| Weakness | CWE-842 | Placement of User into Incorrect Group | Base | Simple | Incomplete | |
| Weakness | CWE-843 | Access of Resource Using Incompatible Type ('Type Confusion') | Base | Simple | Incomplete | |
| Weakness | CWE-908 | Use of Uninitialized Resource | Base | Simple | Incomplete | |
| Weakness | CWE-910 | Use of Expired File Descriptor | Base | Simple | Incomplete | |
| Weakness | CWE-911 | Improper Update of Reference Count | Base | Simple | Incomplete | |
| Weakness | CWE-914 | Improper Control of Dynamically-Identified Variables | Base | Simple | Incomplete | |
| Weakness | CWE-915 | Improperly Controlled Modification of Dynamically-Determined Object Attributes | Base | Simple | Incomplete | |
| Weakness | CWE-916 | Use of Password Hash With Insufficient Computational Effort | Base | Simple | Incomplete | |
| Weakness | CWE-917 | Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') | Base | Simple | Incomplete | |
| Weakness | CWE-918 | Server-Side Request Forgery (SSRF) | Base | Simple | Incomplete | |
| Weakness | CWE-920 | Improper Restriction of Power Consumption | Base | Simple | Incomplete | |
| Weakness | CWE-921 | Storage of Sensitive Data in a Mechanism without Access Control | Base | Simple | Incomplete | |
| Weakness | CWE-924 | Improper Enforcement of Message Integrity During Transmission in a Communication Channel | Base | Simple | Incomplete | |
| Weakness | CWE-939 | Improper Authorization in Handler for Custom URL Scheme | Base | Simple | Incomplete | |
| Weakness | CWE-940 | Improper Verification of Source of a Communication Channel | Base | Simple | Incomplete | |
| Weakness | CWE-941 | Incorrectly Specified Destination in a Communication Channel | Base | Simple | Incomplete | |
| Weakness | CWE-1007 | Insufficient Visual Distinction of Homoglyphs Presented to User | Base | Simple | Incomplete | |
| Weakness | CWE-1021 | Improper Restriction of Rendered UI Layers or Frames | Base | Simple | Incomplete | |
| Weakness | CWE-1024 | Comparison of Incompatible Types | Base | Simple | Incomplete | |
| Weakness | CWE-1025 | Comparison Using Wrong Factors | Base | Simple | Incomplete | |
| Weakness | CWE-1037 | Processor Optimization Removal or Modification of Security-critical Code | Base | Simple | Incomplete | |
| Weakness | CWE-1041 | Use of Redundant Code | Base | Simple | Incomplete | |
| Weakness | CWE-1043 | Data Element Aggregating an Excessively Large Number of Non-Primitive Elements | Base | Simple | Incomplete | |
| Weakness | CWE-1044 | Architecture with Number of Horizontal Layers Outside of Expected Range | Base | Simple | Incomplete | |
| Weakness | CWE-1045 | Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor | Base | Simple | Incomplete | |
| Weakness | CWE-1046 | Creation of Immutable Text Using String Concatenation | Base | Simple | Incomplete | |
| Weakness | CWE-1047 | Modules with Circular Dependencies | Base | Simple | Incomplete | |
| Weakness | CWE-1048 | Invokable Control Element with Large Number of Outward Calls | Base | Simple | Incomplete | |
| Weakness | CWE-1049 | Excessive Data Query Operations in a Large Data Table | Base | Simple | Incomplete | |
| Weakness | CWE-1050 | Excessive Platform Resource Consumption within a Loop | Base | Simple | Incomplete | |
| Weakness | CWE-1051 | Initialization with Hard-Coded Network Resource Configuration Data | Base | Simple | Incomplete | |
| Weakness | CWE-1052 | Excessive Use of Hard-Coded Literals in Initialization | Base | Simple | Incomplete | |
| Weakness | CWE-1053 | Missing Documentation for Design | Base | Simple | Incomplete | |
| Weakness | CWE-1054 | Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer | Base | Simple | Incomplete | |
| Weakness | CWE-1055 | Multiple Inheritance from Concrete Classes | Base | Simple | Incomplete | |
| Weakness | CWE-1056 | Invokable Control Element with Variadic Parameters | Base | Simple | Incomplete | |
