{
  "meta": {
    "slug": "capec-cwe",
    "frameworks": [
      "CAPEC",
      "CWE"
    ],
    "labels": [
      "CAPEC",
      "CWE"
    ],
    "authoritative": "MITRE CAPEC\u2194CWE bridge (Related_Attack_Patterns)",
    "generated": "10 June 2026"
  },
  "metrics": {
    "pair": {
      "a": "CAPEC",
      "b": "CWE"
    },
    "counts": {
      "pairs": 1039,
      "rows": 2078,
      "present_a_to_b": 957,
      "present_b_to_a": 890
    },
    "reliability": {
      "reverse_presence_pct": 89.2,
      "extent_rank_correlation": 0.381,
      "completeness_a_to_b_pct": 3.2,
      "completeness_b_to_a_pct": 84.9,
      "none_rate_a_to_b_pct": 7.9,
      "none_rate_b_to_a_pct": 14.3,
      "counterpart_coverage_a": {
        "mapped": 431,
        "universe": null,
        "pct": null
      },
      "counterpart_coverage_b": {
        "mapped": 294,
        "universe": null,
        "pct": null
      }
    },
    "abstraction": {
      "breadth_a_to_b": 2.32,
      "breadth_b_to_a": 3.31,
      "depth_a_to_b": 1.04,
      "depth_b_to_a": 2.52,
      "verdict": "CWE sits at a higher level of abstraction (fans out more)",
      "intrinsic_a": null,
      "intrinsic_b": {
        "signal": "cwe_abstraction",
        "distribution": {
          "Base": 185,
          "Variant": 46,
          "Class": 50,
          "Pillar": 7,
          "Compound": 6
        }
      }
    },
    "diff": {
      "authoritative_pairs": 1212,
      "agreement": 993,
      "conflict": 219,
      "addition": 0,
      "examples": {
        "conflict": [
          [
            "CAPEC-1",
            "CWE-1191"
          ],
          [
            "CAPEC-1",
            "CWE-1193"
          ],
          [
            "CAPEC-1",
            "CWE-1297"
          ],
          [
            "CAPEC-1",
            "CWE-1311"
          ],
          [
            "CAPEC-1",
            "CWE-1315"
          ],
          [
            "CAPEC-1",
            "CWE-1318"
          ],
          [
            "CAPEC-1",
            "CWE-1320"
          ],
          [
            "CAPEC-1",
            "CWE-1321"
          ]
        ],
        "addition": []
      }
    },
    "ppt": null
  },
  "diff": {
    "authoritative_pairs": 1212,
    "agreement": 993,
    "conflict": 219,
    "addition": 0,
    "examples": {
      "conflict": [
        [
          "CAPEC-1",
          "CWE-1191"
        ],
        [
          "CAPEC-1",
          "CWE-1193"
        ],
        [
          "CAPEC-1",
          "CWE-1297"
        ],
        [
          "CAPEC-1",
          "CWE-1311"
        ],
        [
          "CAPEC-1",
          "CWE-1315"
        ],
        [
          "CAPEC-1",
          "CWE-1318"
        ],
        [
          "CAPEC-1",
          "CWE-1320"
        ],
        [
          "CAPEC-1",
          "CWE-1321"
        ]
      ],
      "addition": []
    }
  },
  "edges": [
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-1",
      "target_framework": "CWE",
      "target_id": "CWE-1191",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1191 is a hardware debug-interface flaw while CAPEC-1 is a software ACL bypass pattern; neither enables nor exploits the other."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-1",
      "target_framework": "CWE",
      "target_id": "CWE-1220",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1220 enables CAPEC-1 mostly because overly-broad policies directly permit the unauthorized access the attack seeks, while CAPEC-1 exploits the CWE only partially as one narrow missing-ACL manifestation among many granularity failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-1",
      "target_framework": "CWE",
      "target_id": "CWE-1314",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Missing write protection is one concrete instance of unconstrained functionality, so CWE-1314 enables CAPEC-1 only in that narrow sensor-parameter case while the broad ACL attack pattern exploits this hardware-specific weakness only partially."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-1",
      "target_framework": "CWE",
      "target_id": "CWE-276",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-276's permissive file defaults can indirectly aid unauthorized access to functionality (partial enablement) but CAPEC-1 targets missing functional ACLs, not file-permission surfaces (no exploitation)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-1",
      "target_framework": "CWE",
      "target_id": "CWE-285",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-285 directly supplies the missing ACL enforcement that CAPEC-1 requires, yet CAPEC-1 is only one narrow ACL-specific variant among many possible authorization failures covered by CWE-285."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-1",
      "target_framework": "CWE",
      "target_id": "CWE-693",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-693 enables CAPEC-1 fully because absent ACL protection failure the attack has no surface, while CAPEC-1 exploits CWE-693 only partially as one narrow ACL-specific variant among many protection-mechanism failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-1",
      "target_framework": "CWE",
      "target_id": "CWE-732",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-732's missing/incorrect permissions directly enable the ACL-bypass attack with no alternative path, while CAPEC-1 is only one narrow functional-URL variant of the broad permission-assignment weakness."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-10",
      "target_framework": "CWE",
      "target_id": "CWE-118",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-118 enables CAPEC-10 fully because any buffer overflow requires an out-of-bounds write (range error), yet CAPEC-10 exploits the weakness only partially as one narrow env-var variant among many possible range-error manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-10",
      "target_framework": "CWE",
      "target_id": "CWE-119",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-119 enables CAPEC-10 fully because the buffer-boundary violation is a prerequisite for any overflow, while CAPEC-10 exploits the CWE only partially as one narrow environment-variable variant among many possible manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-10",
      "target_framework": "CWE",
      "target_id": "CWE-120",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-120 enables CAPEC-10 fully because the attack hinges on the unchecked copy; CAPEC-10 exploits CWE-120 only partially as one narrow env-var variant among many."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-10",
      "target_framework": "CWE",
      "target_id": "CWE-20",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-10 fully because absent any input validation the env-var buffer write succeeds; CAPEC-10 exploits CWE-20 only partially as one narrow variant among many input-validation failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-10",
      "target_framework": "CWE",
      "target_id": "CWE-680",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-680's allocation miscalculation is unrelated to CAPEC-10's env-var data injection, so neither enables nor is exploited by the other."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-10",
      "target_framework": "CWE",
      "target_id": "CWE-697",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Incorrect comparison can contribute to faulty bounds checks that permit env-var overflows (partial enablement) while CAPEC-10 specifically targets env-var trust and buffer sizing rather than comparison logic itself (partial exploitation)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-100",
      "target_framework": "CWE",
      "target_id": "CWE-119",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-119 is the direct root weakness that fully enables any buffer overflow, yet CAPEC-100 is only one narrow variant among the many manifestations of that broad CWE."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-100",
      "target_framework": "CWE",
      "target_id": "CWE-120",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-120 is the exact missing-bounds-check condition that CAPEC-100 requires, enabling the pattern fully, yet CAPEC-100 also covers other buffer-overflow variants so it exploits this specific CWE only partially."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-100",
      "target_framework": "CWE",
      "target_id": "CWE-129",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-129 enables certain out-of-bounds writes that manifest as buffer overflows (partial) while CAPEC-100 primarily exploits broader missing bounds checks rather than array-index validation specifically (partial)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-100",
      "target_framework": "CWE",
      "target_id": "CWE-131",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-131's size miscalculation directly supplies the missing bound that CAPEC-100 needs, enabling the pattern fully, yet the broad CAPEC only partially exploits this one narrow CWE among many buffer issues."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-100",
      "target_framework": "CWE",
      "target_id": "CWE-680",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-680 directly produces the buffer overflow that CAPEC-100 executes, while CAPEC-100 is a broad pattern that only partially exploits this one specific integer-overflow variant."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-100",
      "target_framework": "CWE",
      "target_id": "CWE-805",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-805 supplies the exact incorrect-length condition that CAPEC-100 requires to overflow, yet CAPEC-100 also encompasses many other bounds-checking failures beyond length-value errors."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-101",
      "target_framework": "CWE",
      "target_id": "CWE-20",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-101 fully because unvalidated input is the direct prerequisite for successful SSI directive execution, while CAPEC-101 exploits CWE-20 only partially as one narrow injection variant among many input-validation failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-101",
      "target_framework": "CWE",
      "target_id": "CWE-74",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-74 fully enables CAPEC-101 by leaving the required neutralization failure open, while CAPEC-101 exploits that surface only partially as one narrow SSI variant among many injection families."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-101",
      "target_framework": "CWE",
      "target_id": "CWE-97",
      "extent": "full",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-97 is the exact missing neutralization that CAPEC-101 requires, so the weakness enables the pattern fully and the pattern exploits that surface fully rather than as a narrow sub-variant."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-102",
      "target_framework": "CWE",
      "target_id": "CWE-294",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-294 directly enables replay of captured tokens so CAPEC-102 cannot succeed without it; CAPEC-102 is only one narrow sniffing-based variant among many possible capture-replay manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-102",
      "target_framework": "CWE",
      "target_id": "CWE-319",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-319 enables CAPEC-102 fully because cleartext session tokens are required for sniffing to succeed, while CAPEC-102 exploits CWE-319 only partially as a narrow session-token variant among many possible sensitive-data exposures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-102",
      "target_framework": "CWE",
      "target_id": "CWE-522",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Unprotected credential transmission fully enables sidejacking (no token to sniff without it), while CAPEC-102 only partially exploits the broader CWE-522 family as one narrow sniffing variant."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-102",
      "target_framework": "CWE",
      "target_id": "CWE-523",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-523 is narrowly about login credentials in transit while CAPEC-102 targets session tokens, so the weakness does not enable the attack pattern at all, yet the attack still exploits the same general unprotected-transport surface only partially."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-102",
      "target_framework": "CWE",
      "target_id": "CWE-614",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Missing Secure flag directly exposes the cookie to any HTTP channel (enabling sidejacking fully), yet sidejacking can capture tokens via many other exposure methods (exploiting this CWE only partially)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-103",
      "target_framework": "CWE",
      "target_id": "CWE-1021",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1021 is the exact missing frame/UI restriction that clickjacking requires, enabling CAPEC-103 fully; CAPEC-103 is only one narrow realization of the broad CWE family, exploiting it only partially."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-104",
      "target_framework": "CWE",
      "target_id": "CWE-116",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Improper output encoding can be one vector for zone bypass but is neither required nor the core of CAPEC-104; the CAPEC is a narrow zone-elevation variant that only partially maps onto the broad CWE-116 family."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-104",
      "target_framework": "CWE",
      "target_id": "CWE-20",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 broadly enables zone bypasses via unvalidated URLs/headers but is not required for every CAPEC-104 vector; CAPEC-104 is one narrow variant among many CWE-20 manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-104",
      "target_framework": "CWE",
      "target_id": "CWE-250",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-250 amplifies post-escalation impact of CAPEC-104 but is not required for the zone bypass itself; CAPEC-104 targets zone privilege boundaries and only incidentally touches unnecessary-privilege surfaces."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-104",
      "target_framework": "CWE",
      "target_id": "CWE-285",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-285 does not enable CAPEC-104 (zone bypass is a browser-enforced policy flaw independent of app authorization checks), while CAPEC-104 exploits the CWE surface only partially as one narrow client-side variant."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-104",
      "target_framework": "CWE",
      "target_id": "CWE-638",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-638 does not enable zone bypass (attack works via content-loading flaws regardless of repeated mediation), while CAPEC-104 only partially exploits the CWE surface as one narrow manifestation of unchecked zone assignments."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-105",
      "target_framework": "CWE",
      "target_id": "CWE-113",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-113 enables CAPEC-105 fully because CRLF neutralization failure is the direct prerequisite for request splitting, while CAPEC-105 exploits the CWE only partially as one narrow request-oriented variant within the broader request/response family."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-105",
      "target_framework": "CWE",
      "target_id": "CWE-138",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-138 enables CAPEC-105 fully because CRLF injection requires failure to neutralize those control characters, while CAPEC-105 exploits the CWE only partially as one narrow HTTP-header variant among many possible special-element contexts."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-105",
      "target_framework": "CWE",
      "target_id": "CWE-436",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-436 enables CAPEC-105 fully because the attack requires an interpretation conflict between HTTP agents, while CAPEC-105 exploits CWE-436 only partially as one narrow HTTP-specific variant among many possible conflicts."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-105",
      "target_framework": "CWE",
      "target_id": "CWE-74",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-74 fully enables CAPEC-105 because the attack requires the ability to inject unneutralized CRLF elements into HTTP headers; CAPEC-105 exploits CWE-74 only partially as one narrow CRLF variant among many injection manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-107",
      "target_framework": "CWE",
      "target_id": "CWE-693",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-693 enables CAPEC-107 mostly by leaving TRACE unprotected, yet CAPEC-107 exploits that surface only partially as one narrow XSS-assisted variant among many possible protection failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-108",
      "target_framework": "CWE",
      "target_id": "CWE-114",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-114 enables CAPEC-108 fully because the attack requires unvalidated command execution from untrusted data, while CAPEC-108 exploits CWE-114 only partially as one narrow SQL-injection variant of the broad process-control weakness."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-108",
      "target_framework": "CWE",
      "target_id": "CWE-20",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-108 fully because both the SQL injection step and the later command execution step require absent or incorrect input validation, while CAPEC-108 exploits CWE-20 only partially as one narrow SQL-to-shell variant among many possible manifestations of the broad weakness."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-108",
      "target_framework": "CWE",
      "target_id": "CWE-74",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-74's neutralization failure is the direct prerequisite for the SQLi-to-shell sequence in CAPEC-108, yet the pattern is only one narrow manifestation among many CWE-74 variants."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-108",
      "target_framework": "CWE",
      "target_id": "CWE-78",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-78 is the direct, indispensable cause of the final command execution step, while CAPEC-108 is only one narrow SQL-mediated variant among many possible CWE-78 manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-108",
      "target_framework": "CWE",
      "target_id": "CWE-89",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-89 enables CAPEC-108 fully because the attack pattern requires successful SQL injection to reach command-line execution, yet CAPEC-108 exploits the CWE only partially as one narrow command-execution variant among many SQLi manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-109",
      "target_framework": "CWE",
      "target_id": "CWE-20",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-109 fully because unvalidated input is the direct prerequisite for ORM-generated SQL manipulation, while CAPEC-109 exploits CWE-20 only partially as one narrow ORM-specific variant among many input-validation failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-109",
      "target_framework": "CWE",
