CWE · MITRE source
CWE-449The UI Performs the Wrong Action
The UI performs the wrong action with respect to the user's request.
Last updated: 04 July 2026 11:13 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: partial · 2 mapping(s) from 2 framework(s): STIG ubuntu 22 04 1 (partial) · ATT&CK 1 (partial)
NIST 800-53 r5 controls that address this weakness (0)AI
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| No NIST controls proposed yet. | |||
MITRE ATT&CK techniques this weakness enables
Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.
Direction: ← other covers this;
→ this covers other (F/M/P = full / mostly /
partial).
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
CVE-2023-36535 | 5.5 | 7.1 | 0.0103 | 2023-08-08 |
CVE-2023-39215 | 5.5 | 7.1 | 0.0092 | 2023-09-12 |
CVE-2023-43585 | 5.5 | 7.1 | 0.0060 | 2023-12-13 |
CVE-2023-39209 | 3.5 | 5.9 | 0.0080 | 2023-08-08 |
CVE-2024-24698 UPD | 3.5 | 4.9 | 0.0053 | 2024-02-14 |
CVE-2024-38083 | 3.5 | 4.3 | 0.0049 | 2024-06-13 |
CVE-2024-43577 | 3.5 | 4.3 | 0.0047 | 2024-10-18 |
CVE-2024-49041 | 3.5 | 4.3 | 0.0107 | 2024-12-06 |
CVE-2025-21404 | 3.5 | 4.3 | 0.0099 | 2025-02-06 |
CVE-2025-26643 | 3.5 | 5.4 | 0.0066 | 2025-03-07 |
CVE-2025-49736 UPD | 3.5 | 4.3 | 0.0046 | 2025-08-12 |
CVE-2025-56139 UPD | 3.5 | 5.3 | 0.0031 | 2025-09-03 |
CVE-2025-13637 | 3.5 | 4.3 | 0.0018 | 2025-12-02 |
CVE-2023-43588 | 1.5 | 3.5 | 0.0065 | 2023-11-15 |