| Weakness | CWE-1057 | Data Access Operations Outside of Expected Data Manager Component | Base | Simple | Incomplete | |
| Weakness | CWE-1058 | Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element | Base | Simple | Incomplete | |
| Weakness | CWE-1060 | Excessive Number of Inefficient Server-Side Data Accesses | Base | Simple | Incomplete | |
| Weakness | CWE-1062 | Parent Class with References to Child Class | Base | Simple | Incomplete | |
| Weakness | CWE-1063 | Creation of Class Instance within a Static Code Block | Base | Simple | Incomplete | |
| Weakness | CWE-1064 | Invokable Control Element with Signature Containing an Excessive Number of Parameters | Base | Simple | Incomplete | |
| Weakness | CWE-1065 | Runtime Resource Management Control Element in a Component Built to Run on Application Servers | Base | Simple | Incomplete | |
| Weakness | CWE-1066 | Missing Serialization Control Element | Base | Simple | Incomplete | |
| Weakness | CWE-1067 | Excessive Execution of Sequential Searches of Data Resource | Base | Simple | Incomplete | |
| Weakness | CWE-1068 | Inconsistency Between Implementation and Documented Design | Base | Simple | Incomplete | |
| Weakness | CWE-1070 | Serializable Data Element Containing non-Serializable Item Elements | Base | Simple | Incomplete | |
| Weakness | CWE-1071 | Empty Code Block | Base | Simple | Incomplete | |
| Weakness | CWE-1072 | Data Resource Access without Use of Connection Pooling | Base | Simple | Incomplete | |
| Weakness | CWE-1073 | Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses | Base | Simple | Incomplete | |
| Weakness | CWE-1074 | Class with Excessively Deep Inheritance | Base | Simple | Incomplete | |
| Weakness | CWE-1075 | Unconditional Control Flow Transfer outside of Switch Block | Base | Simple | Incomplete | |
| Weakness | CWE-1079 | Parent Class without Virtual Destructor Method | Base | Simple | Incomplete | |
| Weakness | CWE-1080 | Source Code File with Excessive Number of Lines of Code | Base | Simple | Incomplete | |
| Weakness | CWE-1082 | Class Instance Self Destruction Control Element | Base | Simple | Incomplete | |
| Weakness | CWE-1083 | Data Access from Outside Expected Data Manager Component | Base | Simple | Incomplete | |
| Weakness | CWE-1084 | Invokable Control Element with Excessive File or Data Access Operations | Base | Simple | Incomplete | |
| Weakness | CWE-1085 | Invokable Control Element with Excessive Volume of Commented-out Code | Base | Simple | Incomplete | |
| Weakness | CWE-1086 | Class with Excessive Number of Child Classes | Base | Simple | Incomplete | |
| Weakness | CWE-1087 | Class with Virtual Method without a Virtual Destructor | Base | Simple | Incomplete | |
| Weakness | CWE-1088 | Synchronous Access of Remote Resource without Timeout | Base | Simple | Incomplete | |
| Weakness | CWE-1089 | Large Data Table with Excessive Number of Indices | Base | Simple | Incomplete | |
| Weakness | CWE-1090 | Method Containing Access of a Member Element from Another Class | Base | Simple | Incomplete | |
| Weakness | CWE-1091 | Use of Object without Invoking Destructor Method | Base | Simple | Incomplete | |
| Weakness | CWE-1092 | Use of Same Invokable Control Element in Multiple Architectural Layers | Base | Simple | Incomplete | |
| Weakness | CWE-1094 | Excessive Index Range Scan for a Data Resource | Base | Simple | Incomplete | |
| Weakness | CWE-1095 | Loop Condition Value Update within the Loop | Base | Simple | Incomplete | |
| Weakness | CWE-1097 | Persistent Storable Data Element without Associated Comparison Control Element | Base | Simple | Incomplete | |
| Weakness | CWE-1098 | Data Element containing Pointer Item without Proper Copy Control Element | Base | Simple | Incomplete | |
| Weakness | CWE-1099 | Inconsistent Naming Conventions for Identifiers | Base | Simple | Incomplete | |
| Weakness | CWE-1100 | Insufficient Isolation of System-Dependent Functions | Base | Simple | Incomplete | |
| Weakness | CWE-1101 | Reliance on Runtime Component in Generated Code | Base | Simple | Incomplete | |