      "target_id": "CWE-564",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-564 is the exact Hibernate-specific weakness that CAPEC-109 requires to succeed, yet CAPEC-109 covers many ORM frameworks so it only partially targets this one CWE."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-109",
      "target_framework": "CWE",
      "target_id": "CWE-89",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-89 supplies the missing neutralization that CAPEC-109 requires to succeed, yet CAPEC-109 is only one narrow ORM-mediated variant among many SQL-injection manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-11",
      "target_framework": "CWE",
      "target_id": "CWE-430",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-430 enables CAPEC-11 fully because wrong-handler deployment is the direct precondition the attack needs, while CAPEC-11 exploits the weakness only partially as one narrow filename/extension variant among many possible causes."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-110",
      "target_framework": "CWE",
      "target_id": "CWE-20",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-110 fully because the attack requires absent/inadequate input validation on SOAP parameters, yet CAPEC-110 exploits the CWE only partially as one narrow delivery variant among many possible manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-110",
      "target_framework": "CWE",
      "target_id": "CWE-89",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-89 fully enables CAPEC-110 because the SOAP tampering succeeds only when neutralization fails, yet CAPEC-110 exploits the CWE only partially as one narrow delivery variant among many SQLi forms."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-111",
      "target_framework": "CWE",
      "target_id": "CWE-345",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-345 fully enables CAPEC-111 because the hijack requires the server to accept cross-origin script inclusion without authenticity checks, while CAPEC-111 is only one narrow JSON-specific variant of that broad weakness."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-111",
      "target_framework": "CWE",
      "target_id": "CWE-346",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-346 enables CAPEC-111 fully because absent any origin check the JSON endpoint can be script-included cross-domain; CAPEC-111 exploits the CWE only partially as one narrow JSON-hijacking variant among many origin-validation failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-111",
      "target_framework": "CWE",
      "target_id": "CWE-352",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CSRF weakness permits the credential-bearing request that JSON hijacking needs, yet the attack itself exploits SOP/script-inclusion rather than forged state-changing actions."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-112",
      "target_framework": "CWE",
      "target_id": "CWE-326",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Inadequate key length directly shrinks the search space so brute force becomes practical (full enablement), yet CAPEC-112 is a broad trial-and-error pattern that also targets passwords, tokens, etc. and therefore only partially exploits the crypto-specific surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-112",
      "target_framework": "CWE",
      "target_id": "CWE-330",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Insufficient randomness shrinks the secret space and thereby enables practical brute force (mostly), while CAPEC-112 brute-force is a broad pattern that only sometimes targets randomness flaws and can succeed against other weaknesses such as inherently short secrets (partial)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-112",
      "target_framework": "CWE",
      "target_id": "CWE-521",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Weak password requirements shrink the search space and thereby enable rapid brute-force attempts on passwords (mostly), while CAPEC-112 brute force is a broad technique that only partially exploits the specific password-requirement surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-114",
      "target_framework": "CWE",
      "target_id": "CWE-1244",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-114 is a broad meta-pattern on auth-mechanism abuse while CWE-1244 describes a narrow hardware debug-level misassignment that only incidentally resembles one possible auth flaw."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-114",
      "target_framework": "CWE",
      "target_id": "CWE-287",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-287's missing verification is a prerequisite that fully enables CAPEC-114's abuse sequence, yet the CAPEC is only one narrow exploitation variant among many possible manifestations of the broad CWE."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-115",
      "target_framework": "CWE",
      "target_id": "CWE-287",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-287 enables CAPEC-115 fully as the bypass cannot occur without the missing authentication proof, while CAPEC-115 exploits the CWE only partially as one broad variant among many possible manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-116",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 is the direct precondition that lets any excavation succeed, while CAPEC-116 is only one narrow probing technique among many possible exposures of CWE-200."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-117",
      "target_framework": "CWE",
      "target_id": "CWE-319",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-319 supplies the readable sensitive data that makes interception useful (mostly enabling) while CAPEC-117 is a broad sniffing pattern that only partially targets the cleartext surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-12",
      "target_framework": "CWE",
      "target_id": "CWE-201",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-201 transmits sensitive data but does not create or enable identifier-selection attacks; CAPEC-12 can partially exploit the resulting exposure surface when messages are public."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-12",
      "target_framework": "CWE",
      "target_id": "CWE-306",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-306's total lack of identity checks directly enables any identifier-based impersonation (CAPEC-12), yet CAPEC-12 is only one narrow multicast-identifier variant among many possible CWE-306 manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-120",
      "target_framework": "CWE",
      "target_id": "CWE-172",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-172's failure to normalize repeated encodings directly permits the double-encoding bypass (full enablement), while CAPEC-120 is only one narrow encoding-obfuscation variant among many CWE-172 manifestations (partial exploitation)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-120",
      "target_framework": "CWE",
      "target_id": "CWE-173",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-173 enables CAPEC-120 fully because double-encoding bypass requires mishandling of alternate encodings, while CAPEC-120 exploits the CWE only partially as one narrow encoding variant among many."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-120",
      "target_framework": "CWE",
      "target_id": "CWE-177",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-177's failure to normalize/decode URL input fully enables double-encoding bypasses, while CAPEC-120 is only one narrow encoding variant among many possible CWE-177 manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-120",
      "target_framework": "CWE",
      "target_id": "CWE-183",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Permissive allow-list (CWE-183) directly permits the doubly-encoded unsafe payload, enabling the bypass technique fully, while double-encoding (CAPEC-120) is only one narrow variant among many possible manifestations of that permissive-list flaw."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-120",
      "target_framework": "CWE",
      "target_id": "CWE-184",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Incomplete blacklist (CWE-184) fully enables double-encoding bypass because the attack succeeds exactly when encoded forms are absent from the list, while CAPEC-120 exploits that surface only partially as one narrow encoding variant among many possible bypasses."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-120",
      "target_framework": "CWE",
      "target_id": "CWE-20",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-120 fully because double-encoding bypass succeeds only when validation fails to normalize/decode input; CAPEC-120 exploits CWE-20 only partially as one narrow encoding variant among many possible validation failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-120",
      "target_framework": "CWE",
      "target_id": "CWE-692",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Incomplete denylist (CWE-692) fully enables double-encoding bypass (CAPEC-120) because the attack succeeds precisely when the denylist omits encoded forms; CAPEC-120 exploits that surface only partially as one narrow encoding variant among many possible XSS bypasses."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-120",
      "target_framework": "CWE",
      "target_id": "CWE-697",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Incorrect comparison enables double-encoding bypass by failing to normalize/decode before matching (mostly), while CAPEC-120 is only one narrow encoding-specific variant of that broad CWE (partial)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-120",
      "target_framework": "CWE",
      "target_id": "CWE-74",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-74's neutralization failure is the direct prerequisite that lets double-encoded payloads reach the parser (full enable), while CAPEC-120 is only one narrow encoding tactic among many injection variants (partial exploit)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-121",
      "target_framework": "CWE",
      "target_id": "CWE-1295",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "A enables B only partially because debug-message leakage is one possible symptom of an exposed debug interface but the CAPEC can succeed via functionality access alone; B exploits A only partially because it targets the broader class of non-production interfaces rather than the narrow debug-message weakness."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-121",
      "target_framework": "CWE",
      "target_id": "CWE-1313",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1313 directly supplies the enabled runtime debug surface that CAPEC-121 requires, yet CAPEC-121 covers many non-hardware interface variants beyond this specific weakness."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-121",
      "target_framework": "CWE",
      "target_id": "CWE-489",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-489 is the exact condition (active debug code) that CAPEC-121 requires, enabling it fully, yet the CAPEC covers a broader set of non-production interfaces so exploits the CWE only partially."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-122",
      "target_framework": "CWE",
      "target_id": "CWE-269",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-269 directly enables CAPEC-122 because absent/misconfigured privilege controls are a prerequisite for the abuse; CAPEC-122 exploits only the exposure sub-case of the broader CWE-269 surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-122",
      "target_framework": "CWE",
      "target_id": "CWE-732",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-732's misconfigured permissions directly enable the described privilege abuse with no alternative path, while CAPEC-122 broadly covers multiple access-control failure modes beyond just resource permission assignment."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-123",
      "target_framework": "CWE",
      "target_id": "CWE-119",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-119 enables CAPEC-123 fully because the attack cannot succeed without an out-of-bounds buffer operation, yet CAPEC-123 exploits the CWE only partially as one narrow manipulation variant among many possible manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-124",
      "target_framework": "CWE",
      "target_id": "CWE-1189",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1189's missing isolation is the direct prerequisite that lets CAPEC-124 succeed, yet the broad CAPEC pattern only partially targets the narrower SoC-specific surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-125",
      "target_framework": "CWE",
      "target_id": "CWE-770",
      "extent": "mostly",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-770 fully enables CAPEC-125 by removing any rate or allocation limits that flooding requires, while CAPEC-125 exploits that exact surface as its primary mechanism yet remains one broad variant among related resource-exhaustion patterns."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-126",
      "target_framework": "CWE",
      "target_id": "CWE-22",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-22 is the exact class of neutralization failure that CAPEC-126 requires to succeed (full enablement), yet CAPEC-126 remains only one concrete variant (dot-dot-slash and similar) among many possible manifestations of that CWE (partial exploitation)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-127",
      "target_framework": "CWE",
      "target_id": "CWE-285",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Improper authorization can allow an attacker to reach a directory that then lists contents, but directory indexing occurs independently via server configuration and does not specifically exploit an authorization-check surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-127",
      "target_framework": "CWE",
      "target_id": "CWE-288",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-288 is an auth-bypass condition while CAPEC-127 is a directory-enumeration technique; neither depends on nor is a variant of the other."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-127",
      "target_framework": "CWE",
      "target_id": "CWE-424",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-424 directly enables directory listing by leaving the dir-path access unprotected, but CAPEC-127 is only one narrow manifestation of that broad weakness class."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-127",
      "target_framework": "CWE",
      "target_id": "CWE-425",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-425 permits direct access to protected paths but directory indexing is primarily a server-configuration behavior rather than an authorization bypass, so the weakness only partially enables the pattern and the pattern does not exploit the CWE surface at all."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-127",
      "target_framework": "CWE",
      "target_id": "CWE-693",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-693 enables CAPEC-127 fully because directory listing occurs only when protective controls are absent or misconfigured; CAPEC-127 exploits the CWE only partially as one narrow variant among many possible protection failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-127",
      "target_framework": "CWE",
      "target_id": "CWE-732",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-732 governs read/modify rights on a resource while CAPEC-127 only triggers a directory-listing response; neither the listing behavior nor its exploitation surface depends on permission mis-assignment."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-128",
      "target_framework": "CWE",
      "target_id": "CWE-682",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-682 enables CAPEC-128 fully because integer wrap/overflow directly produces the incorrect results the weakness describes, while CAPEC-128 exploits the CWE only partially as one narrow integer-specific variant among many calculation flaws."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-129",
      "target_framework": "CWE",
      "target_id": "CWE-682",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Incorrect calculations (esp. integer errors) can supply bad pointer values and thus enable pointer manipulation as one step, while CAPEC-129 only sometimes exploits that surface via integer attacks rather than directly targeting calculation flaws."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-129",
      "target_framework": "CWE",
      "target_id": "CWE-822",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-822 fully enables CAPEC-129 because untrusted pointer values are the direct prerequisite for the described manipulation, while CAPEC-129 exploits the CWE only partially as one broad technique among many pointer variants."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-129",
      "target_framework": "CWE",
      "target_id": "CWE-823",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-823's out-of-range arithmetic directly supplies the mechanism for CAPEC-129's unintended-memory access (full enablement), yet the broad CAPEC pattern covers many pointer techniques beyond this single offset flaw (partial exploitation)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-13",
      "target_framework": "CWE",
      "target_id": "CWE-15",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-15 fully enables CAPEC-13 because env-var tampering requires external control of a configuration setting, yet CAPEC-13 only partially exploits CWE-15 as one narrow instance among many possible settings."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-13",
      "target_framework": "CWE",
      "target_id": "CWE-20",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-13 fully because environment variables are unvalidated inputs whose subversion directly depends on that flaw, while CAPEC-13 exploits CWE-20 only partially as one narrow variant among many CWE-20 manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-13",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-13 exploits improper env-var handling to alter behavior and may incidentally expose data, but CWE-200 is neither required nor the hinge of the attack pattern."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-13",
      "target_framework": "CWE",
      "target_id": "CWE-285",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-285 concerns missing authorization checks on resources/actions while CAPEC-13 targets untrusted environment-variable handling; neither enables nor exploits the other."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-13",
      "target_framework": "CWE",
      "target_id": "CWE-302",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-302's core flaw (trusting mutable data for auth) directly enables env-var subversion when those vars carry auth state, but CAPEC-13 remains a narrow, non-auth-specific variant."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-13",
      "target_framework": "CWE",
      "target_id": "CWE-73",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-73 does not enable CAPEC-13 (env-var subversion works on many non-path settings), while CAPEC-13 exploits CWE-73 only in the narrow path-related subset of env vars."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-13",
      "target_framework": "CWE",
