CWEs
Which weakness types show up in our CVE corpus, and which controls address them?
This index covers all 748 CWEs cited by at least one CVE across the NVD records we ingest — split into frequent (420, cited ≥10 times) and rare (328, 1–9 times). Frequent weaknesses link to a detail page with the NIST 800-53 r5 controls that address them (LLM-proposed) and their top CVEs ranked by Risk Priority; rarer ones link out to MITRE. Below the search, the blind spot — 206 live weaknesses no CVE has ever been tagged with.
The blind spot: 206 weaknesses no CVE reports
These are live (non-deprecated) weakness types in the MITRE catalogue that no CVE in our corpus has ever been tagged with. Many are design-level weaknesses NVD analysts rarely reach for — the kind of systemic flaw that never gets its own advisory. Each links to MITRE's canonical definition.
Class-level (11)
- CWE-1061 Insufficient Encapsulation
The product does not sufficiently hide the internal representation and implementation details of data or methods, which might allow external components or modules to modify data unexpectedly, invoke unexpected functional.
- CWE-1093 Excessively Complex Data Representation
The product uses an unnecessarily complex internal representation for its data structures or interrelationships between those structures.
- CWE-1120 Excessive Code Complexity
The code is too complex, as calculated using a well-defined, quantitative measure.
- CWE-1177 Use of Prohibited Code
The product uses a function, library, or third party component that has been explicitly prohibited, whether by the developer or the customer.
- CWE-1229 Creation of Emergent Resource
The product manages resources or behaves in a way that indirectly creates a new, distinct resource that can be used by attackers in violation of the intended policy.
- CWE-1294 Insecure Security Identifier Mechanism
The System-on-Chip (SoC) implements a Security Identifier mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity.
- CWE-1395 Dependency on Vulnerable Third-Party Component
The product has a dependency on a third-party component that contains one or more known vulnerabilities.
- CWE-1419 Incorrect Initialization of Resource
The product attempts to initialize a resource but does not correctly do so, which might leave the resource in an unexpected, incorrect, or insecure state when it is accessed.
- CWE-221 Information Loss or Omission
The product does not record, or improperly records, security-relevant information that leads to an incorrect decision or hampers later analysis.
- CWE-655 Insufficient Psychological Acceptability
The product has a protection mechanism that is too difficult or inconvenient to use, encouraging non-malicious users to disable or bypass the mechanism, whether by accident or on purpose.
- CWE-666 Operation on Resource in Wrong Phase of Lifetime
The product performs an operation on a resource at the wrong phase of the resource's lifecycle, which can lead to unexpected behaviors.
Base-level (104)
- CWE-1041 Use of Redundant Code
The product has multiple functions, methods, procedures, macros, etc. that contain the same code.
- CWE-1043 Data Element Aggregating an Excessively Large Number of Non-Primitive Elements
The product uses a data element that has an excessively large number of sub-elements with non-primitive data types such as structures or aggregated objects.
- CWE-1044 Architecture with Number of Horizontal Layers Outside of Expected Range
The product's architecture contains too many - or too few - horizontal layers.
- CWE-1045 Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor
A parent class has a virtual destructor method, but the parent has a child class that does not have a virtual destructor.
- CWE-1047 Modules with Circular Dependencies
The product contains modules in which one module has references that cycle back to itself, i.e., there are circular dependencies.
- CWE-1048 Invokable Control Element with Large Number of Outward Calls
The code contains callable control elements that contain an excessively large number of references to other application objects external to the context of the callable, i.e.
- CWE-1052 Excessive Use of Hard-Coded Literals in Initialization
The product initializes a data element using a hard-coded literal that is not a simple integer or static constant element.
- CWE-1053 Missing Documentation for Design
The product does not have documentation that represents how it is designed.
- CWE-1054 Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer
The code at one architectural layer invokes code that resides at a deeper layer than the adjacent layer, i.e., the invocation skips at least one layer, and the invoked code is not part of a vertical utility lay.
- CWE-1060 Excessive Number of Inefficient Server-Side Data Accesses
The product performs too many data queries without using efficient data processing functionality such as stored procedures.
- CWE-1062 Parent Class with References to Child Class
The code has a parent class that contains references to a child class, its methods, or its members.
- CWE-1063 Creation of Class Instance within a Static Code Block
A static code block creates an instance of a class.
