CWE · MITRE source
CWE-610: Externally Controlled Reference to a Resource in Another Sphere
The product uses an externally controlled name or reference that resolves to a resource that is outside of the intended control sphere.
Last updated: 04 July 2026 00:28 UTC
Cumulative inbound coverage
How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.
Collective: partial · 4 mapping(s) from 3 framework(s): ATT&CK 2 (partial) · CAPEC 1 (partial) · STIG oracle linux 8 1 (partial)
OWASP Top 10 for Web (2025)
This weakness contributes to A05:2025 Injection.
NIST 800-53 r5 controls that address this weakness (1)
| Control | Title | Family | Why it addresses this CWE |
|---|---|---|---|
| SI-22 | Information Diversity | SI | Limits impact of an externally controlled reference to a primary information resource by switching to an identified alternative. |
MITRE ATT&CK techniques this weakness enables
Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.
Direction: ← other covers this; → this covers other (F/M/P = full / mostly / partial).
Top CVEs of this weakness type, ranked by Risk Priority
| CVE | Risk | CVSS | EPSS | Published |
|---|---|---|---|---|
| CVE-2022-27593 KEV | 10.0 | 10.0 | 0.8791 | 2022-09-08 |
| CVE-2025-0111 KEV | 10.0 | 6.5 | 0.0186 | 2025-02-12 |
| CVE-2017-16088 | 7.0 | 10.0 | 0.0349 | 2018-06-07 |
| CVE-2019-7290 | 7.0 | 10.0 | 0.0103 | 2019-12-18 |
| CVE-2020-9752 | 7.0 | 9.8 | 0.0115 | 2020-03-23 |
| CVE-2020-14057 | 7.0 | 9.8 | 0.0258 | 2020-07-01 |
| CVE-2021-27648 | 7.0 | 9.0 | 0.0284 | 2021-04-28 |
| CVE-2021-41244 | 7.0 | 9.1 | 0.0283 | 2021-11-15 |
| CVE-2021-43685 | 7.0 | 9.8 | 0.0119 | 2021-12-01 |
| CVE-2021-44041 | 7.0 | 9.8 | 0.0175 | 2021-12-14 |
| CVE-2022-20239 | 7.0 | 9.8 | 0.0025 | 2022-08-10 |
| CVE-2022-39206 | 7.0 | 9.9 | 0.0165 | 2022-09-13 |
| CVE-2024-32980 | 7.0 | 9.1 | 0.0049 | 2024-05-08 |
| CVE-2024-5823 | 7.0 | 9.1 | 0.0053 | 2024-10-29 |
| CVE-2025-22144 | 7.0 | 9.8 | 0.0073 | 2025-01-13 |
| CVE-2026-30903 | 7.0 | 9.6 | 0.0033 | 2026-03-11 |
| CVE-2026-47643 UPD | 7.0 | 9.8 | 0.0075 | 2026-06-09 |
| CVE-2017-0211 | 6.0 | 5.5 | 0.1398 | 2017-04-12 |
| CVE-2017-18357 | 6.0 | 6.5 | 0.2707 | 2019-01-15 |
| CVE-2020-5412 | 6.0 | 6.5 | 0.1021 | 2020-08-07 |
| CVE-2022-2633 | 6.0 | 7.5 | 0.2454 | 2022-09-06 |
| CVE-2024-45826 | 6.0 | 6.8 | 0.1123 | 2024-09-12 |
| CVE-2018-9582 | 5.5 | 7.8 | 0.0021 | 2019-02-11 |
| CVE-2019-15394 | 5.5 | 7.8 | 0.0033 | 2019-11-14 |
| CVE-2019-15405 | 5.5 | 7.8 | 0.0045 | 2019-11-14 |