      "target_id": "CWE-74",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-74 enables CAPEC-13 because improper neutralization of env-var inputs allows the subversion to succeed, while CAPEC-13 is only one narrow injection vector among the many covered by the broad CWE-74 family."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-130",
      "target_framework": "CWE",
      "target_id": "CWE-1325",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1325 directly enables CAPEC-130 by removing any total-memory bound on sequential allocations, while CAPEC-130 is a broad resource-exhaustion pattern that only partially maps onto this specific sequential-allocation flaw."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-130",
      "target_framework": "CWE",
      "target_id": "CWE-770",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-770 enables CAPEC-130 fully because unlimited allocation is the direct prerequisite for the single-request exhaustion; CAPEC-130 exploits the CWE only partially as one narrow non-flooding variant among many possible manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-131",
      "target_framework": "CWE",
      "target_id": "CWE-404",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-404 is the direct cause of the leaks CAPEC-131 triggers, enabling the pattern fully, yet CAPEC-131 remains one narrow variant of the broad CWE family."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-132",
      "target_framework": "CWE",
      "target_id": "CWE-59",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-59 enables CAPEC-132 fully because symlink attacks require the missing link-resolution check, yet CAPEC-132 exploits the CWE only partially as one narrow symlink variant within the broader link-following family."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-133",
      "target_framework": "CWE",
      "target_id": "CWE-912",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Hidden functionality supplies the target surface that switch-probing seeks, enabling the pattern to succeed, yet the CAPEC remains only one narrow discovery tactic among many possible manifestations of CWE-912."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-134",
      "target_framework": "CWE",
      "target_id": "CWE-150",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-150 enables CAPEC-134 fully because email header injection requires unneutralized CRLF/control delimiters; CAPEC-134 exploits the CWE only partially as one narrow variant among many possible control-sequence abuses."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-135",
      "target_framework": "CWE",
      "target_id": "CWE-134",
      "extent": "full",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-134 is the exact condition (externally-controlled format string) that CAPEC-135 directly injects into, so the weakness enables the pattern fully and the pattern exploits that surface fully."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-135",
      "target_framework": "CWE",
      "target_id": "CWE-20",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-135 fully because format-string injection requires unvalidated user input to reach a vulnerable formatting function; CAPEC-135 exploits CWE-20 only partially as one narrow variant among many input-validation failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-135",
      "target_framework": "CWE",
      "target_id": "CWE-74",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-74 fully enables CAPEC-135 by omitting neutralization of format specifiers, while the CAPEC only partially exploits the CWE as one narrow injection variant among many."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-136",
      "target_framework": "CWE",
      "target_id": "CWE-20",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-136 fully because LDAP injection requires unvalidated input to succeed, while CAPEC-136 exploits CWE-20 only partially as one narrow injection variant among many."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-136",
      "target_framework": "CWE",
      "target_id": "CWE-77",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-136 hinges on LDAP-specific neutralization failure (CWE-90), not the broader command-oriented CWE-77."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-136",
      "target_framework": "CWE",
      "target_id": "CWE-90",
      "extent": "full",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-90 is the exact root weakness that CAPEC-136 requires and directly performs, so each fully satisfies the other's definition."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-137",
      "target_framework": "CWE",
      "target_id": "CWE-88",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-88's missing delimiter neutralization directly supplies the surface CAPEC-137 needs to succeed, yet CAPEC-137 is a broad parameter-manipulation pattern of which argument injection is only one narrow realization."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-138",
      "target_framework": "CWE",
      "target_id": "CWE-470",
      "extent": "mostly",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-470 directly supplies the uncontrolled reflection surface that CAPEC-138 requires, enabling the pattern fully, while CAPEC-138 is one concrete injection variant that exploits the CWE's surface only mostly."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-139",
      "target_framework": "CWE",
      "target_id": "CWE-23",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-23 enables CAPEC-139 fully as the attack hinges directly on unneutralized relative traversal, while CAPEC-139 exploits the CWE only partially as one narrow variant among many possible manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-14",
      "target_framework": "CWE",
      "target_id": "CWE-118",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-118 range errors directly enable buffer overflows (CAPEC-14) but are not the sole cause; CAPEC-14's narrow client-injection variant exploits that surface only partially."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-14",
      "target_framework": "CWE",
      "target_id": "CWE-119",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-119 fully enables CAPEC-14 because the attack cannot succeed without an out-of-bounds buffer operation, yet CAPEC-14 only partially exploits CWE-119 by instantiating one narrow client-side injection variant among many possible buffer-overflow manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-14",
      "target_framework": "CWE",
      "target_id": "CWE-120",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-120 fully enables CAPEC-14 (attack cannot succeed without the unchecked buffer copy) while CAPEC-14 only partially exploits CWE-120 (narrow client-side injection variant of the broad classic buffer-overflow family)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-14",
      "target_framework": "CWE",
      "target_id": "CWE-20",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 directly enables CAPEC-14 because missing length/format checks are what allow the injected content to overflow the buffer, yet CAPEC-14 only covers one narrow client-injection variant among many possible CWE-20 failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-14",
      "target_framework": "CWE",
      "target_id": "CWE-680",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-680 produces one class of BOF that CAPEC-14 could leverage, but the attack pattern works with any client BOF and never targets the integer-calculation surface itself."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-14",
      "target_framework": "CWE",
      "target_id": "CWE-697",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-14 requires a buffer-overflow vuln whose root cause may be an incorrect comparison but can equally be many other CWEs; the CAPEC itself never depends on CWE-697."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-14",
      "target_framework": "CWE",
      "target_id": "CWE-74",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-74 enables the injection vector that CAPEC-14 requires to reach the client buffer overflow, but CAPEC-14 is only one narrow client-side manifestation of the broad CWE-74 family."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-140",
      "target_framework": "CWE",
      "target_id": "CWE-372",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-372's missing state tracking directly enables form-sequence bypass (full), while CAPEC-140 is only one narrow manifestation of that state flaw (partial)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-141",
      "target_framework": "CWE",
      "target_id": "CWE-345",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-345 directly enables cache poisoning by allowing unauthenticated data to be accepted as valid, while CAPEC-141 is only one narrow variant among many possible manifestations of the broad CWE."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-141",
      "target_framework": "CWE",
      "target_id": "CWE-346",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-346 enables cache poisoning mostly by allowing untrusted data to be accepted into caches, but CAPEC-141 exploits it only partially as one narrow variant among multiple poisoning techniques."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-141",
      "target_framework": "CWE",
      "target_id": "CWE-348",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-348 directly enables cache poisoning by allowing attacker-controlled data from the weaker source to be cached, but CAPEC-141 is only one narrow manifestation among many possible exploits of that source-selection flaw."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-141",
      "target_framework": "CWE",
      "target_id": "CWE-349",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-141 relies on trusting a poisoned cache entry itself rather than mixing extraneous untrusted data with trusted data as CWE-349 describes."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-142",
      "target_framework": "CWE",
      "target_id": "CWE-345",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-345 enables CAPEC-142 fully because forged DNS responses succeed only when authenticity checks are absent, while CAPEC-142 exploits the CWE only partially as one narrow DNS-specific variant among many possible authenticity failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-142",
      "target_framework": "CWE",
      "target_id": "CWE-346",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-346 enables CAPEC-142 fully because spoofed DNS responses succeed only when origin validation is absent; CAPEC-142 exploits the CWE only partially as one narrow DNS-specific variant among many possible origin-validation failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-142",
      "target_framework": "CWE",
      "target_id": "CWE-348",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-348 enables CAPEC-142 fully because poisoning succeeds only when the victim accepts the less-trusted (poisoned) DNS source; CAPEC-142 exploits the CWE only partially as one narrow DNS-specific variant among many possible less-trusted-source abuses."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-142",
      "target_framework": "CWE",
      "target_id": "CWE-349",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-142 hinges on unauthenticated DNS response spoofing rather than mixing trusted/untrusted data, though some poisoning variants may touch CWE-349."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-142",
      "target_framework": "CWE",
      "target_id": "CWE-350",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-142 targets forward DNS A-record poisoning while CWE-350 is strictly about unverified reverse (PTR) lookups."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-143",
      "target_framework": "CWE",
      "target_id": "CWE-425",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-425 directly enables CAPEC-143 by exposing unpublicized resources (full); CAPEC-143 is only one reconnaissance variant among many forced-browsing manifestations (partial)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-144",
      "target_framework": "CWE",
      "target_id": "CWE-425",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-425 directly enables CAPEC-144 by leaving unpublished endpoints reachable via forced browsing, while CAPEC-144 is only one narrow discovery variant among many CWE-425 manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-145",
      "target_framework": "CWE",
      "target_id": "CWE-354",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-354 enables CAPEC-145 fully (spoofed checksum is accepted only when validation is absent or broken) while CAPEC-145 exploits the CWE only partially (narrow checksum spoofing is one specific variant of the broad integrity-check family)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-146",
      "target_framework": "CWE",
      "target_id": "CWE-15",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-15 fully enables CAPEC-146 because schema poisoning requires external control over the schema treated as a configuration artifact, while the narrow XML-specific attack only partially exploits the broad class of externally-controlled settings."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-146",
      "target_framework": "CWE",
      "target_id": "CWE-472",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-472 enables schema poisoning by allowing external modification of parameters assumed immutable (e.g., schema refs in hidden fields), but CAPEC-146 is one narrow XML-specific variant among many possible manifestations of the CWE."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-147",
      "target_framework": "CWE",
      "target_id": "CWE-400",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-400 enables CAPEC-147 fully because the DoS hinges on absent resource controls, yet CAPEC-147 exploits the CWE only partially as one narrow XML-flooding variant among many resource-consumption manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-147",
      "target_framework": "CWE",
      "target_id": "CWE-770",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-770 enables CAPEC-147 fully because unbounded allocation is required for any resource-depletion DoS to succeed, while CAPEC-147 exploits the CWE only partially as one narrow XML/SOAP flooding variant among many possible manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-148",
      "target_framework": "CWE",
      "target_id": "CWE-345",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-345 directly enables CAPEC-148 by allowing spoofed content to be accepted as authentic; CAPEC-148 is only one narrow variant among many possible manifestations of insufficient authenticity checks."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-149",
      "target_framework": "CWE",
      "target_id": "CWE-377",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-377's predictable-name surface is exactly what CAPEC-149 requires (full enablement), yet the CAPEC is only one narrow manifestation among the broader set of insecure-temp-file issues covered by the CWE (partial exploitation)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-15",
      "target_framework": "CWE",
      "target_id": "CWE-138",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-138 fully enables CAPEC-15 because the delimiter injection succeeds only when neutralization fails, yet CAPEC-15 remains one narrow variant among many possible CWE-138 manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-15",
      "target_framework": "CWE",
      "target_id": "CWE-140",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-140 fully enables CAPEC-15 because the attack cannot succeed without unneutralized delimiters, yet CAPEC-15 only covers one narrow command-injection variant of the broader delimiter-neutralization weakness."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-15",
      "target_framework": "CWE",
      "target_id": "CWE-146",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-146 directly enables CAPEC-15 (attack needs the delimiter neutralization failure) while CAPEC-15 exploits only one narrow slice of the broad CWE family."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-15",
      "target_framework": "CWE",
      "target_id": "CWE-154",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-154 addresses only variable-name delimiters while CAPEC-15 requires command-separator delimiters, so neither enables nor exploits the other."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-15",
      "target_framework": "CWE",
      "target_id": "CWE-157",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-157 enables CAPEC-15 only partially because paired structural delimiters are one possible vector among many non-paired command delimiters; CAPEC-15 exploits the paired-delimiter surface only partially as a narrow command-separator variant."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-15",
      "target_framework": "CWE",
      "target_id": "CWE-184",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Incomplete denylist directly enables the delimiter injection by omitting the needed tokens, while CAPEC-15 is only one narrow variant among many possible bypasses of that weakness."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-15",
      "target_framework": "CWE",
      "target_id": "CWE-185",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Incorrect regex directly weakens denylist validation enough to admit unseen delimiters (mostly enabling), yet CAPEC-15 targets the broader denylist flaw rather than regex specifically (partial exploitation)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-15",
      "target_framework": "CWE",
      "target_id": "CWE-697",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Incorrect comparison in denylist validation directly enables delimiter injection, yet CAPEC-15 is only one narrow variant among many possible incorrect-comparison flaws."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-15",
      "target_framework": "CWE",
      "target_id": "CWE-77",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-77 fully enables CAPEC-15 because delimiter injection requires the absence of neutralization, while CAPEC-15 only partially exploits CWE-77 as one narrow variant among many command-injection techniques."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-15",
      "target_framework": "CWE",
      "target_id": "CWE-78",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-78 fully enables CAPEC-15 because the delimiter attack requires the neutralization failure, while CAPEC-15 only partially exploits CWE-78 as one narrow variant among many OS command injection techniques."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-15",
      "target_framework": "CWE",
      "target_id": "CWE-93",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CRLF is one possible command delimiter so CWE-93 enables only that variant of CAPEC-15 while CAPEC-15 only partially targets the CRLF neutralization surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-150",
      "target_framework": "CWE",
      "target_id": "CWE-1323",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1323 places trace data in unprotected locations that CAPEC-150 can target, enabling the pattern only as one possible instance, while the broad collection attack exploits this narrow weakness surface only partially."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-150",