- CWE-1064 Invokable Control Element with Signature Containing an Excessive Number of Parameters
The product contains a function, subroutine, or method whose signature has an unnecessarily large number of parameters/arguments.
- CWE-1065 Runtime Resource Management Control Element in a Component Built to Run on Application Servers
The product uses deployed components from application servers, but it also uses low-level functions/methods for management of resources, instead of the API provided by the application server.
- CWE-1070 Serializable Data Element Containing non-Serializable Item Elements
The product contains a serializable, storable data element such as a field or member, but the data element contains member elements that are not serializable.
- CWE-1071 Empty Code Block
The source code contains a block that does not contain any code, i.e., the block is empty.
- CWE-1073 Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses
The product contains a client with a function or method that contains a large number of data accesses/queries that are sent through a data manager, i.e., does not use efficient database capabilities.
- CWE-1074 Class with Excessively Deep Inheritance
A class has an inheritance level that is too high, i.e., it has a large number of parent classes.
- CWE-1075 Unconditional Control Flow Transfer outside of Switch Block
The product performs unconditional control transfer (such as a "goto") in code outside of a branching structure such as a switch block.
- CWE-1079 Parent Class without Virtual Destructor Method
A parent class contains one or more child classes, but the parent class does not have a virtual destructor method.
- CWE-1080 Source Code File with Excessive Number of Lines of Code
A source code file has too many lines of code.
- CWE-1082 Class Instance Self Destruction Control Element
The code contains a class instance that calls the method or function to delete or destroy itself.
- CWE-1084 Invokable Control Element with Excessive File or Data Access Operations
A function or method contains too many operations that utilize a data manager or file resource.
- CWE-1085 Invokable Control Element with Excessive Volume of Commented-out Code
A function, method, procedure, etc. contains an excessive amount of code that has been commented out within its body.
- CWE-1086 Class with Excessive Number of Child Classes
A class contains an unnecessarily large number of children.
- CWE-1087 Class with Virtual Method without a Virtual Destructor
A class contains a virtual method, but the method does not have an associated virtual destructor.
- CWE-1089 Large Data Table with Excessive Number of Indices
The product uses a large data table that contains an excessively large number of indices.
- CWE-1090 Method Containing Access of a Member Element from Another Class
A method for a class performs an operation that directly accesses a member element from another class.
- CWE-1092 Use of Same Invokable Control Element in Multiple Architectural Layers
The product uses the same control element across multiple architectural layers.
- CWE-1094 Excessive Index Range Scan for a Data Resource
The product contains an index range scan for a large data table, but the scan can cover a large number of rows.
- CWE-1095 Loop Condition Value Update within the Loop
The product uses a loop with a control flow condition based on a value that is updated within the body of the loop.
- CWE-1097 Persistent Storable Data Element without Associated Comparison Control Element
The product uses a storable data element that does not have all of the associated functions or methods that are necessary to support comparison.
- CWE-1098 Data Element containing Pointer Item without Proper Copy Control Element
The code contains a data element with a pointer that does not have an associated copy or constructor method.
- CWE-1099 Inconsistent Naming Conventions for Identifiers
The product's code, documentation, or other artifacts do not consistently use the same naming conventions for variables, callables, groups of related callables, I/O capabilities, data types, file names, or simi.
- CWE-1101 Reliance on Runtime Component in Generated Code
The product uses automatically-generated code that cannot be executed without a specific runtime support component.
- CWE-1105 Insufficient Encapsulation of Machine-Dependent Functionality
The product or code uses machine-dependent functionality, but it does not sufficiently encapsulate or isolate this functionality from the rest of the code.
- CWE-1109 Use of Same Variable for Multiple Purposes
The code contains a callable, block, or other code element in which the same variable is used to control more than one unique task or store more than one instance of data.
- CWE-1110 Incomplete Design Documentation
The product's design documentation does not adequately describe control flow, data flow, system initialization, relationships between tasks, components, rationales, or other important aspects of the design.
- CWE-1111 Incomplete I/O Documentation
The product's documentation does not adequately define inputs, outputs, or system/software interfaces.
- CWE-1114 Inappropriate Whitespace Style
The source code contains whitespace that is inconsistent across the code or does not follow expected standards for the product.
