Cyber Resilience

CWE · MITRE source

CWE-394Unexpected Status Code or Return Value

Abstraction: Base · CVEs in our corpus: 14

The product does not properly check when a function or operation returns a value that is legitimate for the function, but is not expected by the product.

Last updated: 04 July 2026 08:17 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: mostly · 1 mapping(s) from 1 framework(s): OWASP-Web 1 (mostly)

See the full cumulative-coverage rollup →

OWASP Top 10 for Web (2025)

This weakness contributes to A10:2025 Mishandling of Exceptional Conditions.

NIST 800-53 r5 controls that address this weakness (0)AI

Control Title Family Why it addresses this CWE
No NIST controls proposed yet.

Top CVEs of this weakness type, ranked by Risk Priority

CVE Risk CVSS EPSS Published
CVE-2025-125157.09.80.00342025-10-30
CVE-2025-125167.09.80.00342025-10-30
CVE-2019-00665.57.50.01362019-10-09
CVE-2023-259485.57.50.00482023-07-13
CVE-2024-1713 UPD5.57.20.00552024-03-14
CVE-2025-485105.57.10.00112025-11-24
CVE-2026-250855.58.60.00462026-02-27
CVE-2018-208023.56.50.01462020-11-23
CVE-2019-209243.56.50.01282020-11-23
CVE-2022-248803.55.30.01132022-04-25
CVE-2023-289753.54.60.00292023-04-17
CVE-2023-484291.52.70.00592023-12-12