      "target_framework": "CWE",
      "target_id": "CWE-552",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-552 fully enables CAPEC-150 by exposing the predictable locations the attack needs, while CAPEC-150 only partially exploits CWE-552 as one broad collection tactic among many possible weaknesses."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-151",
      "target_framework": "CWE",
      "target_id": "CWE-287",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-287 enables CAPEC-151 fully as spoofing requires the missing verification, yet the CAPEC is only one narrow variant among many possible exploits of the broad authentication weakness."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-153",
      "target_framework": "CWE",
      "target_id": "CWE-20",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 fully enables CAPEC-153 because the manipulation attack cannot succeed without a validation failure, yet CAPEC-153 only partially exploits CWE-20 as one narrow data-format variant among many possible input-validation weaknesses."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-154",
      "target_framework": "CWE",
      "target_id": "CWE-451",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-451 fully enables CAPEC-154 because resource-location spoofing cannot succeed without UI misrepresentation of the true source, yet CAPEC-154 is only one narrow variant among many CWE-451 manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-155",
      "target_framework": "CWE",
      "target_id": "CWE-377",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-377 directly supplies the sensitive temp-file exposure that CAPEC-155 requires, yet CAPEC-155 is only one narrow information-disclosure variant among many possible exploits of the CWE."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-157",
      "target_framework": "CWE",
      "target_id": "CWE-311",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Missing encryption lets sniffing obtain plaintext sensitive data directly (full enablement), while the broad passive sniffing pattern only partially targets the specific encryption omission surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-158",
      "target_framework": "CWE",
      "target_id": "CWE-311",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Missing encryption fully enables sniffing to obtain readable sensitive data, while sniffing only partially exploits the broad CWE as one transmission-specific variant among many."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-159",
      "target_framework": "CWE",
      "target_id": "CWE-706",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-706 supplies the exact incorrect-resolution surface CAPEC-159 needs, yet the CAPEC is only one narrow library-redirection variant among many CWE-706 manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-16",
      "target_framework": "CWE",
      "target_id": "CWE-262",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-16 exploits weak dictionary passwords + absent throttling/policy enforcement; password aging is only a tangential element of that policy surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-16",
      "target_framework": "CWE",
      "target_id": "CWE-263",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Long expiration gives a dictionary attack more calendar time to succeed but is not required for the attack to run; CAPEC-16 targets guessable passwords, not the aging policy itself."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-16",
      "target_framework": "CWE",
      "target_id": "CWE-307",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-307 fully enables CAPEC-16 by permitting unlimited guesses, yet CAPEC-16 only partially exploits the weakness as one narrow dictionary variant among many possible authentication attacks."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-16",
      "target_framework": "CWE",
      "target_id": "CWE-308",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-308 enables CAPEC-16 fully because dictionary attacks succeed only when a single password factor is sufficient, while CAPEC-16 exploits that surface only partially as one narrow password-guessing variant among many."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-16",
      "target_framework": "CWE",
      "target_id": "CWE-309",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-309 enables CAPEC-16 fully because dictionary attacks require a password auth surface, yet CAPEC-16 only exploits one narrow manifestation among many possible password weaknesses."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-16",
      "target_framework": "CWE",
      "target_id": "CWE-521",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Weak requirements fully enable dictionary attacks by allowing guessable words, yet the narrow CAPEC variant only partially exploits the broader CWE surface of all possible weak-password flaws."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-16",
      "target_framework": "CWE",
      "target_id": "CWE-654",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-654 enables CAPEC-16 fully because dictionary attacks succeed precisely when authentication rests on a single factor; CAPEC-16 exploits the CWE only partially as one narrow password-specific variant among many possible single-factor abuses."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-160",
      "target_framework": "CWE",
      "target_id": "CWE-346",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-160 exploits failures to filter script input (primarily code-injection CWEs) while CWE-346 addresses only the narrower origin-check aspect that is incidental here."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-161",
      "target_framework": "CWE",
      "target_id": "CWE-923",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-923's missing endpoint verification directly enables routing/infra manipulation attacks, while CAPEC-161 is a broad pattern that only partially maps onto this specific CWE surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-162",
      "target_framework": "CWE",
      "target_id": "CWE-602",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-602 fully enables the attack by letting the server trust client-controlled values, while CAPEC-162 exploits that surface only partially as one narrow hidden-field variant."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-163",
      "target_framework": "CWE",
      "target_id": "CWE-451",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-451 supplies the deceptive surface that spear-phishing messages rely on for credibility, yet CAPEC-163 is only one narrow, targeted variant among many phishing techniques that can exploit the same weakness."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-164",
      "target_framework": "CWE",
      "target_id": "CWE-451",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-451 directly supplies the spoofing surface that any phishing attack (including CAPEC-164) requires to succeed, yet CAPEC-164 is only one narrow mobile-SMS variant among many possible CWE-451 manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-166",
      "target_framework": "CWE",
      "target_id": "CWE-1221",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Incorrect defaults supply one reachable bad prior state that a reset can target, yet CAPEC-166 works against any prior insecure configuration and is not limited to register defaults."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-166",
      "target_framework": "CWE",
      "target_id": "CWE-306",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Missing auth on reset functions directly enables the CAPEC-166 reset-to-prior-state attack (full), while the narrow reset pattern only partially covers the broad CWE-306 surface (partial)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-168",
      "target_framework": "CWE",
      "target_id": "CWE-69",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-69 is the direct precondition that lets CAPEC-168 succeed, yet CAPEC-168 is only one narrow ADS variant among the weakness's possible manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-169",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 is not required to perform general reconnaissance (forward), yet CAPEC-169 can discover exposed sensitive data as one of many possible information-gathering steps (reverse)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-17",
      "target_framework": "CWE",
      "target_id": "CWE-270",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-17 exploits broad file-permission misconfigurations, not context-switching errors, so the CWE is neither required nor the hinge of the attack pattern."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-17",
      "target_framework": "CWE",
      "target_id": "CWE-272",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-272's failure to drop privileges directly enables file upload/execution attacks by granting the needed access surface, while CAPEC-17 is only one narrow manifestation among many possible least-privilege violations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-17",
      "target_framework": "CWE",
      "target_id": "CWE-282",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Improper ownership directly enables unauthorized file execution in many cases, while CAPEC-17 is only one narrow variant among many possible ownership-related exploits."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-17",
      "target_framework": "CWE",
      "target_id": "CWE-285",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Improper authorization directly enables file upload/execution attacks by omitting privilege checks, but CAPEC-17 is only one narrow manifestation among many authorization failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-17",
      "target_framework": "CWE",
      "target_id": "CWE-693",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Absence of any protection mechanism directly enables arbitrary malicious-file execution, while CAPEC-17 is only one narrow variant among the many ways CWE-693 can be manifested."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-17",
      "target_framework": "CWE",
      "target_id": "CWE-732",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Incorrect permissions directly grant the file access/execution surface CAPEC-17 needs, while the pattern itself is broader than permission errors alone."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-170",
      "target_framework": "CWE",
      "target_id": "CWE-497",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-497 directly supplies the sensitive version/implementation data that CAPEC-170 probes for, enabling the pattern to a high degree, yet the narrow fingerprinting variant only partially exploits the broad exposure surface of CWE-497."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-173",
      "target_framework": "CWE",
      "target_id": "CWE-451",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-451 enables CAPEC-173 mostly via technical/UI vectors such as clickjacking but not social-engineering variants; CAPEC-173 exploits the CWE only partially because it is one narrow manifestation among several possible UI-misrepresentation abuses."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-174",
      "target_framework": "CWE",
      "target_id": "CWE-88",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-174 exploits unsanitized FlashVars in an HTML/Flash context (leading to script injection), which only tangentially overlaps the general command-argument delimiter weakness described by CWE-88."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-175",
      "target_framework": "CWE",
      "target_id": "CWE-829",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-829 enables CAPEC-175 fully because the attack cannot succeed without importing executable code from an untrusted sphere, while CAPEC-175 exploits the CWE only partially as one narrow reference-replacement variant among many possible manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-176",
      "target_framework": "CWE",
      "target_id": "CWE-1233",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-176 is a meta pattern centered on external software config files, only tangentially related to this hardware register lock flaw."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-176",
      "target_framework": "CWE",
      "target_id": "CWE-1234",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-176 is a broad meta pattern centered on external config files/libraries while CWE-1234 describes a narrow hardware debug-mode bypass, so the weakness is irrelevant to the attack but the attack could touch the weakness via environment manipulation."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-176",
      "target_framework": "CWE",
      "target_id": "CWE-1304",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-176 is a broad meta pattern for any external config tampering while CWE-1304 describes one narrow hardware power-state integrity flaw that the meta pattern might incidentally touch."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-176",
      "target_framework": "CWE",
      "target_id": "CWE-1328",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Mutable version numbers let config manipulation achieve rollback (partial enablement) while config manipulation is only one narrow way to target this specific weakness (partial exploitation)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-176",
      "target_framework": "CWE",
      "target_id": "CWE-15",
      "extent": "mostly",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-15 directly supplies the external controllability that CAPEC-176 requires to succeed, while CAPEC-176 is the canonical manipulation pattern that exercises that surface rather than one narrow sub-variant."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-177",
      "target_framework": "CWE",
      "target_id": "CWE-706",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-706's incorrect name resolution is the direct prerequisite that lets CAPEC-177 succeed (full enablement), yet CAPEC-177 is only one narrow file-name-collision variant among many CWE-706 manifestations (partial exploitation)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-178",
      "target_framework": "CWE",
      "target_id": "CWE-601",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Open redirect supplies one possible vector for attacker-controlled external URLs referenced by Flash, but CAPEC-178 fundamentally exploits Flash's own URL-handling surface rather than depending on CWE-601."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-18",
      "target_framework": "CWE",
      "target_id": "CWE-80",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-80's neutralization failure directly enables script injection via unexpected tags (mostly), while CAPEC-18 is only one narrow non-script variant among many CWE-80 manifestations (partial)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-180",
      "target_framework": "CWE",
      "target_id": "CWE-1190",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-180 broadly covers access-control misconfigurations; CWE-1190 is a narrow boot-order/DMA timing flaw that only incidentally resembles one such misconfiguration."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-180",
      "target_framework": "CWE",
      "target_id": "CWE-1191",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1191 directly supplies the missing access-control surface that CAPEC-180 requires, yet CAPEC-180 remains a broad pattern that only partially maps onto this hardware-specific weakness."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-180",
      "target_framework": "CWE",
      "target_id": "CWE-1220",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1220 supplies one specific misconfiguration vector that CAPEC-180 can use, yet the attack pattern neither requires nor is limited to insufficient granularity."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-180",
      "target_framework": "CWE",
      "target_id": "CWE-1268",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1268 is a direct hardware access-control misconfiguration that enables the bypass in CAPEC-180, yet CAPEC-180 is a broad pattern that only partially targets this narrow inconsistency."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-180",
      "target_framework": "CWE",
      "target_id": "CWE-1320",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1320 concerns alert-signal protection while CAPEC-180 targets access-control misconfiguration; neither enables nor exploits the other."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-180",
      "target_framework": "CWE",
      "target_id": "CWE-732",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-732 directly supplies the misconfigured permissions that CAPEC-180 requires, enabling the pattern fully, yet CAPEC-180 is a broad access-control family that only partially covers this specific permission-assignment weakness."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-181",
      "target_framework": "CWE",
      "target_id": "CWE-1021",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1021 enables CAPEC-181 fully because absent UI-layer restrictions the Flash overlay has no surface to hijack, while CAPEC-181 exploits the CWE only partially as one narrow Flash-specific variant among many clickjacking techniques."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-182",
      "target_framework": "CWE",
      "target_id": "CWE-184",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Incomplete disallowed-input list directly permits attacker-controlled flash references (mostly enabling), while Flash Injection is only one narrow manifestation among many possible blacklist evasions (partial exploitation)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-182",
      "target_framework": "CWE",
      "target_id": "CWE-20",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-182 fully because unvalidated parameters are required for attacker-controlled Flash references, yet CAPEC-182 exploits only one narrow slice of the broad CWE-20 surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-182",
      "target_framework": "CWE",
      "target_id": "CWE-697",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Incorrect comparison can be one enabling factor for loading attacker-controlled Flash references but is not required for the pattern, while CAPEC-182 is a narrow injection variant that only sometimes exploits comparison flaws."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-183",
      "target_framework": "CWE",
      "target_id": "CWE-77",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-77 directly supplies the missing neutralization that CAPEC-183 requires, yet CAPEC-183 is only one narrow IMAP/SMTP variant of the broad command-injection family."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-184",
      "target_framework": "CWE",
      "target_id": "CWE-494",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-494 directly supplies the missing verification step that most download-based instances of CAPEC-184 rely on, yet CAPEC-184 remains a broad family that also covers non-download integrity violations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-185",