- CWE-1115 Source Code Element without Standard Prologue
The source code contains elements such as source files that do not consistently provide a prologue or header that has been standardized for the project.
- CWE-1117 Callable with Insufficient Behavioral Summary
The code contains a function or method whose signature and/or associated inline documentation does not sufficiently describe the callable's inputs, outputs, side effects, assumptions, or return codes.
- CWE-1121 Excessive McCabe Cyclomatic Complexity
The code contains McCabe cyclomatic complexity that exceeds a desirable maximum.
- CWE-1122 Excessive Halstead Complexity
The code is structured in a way that a Halstead complexity measure exceeds a desirable maximum.
- CWE-1123 Excessive Use of Self-Modifying Code
The product uses too much self-modifying code.
- CWE-1126 Declaration of Variable with Unnecessarily Wide Scope
The source code declares a variable in one scope, but the variable is only used within a narrower scope.
- CWE-1127 Compilation with Insufficient Warnings or Errors
The code is compiled without sufficient warnings enabled, which may prevent the detection of subtle bugs or quality issues.
- CWE-1192 Improper Identifier for IP Block used in System-On-Chip (SOC)
The System-on-Chip (SoC) does not have unique, immutable identifiers for each of its components.
- CWE-1193 Power-On of Untrusted Execution Core Before Enabling Fabric Access Control
The product enables components that contain untrusted firmware before memory and fabric access controls have been enabled.
- CWE-1209 Failure to Disable Reserved Bits
The reserved bits in a hardware design are not disabled prior to production. Typically, reserved bits are used for future capabilities and should not support any functional logic in the design.
- CWE-1232 Improper Lock Behavior After Power State Transition
Register lock bit protection disables changes to system configuration once the bit is set.
- CWE-1235 Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations
The code uses boxed primitives, which may introduce inefficiencies into performance-critical operations.
- CWE-1243 Sensitive Non-Volatile Information Not Protected During Debug
Access to security-sensitive information stored in fuses is not limited during debug.
- CWE-1248 Semiconductor Defects in Hardware Logic with Security-Sensitive Implications
The security-sensitive hardware module contains semiconductor defects.
- CWE-1249 Application-Level Admin Tool with Inconsistent View of Underlying Operating System
The product provides an application for administrators to manage parts of the underlying operating system, but the application does not accurately identify all of the relevant entities or resources that exist in the OS; .
- CWE-1252 CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations
The CPU is not configured to provide hardware support for exclusivity of write and execute operations on memory. This allows an attacker to execute data from all of memory.
- CWE-1261 Improper Handling of Single Event Upsets
The hardware logic does not effectively handle when single-event upsets (SEUs) occur.
- CWE-1266 Improper Scrubbing of Sensitive Data from Decommissioned Device
The product does not properly provide a capability for the product administrator to remove sensitive data at the time the product is decommissioned. A scrubbing capability could be missing, insufficient, or incorrect.
- CWE-1267 Policy Uses Obsolete Encoding
The product uses an obsolete encoding mechanism to implement access controls.
- CWE-1271 Uninitialized Value on Reset for Registers Holding Security Settings
Security-critical logic is not set to a known value on reset.
- CWE-1273 Device Unlock Credential Sharing
The credentials necessary for unlocking a device are shared across multiple parties and may expose sensitive information.
- CWE-1276 Hardware Child Block Incorrectly Connected to Parent System
Signals between a hardware IP and the parent system design are incorrectly connected causing security risks.
- CWE-1277 Firmware Not Updateable
The product does not provide its users with the ability to update or patch its firmware to address any vulnerabilities or weaknesses that may be present.
- CWE-1290 Incorrect Decoding of Security Identifiers
The product implements a decoding mechanism to decode certain bus-transaction signals to security identifiers.
- CWE-1292 Incorrect Conversion of Security Identifiers
The product implements a conversion mechanism to map certain bus-transaction signals to security identifiers.
- CWE-1293 Missing Source Correlation of Multiple Independent Data
The product relies on one source of data, preventing the ability to detect if an adversary has compromised a data source.
- CWE-1296 Incorrect Chaining or Granularity of Debug Components
The product's debug components contain incorrect chaining or granularity of debug components.
