| CWE-5 | J2EE Misconfiguration: Data Transmission Without Encryption |
| CWE-6 | J2EE Misconfiguration: Insufficient Session-ID Length |
| CWE-7 | J2EE Misconfiguration: Missing Custom Error Page |
| CWE-8 | J2EE Misconfiguration: Entity Bean Declared Remote |
| CWE-9 | J2EE Misconfiguration: Weak Access Permissions for EJB Methods |
| CWE-11 | ASP.NET Misconfiguration: Creating Debug Binary |
| CWE-12 | ASP.NET Misconfiguration: Missing Custom Error Page |
| CWE-13 | ASP.NET Misconfiguration: Password in Configuration File |
| CWE-14 | Compiler Removal of Code to Clear Buffers |
| CWE-15 | External Control of System or Configuration Setting |
| CWE-20 | Improper Input Validation |
| CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| CWE-23 | Relative Path Traversal |
| CWE-24 | Path Traversal: '../filedir' |
| CWE-25 | Path Traversal: '/../filedir' |
| CWE-26 | Path Traversal: '/dir/../filename' |
| CWE-27 | Path Traversal: 'dir/../../filename' |
| CWE-28 | Path Traversal: '..\filedir' |
| CWE-29 | Path Traversal: '\..\filename' |
| CWE-30 | Path Traversal: '\dir\..\filename' |
| CWE-31 | Path Traversal: 'dir\..\..\filename' |
| CWE-32 | Path Traversal: '...' (Triple Dot) |
| CWE-33 | Path Traversal: '....' (Multiple Dot) |
| CWE-34 | Path Traversal: '....//' |
| CWE-35 | Path Traversal: '.../...//' |
| CWE-36 | Absolute Path Traversal |
| CWE-37 | Path Traversal: '/absolute/pathname/here' |
| CWE-38 | Path Traversal: '\absolute\pathname\here' |
| CWE-39 | Path Traversal: 'C:dirname' |
| CWE-40 | Path Traversal: '\\UNC\share\name\' (Windows UNC Share) |
| CWE-41 | Improper Resolution of Path Equivalence |
| CWE-42 | Path Equivalence: 'filename.' (Trailing Dot) |
| CWE-43 | Path Equivalence: 'filename....' (Multiple Trailing Dot) |
| CWE-44 | Path Equivalence: 'file.name' (Internal Dot) |
| CWE-45 | Path Equivalence: 'file...name' (Multiple Internal Dot) |
| CWE-46 | Path Equivalence: 'filename ' (Trailing Space) |
| CWE-47 | Path Equivalence: ' filename' (Leading Space) |
| CWE-48 | Path Equivalence: 'file name' (Internal Whitespace) |
| CWE-49 | Path Equivalence: 'filename/' (Trailing Slash) |
| CWE-50 | Path Equivalence: '//multiple/leading/slash' |
| CWE-51 | Path Equivalence: '/multiple//internal/slash' |
| CWE-52 | Path Equivalence: '/multiple/trailing/slash//' |
| CWE-53 | Path Equivalence: '\multiple\\internal\backslash' |
| CWE-54 | Path Equivalence: 'filedir\' (Trailing Backslash) |
| CWE-55 | Path Equivalence: '/./' (Single Dot Directory) |
| CWE-56 | Path Equivalence: 'filedir*' (Wildcard) |
| CWE-57 | Path Equivalence: 'fakedir/../realdir/filename' |
| CWE-58 | Path Equivalence: Windows 8.3 Filename |
| CWE-59 | Improper Link Resolution Before File Access ('Link Following') |
| CWE-61 | UNIX Symbolic Link (Symlink) Following |
| CWE-62 | UNIX Hard Link |
| CWE-64 | Windows Shortcut Following (.LNK) |
| CWE-65 | Windows Hard Link |
| CWE-66 | Improper Handling of File Names that Identify Virtual Resources |
| CWE-67 | Improper Handling of Windows Device Names |
| CWE-69 | Improper Handling of Windows ::DATA Alternate Data Stream |
| CWE-72 | Improper Handling of Apple HFS+ Alternate Data Stream Path |
| CWE-73 | External Control of File Name or Path |
| CWE-74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
| CWE-75 | Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) |
| CWE-76 | Improper Neutralization of Equivalent Special Elements |
| CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') |
| CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| CWE-80 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) |
| CWE-81 | Improper Neutralization of Script in an Error Message Web Page |
| CWE-82 | Improper Neutralization of Script in Attributes of IMG Tags in a Web Page |
| CWE-83 | Improper Neutralization of Script in Attributes in a Web Page |
| CWE-84 | Improper Neutralization of Encoded URI Schemes in a Web Page |
| CWE-85 | Doubled Character XSS Manipulations |
| CWE-86 | Improper Neutralization of Invalid Characters in Identifiers in Web Pages |
| CWE-87 | Improper Neutralization of Alternate XSS Syntax |
| CWE-88 | Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') |
| CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| CWE-90 | Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') |
| CWE-91 | XML Injection (aka Blind XPath Injection) |
| CWE-93 | Improper Neutralization of CRLF Sequences ('CRLF Injection') |
| CWE-94 | Improper Control of Generation of Code ('Code Injection') |
| CWE-95 | Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') |
| CWE-96 | Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') |
| CWE-97 | Improper Neutralization of Server-Side Includes (SSI) Within a Web Page |
| CWE-98 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') |
| CWE-99 | Improper Control of Resource Identifiers ('Resource Injection') |
| CWE-102 | Struts: Duplicate Validation Forms |
| CWE-103 | Struts: Incomplete validate() Method Definition |
| CWE-104 | Struts: Form Bean Does Not Extend Validation Class |
| CWE-105 | Struts: Form Field Without Validator |
| CWE-106 | Struts: Plug-in Framework not in Use |
| CWE-107 | Struts: Unused Validation Form |
| CWE-108 | Struts: Unvalidated Action Form |
| CWE-109 | Struts: Validator Turned Off |
| CWE-110 | Struts: Validator Without Form Field |
| CWE-111 | Direct Use of Unsafe JNI |
| CWE-112 | Missing XML Validation |
| CWE-113 | Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') |
| CWE-114 | Process Control |
| CWE-115 | Misinterpretation of Input |
| CWE-116 | Improper Encoding or Escaping of Output |
| CWE-117 | Improper Output Neutralization for Logs |
| CWE-118 | Incorrect Access of Indexable Resource ('Range Error') |
| CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer |
| CWE-120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') |
| CWE-121 | Stack-based Buffer Overflow |
| CWE-122 | Heap-based Buffer Overflow |
| CWE-123 | Write-what-where Condition |
| CWE-124 | Buffer Underwrite ('Buffer Underflow') |
| CWE-125 | Out-of-bounds Read |
| CWE-126 | Buffer Over-read |
| CWE-127 | Buffer Under-read |
| CWE-128 | Wrap-around Error |
| CWE-129 | Improper Validation of Array Index |
| CWE-130 | Improper Handling of Length Parameter Inconsistency |
| CWE-131 | Incorrect Calculation of Buffer Size |
| CWE-134 | Use of Externally-Controlled Format String |
| CWE-135 | Incorrect Calculation of Multi-Byte String Length |
| CWE-138 | Improper Neutralization of Special Elements |
| CWE-140 | Improper Neutralization of Delimiters |
| CWE-141 | Improper Neutralization of Parameter/Argument Delimiters |
| CWE-142 | Improper Neutralization of Value Delimiters |
| CWE-143 | Improper Neutralization of Record Delimiters |
| CWE-144 | Improper Neutralization of Line Delimiters |
| CWE-145 | Improper Neutralization of Section Delimiters |
| CWE-146 | Improper Neutralization of Expression/Command Delimiters |
| CWE-147 | Improper Neutralization of Input Terminators |