      "target_framework": "CWE",
      "target_id": "CWE-494",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-494 is the direct precondition that lets CAPEC-185 succeed, yet CAPEC-185 is a broad social-engineering pattern that can also exploit other weaknesses."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-186",
      "target_framework": "CWE",
      "target_id": "CWE-494",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-494 enables CAPEC-186 fully because absent any integrity/origin check the spoofed update executes; CAPEC-186 exploits the CWE only partially as one narrow update-spoofing variant among many possible downloads."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-187",
      "target_framework": "CWE",
      "target_id": "CWE-494",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-494 fully enables CAPEC-187 because the attack cannot succeed without the missing integrity validation on downloaded code, while CAPEC-187 exploits the CWE only partially as one narrow redirection-based update variant."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-188",
      "target_framework": "CWE",
      "target_id": "CWE-1278",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1278 enables one specific hardware imaging technique within the broad CAPEC-188 pattern (hence partial) while CAPEC-188 only touches this narrow IC-imaging surface among many RE variants (hence partial)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-189",
      "target_framework": "CWE",
      "target_id": "CWE-1255",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-189 is a broad reverse-engineering pattern that lists physical side-effects only as one possible technique among many, while CWE-1255 describes one narrow power-analysis weakness."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-189",
      "target_framework": "CWE",
      "target_id": "CWE-1300",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1300 directly supplies the unprotected emissions that CAPEC-189's physical-side-effect step requires, yet black-box RE can still succeed via non-physical I/O methods, so the pattern exploits only one narrow slice of the weakness surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-189",
      "target_framework": "CWE",
      "target_id": "CWE-203",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Observable discrepancy supplies useful behavioral signals that aid black-box analysis but is neither required nor the sole technique; CAPEC-189 therefore only partially exploits this particular CWE surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-19",
      "target_framework": "CWE",
      "target_id": "CWE-284",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-284 enables CAPEC-19 mostly by permitting unauthorized script execution; CAPEC-19 exploits that surface only partially as one narrow injection variant among many access-control failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-190",
      "target_framework": "CWE",
      "target_id": "CWE-912",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-912 supplies the hidden functionality that CAPEC-190 is designed to locate, enabling the pattern fully, yet the pattern itself is only one narrow reverse-engineering technique among many possible ways to surface such functionality."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-191",
      "target_framework": "CWE",
      "target_id": "CWE-798",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Hard-coded credentials are the canonical sensitive constant targeted by CAPEC-191, enabling the pattern fully, yet the pattern only covers the executable-analysis slice of the CWE's broader exploitation surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-192",
      "target_framework": "CWE",
      "target_id": "CWE-326",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-192 is broad protocol reverse-engineering that may incidentally exploit weak crypto but does not rely on it."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-193",
      "target_framework": "CWE",
      "target_id": "CWE-98",
      "extent": "full",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-98 is the exact weakness that CAPEC-193 is written to exploit, so the weakness enables the pattern fully and the pattern exploits that weakness's surface fully."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-194",
      "target_framework": "CWE",
      "target_id": "CWE-287",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-287 is a prerequisite for the attack to succeed at all, yet CAPEC-194 represents only one narrow manifestation among many possible authentication exploits."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-196",
      "target_framework": "CWE",
      "target_id": "CWE-384",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-384's failure to invalidate existing SIDs directly supplies the post-auth surface a forged credential needs (mostly), while CAPEC-196's forging variant only exercises one narrow slice of that surface (partial)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-196",
      "target_framework": "CWE",
      "target_id": "CWE-664",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-664's lifetime-control failure directly supplies the surface needed to forge usable credentials (mostly enabling), yet CAPEC-196 is only one narrow forgery variant among many possible resource-control failures (partial exploitation)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-197",
      "target_framework": "CWE",
      "target_id": "CWE-770",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-770 directly enables CAPEC-197 by allowing unbounded growth from nested expansions, while CAPEC-197 is only one narrow variant among many possible resource-exhaustion techniques covered by the CWE."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-197",
      "target_framework": "CWE",
      "target_id": "CWE-776",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-776 directly permits the nested DTD expansion that CAPEC-197 performs, so the weakness enables the pattern fully; CAPEC-197 however describes the general exponential-expansion technique across multiple data formats and therefore exploits only one narrow manifestation of CWE-776."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-198",
      "target_framework": "CWE",
      "target_id": "CWE-81",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-81 fully enables CAPEC-198 because the attack requires unneutralized script in error pages, while CAPEC-198 exploits the CWE only partially as one narrow error-page variant."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-199",
      "target_framework": "CWE",
      "target_id": "CWE-87",
      "extent": "full",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-87 is the exact neutralization failure that CAPEC-199 relies on, so the weakness enables the pattern fully and the pattern exploits that surface fully."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-2",
      "target_framework": "CWE",
      "target_id": "CWE-645",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-645's overly-sensitive lockout is the exact condition the CAPEC-2 attack requires, yet CAPEC-2 remains only one narrow manifestation among the broader family of lockout-abuse techniques."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-20",
      "target_framework": "CWE",
      "target_id": "CWE-326",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-326 fully enables CAPEC-20 by shrinking the key space to a brute-forceable size, while CAPEC-20 only partially exploits CWE-326 as one narrow attack variant among other possible cryptanalytic approaches."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-20",
      "target_framework": "CWE",
      "target_id": "CWE-327",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-327 makes exhaustive key search practically viable (mostly enables), while CAPEC-20 is only one narrow brute-force variant among many possible exploits of weak crypto (partially exploits)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-20",
      "target_framework": "CWE",
      "target_id": "CWE-693",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-693 does not enable CAPEC-20 (brute-force key search succeeds or fails based on key space size alone), while CAPEC-20 exploits the CWE only narrowly when the protection in question is the cipher itself."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-201",
      "target_framework": "CWE",
      "target_id": "CWE-829",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-829 concerns executable code inclusion from untrusted sources while CAPEC-201 exploits parser handling of external entity references in data files; neither direction shows enablement or exploitation."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-202",
      "target_framework": "CWE",
      "target_id": "CWE-602",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-602 enables CAPEC-202 fully because server reliance on client enforcement is the direct precondition the malicious client violates, while CAPEC-202 exploits the CWE only partially as one narrow client-creation variant among many possible exploitation surfaces."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-203",
      "target_framework": "CWE",
      "target_id": "CWE-15",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-15 directly supplies the external-control surface that CAPEC-203 needs to alter registry entries, yet CAPEC-203 is only one narrow authorization-based variant among many possible CWE-15 manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-204",
      "target_framework": "CWE",
      "target_id": "CWE-311",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Missing encryption directly enables cache lifting by leaving readable sensitive data in storage (mostly), while the CAPEC is only one narrow cache-specific variant among many possible exposures of unencrypted data (partial)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-204",
      "target_framework": "CWE",
      "target_id": "CWE-524",
      "extent": "mostly",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-524 directly supplies the unprotected sensitive cache that CAPEC-204 reads, enabling the attack fully, yet CAPEC-204 remains one narrow manifestation among possible cache exposures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-206",
      "target_framework": "CWE",
      "target_id": "CWE-732",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Bad perms directly enable credential extraction for the attack (full), yet CAPEC-206 is only one narrow signing variant among many possible exploits of CWE-732 (partial)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-207",
      "target_framework": "CWE",
      "target_id": "CWE-602",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-602 enables CAPEC-207 fully because the attack directly removes client functionality the server trusts, while CAPEC-207 exploits the CWE only partially as one narrow removal variant among many possible bypasses."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-208",
      "target_framework": "CWE",
      "target_id": "CWE-602",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-602 fully enables CAPEC-208 because the attack requires server trust in client-side monetary logic, while CAPEC-208 exploits the CWE only partially as one narrow monetary variant."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-209",
      "target_framework": "CWE",
      "target_id": "CWE-20",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 broadly enables CAPEC-209 by allowing malicious content to reach the browser, yet the attack hinges more directly on MIME handling than on validation alone; CAPEC-209 exploits CWE-20 only partially as one narrow MIME-mismatch variant among many CWE-20 manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-209",
      "target_framework": "CWE",
      "target_id": "CWE-646",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-646's extension-based misclassification can aid dangerous file handling in some upload scenarios but is not required for CAPEC-209's MIME/browser-autodetect vector; CAPEC-209 targets MIME handling, not name/extension surfaces."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-209",
      "target_framework": "CWE",
      "target_id": "CWE-79",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-79 enables CAPEC-209 fully (neutralization failure is required for the MIME trick to execute), while CAPEC-209 exploits CWE-79 only partially (narrow MIME variant among many XSS forms)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-21",
      "target_framework": "CWE",
      "target_id": "CWE-290",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-290's spoofable auth directly enables any trusted-ID attack (full), while CAPEC-21 is only one narrow variant among many possible spoofs (partial)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-21",
      "target_framework": "CWE",
      "target_id": "CWE-302",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-302 fully enables CAPEC-21 because the attack requires the system to trust modifiable identifiers, while CAPEC-21 only partially exploits CWE-302 as one narrow variant among many possible trusted-identifier abuses."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-21",
      "target_framework": "CWE",
      "target_id": "CWE-346",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-346 enables CAPEC-21 only partially because identifier guessing/stealing can succeed without origin flaws; CAPEC-21 exploits the CWE surface only partially as a narrow identifier-trust variant among many possible origin-validation failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-21",
      "target_framework": "CWE",
      "target_id": "CWE-384",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-384 directly supplies the known session ID that CAPEC-21 rides, yet CAPEC-21 also covers guessing and other acquisition methods unrelated to fixation."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-21",
      "target_framework": "CWE",
      "target_id": "CWE-539",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-539 supplies the exact sensitive cookie value that CAPEC-21 needs, enabling the pattern fully, yet CAPEC-21 only partially exploits this CWE because it also covers many other identifier types."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-21",
      "target_framework": "CWE",
      "target_id": "CWE-6",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Insufficient session-ID length directly enables guessing (a core step in CAPEC-21) but the pattern also covers sniffing/riding and many non-session identifiers, so exploitation of this specific CWE surface remains only partial."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-21",
      "target_framework": "CWE",
      "target_id": "CWE-602",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-602's reliance on client-supplied checks directly enables tampering with trusted identifiers, but CAPEC-21 is only one narrow variant among many possible CWE-602 manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-21",
      "target_framework": "CWE",
      "target_id": "CWE-642",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-642 enables CAPEC-21 fully because external access to trusted identifiers is a direct prerequisite, while CAPEC-21 exploits the CWE only partially as one narrow variant of broader critical-state exposures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-21",
      "target_framework": "CWE",
      "target_id": "CWE-664",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-664 enables CAPEC-21 mostly via lifetime mismanagement of identifiers (no expiry, reuse); CAPEC-21 exploits that surface only partially as one narrow variant among many resource-control failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-212",
      "target_framework": "CWE",
      "target_id": "CWE-1242",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Undocumented chicken bits directly supply the hidden entry points that enable Functionality Misuse, yet the broad CAPEC-212 pattern only partially targets this specific weakness among many possible design flaws."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-212",
      "target_framework": "CWE",
      "target_id": "CWE-1246",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1246 supplies one specific design flaw that a misuse attack can leverage as a step, while CAPEC-212 is a broad pattern that only partially maps onto this narrow NVM weakness."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-212",
      "target_framework": "CWE",
      "target_id": "CWE-1281",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-212 is a meta pattern about application-level misuse; CWE-1281 is a narrow processor-instruction flaw that could be one of many possible enablers but is not required by the CAPEC."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-215",
      "target_framework": "CWE",
      "target_id": "CWE-209",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-209 directly supplies the sensitive error content that makes CAPEC-215's observation goal effective (mostly enables), yet CAPEC-215 is only one narrow fuzzing variant among many possible CWE-209 exploitations (partially exploits)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-215",
      "target_framework": "CWE",
      "target_id": "CWE-532",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-532 does not enable CAPEC-215 (fuzzing succeeds against any informative logs), yet CAPEC-215 can partially exploit the weakness by surfacing sensitive entries during log observation."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-217",
      "target_framework": "CWE",
      "target_id": "CWE-201",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-217 exploits TLS misconfiguration weaknesses to expose intended encrypted streams, only incidentally touching one narrow slice of CWE-201's broader sensitive-data exposure surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-218",
      "target_framework": "CWE",
      "target_id": "CWE-345",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-345 fully enables CAPEC-218 since spoofed messages succeed only when authenticity checks are absent, while CAPEC-218 exploits the broad weakness only partially as one narrow UDDI/ebXML variant."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-219",
      "target_framework": "CWE",
      "target_id": "CWE-441",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-441's failure to preserve request source directly supplies the unintended-intermediary surface that CAPEC-219 needs to subvert, yet the CAPEC is only one narrow XML-routing variant among many possible confused-deputy abuses."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-219",
      "target_framework": "CWE",
      "target_id": "CWE-610",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-610 directly supplies the external reference control that WS-Routing detours rely on, yet CAPEC-219 is only one narrow XML-intermediary variant among many possible CWE-610 manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-22",
      "target_framework": "CWE",