- CWE-1297 Unprotected Confidential Information on Device is Accessible by OSAT Vendors
The product does not adequately protect confidential information on the device from being accessed by Outsourced Semiconductor Assembly and Test (OSAT) vendors.
- CWE-1302 Missing Source Identifier in Entity Transactions on a System-On-Chip (SOC)
The product implements a security identifier mechanism to differentiate what actions are allowed or disallowed when a transaction originates from an entity. A transaction is sent without a security identifier.
- CWE-1311 Improper Translation of Security Attributes by Fabric Bridge
The bridge incorrectly translates security attributes from either trusted to untrusted or from untrusted to trusted when converting from one fabric protocol to another.
- CWE-1315 Improper Setting of Bus Controlling Capability in Fabric End-point
The bus controller enables bits in the fabric end-point to allow responder devices to control transactions on the fabric.
- CWE-1317 Improper Access Control in Fabric Bridge
The product uses a fabric bridge for transactions between two Intellectual Property (IP) blocks, but the bridge does not properly perform the expected privilege, identity, or other access control checks between those IP .
- CWE-1318 Missing Support for Security Features in On-chip Fabrics or Buses
On-chip fabrics or buses either do not support or are not configured to support privilege separation or other security features, such as access control.
- CWE-1331 Improper Isolation of Shared Resources in Network On Chip (NoC)
The Network On Chip (NoC) does not isolate or incorrectly isolates its on-chip-fabric and internal resources such that they are shared between trusted and untrusted agents, creating timing channels.
- CWE-1338 Improper Protections Against Hardware Overheating
A hardware device is missing or has inadequate protection features to prevent overheating.
- CWE-1339 Insufficient Precision or Accuracy of a Real Number
The product processes a real number with an implementation in which the number's representation does not preserve required accuracy and precision in its fractional part, causing an incorrect result.
- CWE-1351 Improper Handling of Hardware Behavior in Exceptionally Cold Environments
A hardware device, or the firmware running on it, is missing or has incorrect protection features to maintain goals of security primitives when the device is cooled below s.
- CWE-1420 Exposure of Sensitive Information during Transient Execution
A processor event or prediction may allow incorrect operations (or correct operations with incorrect data) to execute transiently, potentially exposing data over a covert channel.
- CWE-1421 Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution
A processor event may allow transient operations to access architecturally restricted data (for example, in another address space) in a shared microarchitectural structure (for example, a CPU cache), potentially.
- CWE-1422 Exposure of Sensitive Information caused by Incorrect Data Forwarding during Transient Execution
A processor event or prediction may allow incorrect or stale data to be forwarded to transient operations, potentially exposing data over a covert channel.
- CWE-1423 Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution
Shared microarchitectural predictor state may allow code to influence transient execution across a hardware boundary, potentially exposing data that is accessible beyond the boundary over a covert channel.
- CWE-1426 Improper Validation of Generative AI Output
The product invokes a generative AI/ML component whose behaviors and outputs cannot be directly controlled, but the product does not validate or insufficiently validates the outputs to ensure that they align .
- CWE-1427 Improper Neutralization of Input Used for LLM Prompting
The product uses externally-provided data to build prompts provided to large language models (LLMs), but the way these prompts are constructed causes the LLM to fail to distinguish between user-supplied inputs and develo.
- CWE-1428 Reliance on HTTP instead of HTTPS
The product provides or relies on use of HTTP communications when HTTPS is available.
- CWE-1429 Missing Security-Relevant Feedback for Unexecuted Operations in Hardware Interface
The product has a hardware interface that silently discards operations in situations for which feedback would be security-relevant, such as the timely detection of failures or attacks.
- CWE-1431 Driving Intermediate Cryptographic State/Results to Hardware Module Outputs
The product uses a hardware module implementing a cryptographic algorithm that writes sensitive information about the intermediate state or results of its cryptographic operations via one of its output wires .
- CWE-1434 Insecure Setting of Generative AI/ML Model Inference Parameters
The product has a component that relies on a generative AI/ML model configured with inference parameters that produce an unacceptably high rate of erroneous or unexpected outputs.
- CWE-211 Externally-Generated Error Message Containing Sensitive Information
The product performs an operation that triggers an external diagnostic or error message that is not directly generated or controlled by the product, such as an error generated by the programming language interpreter that.