| CWE-148 | Improper Neutralization of Input Leaders |
| CWE-149 | Improper Neutralization of Quoting Syntax |
| CWE-150 | Improper Neutralization of Escape, Meta, or Control Sequences |
| CWE-151 | Improper Neutralization of Comment Delimiters |
| CWE-152 | Improper Neutralization of Macro Symbols |
| CWE-153 | Improper Neutralization of Substitution Characters |
| CWE-154 | Improper Neutralization of Variable Name Delimiters |
| CWE-155 | Improper Neutralization of Wildcards or Matching Symbols |
| CWE-156 | Improper Neutralization of Whitespace |
| CWE-157 | Failure to Sanitize Paired Delimiters |
| CWE-158 | Improper Neutralization of Null Byte or NUL Character |
| CWE-159 | Improper Handling of Invalid Use of Special Elements |
| CWE-160 | Improper Neutralization of Leading Special Elements |
| CWE-161 | Improper Neutralization of Multiple Leading Special Elements |
| CWE-162 | Improper Neutralization of Trailing Special Elements |
| CWE-163 | Improper Neutralization of Multiple Trailing Special Elements |
| CWE-164 | Improper Neutralization of Internal Special Elements |
| CWE-165 | Improper Neutralization of Multiple Internal Special Elements |
| CWE-166 | Improper Handling of Missing Special Element |
| CWE-167 | Improper Handling of Additional Special Element |
| CWE-168 | Improper Handling of Inconsistent Special Elements |
| CWE-170 | Improper Null Termination |
| CWE-172 | Encoding Error |
| CWE-173 | Improper Handling of Alternate Encoding |
| CWE-174 | Double Decoding of the Same Data |
| CWE-175 | Improper Handling of Mixed Encoding |
| CWE-176 | Improper Handling of Unicode Encoding |
| CWE-177 | Improper Handling of URL Encoding (Hex Encoding) |
| CWE-178 | Improper Handling of Case Sensitivity |
| CWE-179 | Incorrect Behavior Order: Early Validation |
| CWE-180 | Incorrect Behavior Order: Validate Before Canonicalize |
| CWE-181 | Incorrect Behavior Order: Validate Before Filter |
| CWE-182 | Collapse of Data into Unsafe Value |
| CWE-183 | Permissive List of Allowed Inputs |
| CWE-184 | Incomplete List of Disallowed Inputs |
| CWE-185 | Incorrect Regular Expression |
| CWE-186 | Overly Restrictive Regular Expression |
| CWE-187 | Partial String Comparison |
| CWE-188 | Reliance on Data/Memory Layout |
| CWE-190 | Integer Overflow or Wraparound |
| CWE-191 | Integer Underflow (Wrap or Wraparound) |
| CWE-192 | Integer Coercion Error |
| CWE-193 | Off-by-one Error |
| CWE-194 | Unexpected Sign Extension |
| CWE-195 | Signed to Unsigned Conversion Error |
| CWE-196 | Unsigned to Signed Conversion Error |
| CWE-197 | Numeric Truncation Error |
| CWE-198 | Use of Incorrect Byte Ordering |
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor |
| CWE-201 | Insertion of Sensitive Information Into Sent Data |
| CWE-202 | Exposure of Sensitive Information Through Data Queries |
| CWE-203 | Observable Discrepancy |
| CWE-204 | Observable Response Discrepancy |
| CWE-205 | Observable Behavioral Discrepancy |
| CWE-206 | Observable Internal Behavioral Discrepancy |
| CWE-207 | Observable Behavioral Discrepancy With Equivalent Products |
| CWE-208 | Observable Timing Discrepancy |
| CWE-209 | Generation of Error Message Containing Sensitive Information |
| CWE-210 | Self-generated Error Message Containing Sensitive Information |
| CWE-211 | Externally-Generated Error Message Containing Sensitive Information |
| CWE-212 | Improper Removal of Sensitive Information Before Storage or Transfer |
| CWE-213 | Exposure of Sensitive Information Due to Incompatible Policies |
| CWE-214 | Invocation of Process Using Visible Sensitive Information |
| CWE-215 | Insertion of Sensitive Information Into Debugging Code |
| CWE-219 | Storage of File with Sensitive Data Under Web Root |
| CWE-220 | Storage of File With Sensitive Data Under FTP Root |
| CWE-221 | Information Loss or Omission |
| CWE-222 | Truncation of Security-relevant Information |
| CWE-223 | Omission of Security-relevant Information |
| CWE-224 | Obscured Security-relevant Information by Alternate Name |
| CWE-226 | Sensitive Information in Resource Not Removed Before Reuse |
| CWE-228 | Improper Handling of Syntactically Invalid Structure |
| CWE-229 | Improper Handling of Values |
| CWE-230 | Improper Handling of Missing Values |
| CWE-231 | Improper Handling of Extra Values |
| CWE-232 | Improper Handling of Undefined Values |
| CWE-233 | Improper Handling of Parameters |
| CWE-234 | Failure to Handle Missing Parameter |
| CWE-235 | Improper Handling of Extra Parameters |
| CWE-236 | Improper Handling of Undefined Parameters |
| CWE-237 | Improper Handling of Structural Elements |
| CWE-238 | Improper Handling of Incomplete Structural Elements |
| CWE-239 | Failure to Handle Incomplete Element |
| CWE-240 | Improper Handling of Inconsistent Structural Elements |
| CWE-241 | Improper Handling of Unexpected Data Type |
| CWE-242 | Use of Inherently Dangerous Function |
| CWE-243 | Creation of chroot Jail Without Changing Working Directory |
| CWE-244 | Improper Clearing of Heap Memory Before Release ('Heap Inspection') |
| CWE-245 | J2EE Bad Practices: Direct Management of Connections |
| CWE-246 | J2EE Bad Practices: Direct Use of Sockets |
| CWE-248 | Uncaught Exception |
| CWE-250 | Execution with Unnecessary Privileges |
| CWE-252 | Unchecked Return Value |
| CWE-253 | Incorrect Check of Function Return Value |
| CWE-256 | Plaintext Storage of a Password |
| CWE-257 | Storing Passwords in a Recoverable Format |
| CWE-258 | Empty Password in Configuration File |
| CWE-259 | Use of Hard-coded Password |
| CWE-260 | Password in Configuration File |
| CWE-261 | Weak Encoding for Password |
| CWE-262 | Not Using Password Aging |
| CWE-263 | Password Aging with Long Expiration |
| CWE-266 | Incorrect Privilege Assignment |
| CWE-267 | Privilege Defined With Unsafe Actions |
| CWE-268 | Privilege Chaining |
| CWE-269 | Improper Privilege Management |
| CWE-270 | Privilege Context Switching Error |
| CWE-271 | Privilege Dropping / Lowering Errors |
| CWE-272 | Least Privilege Violation |
| CWE-273 | Improper Check for Dropped Privileges |
| CWE-274 | Improper Handling of Insufficient Privileges |
| CWE-276 | Incorrect Default Permissions |
| CWE-277 | Insecure Inherited Permissions |
| CWE-278 | Insecure Preserved Inherited Permissions |
| CWE-279 | Incorrect Execution-Assigned Permissions |
| CWE-280 | Improper Handling of Insufficient Permissions or Privileges |
| CWE-281 | Improper Preservation of Permissions |
| CWE-282 | Improper Ownership Management |
| CWE-283 | Unverified Ownership |
| CWE-284 | Improper Access Control |
| CWE-285 | Improper Authorization |
| CWE-286 | Incorrect User Management |
| CWE-287 | Improper Authentication |
| CWE-288 | Authentication Bypass Using an Alternate Path or Channel |
| CWE-289 | Authentication Bypass by Alternate Name |
| CWE-290 | Authentication Bypass by Spoofing |
| CWE-291 | Reliance on IP Address for Authentication |
| CWE-293 | Using Referer Field for Authentication |
| CWE-294 | Authentication Bypass by Capture-replay |