      "target_id": "CWE-20",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-22 mostly because the attack succeeds only when the server fails to validate client-supplied data it should not trust; CAPEC-22 exploits CWE-20 only partially as a narrow trust-bypass variant among many possible input-validation failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-22",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 is an information-disclosure consequence, not an authentication or channel-integrity flaw, so it neither enables nor is exploited by CAPEC-22's client-impersonation vector."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-22",
      "target_framework": "CWE",
      "target_id": "CWE-287",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-287's missing authentication is the direct prerequisite that lets CAPEC-22 succeed (full enablement), yet CAPEC-22 is only one narrow client-trust variant among many possible authentication failures (partial exploitation)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-22",
      "target_framework": "CWE",
      "target_id": "CWE-290",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-290's spoofable auth directly enables CAPEC-22's client-trust exploitation (no bypass, no attack), yet CAPEC-22 encompasses many auth-integrity variants beyond spoofing alone."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-22",
      "target_framework": "CWE",
      "target_id": "CWE-693",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-693 enables CAPEC-22 fully because the attack requires a missing or broken protection mechanism (e.g., client authentication); CAPEC-22 exploits CWE-693 only partially as one narrow variant among many protection failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-220",
      "target_framework": "CWE",
      "target_id": "CWE-757",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-757 supplies one specific negotiable-algorithm flaw among many protocol weaknesses usable by the broad CAPEC-220 pattern, so each direction rates only partial."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-221",
      "target_framework": "CWE",
      "target_id": "CWE-611",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-611 fully enables CAPEC-221 because the DoS attack requires unrestricted external entity resolution, yet CAPEC-221 only partially exploits CWE-611 by covering one narrow DoS variant among many possible XXE abuses."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-222",
      "target_framework": "CWE",
      "target_id": "CWE-1021",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1021 enables CAPEC-222 fully because the overlay attack cannot succeed without unrestricted cross-domain frames, while CAPEC-222 exploits the CWE only partially as one narrow iFrame variant among several possible manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-224",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-200's exposure surface directly supplies the identifying details that make fingerprinting succeed, yet CAPEC-224 is only one narrow reconnaissance technique among many possible manifestations of the broad CWE."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-226",
      "target_framework": "CWE",
      "target_id": "CWE-472",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-472 fully enables CAPEC-226 because the attack requires the server to trust externally-manipulated assumed-immutable values such as cookies; CAPEC-226 exploits CWE-472 only partially as it is one narrow credential-falsification variant among many possible immutable-parameter abuses."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-226",
      "target_framework": "CWE",
      "target_id": "CWE-565",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-565 directly supplies the missing cookie validation that CAPEC-226 requires to succeed, yet CAPEC-226 is only one narrow manipulation variant among many possible exploitations of the CWE."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-227",
      "target_framework": "CWE",
      "target_id": "CWE-400",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-400 is a direct prerequisite for CAPEC-227 to succeed, yet the CAPEC is only one narrow sustained-engagement variant among many resource-consumption attacks."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-229",
      "target_framework": "CWE",
      "target_id": "CWE-770",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-770 directly supplies the unbounded allocation surface the parser blow-up attack needs to reach DoS, while CAPEC-229 is only one narrow serialized-data manifestation of that CWE."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-23",
      "target_framework": "CWE",
      "target_id": "CWE-20",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-23 mostly because absent proper validation the poisoned file content is accepted and processed; CAPEC-23 exploits CWE-20 only partially as a narrow file-injection variant among many possible input-validation failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-230",
      "target_framework": "CWE",
      "target_id": "CWE-112",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Missing validation fully enables the nested-payload resource attack because the malicious XML is accepted and expanded; CAPEC-230 exploits that surface only partially as one narrow variant of many possible CWE-112 abuses."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-230",
      "target_framework": "CWE",
      "target_id": "CWE-20",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-230 fully because absent any input validation the nested-payload DoS is possible, yet CAPEC-230 only partially exploits the broad CWE-20 surface by targeting one specific structural-validation failure."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-230",
      "target_framework": "CWE",
      "target_id": "CWE-674",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-674 enables CAPEC-230 fully because the attack's resource exhaustion depends on absent recursion controls, while CAPEC-230 exploits the CWE only partially as one narrow nesting variant among many recursion issues."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-230",
      "target_framework": "CWE",
      "target_id": "CWE-770",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-770 fully enables CAPEC-230 because unbounded allocation is required for the nesting to exhaust resources, while CAPEC-230 only partially exploits CWE-770 as one narrow variant among many resource-exhaustion techniques."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-231",
      "target_framework": "CWE",
      "target_id": "CWE-112",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Missing schema validation can incidentally permit oversized XML but does not directly enable resource-exhaustion attacks that hinge on absent size limits; CAPEC-231 targets parser resource handling rather than schema-validation surfaces."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-231",
      "target_framework": "CWE",
      "target_id": "CWE-20",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-231 fully because absent size validation the oversized payload attack succeeds, yet the narrow serialized-data variant exploits only one slice of the broad input-validation surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-231",
      "target_framework": "CWE",
      "target_id": "CWE-674",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Uncontrolled recursion enables only the deep-nesting subset of oversized-payload attacks and only in recursive parsers, while CAPEC-231 is a broad payload-size pattern that exploits the recursion surface only incidentally."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-231",
      "target_framework": "CWE",
      "target_id": "CWE-770",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-770 enables CAPEC-231 fully because unbounded allocation is a prerequisite for serialized-payload exhaustion, while CAPEC-231 exploits the CWE only partially as one narrow variant among many resource-exhaustion techniques."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-233",
      "target_framework": "CWE",
      "target_id": "CWE-1264",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1264 supplies one hardware bypass step usable for privilege escalation but is not required for CAPEC-233; CAPEC-233 is a broad category that only narrowly matches this specific de-synchronization surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-233",
      "target_framework": "CWE",
      "target_id": "CWE-269",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-269 is the direct prerequisite for any privilege escalation, enabling CAPEC-233 fully, yet CAPEC-233 remains one broad attack pattern among many possible manifestations of the CWE."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-234",
      "target_framework": "CWE",
      "target_id": "CWE-648",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-648 permits privilege escalation via API misuse but is not required for process hijacking (forward partial); CAPEC-234 can leverage that misuse surface among many others (reverse partial)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-234",
      "target_framework": "CWE",
      "target_id": "CWE-732",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Incorrect permissions can serve as one enabling step for process hijacking (e.g., via binary replacement) but are not required for all variants, while the narrow CAPEC-234 pattern only partially covers the broad CWE-732 surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-237",
      "target_framework": "CWE",
      "target_id": "CWE-693",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-693's missing protection fully enables the sandbox escape (attack cannot succeed without it), yet CAPEC-237 is only one narrow cross-language variant among many possible protection failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-24",
      "target_framework": "CWE",
      "target_id": "CWE-118",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-118 enables CAPEC-24 fully because the attack hinges on an exploitable range error to produce the overflow that bypasses the filter, while CAPEC-24 exploits CWE-118 only partially as one narrow filter-failure variant among many range-error manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-24",
      "target_framework": "CWE",
      "target_id": "CWE-119",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-119 enables CAPEC-24 fully because the attack requires a successful buffer overflow to bypass the filter, while CAPEC-24 exploits CWE-119 only partially as one narrow filter-failure variant among many buffer-overflow manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-24",
      "target_framework": "CWE",
      "target_id": "CWE-120",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-120 directly supplies the unchecked oversized copy that CAPEC-24 requires to make the filter fail, but CAPEC-24 is only one narrow filter-bypass usage of that weakness."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-24",
      "target_framework": "CWE",
      "target_id": "CWE-20",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-24 fully because the overflow-to-bypass attack cannot succeed without a validation failure, while CAPEC-24 exploits CWE-20 only partially as one narrow buffer-overflow variant among many possible input-validation flaws."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-24",
      "target_framework": "CWE",
      "target_id": "CWE-680",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-680 supplies one specific route to the buffer overflow required by CAPEC-24 (hence partial enablement) while CAPEC-24 never targets the allocation-arithmetic flaw itself (hence no exploitation)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-24",
      "target_framework": "CWE",
      "target_id": "CWE-697",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-24 hinges on buffer overflow plus insecure failure handling, not on an incorrect comparison."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-24",
      "target_framework": "CWE",
      "target_id": "CWE-74",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-24 exploits buffer overflow to bypass filtering and is not an instance of improper neutralization of special elements."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-240",
      "target_framework": "CWE",
      "target_id": "CWE-99",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-99 enables CAPEC-240 fully as the exact underlying flaw required for resource identifier manipulation, while CAPEC-240 exploits the CWE only partially as one narrow attack variant among the weakness's broader surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-242",
      "target_framework": "CWE",
      "target_id": "CWE-94",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-94 directly supplies the missing neutralization that CAPEC-242 requires to succeed (full enablement), yet CAPEC-242 remains one narrow execution-focused variant among the broader family of code-injection manifestations covered by CWE-94 (partial exploitation)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-243",
      "target_framework": "CWE",
      "target_id": "CWE-83",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-83 directly supplies the attribute neutralization failure CAPEC-243 requires (full enablement), yet CAPEC-243 is only one narrow attribute-vector variant among many possible CWE-83 manifestations (partial exploitation)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-244",
      "target_framework": "CWE",
      "target_id": "CWE-83",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-83 fully enables the attack by permitting unneutralized javascript:/data: URIs in attributes, while CAPEC-244 only partially exploits it as one narrow URI-placeholder variant of the broader weakness."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-245",
      "target_framework": "CWE",
      "target_id": "CWE-85",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-85 is the exact missing filter the CAPEC-245 bypass requires, enabling the pattern fully, yet the CAPEC remains one narrow variant among the broader XSS family and therefore exploits the CWE only partially."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-247",
      "target_framework": "CWE",
      "target_id": "CWE-86",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-86 enables CAPEC-247 fully because the attack cannot succeed without the missing neutralization of invalid identifier characters, while CAPEC-247 exploits the CWE only partially as one narrow invalid-character variant among many possible manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-248",
      "target_framework": "CWE",
      "target_id": "CWE-77",
      "extent": "mostly",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-77 is the precise neutralization failure that CAPEC-248 requires, enabling it fully, yet CAPEC-248 remains one canonical pattern among the CWE family and therefore exploits the surface only mostly."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-25",
      "target_framework": "CWE",
      "target_id": "CWE-1322",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1322 produces single-thread hangs from blocking calls, not multi-action deadlocks, so it neither enables nor is exploited by CAPEC-25."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-25",
      "target_framework": "CWE",
      "target_id": "CWE-412",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-412 directly supplies the external lock control surface that CAPEC-25 requires to induce deadlock, while CAPEC-25 is only one narrow deadlock variant among many possible misuses of that surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-25",
      "target_framework": "CWE",
      "target_id": "CWE-662",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-662 creates the deadlock conditions that CAPEC-25 directly requires, while CAPEC-25 is only one narrow variant among many synchronization flaws."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-25",
      "target_framework": "CWE",
      "target_id": "CWE-667",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Improper locking directly creates the deadlock state that Forced Deadlock requires, yet CAPEC-25 is only one narrow way to trigger that CWE family."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-25",
      "target_framework": "CWE",
      "target_id": "CWE-833",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-833 enables CAPEC-25 fully because the attack cannot succeed without an existing deadlock condition, while CAPEC-25 exploits the weakness only partially as one narrow forcing variant among possible deadlock manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-250",
      "target_framework": "CWE",
      "target_id": "CWE-20",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-250 fully because XML injection requires unvalidated input to succeed, while CAPEC-250 exploits CWE-20 only partially as one narrow XML-specific variant among many possible input-validation failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-250",
      "target_framework": "CWE",
      "target_id": "CWE-707",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-707 enables CAPEC-250 fully because XML injection requires failure to neutralize structured input, yet CAPEC-250 exploits the broad CWE only partially as one narrow variant among many neutralization failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-250",
      "target_framework": "CWE",
      "target_id": "CWE-74",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-74 fully enables CAPEC-250 because XML injection requires unneutralized special elements, while CAPEC-250 only partially exploits CWE-74 as one narrow XML variant among many injection families."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-250",
      "target_framework": "CWE",
      "target_id": "CWE-91",
      "extent": "mostly",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-91's missing neutralization directly supplies the entire attack surface CAPEC-250 needs, yet CAPEC-250 is one concrete XML-database variant among the broader family of XML-injection behaviors covered by the CWE."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-251",
      "target_framework": "CWE",
      "target_id": "CWE-829",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-829 directly supplies the untrusted-include surface that CAPEC-251 requires, yet the CAPEC is only one narrow (local-file) variant among many possible manifestations of the CWE."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-252",
      "target_framework": "CWE",
      "target_id": "CWE-829",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-829 enables CAPEC-252 fully because LFI is a direct realization of including executable code from outside the intended control sphere, while CAPEC-252 exploits the CWE only partially as one narrow PHP-specific variant among many possible manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-253",
      "target_framework": "CWE",
      "target_id": "CWE-829",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-829 enables CAPEC-253 fully because remote arbitrary-code loading is impossible without importing from an untrusted sphere, while CAPEC-253 exploits the CWE only partially as one narrow remote variant among broader inclusion scenarios."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-256",
      "target_framework": "CWE",