- CWE-224 Obscured Security-relevant Information by Alternate Name
The product records security-relevant information according to an alternate name of the affected entity, instead of the canonical name.
- CWE-375 Returning a Mutable Object to an Untrusted Caller
Sending non-cloned mutable data as a return value may result in that data being altered or deleted by the calling function.
- CWE-397 Declaration of Throws for Generic Exception
The product throws or raises overly broad exceptions that can hide important details and produce inappropriate responses to certain conditions.
- CWE-432 Dangerous Signal Handler not Disabled During Sensitive Operations
The product uses a signal handler that shares state with other signal handlers, but it does not properly mask or prevent those signal handlers from being invoked while the original signal handler is still running.
- CWE-439 Behavioral Change in New Version or Environment
A's behavior or functionality changes with a new version of A, or a new environment, which is not known (or manageable) by B.
- CWE-464 Addition of Data Structure Sentinel
The accidental addition of a data-structure sentinel can cause serious programming logic problems.
- CWE-483 Incorrect Block Delimitation
The code does not explicitly delimit a block that is intended to contain 2 or more statements, creating a logic error.
- CWE-487 Reliance on Package-level Scope
Java packages are not inherently closed; therefore, relying on them for code security is not a good practice.
- CWE-510 Trapdoor
A trapdoor is a hidden piece of code that responds to a special input, allowing its user access to resources without passing through the normal security enforcement mechanism.
- CWE-512 Spyware
The product collects personally identifiable information about a human user or the user's activities, but the product accesses this information using other resources besides itself, and it does not require that user's ex.
- CWE-584 Return Inside Finally Block
The code has a return statement inside a finally block, which will cause any thrown exception in the try block to be discarded.
- CWE-586 Explicit Call to Finalize()
The product makes an explicit call to the finalize() method from outside the finalizer.
- CWE-609 Double-Checked Locking
The product uses double-checked locking to access a resource without the overhead of explicit synchronization, but the locking is insufficient.
- CWE-619 Dangling Database Cursor ('Cursor Injection')
If a database cursor is not closed properly, then it could become accessible to other users while retaining the same privileges that were originally assigned, leaving the cursor "dangling."
- CWE-766 Critical Data Element Declared Public
The product declares a critical variable, field, or member to be public when intended security policy requires it to be private.
- CWE-795 Only Filtering Special Elements at a Specified Location
The product receives data from an upstream component, but only accounts for special elements at a specified location, thereby missing remaining special elements that may exist before sending it to a downstream component.
Variant-level (91)
- CWE-103 Struts: Incomplete validate() Method Definition
The product has a validator form that either does not define a validate() method, or defines a validate() method but does not call super.validate().
- CWE-104 Struts: Form Bean Does Not Extend Validation Class
If a form bean does not extend an ActionForm subclass of the Validator framework, it can expose the application to other weaknesses related to insufficient input validation.
- CWE-1042 Static Member Data Element outside of a Singleton Class Element
The code contains a member element that is declared as static (but not final), in which its parent class element is not a singleton class - that is, a class element that can be used only once in the 'to' .
- CWE-105 Struts: Form Field Without Validator
The product has a form field that is not validated by a corresponding validation form, which can introduce other weaknesses related to insufficient input validation.
- CWE-106 Struts: Plug-in Framework not in Use
When an application does not use an input validation framework such as the Struts Validator, there is a greater risk of introducing weaknesses related to insufficient input validation.
- CWE-1069 Empty Exception Block
An invokable code block contains an exception handling block that does not contain any code, i.e. is empty.
- CWE-107 Struts: Unused Validation Form
An unused validation form indicates that validation logic is not up-to-date.
- CWE-108 Struts: Unvalidated Action Form
Every Action Form must have a corresponding validation form.
- CWE-109 Struts: Validator Turned Off
Automatic filtering via a Struts bean has been turned off, which disables the Struts Validator and custom validation logic. This exposes the application to other weaknesses related to insufficient input validation.
- CWE-1096 Singleton Class Instance Creation without Proper Locking or Synchronization
The product implements a Singleton design pattern but does not use appropriate locking or other synchronization mechanism to ensure that the singleton class is only instantiated once.
- CWE-110 Struts: Validator Without Form Field
Validation fields that do not appear in forms they are associated with indicate that the validation logic is out of date.