| Weakness | CWE-1102 | Reliance on Machine-Dependent Data Representation | Base | Simple | Incomplete | |
| Weakness | CWE-1103 | Use of Platform-Dependent Third Party Components | Base | Simple | Incomplete | |
| Weakness | CWE-1104 | Use of Unmaintained Third Party Components | Base | Simple | Incomplete | |
| Weakness | CWE-1105 | Insufficient Encapsulation of Machine-Dependent Functionality | Base | Simple | Incomplete | |
| Weakness | CWE-1106 | Insufficient Use of Symbolic Constants | Base | Simple | Incomplete | |
| Weakness | CWE-1107 | Insufficient Isolation of Symbolic Constant Definitions | Base | Simple | Incomplete | |
| Weakness | CWE-1108 | Excessive Reliance on Global Variables | Base | Simple | Incomplete | |
| Weakness | CWE-1109 | Use of Same Variable for Multiple Purposes | Base | Simple | Incomplete | |
| Weakness | CWE-1110 | Incomplete Design Documentation | Base | Simple | Incomplete | |
| Weakness | CWE-1111 | Incomplete I/O Documentation | Base | Simple | Incomplete | |
| Weakness | CWE-1112 | Incomplete Documentation of Program Execution | Base | Simple | Incomplete | |
| Weakness | CWE-1113 | Inappropriate Comment Style | Base | Simple | Incomplete | |
| Weakness | CWE-1114 | Inappropriate Whitespace Style | Base | Simple | Incomplete | |
| Weakness | CWE-1115 | Source Code Element without Standard Prologue | Base | Simple | Incomplete | |
| Weakness | CWE-1116 | Inaccurate Comments | Base | Simple | Incomplete | |
| Weakness | CWE-1117 | Callable with Insufficient Behavioral Summary | Base | Simple | Incomplete | |
| Weakness | CWE-1118 | Insufficient Documentation of Error Handling Techniques | Base | Simple | Incomplete | |
| Weakness | CWE-1119 | Excessive Use of Unconditional Branching | Base | Simple | Incomplete | |
| Weakness | CWE-1121 | Excessive McCabe Cyclomatic Complexity | Base | Simple | Incomplete | |
| Weakness | CWE-1122 | Excessive Halstead Complexity | Base | Simple | Incomplete | |
| Weakness | CWE-1123 | Excessive Use of Self-Modifying Code | Base | Simple | Incomplete | |
| Weakness | CWE-1124 | Excessively Deep Nesting | Base | Simple | Incomplete | |
| Weakness | CWE-1125 | Excessive Attack Surface | Base | Simple | Incomplete | |
| Weakness | CWE-1126 | Declaration of Variable with Unnecessarily Wide Scope | Base | Simple | Incomplete | |
| Weakness | CWE-1127 | Compilation with Insufficient Warnings or Errors | Base | Simple | Incomplete | |
| Weakness | CWE-1173 | Improper Use of Validation Framework | Base | Simple | Draft | |
| Weakness | CWE-1187 | DEPRECATED: Use of Uninitialized Resource | Base | Simple | Deprecated | |
| Weakness | CWE-1188 | Initialization of a Resource with an Insecure Default | Base | Simple | Incomplete | |
| Weakness | CWE-1189 | Improper Isolation of Shared Resources on System-on-a-Chip (SoC) | Base | Simple | Stable | |
| Weakness | CWE-1190 | DMA Device Enabled Too Early in Boot Phase | Base | Simple | Draft | |
| Weakness | CWE-1191 | On-Chip Debug and Test Interface With Improper Access Control | Base | Simple | Stable | |
| Weakness | CWE-1192 | Improper Identifier for IP Block used in System-On-Chip (SOC) | Base | Simple | Draft | |
| Weakness | CWE-1193 | Power-On of Untrusted Execution Core Before Enabling Fabric Access Control | Base | Simple | Draft | |
| Weakness | CWE-1204 | Generation of Weak Initialization Vector (IV) | Base | Simple | Incomplete | |
| Weakness | CWE-1209 | Failure to Disable Reserved Bits | Base | Simple | Incomplete | |
| Weakness | CWE-1220 | Insufficient Granularity of Access Control | Base | Simple | Incomplete | |
| Weakness | CWE-1221 | Incorrect Register Defaults or Module Parameters | Base | Simple | Incomplete | |
| Weakness | CWE-1223 | Race Condition for Write-Once Attributes | Base | Simple | Incomplete | |
| Weakness | CWE-1224 | Improper Restriction of Write-Once Bit Fields | Base | Simple | Incomplete | |