| CWE-295 | Improper Certificate Validation |
| CWE-296 | Improper Following of a Certificate's Chain of Trust |
| CWE-297 | Improper Validation of Certificate with Host Mismatch |
| CWE-298 | Improper Validation of Certificate Expiration |
| CWE-299 | Improper Check for Certificate Revocation |
| CWE-300 | Channel Accessible by Non-Endpoint |
| CWE-301 | Reflection Attack in an Authentication Protocol |
| CWE-302 | Authentication Bypass by Assumed-Immutable Data |
| CWE-303 | Incorrect Implementation of Authentication Algorithm |
| CWE-304 | Missing Critical Step in Authentication |
| CWE-305 | Authentication Bypass by Primary Weakness |
| CWE-306 | Missing Authentication for Critical Function |
| CWE-307 | Improper Restriction of Excessive Authentication Attempts |
| CWE-308 | Use of Single-factor Authentication |
| CWE-309 | Use of Password System for Primary Authentication |
| CWE-311 | Missing Encryption of Sensitive Data |
| CWE-312 | Cleartext Storage of Sensitive Information |
| CWE-313 | Cleartext Storage in a File or on Disk |
| CWE-314 | Cleartext Storage in the Registry |
| CWE-315 | Cleartext Storage of Sensitive Information in a Cookie |
| CWE-316 | Cleartext Storage of Sensitive Information in Memory |
| CWE-317 | Cleartext Storage of Sensitive Information in GUI |
| CWE-318 | Cleartext Storage of Sensitive Information in Executable |
| CWE-319 | Cleartext Transmission of Sensitive Information |
| CWE-321 | Use of Hard-coded Cryptographic Key |
| CWE-322 | Key Exchange without Entity Authentication |
| CWE-323 | Reusing a Nonce, Key Pair in Encryption |
| CWE-324 | Use of a Key Past its Expiration Date |
| CWE-325 | Missing Cryptographic Step |
| CWE-326 | Inadequate Encryption Strength |
| CWE-327 | Use of a Broken or Risky Cryptographic Algorithm |
| CWE-328 | Use of Weak Hash |
| CWE-329 | Generation of Predictable IV with CBC Mode |
| CWE-330 | Use of Insufficiently Random Values |
| CWE-331 | Insufficient Entropy |
| CWE-332 | Insufficient Entropy in PRNG |
| CWE-333 | Improper Handling of Insufficient Entropy in TRNG |
| CWE-334 | Small Space of Random Values |
| CWE-335 | Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) |
| CWE-336 | Same Seed in Pseudo-Random Number Generator (PRNG) |
| CWE-337 | Predictable Seed in Pseudo-Random Number Generator (PRNG) |
| CWE-338 | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) |
| CWE-339 | Small Seed Space in PRNG |
| CWE-340 | Generation of Predictable Numbers or Identifiers |
| CWE-341 | Predictable from Observable State |
| CWE-342 | Predictable Exact Value from Previous Values |
| CWE-343 | Predictable Value Range from Previous Values |
| CWE-344 | Use of Invariant Value in Dynamically Changing Context |
| CWE-345 | Insufficient Verification of Data Authenticity |
| CWE-346 | Origin Validation Error |
| CWE-347 | Improper Verification of Cryptographic Signature |
| CWE-348 | Use of Less Trusted Source |
| CWE-349 | Acceptance of Extraneous Untrusted Data With Trusted Data |
| CWE-350 | Reliance on Reverse DNS Resolution for a Security-Critical Action |
| CWE-351 | Insufficient Type Distinction |
| CWE-352 | Cross-Site Request Forgery (CSRF) |
| CWE-353 | Missing Support for Integrity Check |
| CWE-354 | Improper Validation of Integrity Check Value |
| CWE-356 | Product UI does not Warn User of Unsafe Actions |
| CWE-357 | Insufficient UI Warning of Dangerous Operations |
| CWE-358 | Improperly Implemented Security Check for Standard |
| CWE-359 | Exposure of Private Personal Information to an Unauthorized Actor |
| CWE-360 | Trust of System Event Data |
| CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') |
| CWE-363 | Race Condition Enabling Link Following |
| CWE-364 | Signal Handler Race Condition |
| CWE-366 | Race Condition within a Thread |
| CWE-367 | Time-of-check Time-of-use (TOCTOU) Race Condition |
| CWE-368 | Context Switching Race Condition |
| CWE-369 | Divide By Zero |
| CWE-370 | Missing Check for Certificate Revocation after Initial Check |
| CWE-372 | Incomplete Internal State Distinction |
| CWE-374 | Passing Mutable Objects to an Untrusted Method |
| CWE-375 | Returning a Mutable Object to an Untrusted Caller |
| CWE-377 | Insecure Temporary File |
| CWE-378 | Creation of Temporary File With Insecure Permissions |
| CWE-379 | Creation of Temporary File in Directory with Insecure Permissions |
| CWE-382 | J2EE Bad Practices: Use of System.exit() |
| CWE-383 | J2EE Bad Practices: Direct Use of Threads |
| CWE-384 | Session Fixation |
| CWE-385 | Covert Timing Channel |
| CWE-386 | Symbolic Name not Mapping to Correct Object |
| CWE-390 | Detection of Error Condition Without Action |
| CWE-391 | Unchecked Error Condition |
| CWE-392 | Missing Report of Error Condition |
| CWE-393 | Return of Wrong Status Code |
| CWE-394 | Unexpected Status Code or Return Value |
| CWE-395 | Use of NullPointerException Catch to Detect NULL Pointer Dereference |
| CWE-396 | Declaration of Catch for Generic Exception |
| CWE-397 | Declaration of Throws for Generic Exception |
| CWE-400 | Uncontrolled Resource Consumption |
| CWE-401 | Missing Release of Memory after Effective Lifetime |
| CWE-402 | Transmission of Private Resources into a New Sphere ('Resource Leak') |
| CWE-403 | Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak') |
| CWE-404 | Improper Resource Shutdown or Release |
| CWE-405 | Asymmetric Resource Consumption (Amplification) |
| CWE-406 | Insufficient Control of Network Message Volume (Network Amplification) |
| CWE-407 | Inefficient Algorithmic Complexity |
| CWE-408 | Incorrect Behavior Order: Early Amplification |
| CWE-409 | Improper Handling of Highly Compressed Data (Data Amplification) |
| CWE-410 | Insufficient Resource Pool |
| CWE-412 | Unrestricted Externally Accessible Lock |
| CWE-413 | Improper Resource Locking |
| CWE-414 | Missing Lock Check |
| CWE-415 | Double Free |
| CWE-416 | Use After Free |
| CWE-419 | Unprotected Primary Channel |
| CWE-420 | Unprotected Alternate Channel |
| CWE-421 | Race Condition During Access to Alternate Channel |
| CWE-422 | Unprotected Windows Messaging Channel ('Shatter') |
| CWE-424 | Improper Protection of Alternate Path |
| CWE-425 | Direct Request ('Forced Browsing') |
| CWE-426 | Untrusted Search Path |
| CWE-427 | Uncontrolled Search Path Element |
| CWE-428 | Unquoted Search Path or Element |
| CWE-430 | Deployment of Wrong Handler |
| CWE-431 | Missing Handler |
| CWE-432 | Dangerous Signal Handler not Disabled During Sensitive Operations |
| CWE-433 | Unparsed Raw Web Content Delivery |
| CWE-434 | Unrestricted Upload of File with Dangerous Type |
| CWE-435 | Improper Interaction Between Multiple Correctly-Behaving Entities |
| CWE-436 | Interpretation Conflict |
| CWE-437 | Incomplete Model of Endpoint Features |
| CWE-439 | Behavioral Change in New Version or Environment |
| CWE-440 | Expected Behavior Violation |
| CWE-441 | Unintended Proxy or Intermediary ('Confused Deputy') |