- CWE-1239 Improper Zeroization of Hardware Register
The hardware product does not properly clear sensitive information from built-in registers when the user of the hardware block changes.
- CWE-13 ASP.NET Misconfiguration: Password in Configuration File
Storing a plaintext password in a configuration file allows anyone who can read the file access to the password-protected resource making them an easy target for attackers.
- CWE-1330 Remanent Data Readable after Memory Erase
Confidential information stored in memory circuits is readable or recoverable after being cleared or erased.
- CWE-145 Improper Neutralization of Section Delimiters
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as section delimiters when they are sent to a downstream component.
- CWE-151 Improper Neutralization of Comment Delimiters
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as comment delimiters when they are sent to a downstream component.
- CWE-152 Improper Neutralization of Macro Symbols
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could be interpreted as macro symbols when they are sent to a downstream component.
- CWE-161 Improper Neutralization of Multiple Leading Special Elements
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes multiple leading special elements that could be interpreted in unexpected ways when they are sent to a downstre.
- CWE-163 Improper Neutralization of Multiple Trailing Special Elements
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes multiple trailing special elements that could be interpreted in unexpected ways when they are sent to a downstr.
- CWE-165 Improper Neutralization of Multiple Internal Special Elements
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes multiple internal special elements that could be interpreted in unexpected ways when they are sent to a downstr.
- CWE-174 Double Decoding of the Same Data
The product decodes the same input twice, which can limit the effectiveness of any protection mechanism that occurs in between the decoding operations.
- CWE-175 Improper Handling of Mixed Encoding
The product does not properly handle when the same input uses several different (mixed) encodings.
- CWE-181 Incorrect Behavior Order: Validate Before Filter
The product validates data before it has been filtered, which prevents the product from detecting data that becomes invalid after the filtering step.
- CWE-206 Observable Internal Behavioral Discrepancy
The product performs multiple behaviors that are combined to produce a single result, but the individual behaviors are observable separately in a way that allows attackers to reveal internal state or internal decision po.
- CWE-220 Storage of File With Sensitive Data Under FTP Root
The product stores sensitive data under the FTP server root with insufficient access control, which might make it accessible to untrusted parties.
- CWE-238 Improper Handling of Incomplete Structural Elements
The product does not handle or incorrectly handles when a particular structural element is not completely specified.
- CWE-243 Creation of chroot Jail Without Changing Working Directory
The product uses the chroot() system call to create a jail, but does not change the working directory afterward. This does not prevent access to files outside of the jail.
- CWE-245 J2EE Bad Practices: Direct Management of Connections
The J2EE application directly manages connections, instead of using the container's connection management facilities.
- CWE-246 J2EE Bad Practices: Direct Use of Sockets
The J2EE application directly uses sockets instead of using framework method calls.
- CWE-33 Path Traversal: '....' (Multiple Dot)
The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize '....' (multiple dot) sequences that can resolve to a location that is outside of .
- CWE-382 J2EE Bad Practices: Use of System.exit()
A J2EE application uses System.exit(), which also shuts down its container.
- CWE-383 J2EE Bad Practices: Direct Use of Threads
Thread management in a Web application is forbidden in some circumstances and is always highly error prone.
- CWE-45 Path Equivalence: 'file...name' (Multiple Internal Dot)
The product accepts path input in the form of multiple internal dot ('file...dir') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintend.
- CWE-46 Path Equivalence: 'filename ' (Trailing Space)
The product accepts path input in the form of trailing space ('filedir ') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locati.
- CWE-47 Path Equivalence: ' filename' (Leading Space)
The product accepts path input in the form of leading space (' filedir') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locatio.
- CWE-48 Path Equivalence: 'file name' (Internal Whitespace)
The product accepts path input in the form of internal space ('file(SPACE)name') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended.
- CWE-481 Assigning instead of Comparing
The code uses an operator for assignment when the intention was to perform a comparison.
- CWE-486 Comparison of Classes by Name
The product compares classes by name, which can cause it to use the wrong class when multiple classes can have the same name.
- CWE-49 Path Equivalence: 'filename/' (Trailing Slash)
The product accepts path input in the form of trailing slash ('filedir/') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended locati.
- CWE-492 Use of Inner Class Containing Sensitive Data
Inner classes are translated into classes that are accessible at package scope and may expose code that the programmer intended to keep private to attackers.