| Weakness | CWE-1230 | Exposure of Sensitive Information Through Metadata | Base | Simple | Incomplete | |
| Weakness | CWE-1231 | Improper Prevention of Lock Bit Modification | Base | Simple | Stable | |
| Weakness | CWE-1232 | Improper Lock Behavior After Power State Transition | Base | Simple | Incomplete | |
| Weakness | CWE-1233 | Security-Sensitive Hardware Controls with Missing Lock Bit Protection | Base | Simple | Stable | |
| Weakness | CWE-1234 | Hardware Internal or Debug Modes Allow Override of Locks | Base | Simple | Incomplete | |
| Weakness | CWE-1235 | Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations | Base | Simple | Incomplete | |
| Weakness | CWE-1236 | Improper Neutralization of Formula Elements in a CSV File | Base | Simple | Incomplete | |
| Weakness | CWE-1240 | Use of a Cryptographic Primitive with a Risky Implementation | Base | Simple | Draft | |
| Weakness | CWE-1241 | Use of Predictable Algorithm in Random Number Generator | Base | Simple | Draft | |
| Weakness | CWE-1242 | Inclusion of Undocumented Features or Chicken Bits | Base | Simple | Incomplete | |
| Weakness | CWE-1243 | Sensitive Non-Volatile Information Not Protected During Debug | Base | Simple | Incomplete | |
| Weakness | CWE-1244 | Internal Asset Exposed to Unsafe Debug Access Level or State | Base | Simple | Stable | |
| Weakness | CWE-1245 | Improper Finite State Machines (FSMs) in Hardware Logic | Base | Simple | Incomplete | |
| Weakness | CWE-1246 | Improper Write Handling in Limited-write Non-Volatile Memories | Base | Simple | Incomplete | |
| Weakness | CWE-1247 | Improper Protection Against Voltage and Clock Glitches | Base | Simple | Stable | |
| Weakness | CWE-1248 | Semiconductor Defects in Hardware Logic with Security-Sensitive Implications | Base | Simple | Incomplete | |
| Weakness | CWE-1249 | Application-Level Admin Tool with Inconsistent View of Underlying Operating System | Base | Simple | Incomplete | |
| Weakness | CWE-1250 | Improper Preservation of Consistency Between Independent Representations of Shared State | Base | Simple | Incomplete | |
| Weakness | CWE-1251 | Mirrored Regions with Different Values | Base | Simple | Incomplete | |
| Weakness | CWE-1252 | CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations | Base | Simple | Incomplete | |
| Weakness | CWE-1253 | Incorrect Selection of Fuse Values | Base | Simple | Draft | |
| Weakness | CWE-1254 | Incorrect Comparison Logic Granularity | Base | Simple | Draft | |
| Weakness | CWE-1256 | Improper Restriction of Software Interfaces to Hardware Features | Base | Simple | Stable | |
| Weakness | CWE-1257 | Improper Access Control Applied to Mirrored or Aliased Memory Regions | Base | Simple | Incomplete | |
| Weakness | CWE-1258 | Exposure of Sensitive System Information Due to Uncleared Debug Information | Base | Simple | Draft | |
| Weakness | CWE-1259 | Improper Restriction of Security Token Assignment | Base | Simple | Incomplete | |
| Weakness | CWE-1260 | Improper Handling of Overlap Between Protected Memory Ranges | Base | Simple | Stable | |
| Weakness | CWE-1261 | Improper Handling of Single Event Upsets | Base | Simple | Draft | |
| Weakness | CWE-1262 | Improper Access Control for Register Interface | Base | Simple | Stable | |
| Weakness | CWE-1264 | Hardware Logic with Insecure De-Synchronization between Control and Data Channels | Base | Simple | Incomplete | |
| Weakness | CWE-1265 | Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls | Base | Simple | Draft | |
| Weakness | CWE-1266 | Improper Scrubbing of Sensitive Data from Decommissioned Device | Base | Simple | Incomplete | |
| Weakness | CWE-1267 | Policy Uses Obsolete Encoding | Base | Simple | Draft | |
| Weakness | CWE-1268 | Policy Privileges are not Assigned Consistently Between Control and Data Agents | Base | Simple | Draft | |
| Weakness | CWE-1269 | Product Released in Non-Release Configuration | Base | Simple | Incomplete | |
| Weakness | CWE-1270 | Generation of Incorrect Security Tokens | Base | Simple | Incomplete | |