| CWE-444 | Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') |
| CWE-446 | UI Discrepancy for Security Feature |
| CWE-447 | Unimplemented or Unsupported Feature in UI |
| CWE-448 | Obsolete Feature in UI |
| CWE-449 | The UI Performs the Wrong Action |
| CWE-450 | Multiple Interpretations of UI Input |
| CWE-451 | User Interface (UI) Misrepresentation of Critical Information |
| CWE-453 | Insecure Default Variable Initialization |
| CWE-454 | External Initialization of Trusted Variables or Data Stores |
| CWE-455 | Non-exit on Failed Initialization |
| CWE-456 | Missing Initialization of a Variable |
| CWE-457 | Use of Uninitialized Variable |
| CWE-459 | Incomplete Cleanup |
| CWE-460 | Improper Cleanup on Thrown Exception |
| CWE-462 | Duplicate Key in Associative List (Alist) |
| CWE-463 | Deletion of Data Structure Sentinel |
| CWE-464 | Addition of Data Structure Sentinel |
| CWE-466 | Return of Pointer Value Outside of Expected Range |
| CWE-467 | Use of sizeof() on a Pointer Type |
| CWE-468 | Incorrect Pointer Scaling |
| CWE-469 | Use of Pointer Subtraction to Determine Size |
| CWE-470 | Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') |
| CWE-471 | Modification of Assumed-Immutable Data (MAID) |
| CWE-472 | External Control of Assumed-Immutable Web Parameter |
| CWE-473 | PHP External Variable Modification |
| CWE-474 | Use of Function with Inconsistent Implementations |
| CWE-475 | Undefined Behavior for Input to API |
| CWE-476 | NULL Pointer Dereference |
| CWE-477 | Use of Obsolete Function |
| CWE-478 | Missing Default Case in Multiple Condition Expression |
| CWE-479 | Signal Handler Use of a Non-reentrant Function |
| CWE-480 | Use of Incorrect Operator |
| CWE-481 | Assigning instead of Comparing |
| CWE-482 | Comparing instead of Assigning |
| CWE-483 | Incorrect Block Delimitation |
| CWE-484 | Omitted Break Statement in Switch |
| CWE-486 | Comparison of Classes by Name |
| CWE-487 | Reliance on Package-level Scope |
| CWE-488 | Exposure of Data Element to Wrong Session |
| CWE-489 | Active Debug Code |
| CWE-491 | Public cloneable() Method Without Final ('Object Hijack') |
| CWE-492 | Use of Inner Class Containing Sensitive Data |
| CWE-493 | Critical Public Variable Without Final Modifier |
| CWE-494 | Download of Code Without Integrity Check |
| CWE-495 | Private Data Structure Returned From A Public Method |
| CWE-496 | Public Data Assigned to Private Array-Typed Field |
| CWE-497 | Exposure of Sensitive System Information to an Unauthorized Control Sphere |
| CWE-498 | Cloneable Class Containing Sensitive Information |
| CWE-499 | Serializable Class Containing Sensitive Data |
| CWE-500 | Public Static Field Not Marked Final |
| CWE-501 | Trust Boundary Violation |
| CWE-502 | Deserialization of Untrusted Data |
| CWE-506 | Embedded Malicious Code |
| CWE-507 | Trojan Horse |
| CWE-508 | Non-Replicating Malicious Code |
| CWE-509 | Replicating Malicious Code (Virus or Worm) |
| CWE-510 | Trapdoor |
| CWE-511 | Logic/Time Bomb |
| CWE-512 | Spyware |
| CWE-514 | Covert Channel |
| CWE-515 | Covert Storage Channel |
| CWE-520 | .NET Misconfiguration: Use of Impersonation |
| CWE-521 | Weak Password Requirements |
| CWE-522 | Insufficiently Protected Credentials |
| CWE-523 | Unprotected Transport of Credentials |
| CWE-524 | Use of Cache Containing Sensitive Information |
| CWE-525 | Use of Web Browser Cache Containing Sensitive Information |
| CWE-526 | Cleartext Storage of Sensitive Information in an Environment Variable |
| CWE-527 | Exposure of Version-Control Repository to an Unauthorized Control Sphere |
| CWE-528 | Exposure of Core Dump File to an Unauthorized Control Sphere |
| CWE-529 | Exposure of Access Control List Files to an Unauthorized Control Sphere |
| CWE-530 | Exposure of Backup File to an Unauthorized Control Sphere |
| CWE-531 | Inclusion of Sensitive Information in Test Code |
| CWE-532 | Insertion of Sensitive Information into Log File |
| CWE-535 | Exposure of Information Through Shell Error Message |
| CWE-536 | Servlet Runtime Error Message Containing Sensitive Information |
| CWE-537 | Java Runtime Error Message Containing Sensitive Information |
| CWE-538 | Insertion of Sensitive Information into Externally-Accessible File or Directory |
| CWE-539 | Use of Persistent Cookies Containing Sensitive Information |
| CWE-540 | Inclusion of Sensitive Information in Source Code |
| CWE-541 | Inclusion of Sensitive Information in an Include File |
| CWE-543 | Use of Singleton Pattern Without Synchronization in a Multithreaded Context |
| CWE-544 | Missing Standardized Error Handling Mechanism |
| CWE-546 | Suspicious Comment |
| CWE-547 | Use of Hard-coded, Security-relevant Constants |
| CWE-548 | Exposure of Information Through Directory Listing |
| CWE-549 | Missing Password Field Masking |
| CWE-550 | Server-generated Error Message Containing Sensitive Information |
| CWE-551 | Incorrect Behavior Order: Authorization Before Parsing and Canonicalization |
| CWE-552 | Files or Directories Accessible to External Parties |
| CWE-553 | Command Shell in Externally Accessible Directory |
| CWE-554 | ASP.NET Misconfiguration: Not Using Input Validation Framework |
| CWE-555 | J2EE Misconfiguration: Plaintext Password in Configuration File |
| CWE-556 | ASP.NET Misconfiguration: Use of Identity Impersonation |
| CWE-558 | Use of getlogin() in Multithreaded Application |
| CWE-560 | Use of umask() with chmod-style Argument |
| CWE-561 | Dead Code |
| CWE-562 | Return of Stack Variable Address |
| CWE-563 | Assignment to Variable without Use |
| CWE-564 | SQL Injection: Hibernate |
| CWE-565 | Reliance on Cookies without Validation and Integrity Checking |
| CWE-566 | Authorization Bypass Through User-Controlled SQL Primary Key |
| CWE-567 | Unsynchronized Access to Shared Data in a Multithreaded Context |
| CWE-568 | finalize() Method Without super.finalize() |
| CWE-570 | Expression is Always False |
| CWE-571 | Expression is Always True |
| CWE-572 | Call to Thread run() instead of start() |
| CWE-573 | Improper Following of Specification by Caller |
| CWE-574 | EJB Bad Practices: Use of Synchronization Primitives |
| CWE-575 | EJB Bad Practices: Use of AWT Swing |
| CWE-576 | EJB Bad Practices: Use of Java I/O |
| CWE-577 | EJB Bad Practices: Use of Sockets |
| CWE-578 | EJB Bad Practices: Use of Class Loader |
| CWE-579 | J2EE Bad Practices: Non-serializable Object Stored in Session |
| CWE-580 | clone() Method Without super.clone() |
| CWE-581 | Object Model Violation: Just One of Equals and Hashcode Defined |
| CWE-582 | Array Declared Public, Final, and Static |
| CWE-583 | finalize() Method Declared Public |
| CWE-584 | Return Inside Finally Block |
| CWE-585 | Empty Synchronized Block |
| CWE-586 | Explicit Call to Finalize() |
| CWE-587 | Assignment of a Fixed Address to a Pointer |
| CWE-588 | Attempt to Access Child of a Non-structure Pointer |
| CWE-589 | Call to Non-ubiquitous API |
| CWE-590 | Free of Memory not on the Heap |