- CWE-493 Critical Public Variable Without Final Modifier
The product has a critical public variable that is not final, which allows the variable to be modified to contain unexpected values.
- CWE-496 Public Data Assigned to Private Array-Typed Field
Assigning public data to a private array is equivalent to giving public access to the array.
- CWE-498 Cloneable Class Containing Sensitive Information
The code contains a class with sensitive data, but the class is cloneable. The data can then be accessed by cloning the class.
- CWE-500 Public Static Field Not Marked Final
An object contains a public static field that is not marked final, which might allow it to be modified in unexpected ways.
- CWE-51 Path Equivalence: '/multiple//internal/slash'
The product accepts path input in the form of multiple internal slash ('/multiple//internal/slash/') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file .
- CWE-52 Path Equivalence: '/multiple/trailing/slash//'
The product accepts path input in the form of multiple trailing slash ('/multiple/trailing/slash//') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file .
- CWE-53 Path Equivalence: '\multiple\\internal\backslash'
The product accepts path input in the form of multiple internal backslash ('\multiple\trailing\\slash') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the fi.
- CWE-536 Servlet Runtime Error Message Containing Sensitive Information
A servlet error message indicates that there exists an unhandled exception in the web application code and may provide useful information to an attacker.
- CWE-537 Java Runtime Error Message Containing Sensitive Information
In many cases, an attacker can leverage the conditions that cause unhandled exception errors in order to gain unauthorized access to the system.
- CWE-54 Path Equivalence: 'filedir\' (Trailing Backslash)
The product accepts path input in the form of trailing backslash ('filedir\') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended lo.
- CWE-543 Use of Singleton Pattern Without Synchronization in a Multithreaded Context
The product uses the singleton pattern when creating a resource within a multithreaded environment.
- CWE-546 Suspicious Comment
The code contains comments that suggest the presence of bugs, incomplete functionality, or weaknesses.
- CWE-55 Path Equivalence: '/./' (Single Dot Directory)
The product accepts path input in the form of single dot directory exploit ('/./') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintend.
- CWE-554 ASP.NET Misconfiguration: Not Using Input Validation Framework
The ASP.NET application does not use an input validation framework.
- CWE-558 Use of getlogin() in Multithreaded Application
The product uses the getlogin() function in a multithreaded context, potentially causing it to return incorrect values.
- CWE-56 Path Equivalence: 'filedir*' (Wildcard)
The product accepts path input in the form of asterisk wildcard ('filedir*') without appropriate validation, which can lead to ambiguous path resolution and allow an attacker to traverse the file system to unintended loc.
- CWE-560 Use of umask() with chmod-style Argument
The product calls umask() with an incorrect argument that is specified as if it is an argument to chmod().
- CWE-568 finalize() Method Without super.finalize()
The product contains a finalize() method that does not call super.finalize().
- CWE-572 Call to Thread run() instead of start()
The product calls a thread's run() method instead of calling start(), which causes the code to run in the thread of the caller instead of the callee.
- CWE-574 EJB Bad Practices: Use of Synchronization Primitives
The product violates the Enterprise JavaBeans (EJB) specification by using thread synchronization primitives.
- CWE-575 EJB Bad Practices: Use of AWT Swing
The product violates the Enterprise JavaBeans (EJB) specification by using AWT/Swing.
- CWE-576 EJB Bad Practices: Use of Java I/O
The product violates the Enterprise JavaBeans (EJB) specification by using the java.io package.
- CWE-577 EJB Bad Practices: Use of Sockets
The product violates the Enterprise JavaBeans (EJB) specification by using sockets.
- CWE-578 EJB Bad Practices: Use of Class Loader
The product violates the Enterprise JavaBeans (EJB) specification by using the class loader.
- CWE-579 J2EE Bad Practices: Non-serializable Object Stored in Session
The product stores a non-serializable object as an HttpSession attribute, which can hurt reliability.
- CWE-58 Path Equivalence: Windows 8.3 Filename
The product contains a protection mechanism that restricts access to a long filename on a Windows operating system, but it does not properly restrict access to the equivalent short "8.3" filename.
- CWE-580 clone() Method Without super.clone()
The product contains a clone() method that does not call super.clone() to obtain the new object.