| Weakness | CWE-1271 | Uninitialized Value on Reset for Registers Holding Security Settings | Base | Simple | Incomplete | |
| Weakness | CWE-1272 | Sensitive Information Uncleared Before Debug/Power State Transition | Base | Simple | Stable | |
| Weakness | CWE-1273 | Device Unlock Credential Sharing | Base | Simple | Incomplete | |
| Weakness | CWE-1274 | Improper Access Control for Volatile Memory Containing Boot Code | Base | Simple | Stable | |
| Weakness | CWE-1276 | Hardware Child Block Incorrectly Connected to Parent System | Base | Simple | Incomplete | |
| Weakness | CWE-1277 | Firmware Not Updateable | Base | Simple | Draft | |
| Weakness | CWE-1278 | Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques | Base | Simple | Incomplete | |
| Weakness | CWE-1279 | Cryptographic Operations are run Before Supporting Units are Ready | Base | Simple | Incomplete | |
| Weakness | CWE-1280 | Access Control Check Implemented After Asset is Accessed | Base | Simple | Incomplete | |
| Weakness | CWE-1281 | Sequence of Processor Instructions Leads to Unexpected Behavior | Base | Simple | Incomplete | |
| Weakness | CWE-1282 | Assumed-Immutable Data is Stored in Writable Memory | Base | Simple | Incomplete | |
| Weakness | CWE-1283 | Mutable Attestation or Measurement Reporting Data | Base | Simple | Incomplete | |
| Weakness | CWE-1284 | Improper Validation of Specified Quantity in Input | Base | Simple | Incomplete | |
| Weakness | CWE-1285 | Improper Validation of Specified Index, Position, or Offset in Input | Base | Simple | Incomplete | |
| Weakness | CWE-1286 | Improper Validation of Syntactic Correctness of Input | Base | Simple | Incomplete | |
| Weakness | CWE-1287 | Improper Validation of Specified Type of Input | Base | Simple | Incomplete | |
| Weakness | CWE-1288 | Improper Validation of Consistency within Input | Base | Simple | Incomplete | |
| Weakness | CWE-1289 | Improper Validation of Unsafe Equivalence in Input | Base | Simple | Incomplete | |
| Weakness | CWE-1290 | Incorrect Decoding of Security Identifiers | Base | Simple | Incomplete | |
| Weakness | CWE-1291 | Public Key Re-Use for Signing both Debug and Production Code | Base | Simple | Draft | |
| Weakness | CWE-1292 | Incorrect Conversion of Security Identifiers | Base | Simple | Draft | |
| Weakness | CWE-1293 | Missing Source Correlation of Multiple Independent Data | Base | Simple | Draft | |
| Weakness | CWE-1295 | Debug Messages Revealing Unnecessary Information | Base | Simple | Incomplete | |
| Weakness | CWE-1296 | Incorrect Chaining or Granularity of Debug Components | Base | Simple | Incomplete | |
| Weakness | CWE-1297 | Unprotected Confidential Information on Device is Accessible by OSAT Vendors | Base | Simple | Incomplete | |
| Weakness | CWE-1298 | Hardware Logic Contains Race Conditions | Base | Simple | Draft | |
| Weakness | CWE-1299 | Missing Protection Mechanism for Alternate Hardware Interface | Base | Simple | Draft | |
| Weakness | CWE-1300 | Improper Protection of Physical Side Channels | Base | Simple | Stable | |
| Weakness | CWE-1301 | Insufficient or Incomplete Data Removal within Hardware Component | Base | Simple | Incomplete | |
| Weakness | CWE-1302 | Missing Source Identifier in Entity Transactions on a System-On-Chip (SOC) | Base | Simple | Incomplete | |
| Weakness | CWE-1303 | Non-Transparent Sharing of Microarchitectural Resources | Base | Simple | Draft | |
| Weakness | CWE-1304 | Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation | Base | Simple | Draft | |
| Weakness | CWE-1310 | Missing Ability to Patch ROM Code | Base | Simple | Draft | |
| Weakness | CWE-1311 | Improper Translation of Security Attributes by Fabric Bridge | Base | Simple | Draft | |
| Weakness | CWE-1312 | Missing Protection for Mirrored Regions in On-Chip Fabric Firewall | Base | Simple | Draft | |
| Weakness | CWE-1313 | Hardware Allows Activation of Test or Debug Logic at Runtime | Base | Simple | Draft | |