      "target_id": "CWE-805",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-805 enables CAPEC-256 fully because the attack depends on the server using the understated length for buffer operations, while CAPEC-256 exploits CWE-805 only partially as one narrow SOAP-array manifestation among many possible length-value errors."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-26",
      "target_framework": "CWE",
      "target_id": "CWE-1223",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1223 is one specific hardware race-condition instance that CAPEC-26 can leverage, but the general attack pattern neither depends exclusively on it nor targets its surface exclusively."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-26",
      "target_framework": "CWE",
      "target_id": "CWE-1254",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1254's stepwise comparison timing side-channel has no bearing on CAPEC-26's concurrent resource-modification race, so neither enables nor is exploited by the other."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-26",
      "target_framework": "CWE",
      "target_id": "CWE-1298",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1298 supplies one hardware-specific race surface that CAPEC-26 can leverage, yet CAPEC-26 executes fully on software races alone; conversely the broad CAPEC only partially matches the narrow hardware CWE."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-26",
      "target_framework": "CWE",
      "target_id": "CWE-362",
      "extent": "mostly",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-362 supplies the exact timing window the CAPEC-26 adversary must occupy, enabling the pattern fully, yet CAPEC-26 only instantiates one broad family of race surfaces and is therefore only a partial-to-mostly exploitation of the CWE."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-26",
      "target_framework": "CWE",
      "target_id": "CWE-363",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-363 is one narrow TOCTOU instance that enables only a subset of CAPEC-26 variants, while the broad CAPEC-26 pattern covers that weakness among many other race conditions."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-26",
      "target_framework": "CWE",
      "target_id": "CWE-366",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-366 supplies one thread-specific race surface that CAPEC-26 can leverage, yet the attack pattern is defined for concurrent processes and can succeed against other race conditions."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-26",
      "target_framework": "CWE",
      "target_id": "CWE-368",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-368 is one narrow race-condition instance that CAPEC-26 can target, but the broad attack pattern neither requires nor is limited to this specific weakness."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-26",
      "target_framework": "CWE",
      "target_id": "CWE-370",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-370 is a time-of-check/time-of-use revocation gap unrelated to concurrent resource manipulation, so neither direction holds."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-26",
      "target_framework": "CWE",
      "target_id": "CWE-662",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-662's missing synchronization is the direct prerequisite that makes any race condition possible (full enablement), yet CAPEC-26 only exercises one narrow manifestation of that broad weakness family (partial exploitation)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-26",
      "target_framework": "CWE",
      "target_id": "CWE-665",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Improper initialization can create an exploitable window during concurrent access but is not required for race conditions, while CAPEC-26 targets ordering/synchronization flaws rather than initialization surfaces."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-26",
      "target_framework": "CWE",
      "target_id": "CWE-667",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Improper locking is a primary cause of exploitable race conditions so enables the pattern mostly, yet CAPEC-26 covers many synchronization flaws beyond locking and therefore exploits CWE-667 only partially."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-26",
      "target_framework": "CWE",
      "target_id": "CWE-689",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-689 is one narrow race-condition instance that partially enables the broad CAPEC-26 pattern while the pattern itself only partially exploits this specific permission-copy surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-261",
      "target_framework": "CWE",
      "target_id": "CWE-20",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-261 fully because the fuzzing attack hinges on absent template/input verification, while CAPEC-261 exploits CWE-20 only partially as one narrow fuzzing variant among many CWE-20 manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-263",
      "target_framework": "CWE",
      "target_id": "CWE-829",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-829 directly supplies the untrusted executable surface that CAPEC-263 corrupts, yet the attack pattern remains only one narrow file-based variant among many possible manifestations of the weakness."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-267",
      "target_framework": "CWE",
      "target_id": "CWE-172",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-172 enables CAPEC-267 fully because the attack hinges on improper encoding/decoding allowing bypass, while CAPEC-267 exploits the broad CWE only partially as one narrow alternate-encoding variant."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-267",
      "target_framework": "CWE",
      "target_id": "CWE-173",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-173 is the direct precondition that makes CAPEC-267 possible (full enablement), yet CAPEC-267 is only one narrow encoding-based variant among many possible manifestations of the CWE (partial exploitation)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-267",
      "target_framework": "CWE",
      "target_id": "CWE-180",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-180's validate-before-canonicalize ordering directly enables any alternate-encoding bypass (full), while CAPEC-267 is only one narrow encoding variant among many possible manifestations of that weakness (partial)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-267",
      "target_framework": "CWE",
      "target_id": "CWE-20",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-267 fully because alternate-encoding bypasses require a validation failure to succeed, while the narrow encoding variant exploits the broad CWE only partially."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-267",
      "target_framework": "CWE",
      "target_id": "CWE-692",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Incomplete denylist (CWE-692) directly permits alternate-encoding XSS to succeed, enabling CAPEC-267 fully, yet the encoding technique only exploits one narrow gap among many possible denylist deficiencies."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-267",
      "target_framework": "CWE",
      "target_id": "CWE-697",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Incorrect comparison directly enables alternate-encoding bypass (full) while CAPEC-267 is only one narrow manifestation of that CWE (partial)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-267",
      "target_framework": "CWE",
      "target_id": "CWE-73",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-73 permits externally supplied paths but does not itself require or depend on encoding bypasses, while CAPEC-267 is a generic encoding technique that can contribute to path-control flaws yet applies equally to many other input-validation surfaces."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-267",
      "target_framework": "CWE",
      "target_id": "CWE-74",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-74's neutralization failure directly enables any encoding-based bypass (full), while CAPEC-267 is only one narrow encoding variant among many CWE-74 manifestations (partial)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-268",
      "target_framework": "CWE",
      "target_id": "CWE-117",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-117 enables log manipulation via unneutralized input but access-control paths also permit CAPEC-268, while the CAPEC only narrowly exploits the neutralization surface among other vectors."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-27",
      "target_framework": "CWE",
      "target_id": "CWE-367",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-367 enables CAPEC-27 fully because the symlink race is a direct TOCTOU instance, while CAPEC-27 exploits CWE-367 only partially as one narrow symlink variant among many TOCTOU manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-27",
      "target_framework": "CWE",
      "target_id": "CWE-61",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-61 fully enables CAPEC-27 because the attack cannot succeed without improper symlink resolution to an unauthorized target, while CAPEC-27 exploits the CWE only partially as one narrow TOCTOU race variant among many symlink-following manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-27",
      "target_framework": "CWE",
      "target_id": "CWE-662",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-662's missing synchronization is the direct root of the race the CAPEC-27 symlink attack requires, yet the attack is only one narrow manifestation of that broad weakness class."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-27",
      "target_framework": "CWE",
      "target_id": "CWE-667",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Improper locking enables the TOCTOU race that CAPEC-27 relies on (mostly) while the symlink-specific pattern only exercises one narrow slice of locking failures (partial)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-270",
      "target_framework": "CWE",
      "target_id": "CWE-15",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-15 directly supplies the external config control surface that CAPEC-270 requires to write run keys, yet CAPEC-270 is only one narrow registry variant among many possible CWE-15 abuses."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-271",
      "target_framework": "CWE",
      "target_id": "CWE-15",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-15 enables CAPEC-271 fully because external control of the schema (a config setting) is a prerequisite for poisoning it; CAPEC-271 exploits CWE-15 only partially as one narrow schema-specific variant among many possible config manipulations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-273",
      "target_framework": "CWE",
      "target_id": "CWE-436",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-436 supplies the exact semantic gap HTTP agents need for response smuggling to succeed, yet CAPEC-273 is only one narrow realization among many possible interpretation conflicts."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-273",
      "target_framework": "CWE",
      "target_id": "CWE-444",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-444 enables CAPEC-273 fully because inconsistent HTTP interpretation is the direct prerequisite for response smuggling, while CAPEC-273 exploits the CWE only partially as one narrow response-focused variant."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-273",
      "target_framework": "CWE",
      "target_id": "CWE-74",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-74's missing neutralization is the direct prerequisite that lets an attacker craft the duplicate-header or CRLF payload, yet CAPEC-273 is only one narrow HTTP-response variant among many possible CWE-74 manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-274",
      "target_framework": "CWE",
      "target_id": "CWE-302",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-302 fully enables CAPEC-274 because verb tampering succeeds only when the implementation treats the HTTP method as immutable data; CAPEC-274 exploits that CWE only partially as one narrow variant among many possible assumed-immutable data attacks."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-274",
      "target_framework": "CWE",
      "target_id": "CWE-654",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-654 directly enables CAPEC-274 because verb-based access control is a canonical single-factor decision, yet the CAPEC is only one narrow manifestation among many possible single-factor flaws."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-275",
      "target_framework": "CWE",
      "target_id": "CWE-350",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-275 exploits dynamic forward DNS resolution to bypass hostname-based checks, only partially overlapping the reverse-DNS-specific weakness in CWE-350."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-276",
      "target_framework": "CWE",
      "target_id": "CWE-707",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Improper neutralization directly enables protocol manipulation by allowing malformed inter-component messages, yet the CAPEC is only one narrow variant among many possible protocol flaws."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-277",
      "target_framework": "CWE",
      "target_id": "CWE-707",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-707 is the direct root cause that lets protocol data be altered or misinterpreted, enabling CAPEC-277 fully, while the CAPEC only partially exploits that surface as one of several possible protocol weaknesses."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-278",
      "target_framework": "CWE",
      "target_id": "CWE-707",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-707 enables CAPEC-278 mostly because unsanitized inputs let unexpected protocol values succeed, while the narrow CAPEC variant exploits that surface only partially."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-279",
      "target_framework": "CWE",
      "target_id": "CWE-707",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-707 enables CAPEC-279 mostly because SOAP parameter tampering directly depends on missing XML neutralization, yet CAPEC-279 exploits only one narrow XML/SOAP slice of the broad CWE-707 surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-28",
      "target_framework": "CWE",
      "target_id": "CWE-20",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 does not enable fuzzing (CAPEC-28 probes for validation flaws rather than requiring them), while fuzzing only partially exploits the CWE-20 surface as one of many discovery targets."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-28",
      "target_framework": "CWE",
      "target_id": "CWE-74",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-74 does not enable fuzzing (a discovery technique usable against any interface), while fuzzing can partially surface injection flaws by probing input handling without targeting the CWE specifically."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-285",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Ping reconnaissance leaks only host existence (narrow info leak) and hinges primarily on absent ICMP filtering rather than CWE-200."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-29",
      "target_framework": "CWE",
      "target_id": "CWE-362",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-362 enables CAPEC-29 fully because TOCTOU is a direct instance of the improper shared-resource synchronization; CAPEC-29 exploits CWE-362 only partially as one narrow TOCTOU variant among many race-condition manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-29",
      "target_framework": "CWE",
      "target_id": "CWE-366",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-366's thread race condition is a prerequisite for any TOCTOU execution (full enablement), yet CAPEC-29 is only one narrow TOCTOU variant and not limited to intra-thread races (partial exploitation)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-29",
      "target_framework": "CWE",
      "target_id": "CWE-367",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-367 is the exact condition the attack requires, so it enables CAPEC-29 fully; CAPEC-29 is one concrete exploitation variant of that weakness family and therefore exploits it only partially."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-29",
      "target_framework": "CWE",
      "target_id": "CWE-368",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-368's non-atomic context-switch surface directly supplies the timing window TOCTOU needs (mostly enabling), yet CAPEC-29 is the classic file-system variant that only partially maps onto the narrower context-switch CWE."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-29",
      "target_framework": "CWE",
      "target_id": "CWE-370",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-370 is itself a TOCTOU instance on certificate state, directly enabling CAPEC-29's race window while CAPEC-29 remains a broad pattern that only partially targets this specific revocation surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-29",
      "target_framework": "CWE",
      "target_id": "CWE-662",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-662 enables CAPEC-29 fully because TOCTOU is a direct consequence of missing synchronization on a shared resource, while CAPEC-29 exploits the broad CWE only partially as one narrow race-condition variant."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-29",
      "target_framework": "CWE",
      "target_id": "CWE-691",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-691 enables CAPEC-29 fully because absent proper control-flow management the TOCTOU window cannot be closed; CAPEC-29 exploits CWE-691 only partially as one narrow race-condition variant among many control-flow failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-290",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 enables CAPEC-290 only partially because MX queries can be issued regardless, yet yield sensitive internal addresses solely when the exposure exists; CAPEC-290 exploits CWE-200 only partially as a narrow DNS-specific enumeration among many information-disclosure vectors."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-291",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 is the direct outcome the zone-transfer attack hinges on, enabling it mostly, while CAPEC-291 is only one narrow DNS-specific variant that exploits the broad CWE partially."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-292",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 is not required for CAPEC-292 probes to succeed, yet host-discovery responses inherently leak presence information that CWE-200 would classify as sensitive."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-293",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 directly supplies the route topology data that CAPEC-293 is designed to obtain, yet the CAPEC is only one narrow, protocol-specific instance of information disclosure."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-294",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 directly supplies the sensitive network data that CAPEC-294 is designed to obtain, enabling the pattern fully, yet the CAPEC remains only one narrow probe among many possible exposures of CWE-200."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-295",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 directly supplies the timestamp that CAPEC-295 needs, enabling the pattern almost completely, yet the narrow timestamp-request variant only partially exploits the broad CWE-200 surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-296",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 enables CAPEC-296 fully because a response to the deprecated request directly constitutes the unauthorized exposure, while CAPEC-296 exploits only one narrow variant of the broad CWE-200 surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-297",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "TCP ACK ping is pure protocol-behavior reconnaissance that neither requires nor produces exposure of sensitive information."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-298",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-200's exposure surface (ICMP responses revealing host/port state) directly enables the UDP ping reconnaissance, but CAPEC-298 is only one narrow variant among many information-disclosure techniques."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-299",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-299 performs host discovery via protocol responses, disclosing existence but not relying on CWE-200's typical sensitive-data exposure surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-3",