- CWE-581 Object Model Violation: Just One of Equals and Hashcode Defined
The product does not maintain equal hashcodes for equal objects.
- CWE-582 Array Declared Public, Final, and Static
The product declares an array public, final, and static, which is not sufficient to prevent the array's contents from being modified.
- CWE-583 finalize() Method Declared Public
The product violates secure coding principles for mobile code by declaring a finalize() method public.
- CWE-585 Empty Synchronized Block
The product contains an empty synchronized block.
- CWE-589 Call to Non-ubiquitous API
The product uses an API function that does not exist on all versions of the target platform. This could cause portability problems or inconsistencies that allow denial of service or other consequences.
- CWE-593 Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created
The product modifies the SSL context after connection creation has begun.
- CWE-594 J2EE Framework: Saving Unserializable Objects to Disk
When the J2EE container attempts to write unserializable objects to disk there is no guarantee that the process will complete successfully.
- CWE-595 Comparison of Object References Instead of Object Contents
The product compares object references instead of the contents of the objects themselves, preventing it from detecting equivalent objects.
- CWE-607 Public Static Final Field References Mutable Object
A public or protected static final field references a mutable object, which allows the object to be changed by malicious code, or accidentally from another package.
- CWE-608 Struts: Non-private Field in ActionForm Class
An ActionForm class contains a field that has not been declared private, which can be accessed without using a setter or getter.
- CWE-651 Exposure of WSDL File Containing Sensitive Information
The Web services architecture may require exposing a Web Service Definition Language (WSDL) file that contains information on the publicly accessible services and how callers of these services should interact with them (.
- CWE-685 Function Call With Incorrect Number of Arguments
The product calls a function, procedure, or routine, but the caller specifies too many arguments, or too few arguments, which may lead to undefined behavior and resultant weaknesses.
- CWE-7 J2EE Misconfiguration: Missing Custom Error Page
The default error page of a web application should not display sensitive information about the product.
- CWE-72 Improper Handling of Apple HFS+ Alternate Data Stream Path
The product does not properly handle special paths that may identify the data or resource fork of a file on the HFS+ file system.
- CWE-773 Missing Reference to Active File Descriptor or Handle
The product does not properly maintain references to a file descriptor or handle, which prevents that file descriptor/handle from being reclaimed.
- CWE-781 Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code
The product defines an IOCTL that uses METHOD_NEITHER for I/O, but it does not validate or incorrectly validates the addresses that are provided.
- CWE-785 Use of Path Manipulation Function without Maximum-sized Buffer
The product invokes a function for normalizing paths or file names, but it provides an output buffer that is smaller than the maximum possible size, such as PATH_MAX.
- CWE-793 Only Filtering One Instance of a Special Element
The product receives data from an upstream component, but only filters a single instance of a special element before sending it to a downstream component.
- CWE-796 Only Filtering Special Elements Relative to a Marker
The product receives data from an upstream component, but only accounts for special elements positioned relative to a marker (e.g.
- CWE-797 Only Filtering Special Elements at an Absolute Position
The product receives data from an upstream component, but only accounts for special elements at an absolute position (e.g.
- CWE-8 J2EE Misconfiguration: Entity Bean Declared Remote
When an application exposes a remote interface for an entity bean, it might also expose methods that get or set the bean's data.
- CWE-806 Buffer Access Using Size of Source Buffer
The product uses the size of a source buffer when reading from or writing to a destination buffer, which may cause it to access memory that is outside of the bounds of the buffer.
- CWE-831 Signal Handler Function Associated with Multiple Signals
The product defines a function that is used as a handler for more than one signal.
- CWE-9 J2EE Misconfiguration: Weak Access Permissions for EJB Methods
If elevated access rights are assigned to EJB methods, then an attacker can take advantage of the permissions to exploit the product.
Catalogue summary
Mapped weaknesses by abstraction level. Coverage is heavily concentrated: 64.1% of all 321,047 CVE→CWE tags land on just the top 20 CWEs. A further 14,280 tags point at 42 retired category ids MITRE prohibits for mapping (e.g. CWE-264, CWE-399) — those CVEs carry no usable weakness mapping and are excluded here.
| Abstraction level | CWEs |
|---|---|
| Base | 423 |
| Variant | 205 |
| Class | 103 |
| Pillar | 10 |
| Compound | 7 |