| Weakness | CWE-1314 | Missing Write Protection for Parametric Data Values | Base | Simple | Draft | |
| Weakness | CWE-1315 | Improper Setting of Bus Controlling Capability in Fabric End-point | Base | Simple | Incomplete | |
| Weakness | CWE-1316 | Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges | Base | Simple | Draft | |
| Weakness | CWE-1317 | Improper Access Control in Fabric Bridge | Base | Simple | Draft | |
| Weakness | CWE-1318 | Missing Support for Security Features in On-chip Fabrics or Buses | Base | Simple | Incomplete | |
| Weakness | CWE-1319 | Improper Protection against Electromagnetic Fault Injection (EM-FI) | Base | Simple | Incomplete | |
| Weakness | CWE-1320 | Improper Protection for Outbound Error Messages and Alert Signals | Base | Simple | Draft | |
| Weakness | CWE-1322 | Use of Blocking Code in Single-threaded, Non-blocking Context | Base | Simple | Incomplete | |
| Weakness | CWE-1323 | Improper Management of Sensitive Trace Data | Base | Simple | Draft | |
| Weakness | CWE-1324 | DEPRECATED: Sensitive Information Accessible by Physical Probing of JTAG Interface | Base | Simple | Deprecated | |
| Weakness | CWE-1325 | Improperly Controlled Sequential Memory Allocation | Base | Simple | Incomplete | |
| Weakness | CWE-1326 | Missing Immutable Root of Trust in Hardware | Base | Simple | Draft | |
| Weakness | CWE-1327 | Binding to an Unrestricted IP Address | Base | Simple | Incomplete | |
| Weakness | CWE-1328 | Security Version Number Mutable to Older Versions | Base | Simple | Draft | |
| Weakness | CWE-1329 | Reliance on Component That is Not Updateable | Base | Simple | Incomplete | |
| Weakness | CWE-1331 | Improper Isolation of Shared Resources in Network On Chip (NoC) | Base | Simple | Stable | |
| Weakness | CWE-1332 | Improper Handling of Faults that Lead to Instruction Skips | Base | Simple | Stable | |
| Weakness | CWE-1333 | Inefficient Regular Expression Complexity | Base | Simple | Draft | |
| Weakness | CWE-1334 | Unauthorized Error Injection Can Degrade Hardware Redundancy | Base | Simple | Draft | |
| Weakness | CWE-1335 | Incorrect Bitwise Shift of Integer | Base | Simple | Draft | |
| Weakness | CWE-1336 | Improper Neutralization of Special Elements Used in a Template Engine | Base | Simple | Incomplete | |
| Weakness | CWE-1338 | Improper Protections Against Hardware Overheating | Base | Simple | Draft | |
| Weakness | CWE-1339 | Insufficient Precision or Accuracy of a Real Number | Base | Simple | Draft | |
| Weakness | CWE-1341 | Multiple Releases of Same Resource or Handle | Base | Simple | Incomplete | |
| Weakness | CWE-1342 | Information Exposure through Microarchitectural State after Transient Execution | Base | Simple | Incomplete | |
| Weakness | CWE-1351 | Improper Handling of Hardware Behavior in Exceptionally Cold Environments | Base | Simple | Incomplete | |
| Weakness | CWE-1386 | Insecure Operation on Windows Junction / Mount Point | Base | Simple | Incomplete | |
| Weakness | CWE-1389 | Incorrect Parsing of Numbers with Different Radices | Base | Simple | Incomplete | |
| Weakness | CWE-1392 | Use of Default Credentials | Base | Simple | Incomplete | |
| Weakness | CWE-1393 | Use of Default Password | Base | Simple | Incomplete | |
| Weakness | CWE-1394 | Use of Default Cryptographic Key | Base | Simple | Incomplete | |
| Weakness | CWE-1420 | Exposure of Sensitive Information during Transient Execution | Base | Simple | Incomplete | |
| Weakness | CWE-1421 | Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution | Base | Simple | Incomplete | |
| Weakness | CWE-1422 | Exposure of Sensitive Information caused by Incorrect Data Forwarding during Transient Execution | Base | Simple | Incomplete | |
| Weakness | CWE-1423 | Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution | Base | Simple | Incomplete | |
| Weakness | CWE-1426 | Improper Validation of Generative AI Output | Base | Simple | Incomplete |
Loading...