| CWE-591 | Sensitive Data Storage in Improperly Locked Memory |
| CWE-593 | Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created |
| CWE-594 | J2EE Framework: Saving Unserializable Objects to Disk |
| CWE-595 | Comparison of Object References Instead of Object Contents |
| CWE-597 | Use of Wrong Operator in String Comparison |
| CWE-598 | Use of GET Request Method With Sensitive Query Strings |
| CWE-599 | Missing Validation of OpenSSL Certificate |
| CWE-600 | Uncaught Exception in Servlet |
| CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') |
| CWE-602 | Client-Side Enforcement of Server-Side Security |
| CWE-603 | Use of Client-Side Authentication |
| CWE-605 | Multiple Binds to the Same Port |
| CWE-606 | Unchecked Input for Loop Condition |
| CWE-607 | Public Static Final Field References Mutable Object |
| CWE-608 | Struts: Non-private Field in ActionForm Class |
| CWE-609 | Double-Checked Locking |
| CWE-610 | Externally Controlled Reference to a Resource in Another Sphere |
| CWE-611 | Improper Restriction of XML External Entity Reference |
| CWE-612 | Improper Authorization of Index Containing Sensitive Information |
| CWE-613 | Insufficient Session Expiration |
| CWE-614 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute |
| CWE-615 | Inclusion of Sensitive Information in Source Code Comments |
| CWE-616 | Incomplete Identification of Uploaded File Variables (PHP) |
| CWE-617 | Reachable Assertion |
| CWE-618 | Exposed Unsafe ActiveX Method |
| CWE-619 | Dangling Database Cursor ('Cursor Injection') |
| CWE-620 | Unverified Password Change |
| CWE-621 | Variable Extraction Error |
| CWE-622 | Improper Validation of Function Hook Arguments |
| CWE-623 | Unsafe ActiveX Control Marked Safe For Scripting |
| CWE-624 | Executable Regular Expression Error |
| CWE-625 | Permissive Regular Expression |
| CWE-626 | Null Byte Interaction Error (Poison Null Byte) |
| CWE-627 | Dynamic Variable Evaluation |
| CWE-628 | Function Call with Incorrectly Specified Arguments |
| CWE-636 | Not Failing Securely ('Failing Open') |
| CWE-637 | Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism') |
| CWE-638 | Not Using Complete Mediation |
| CWE-639 | Authorization Bypass Through User-Controlled Key |
| CWE-640 | Weak Password Recovery Mechanism for Forgotten Password |
| CWE-641 | Improper Restriction of Names for Files and Other Resources |
| CWE-642 | External Control of Critical State Data |
| CWE-643 | Improper Neutralization of Data within XPath Expressions ('XPath Injection') |
| CWE-644 | Improper Neutralization of HTTP Headers for Scripting Syntax |
| CWE-645 | Overly Restrictive Account Lockout Mechanism |
| CWE-646 | Reliance on File Name or Extension of Externally-Supplied File |
| CWE-647 | Use of Non-Canonical URL Paths for Authorization Decisions |
| CWE-648 | Incorrect Use of Privileged APIs |
| CWE-649 | Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking |
| CWE-650 | Trusting HTTP Permission Methods on the Server Side |
| CWE-651 | Exposure of WSDL File Containing Sensitive Information |
| CWE-652 | Improper Neutralization of Data within XQuery Expressions ('XQuery Injection') |
| CWE-653 | Improper Isolation or Compartmentalization |
| CWE-654 | Reliance on a Single Factor in a Security Decision |
| CWE-655 | Insufficient Psychological Acceptability |
| CWE-656 | Reliance on Security Through Obscurity |
| CWE-657 | Violation of Secure Design Principles |
| CWE-662 | Improper Synchronization |
| CWE-663 | Use of a Non-reentrant Function in a Concurrent Context |
| CWE-664 | Improper Control of a Resource Through its Lifetime |
| CWE-665 | Improper Initialization |
| CWE-666 | Operation on Resource in Wrong Phase of Lifetime |
| CWE-667 | Improper Locking |
| CWE-668 | Exposure of Resource to Wrong Sphere |
| CWE-669 | Incorrect Resource Transfer Between Spheres |
| CWE-670 | Always-Incorrect Control Flow Implementation |
| CWE-671 | Lack of Administrator Control over Security |
| CWE-672 | Operation on a Resource after Expiration or Release |
| CWE-673 | External Influence of Sphere Definition |
| CWE-674 | Uncontrolled Recursion |
| CWE-675 | Multiple Operations on Resource in Single-Operation Context |
| CWE-676 | Use of Potentially Dangerous Function |
| CWE-680 | Integer Overflow to Buffer Overflow |
| CWE-681 | Incorrect Conversion between Numeric Types |
| CWE-682 | Incorrect Calculation |
| CWE-683 | Function Call With Incorrect Order of Arguments |
| CWE-684 | Incorrect Provision of Specified Functionality |
| CWE-685 | Function Call With Incorrect Number of Arguments |
| CWE-686 | Function Call With Incorrect Argument Type |
| CWE-687 | Function Call With Incorrectly Specified Argument Value |
| CWE-688 | Function Call With Incorrect Variable or Reference as Argument |
| CWE-689 | Permission Race Condition During Resource Copy |
| CWE-690 | Unchecked Return Value to NULL Pointer Dereference |
| CWE-691 | Insufficient Control Flow Management |
| CWE-692 | Incomplete Denylist to Cross-Site Scripting |
| CWE-693 | Protection Mechanism Failure |
| CWE-694 | Use of Multiple Resources with Duplicate Identifier |
| CWE-695 | Use of Low-Level Functionality |
| CWE-696 | Incorrect Behavior Order |
| CWE-697 | Incorrect Comparison |
| CWE-698 | Execution After Redirect (EAR) |
| CWE-703 | Improper Check or Handling of Exceptional Conditions |
| CWE-704 | Incorrect Type Conversion or Cast |
| CWE-705 | Incorrect Control Flow Scoping |
| CWE-706 | Use of Incorrectly-Resolved Name or Reference |
| CWE-707 | Improper Neutralization |
| CWE-708 | Incorrect Ownership Assignment |
| CWE-710 | Improper Adherence to Coding Standards |
| CWE-732 | Incorrect Permission Assignment for Critical Resource |
| CWE-733 | Compiler Optimization Removal or Modification of Security-critical Code |
| CWE-749 | Exposed Dangerous Method or Function |
| CWE-754 | Improper Check for Unusual or Exceptional Conditions |
| CWE-755 | Improper Handling of Exceptional Conditions |
| CWE-756 | Missing Custom Error Page |
| CWE-757 | Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') |
| CWE-758 | Reliance on Undefined, Unspecified, or Implementation-Defined Behavior |
| CWE-759 | Use of a One-Way Hash without a Salt |
| CWE-760 | Use of a One-Way Hash with a Predictable Salt |
| CWE-761 | Free of Pointer not at Start of Buffer |
| CWE-762 | Mismatched Memory Management Routines |
| CWE-763 | Release of Invalid Pointer or Reference |
| CWE-764 | Multiple Locks of a Critical Resource |
| CWE-765 | Multiple Unlocks of a Critical Resource |
| CWE-766 | Critical Data Element Declared Public |
| CWE-767 | Access to Critical Private Variable via Public Method |
| CWE-768 | Incorrect Short Circuit Evaluation |
| CWE-770 | Allocation of Resources Without Limits or Throttling |
| CWE-771 | Missing Reference to Active Allocated Resource |
| CWE-772 | Missing Release of Resource after Effective Lifetime |
| CWE-773 | Missing Reference to Active File Descriptor or Handle |
