Cyber Resilience

CWE · MITRE source

CWE-804: Guessable CAPTCHA

Abstraction: Base · CVEs in our corpus: 15

The product uses a CAPTCHA challenge, but the challenge can be guessed or automatically recognized by a non-human actor.

An automated attacker could bypass the intended protection of the CAPTCHA challenge and perform actions at a higher frequency than humanly possible, such as launching spam attacks. There can be several different causes of a guessable CAPTCHA:

Last updated: 04 July 2026 11:13 UTC

Cumulative inbound coverage

How completely the frameworks we cross-walk collectively cover this — the verdict is the strongest single mapping (overlapping partials are not summed); breadth shows the corroboration behind it.

Collective: partial · 3 mapping(s) from 1 framework(s): ATT&CK 3 (partial)


NIST 800-53 r5 controls that address this weakness (0)

Control | Title | Family | Why it addresses this CWE
(No NIST controls proposed yet.)

MITRE ATT&CK techniques this weakness enables

Our own two-way CWE↔ATT&CK cross-walk — a direct mapping with no public source (the CWE→CAPEC→ATT&CK chain leaves most top weaknesses, incl. XSS and SQLi, mapped to nothing). Drafted by Grok and spot-checked by Claude Opus 4.8.

Direction: other covers this; this covers other (F/M/P = full / mostly / partial).

Top CVEs of this weakness type, ranked by Risk Priority

CVE              Flag  Risk  CVSS  EPSS    Published
CVE-2025-40916   UPD   7.0   9.1   0.0033  2025-06-16
CVE-2022-1801          5.5   7.5   0.0116  2022-06-20
CVE-2025-50850   UPD   5.5   8.6   0.0024  2025-07-31
CVE-2022-4036          3.5   5.3   0.0044  2022-11-29
CVE-2023-6963          3.5   5.3   0.0053  2024-02-05
CVE-2024-30540         3.5   5.3   0.0049  2024-05-17
CVE-2024-31295         3.5   5.3   0.0038  2024-05-17
CVE-2025-1262          3.5   5.3   0.0032  2025-02-25
CVE-2025-32036         3.5   4.2   0.0027  2025-04-08
CVE-2025-8546    UPD   3.5   5.3   0.0042  2025-08-05
CVE-2026-27411         3.5   5.3   0.0019  2026-03-05
CVE-2025-70129         3.5   5.3   0.0029  2026-03-10
CVE-2026-40935         3.5   5.3   0.0022  2026-04-21
CVE-2026-49953         3.5   6.5   0.0036  2026-06-15
CVE-2025-10423         1.5   3.7   0.0042  2025-09-15