| CWE-774 | Allocation of File Descriptors or Handles Without Limits or Throttling |
| CWE-775 | Missing Release of File Descriptor or Handle after Effective Lifetime |
| CWE-776 | Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') |
| CWE-777 | Regular Expression without Anchors |
| CWE-778 | Insufficient Logging |
| CWE-779 | Logging of Excessive Data |
| CWE-780 | Use of RSA Algorithm without OAEP |
| CWE-781 | Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code |
| CWE-782 | Exposed IOCTL with Insufficient Access Control |
| CWE-783 | Operator Precedence Logic Error |
| CWE-784 | Reliance on Cookies without Validation and Integrity Checking in a Security Decision |
| CWE-785 | Use of Path Manipulation Function without Maximum-sized Buffer |
| CWE-786 | Access of Memory Location Before Start of Buffer |
| CWE-787 | Out-of-bounds Write |
| CWE-788 | Access of Memory Location After End of Buffer |
| CWE-789 | Memory Allocation with Excessive Size Value |
| CWE-790 | Improper Filtering of Special Elements |
| CWE-791 | Incomplete Filtering of Special Elements |
| CWE-792 | Incomplete Filtering of One or More Instances of Special Elements |
| CWE-793 | Only Filtering One Instance of a Special Element |
| CWE-794 | Incomplete Filtering of Multiple Instances of Special Elements |
| CWE-795 | Only Filtering Special Elements at a Specified Location |
| CWE-796 | Only Filtering Special Elements Relative to a Marker |
| CWE-797 | Only Filtering Special Elements at an Absolute Position |
| CWE-798 | Use of Hard-coded Credentials |
| CWE-799 | Improper Control of Interaction Frequency |
| CWE-804 | Guessable CAPTCHA |
| CWE-805 | Buffer Access with Incorrect Length Value |
| CWE-806 | Buffer Access Using Size of Source Buffer |
| CWE-807 | Reliance on Untrusted Inputs in a Security Decision |
| CWE-820 | Missing Synchronization |
| CWE-821 | Incorrect Synchronization |
| CWE-822 | Untrusted Pointer Dereference |
| CWE-823 | Use of Out-of-range Pointer Offset |
| CWE-824 | Access of Uninitialized Pointer |
| CWE-825 | Expired Pointer Dereference |
| CWE-826 | Premature Release of Resource During Expected Lifetime |
| CWE-827 | Improper Control of Document Type Definition |
| CWE-828 | Signal Handler with Functionality that is not Asynchronous-Safe |
| CWE-829 | Inclusion of Functionality from Untrusted Control Sphere |
| CWE-830 | Inclusion of Web Functionality from an Untrusted Source |
| CWE-831 | Signal Handler Function Associated with Multiple Signals |
| CWE-832 | Unlock of a Resource that is not Locked |
| CWE-833 | Deadlock |
| CWE-834 | Excessive Iteration |
| CWE-835 | Loop with Unreachable Exit Condition ('Infinite Loop') |
| CWE-836 | Use of Password Hash Instead of Password for Authentication |
| CWE-837 | Improper Enforcement of a Single, Unique Action |
| CWE-838 | Inappropriate Encoding for Output Context |
| CWE-839 | Numeric Range Comparison Without Minimum Check |
| CWE-841 | Improper Enforcement of Behavioral Workflow |
| CWE-842 | Placement of User into Incorrect Group |
| CWE-843 | Access of Resource Using Incompatible Type ('Type Confusion') |
| CWE-862 | Missing Authorization |
| CWE-863 | Incorrect Authorization |
| CWE-908 | Use of Uninitialized Resource |
| CWE-909 | Missing Initialization of Resource |
| CWE-910 | Use of Expired File Descriptor |
| CWE-911 | Improper Update of Reference Count |
| CWE-912 | Hidden Functionality |
| CWE-913 | Improper Control of Dynamically-Managed Code Resources |
| CWE-914 | Improper Control of Dynamically-Identified Variables |
| CWE-915 | Improperly Controlled Modification of Dynamically-Determined Object Attributes |
| CWE-916 | Use of Password Hash With Insufficient Computational Effort |
| CWE-917 | Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') |
| CWE-918 | Server-Side Request Forgery (SSRF) |
| CWE-920 | Improper Restriction of Power Consumption |
| CWE-921 | Storage of Sensitive Data in a Mechanism without Access Control |
| CWE-922 | Insecure Storage of Sensitive Information |
| CWE-923 | Improper Restriction of Communication Channel to Intended Endpoints |
| CWE-924 | Improper Enforcement of Message Integrity During Transmission in a Communication Channel |
| CWE-925 | Improper Verification of Intent by Broadcast Receiver |
| CWE-926 | Improper Export of Android Application Components |
| CWE-927 | Use of Implicit Intent for Sensitive Communication |
| CWE-939 | Improper Authorization in Handler for Custom URL Scheme |
| CWE-940 | Improper Verification of Source of a Communication Channel |
| CWE-941 | Incorrectly Specified Destination in a Communication Channel |
| CWE-942 | Permissive Cross-domain Policy with Untrusted Domains |
| CWE-943 | Improper Neutralization of Special Elements in Data Query Logic |
| CWE-1004 | Sensitive Cookie Without 'HttpOnly' Flag |
| CWE-1007 | Insufficient Visual Distinction of Homoglyphs Presented to User |
| CWE-1021 | Improper Restriction of Rendered UI Layers or Frames |
| CWE-1022 | Use of Web Link to Untrusted Target with window.opener Access |
| CWE-1023 | Incomplete Comparison with Missing Factors |
| CWE-1024 | Comparison of Incompatible Types |
| CWE-1025 | Comparison Using Wrong Factors |
| CWE-1037 | Processor Optimization Removal or Modification of Security-critical Code |
| CWE-1038 | Insecure Automated Optimizations |
| CWE-1039 | Inadequate Detection or Handling of Adversarial Input Perturbations in Automated Recognition Mechanism; Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations |
| CWE-1041 | Use of Redundant Code |
| CWE-1042 | Static Member Data Element outside of a Singleton Class Element |
| CWE-1043 | Data Element Aggregating an Excessively Large Number of Non-Primitive Elements |
| CWE-1044 | Architecture with Number of Horizontal Layers Outside of Expected Range |
| CWE-1045 | Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor |
| CWE-1046 | Creation of Immutable Text Using String Concatenation |
| CWE-1047 | Modules with Circular Dependencies |
| CWE-1048 | Invokable Control Element with Large Number of Outward Calls |
| CWE-1049 | Excessive Data Query Operations in a Large Data Table |
| CWE-1050 | Excessive Platform Resource Consumption within a Loop |
| CWE-1051 | Initialization with Hard-Coded Network Resource Configuration Data |
| CWE-1052 | Excessive Use of Hard-Coded Literals in Initialization |
| CWE-1053 | Missing Documentation for Design |
| CWE-1054 | Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer |
| CWE-1055 | Multiple Inheritance from Concrete Classes |
| CWE-1056 | Invokable Control Element with Variadic Parameters |
| CWE-1057 | Data Access Operations Outside of Expected Data Manager Component |
| CWE-1058 | Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element |
| CWE-1059 | Insufficient Technical Documentation |
| CWE-1060 | Excessive Number of Inefficient Server-Side Data Accesses |
| CWE-1061 | Insufficient Encapsulation |
| CWE-1062 | Parent Class with References to Child Class |
| CWE-1063 | Creation of Class Instance within a Static Code Block |
| CWE-1064 | Invokable Control Element with Signature Containing an Excessive Number of Parameters |
| CWE-1065 | Runtime Resource Management Control Element in a Component Built to Run on Application Servers |
| CWE-1066 | Missing Serialization Control Element |
| CWE-1067 | Excessive Execution of Sequential Searches of Data Resource |
| CWE-1068 | Inconsistency Between Implementation and Documented Design |
| CWE-1069 | Empty Exception Block |
| CWE-1070 | Serializable Data Element Containing non-Serializable Item Elements |
| CWE-1071 | Empty Code Block |
| CWE-1072 | Data Resource Access without Use of Connection Pooling |
| CWE-1073 | Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses |
| CWE-1074 | Class with Excessively Deep Inheritance |
| CWE-1075 | Unconditional Control Flow Transfer outside of Switch Block |
| CWE-1076 | Insufficient Adherence to Expected Conventions |
| CWE-1077 | Floating Point Comparison with Incorrect Operator |
| CWE-1078 | Inappropriate Source Code Style or Formatting |
| CWE-1079 | Parent Class without Virtual Destructor Method |
| CWE-1080 | Source Code File with Excessive Number of Lines of Code |
| CWE-1082 | Class Instance Self Destruction Control Element |
| CWE-1083 | Data Access from Outside Expected Data Manager Component |
| CWE-1084 | Invokable Control Element with Excessive File or Data Access Operations |
| CWE-1085 | Invokable Control Element with Excessive Volume of Commented-out Code |
| CWE-1086 | Class with Excessive Number of Child Classes |
| CWE-1087 | Class with Virtual Method without a Virtual Destructor |
| CWE-1088 | Synchronous Access of Remote Resource without Timeout |
| CWE-1089 | Large Data Table with Excessive Number of Indices |
| CWE-1090 | Method Containing Access of a Member Element from Another Class |
| CWE-1091 | Use of Object without Invoking Destructor Method |
| CWE-1092 | Use of Same Invokable Control Element in Multiple Architectural Layers |
| CWE-1093 | Excessively Complex Data Representation |
| CWE-1094 | Excessive Index Range Scan for a Data Resource |
| CWE-1095 | Loop Condition Value Update within the Loop |
| CWE-1096 | Singleton Class Instance Creation without Proper Locking or Synchronization |
| CWE-1097 | Persistent Storable Data Element without Associated Comparison Control Element |
| CWE-1098 | Data Element containing Pointer Item without Proper Copy Control Element |
| CWE-1099 | Inconsistent Naming Conventions for Identifiers |
| CWE-1100 | Insufficient Isolation of System-Dependent Functions |
| CWE-1101 | Reliance on Runtime Component in Generated Code |
| CWE-1102 | Reliance on Machine-Dependent Data Representation |
| CWE-1103 | Use of Platform-Dependent Third Party Components |
| CWE-1104 | Use of Unmaintained Third Party Components |
| CWE-1105 | Insufficient Encapsulation of Machine-Dependent Functionality |
| CWE-1106 | Insufficient Use of Symbolic Constants |
| CWE-1107 | Insufficient Isolation of Symbolic Constant Definitions |
| CWE-1108 | Excessive Reliance on Global Variables |
| CWE-1109 | Use of Same Variable for Multiple Purposes |
| CWE-1110 | Incomplete Design Documentation |
| CWE-1111 | Incomplete I/O Documentation |
| CWE-1112 | Incomplete Documentation of Program Execution |
| CWE-1113 | Inappropriate Comment Style |
| CWE-1114 | Inappropriate Whitespace Style |
| CWE-1115 | Source Code Element without Standard Prologue |
| CWE-1116 | Inaccurate Comments |
| CWE-1117 | Callable with Insufficient Behavioral Summary |
| CWE-1118 | Insufficient Documentation of Error Handling Techniques |
| CWE-1119 | Excessive Use of Unconditional Branching |
| CWE-1120 | Excessive Code Complexity |
| CWE-1121 | Excessive McCabe Cyclomatic Complexity |
| CWE-1122 | Excessive Halstead Complexity |
| CWE-1123 | Excessive Use of Self-Modifying Code |
| CWE-1124 | Excessively Deep Nesting |
| CWE-1125 | Excessive Attack Surface |
| CWE-1126 | Declaration of Variable with Unnecessarily Wide Scope |
| CWE-1127 | Compilation with Insufficient Warnings or Errors |
| CWE-1164 | Irrelevant Code |
| CWE-1173 | Improper Use of Validation Framework |
| CWE-1174 | ASP.NET Misconfiguration: Improper Model Validation |
| CWE-1176 | Inefficient CPU Computation |
| CWE-1177 | Use of Prohibited Code |
| CWE-1188 | Insecure Default Initialization of Resource; Initialization of a Resource with an Insecure Default |
| CWE-1189 | Improper Isolation of Shared Resources on System-on-a-Chip (SoC) |
| CWE-1190 | DMA Device Enabled Too Early in Boot Phase |
| CWE-1191 | On-Chip Debug and Test Interface With Improper Access Control |
| CWE-1192 | Improper Identifier for IP Block used in System-On-Chip (SOC); System-on-Chip (SoC) Using Components without Unique, Immutable Identifiers |
| CWE-1193 | Power-On of Untrusted Execution Core Before Enabling Fabric Access Control |
| CWE-1204 | Generation of Weak Initialization Vector (IV) |
| CWE-1209 | Failure to Disable Reserved Bits |
| CWE-1220 | Insufficient Granularity of Access Control |
| CWE-1221 | Incorrect Register Defaults or Module Parameters |
| CWE-1222 | Insufficient Granularity of Address Regions Protected by Register Locks |
| CWE-1223 | Race Condition for Write-Once Attributes |
| CWE-1224 | Improper Restriction of Write-Once Bit Fields |
| CWE-1229 | Creation of Emergent Resource |
| CWE-1230 | Exposure of Sensitive Information Through Metadata |
| CWE-1231 | Improper Prevention of Lock Bit Modification |
| CWE-1232 | Improper Lock Behavior After Power State Transition |
| CWE-1233 | Security-Sensitive Hardware Controls with Missing Lock Bit Protection |
| CWE-1234 | Hardware Internal or Debug Modes Allow Override of Locks |
| CWE-1235 | Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations |
| CWE-1236 | Improper Neutralization of Formula Elements in a CSV File |
| CWE-1239 | Improper Zeroization of Hardware Register |
| CWE-1240 | Use of a Cryptographic Primitive with a Risky Implementation |
| CWE-1241 | Use of Predictable Algorithm in Random Number Generator |
| CWE-1242 | Inclusion of Undocumented Features or Chicken Bits |
| CWE-1243 | Sensitive Non-Volatile Information Not Protected During Debug |
| CWE-1244 | Internal Asset Exposed to Unsafe Debug Access Level or State |
| CWE-1245 | Improper Finite State Machines (FSMs) in Hardware Logic |
| CWE-1246 | Improper Write Handling in Limited-write Non-Volatile Memories |
| CWE-1247 | Improper Protection Against Voltage and Clock Glitches |
| CWE-1248 | Semiconductor Defects in Hardware Logic with Security-Sensitive Implications |
| CWE-1249 | Application-Level Admin Tool with Inconsistent View of Underlying Operating System |
| CWE-1250 | Improper Preservation of Consistency Between Independent Representations of Shared State |
| CWE-1251 | Mirrored Regions with Different Values |
| CWE-1252 | CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations |
| CWE-1253 | Incorrect Selection of Fuse Values |
| CWE-1254 | Incorrect Comparison Logic Granularity |
| CWE-1255 | Comparison Logic is Vulnerable to Power Side-Channel Attacks |
| CWE-1256 | Improper Restriction of Software Interfaces to Hardware Features |
| CWE-1257 | Improper Access Control Applied to Mirrored or Aliased Memory Regions |
| CWE-1258 | Exposure of Sensitive System Information Due to Uncleared Debug Information |
| CWE-1259 | Improper Restriction of Security Token Assignment |
| CWE-1260 | Improper Handling of Overlap Between Protected Memory Ranges |
| CWE-1261 | Improper Handling of Single Event Upsets |
| CWE-1262 | Improper Access Control for Register Interface |
| CWE-1263 | Improper Physical Access Control |
| CWE-1264 | Hardware Logic with Insecure De-Synchronization between Control and Data Channels |
| CWE-1265 | Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls |
| CWE-1266 | Improper Scrubbing of Sensitive Data from Decommissioned Device |
| CWE-1267 | Policy Uses Obsolete Encoding |
| CWE-1268 | Policy Privileges are not Assigned Consistently Between Control and Data Agents |
| CWE-1269 | Product Released in Non-Release Configuration |
| CWE-1270 | Generation of Incorrect Security Tokens |
| CWE-1271 | Uninitialized Value on Reset for Registers Holding Security Settings |
| CWE-1272 | Sensitive Information Uncleared Before Debug/Power State Transition |
| CWE-1273 | Device Unlock Credential Sharing |
| CWE-1274 | Improper Access Control for Volatile Memory Containing Boot Code |
| CWE-1275 | Sensitive Cookie with Improper SameSite Attribute |
| CWE-1276 | Hardware Child Block Incorrectly Connected to Parent System |
| CWE-1277 | Firmware Not Updateable |
| CWE-1278 | Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques |
| CWE-1279 | Cryptographic Operations are run Before Supporting Units are Ready |
| CWE-1280 | Access Control Check Implemented After Asset is Accessed |
| CWE-1281 | Sequence of Processor Instructions Leads to Unexpected Behavior |
| CWE-1282 | Assumed-Immutable Data is Stored in Writable Memory |
| CWE-1283 | Mutable Attestation or Measurement Reporting Data |
| CWE-1284 | Improper Validation of Specified Quantity in Input |
| CWE-1285 | Improper Validation of Specified Index, Position, or Offset in Input |
| CWE-1286 | Improper Validation of Syntactic Correctness of Input |
| CWE-1287 | Improper Validation of Specified Type of Input |
| CWE-1288 | Improper Validation of Consistency within Input |
| CWE-1289 | Improper Validation of Unsafe Equivalence in Input |
| CWE-1290 | Incorrect Decoding of Security Identifiers |
| CWE-1291 | Public Key Re-Use for Signing both Debug and Production Code |
| CWE-1292 | Incorrect Conversion of Security Identifiers |
| CWE-1293 | Missing Source Correlation of Multiple Independent Data |
| CWE-1294 | Insecure Security Identifier Mechanism |
| CWE-1295 | Debug Messages Revealing Unnecessary Information |
| CWE-1296 | Incorrect Chaining or Granularity of Debug Components |
| CWE-1297 | Unprotected Confidential Information on Device is Accessible by OSAT Vendors |
| CWE-1298 | Hardware Logic Contains Race Conditions |
| CWE-1299 | Missing Protection Mechanism for Alternate Hardware Interface |
| CWE-1300 | Improper Protection of Physical Side Channels |
| CWE-1301 | Insufficient or Incomplete Data Removal within Hardware Component |
| CWE-1302 | Missing Source Identifier in Entity Transactions on a System-On-Chip (SOC); Missing Security Identifier |
| CWE-1303 | Non-Transparent Sharing of Microarchitectural Resources |
| CWE-1304 | Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation |
| CWE-1310 | Missing Ability to Patch ROM Code |
| CWE-1311 | Improper Translation of Security Attributes by Fabric Bridge |
| CWE-1312 | Missing Protection for Mirrored Regions in On-Chip Fabric Firewall |
| CWE-1313 | Hardware Allows Activation of Test or Debug Logic at Runtime |
| CWE-1314 | Missing Write Protection for Parametric Data Values |
| CWE-1315 | Improper Setting of Bus Controlling Capability in Fabric End-point |
| CWE-1316 | Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges |
| CWE-1317 | Improper Access Control in Fabric Bridge |
| CWE-1318 | Missing Support for Security Features in On-chip Fabrics or Buses |
| CWE-1319 | Improper Protection against Electromagnetic Fault Injection (EM-FI) |
| CWE-1320 | Improper Protection for Outbound Error Messages and Alert Signals |
| CWE-1321 | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') |
| CWE-1322 | Use of Blocking Code in Single-threaded, Non-blocking Context |
| CWE-1323 | Improper Management of Sensitive Trace Data |
| CWE-1325 | Improperly Controlled Sequential Memory Allocation |
| CWE-1326 | Missing Immutable Root of Trust in Hardware |
| CWE-1327 | Binding to an Unrestricted IP Address |
| CWE-1328 | Security Version Number Mutable to Older Versions |
| CWE-1329 | Reliance on Component That is Not Updateable |
| CWE-1330 | Remanent Data Readable after Memory Erase |
| CWE-1331 | Improper Isolation of Shared Resources in Network On Chip (NoC) |
| CWE-1332 | Improper Handling of Faults that Lead to Instruction Skips |
| CWE-1333 | Inefficient Regular Expression Complexity |
| CWE-1334 | Unauthorized Error Injection Can Degrade Hardware Redundancy |
| CWE-1335 | Incorrect Bitwise Shift of Integer |
| CWE-1336 | Improper Neutralization of Special Elements Used in a Template Engine |
| CWE-1338 | Improper Protections Against Hardware Overheating |
| CWE-1339 | Insufficient Precision or Accuracy of a Real Number |
| CWE-1341 | Multiple Releases of Same Resource or Handle |
| CWE-1342 | Information Exposure through Microarchitectural State after Transient Execution |
| CWE-1351 | Improper Handling of Hardware Behavior in Exceptionally Cold Environments |
| CWE-1357 | Reliance on Insufficiently Trustworthy Component |
| CWE-1384 | Improper Handling of Physical or Environmental Conditions |
| CWE-1385 | Missing Origin Validation in WebSockets |
| CWE-1386 | Insecure Operation on Windows Junction / Mount Point |
| CWE-1389 | Incorrect Parsing of Numbers with Different Radices |
| CWE-1390 | Weak Authentication |
| CWE-1391 | Use of Weak Credentials |
| CWE-1392 | Use of Default Credentials |
| CWE-1393 | Use of Default Password |
| CWE-1394 | Use of Default Cryptographic Key |
| CWE-1395 | Dependency on Vulnerable Third-Party Component |
| CWE-1419 | Incorrect Initialization of Resource |
| CWE-1420 | Exposure of Sensitive Information during Transient Execution |
| CWE-1421 | Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution |
| CWE-1422 | Exposure of Sensitive Information caused by Incorrect Data Forwarding during Transient Execution |
| CWE-1423 | Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution |
| CWE-1426 | Improper Validation of Generative AI Output |
| CWE-1427 | Improper Neutralization of Input Used for LLM Prompting |
| CWE-1428 | Reliance on HTTP instead of HTTPS |
| CWE-1429 | Missing Security-Relevant Feedback for Unexecuted Operations in Hardware Interface |
| CWE-1431 | Driving Intermediate Cryptographic State/Results to Hardware Module Outputs |