      "target_framework": "CWE",
      "target_id": "CWE-172",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-172 enables CAPEC-3 only as one possible processing step among syntactic-form mismatches, while CAPEC-3 is a narrow leading-character variant that exploits the broader CWE surface only partially."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-3",
      "target_framework": "CWE",
      "target_id": "CWE-173",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-173 fully enables CAPEC-3 because the attack requires the product to accept equivalent syntactic forms the filter fails to normalize; CAPEC-3 exploits the CWE only partially as one narrow leading-character variant among many possible alternate encodings."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-3",
      "target_framework": "CWE",
      "target_id": "CWE-179",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-179's early-validation ordering directly supplies the precondition the ghost-character attack needs to reach the later modification step, while CAPEC-3 is only one narrow syntactic variant among many possible manifestations of that ordering error."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-3",
      "target_framework": "CWE",
      "target_id": "CWE-180",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-180 enables CAPEC-3 fully because validating before canonicalization lets ghost-character variants slip past filters, while CAPEC-3 exploits the CWE only partially as one narrow syntactic bypass among many possible manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-3",
      "target_framework": "CWE",
      "target_id": "CWE-183",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-183's overly broad allow-list directly enables the ghost-character bypass (attack fails without it), while CAPEC-3 is only one narrow syntactic variant among many possible permissive-list failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-3",
      "target_framework": "CWE",
      "target_id": "CWE-184",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Incomplete disallowed-input lists fully enable ghost-character bypass because the filter cannot recognize every syntactic form the API accepts, yet CAPEC-3 is only one narrow manifestation of that broad CWE."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-3",
      "target_framework": "CWE",
      "target_id": "CWE-20",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-3 fully because the ghost-character bypass requires absent or incomplete validation, while CAPEC-3 exploits CWE-20 only partially as one narrow syntactic-filter variant among many possible input-validation failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-3",
      "target_framework": "CWE",
      "target_id": "CWE-41",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-41's failure to canonicalize equivalent path forms directly supplies the surface that leading-ghost bypasses rely on, yet CAPEC-3 is only one narrow syntactic variant among many possible path-equivalence manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-3",
      "target_framework": "CWE",
      "target_id": "CWE-697",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Incorrect comparison enables the ghost-character bypass because the filter must equate semantically identical syntactic forms and fails to do so; the CAPEC is only one narrow syntactic variant among many possible incorrect-comparison failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-3",
      "target_framework": "CWE",
      "target_id": "CWE-707",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-707's failure to handle alternate syntactic forms fully enables the ghost-character bypass, while CAPEC-3 is only one narrow variant among many possible manifestations of the broad CWE."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-3",
      "target_framework": "CWE",
      "target_id": "CWE-74",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-74's missing neutralization directly enables the ghost-character bypass (full), yet CAPEC-3 is only one narrow filter-evasion variant among many CWE-74 manifestations (partial)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-30",
      "target_framework": "CWE",
      "target_id": "CWE-270",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-270's failure to manage privileges across thread/context switches directly enables thread hijacking (mostly), while CAPEC-30 is only one narrow injection-based variant that exploits that surface (partial)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-300",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Port scanning executes and gathers basic reachability data without depending on or targeting unintended sensitive-information exposure."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-301",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 leaks data but supplies no prerequisite for TCP handshakes; CAPEC-301 merely probes ports and never targets an information-exposure surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-302",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 is an information-exposure flaw inside an application; CAPEC-302 is a transport-layer port-probing technique that relies only on RFC 793 RST behavior and neither requires nor targets any such flaw."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-303",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 is irrelevant to the TCP-stack behavior that CAPEC-303 directly abuses, so neither enabling nor exploitation occurs in either direction."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-304",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 is a product flaw exposing data; CAPEC-304 is a protocol-conformant port probe that neither requires nor targets any such flaw."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-305",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 is not required for CAPEC-305 (scan works on standard RFC 793 RST behavior), yet the scan partially exploits the same information-disclosure surface by leaking ACL details via responses."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-306",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "TCP Window Scan infers port/OS state from normal RST responses and neither requires nor targets any sensitive-information exposure surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-307",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 is a possible outcome of the scan rather than a prerequisite for executing it, while CAPEC-307 directly probes for and records service information that constitutes a narrow form of exposure."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-308",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "UDP scanning succeeds against normal protocol behavior with no need for an exposure weakness, yet the pattern directly probes the information-exposure surface that CWE-200 describes."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-309",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 does not enable CAPEC-309 (scanning works regardless of any exposure flaw), yet topology mapping can partially exploit exposed network details as a side-effect of reconnaissance."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-31",
      "target_framework": "CWE",
      "target_id": "CWE-113",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-31 targets cookie access/tampering via unrelated vectors (sniffing, XSS, etc.) while CWE-113 enables header splitting that can incidentally set malicious cookies."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-31",
      "target_framework": "CWE",
      "target_id": "CWE-20",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables cookie modification acceptance but not client-side access/interception forms; CAPEC-31 is a narrow cookie variant that only partially maps onto the broad CWE-20 family."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-31",
      "target_framework": "CWE",
      "target_id": "CWE-302",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-302 fully enables CAPEC-31 because cookie modification succeeds only when the auth scheme assumes cookie contents are immutable; CAPEC-31 exploits that weakness only partially as one narrow cookie-specific variant among many possible assumed-immutable data elements."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-31",
      "target_framework": "CWE",
      "target_id": "CWE-311",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Missing encryption directly enables cookie interception attacks by exposing sensitive values in transit/storage, but CAPEC-31 is only one narrow cookie-specific variant among many ways CWE-311 can be exploited."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-31",
      "target_framework": "CWE",
      "target_id": "CWE-315",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Cleartext sensitive cookie storage enables cookie-access attacks to succeed in data theft (but attack forms like modification can occur regardless), while CAPEC-31 broadly covers interception/modification variants that only partially target this specific CWE surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-31",
      "target_framework": "CWE",
      "target_id": "CWE-384",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-384 enables cookie-based session impersonation only as one possible vector while CAPEC-31 executes independently via direct cookie access/modification, and the narrow cookie pattern only partially overlaps the fixation surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-31",
      "target_framework": "CWE",
      "target_id": "CWE-472",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-472 enables cookie modification attacks by allowing client tampering of assumed-immutable state, but CAPEC-31 only partially exploits it as one narrow variant among several cookie attack forms."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-31",
      "target_framework": "CWE",
      "target_id": "CWE-539",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-539 supplies the sensitive persistent-cookie data that CAPEC-31 directly mines, enabling the access form of the attack (mostly) while the broader CAPEC pattern only partially maps onto this single CWE manifestation."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-31",
      "target_framework": "CWE",
      "target_id": "CWE-565",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-565's missing validation directly enables cookie modification/impersonation attacks to succeed, while CAPEC-31 is only one narrow variant among many possible exploits of that weakness."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-31",
      "target_framework": "CWE",
      "target_id": "CWE-602",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-602 enables cookie tampering fully because the attack succeeds only when the server trusts client-controlled cookie state; CAPEC-31 exploits that surface only partially as one narrow variant among many client-trust failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-31",
      "target_framework": "CWE",
      "target_id": "CWE-642",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-642 enables CAPEC-31 fully because the attack cannot occur without external storage of critical state in accessible cookies, while CAPEC-31 exploits CWE-642 only partially as one narrow cookie-specific variant of the broader weakness."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-310",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 does not enable reconnaissance scanning, yet CAPEC-310 can partially exploit exposed version banners or service details."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-312",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 enables CAPEC-312 fully because the attack depends on protocol responses exposing OS details; CAPEC-312 exploits CWE-200 only partially as one narrow fingerprinting variant."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-313",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 supplies the exposed OS artifacts that CAPEC-313 directly observes, yet the CAPEC is only one narrow passive variant among many possible information exposures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-317",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 is a software flaw exposing data via improper protection; CAPEC-317 is passive network reconnaissance of inherent protocol behavior that neither requires nor targets that flaw."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-318",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 enables CAPEC-318 mostly because the probe directly depends on the OS exposing ID-field details via ICMP; CAPEC-318 exploits CWE-200 only partially as one narrow fingerprinting variant among many information-disclosure manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-319",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-200's exposure behavior is the direct prerequisite that makes the DF-bit distinction observable (full enablement), while CAPEC-319 is only one narrow probe among many possible information-gathering techniques that could leverage such exposure (partial exploitation)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-32",
      "target_framework": "CWE",
      "target_id": "CWE-80",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-80 fully enables CAPEC-32 because the neutralization failure is required for any query-string XSS to succeed, while CAPEC-32 only partially exploits CWE-80 as one narrow delivery variant among many XSS forms."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-320",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CAPEC-320 gathers OS info via normal TCP behavior with no dependence on an exposure flaw (forward none), yet still constitutes one narrow form of sensitive-information disclosure (reverse partial)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-321",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 does not enable the TCP probe (sequence behavior is observable regardless), while CAPEC-321 exploits the exposure surface only partially as one narrow reconnaissance variant."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-322",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CAPEC-322 performs passive TCP ISN analysis on standard protocol responses and neither requires nor targets any sensitive-information exposure flaw."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-323",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 exposure is irrelevant to CAPEC-323's passive TCP ISN timing observation, which neither depends on nor targets an information-disclosure flaw."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-324",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 does not enable CAPEC-324's network-probing technique at all, while the probe can partially exploit the weakness by revealing OS-identifying sequence data."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-325",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CAPEC-325 performs active TCP/ECN probing for OS fingerprinting and neither depends on nor targets any sensitive-information exposure surface described by CWE-200."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-326",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CAPEC-326 performs passive TCP stack fingerprinting via protocol behavior and has no dependence on or exploitation of any sensitive-information exposure surface described by CWE-200."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-327",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 does not enable the TCP probe (which works on any compliant stack), while CAPEC-327 is one narrow reconnaissance variant that produces the exposure described by CWE-200."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-328",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-200's exposure of RST payload text directly enables the fingerprinting probe (mostly), while CAPEC-328 is only one narrow RST-checksum variant among many possible information exposures (partial)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-329",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-200's exposure of implementation details in ICMP error quotes directly enables the probe, yet CAPEC-329 is only one narrow variant among many possible information disclosures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-33",
      "target_framework": "CWE",
      "target_id": "CWE-444",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-444 is the exact inconsistent-interpretation condition the smuggling attack requires, yet CAPEC-33 is only one narrow request-focused variant of that broad weakness family."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-330",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 fully enables CAPEC-330 because the probe succeeds only by exposing OS/protocol details in ICMP quotes, while CAPEC-330 exploits CWE-200 only partially as one narrow variant among many exposure surfaces."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-331",
      "target_framework": "CWE",
      "target_id": "CWE-204",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-204's response discrepancies directly enable the fingerprinting probe (no distinguishable error data = no attack), while CAPEC-331 is only one narrow ICMP/UDP variant among many possible CWE-204 manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-332",
      "target_framework": "CWE",
      "target_id": "CWE-204",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-204 directly supplies the observable response differences the probe requires, while CAPEC-332 is only one narrow ICMP-ID variant among many possible manifestations of the CWE."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-34",
      "target_framework": "CWE",
      "target_id": "CWE-113",
      "extent": "mostly",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-113's missing CRLF neutralization directly supplies the injection surface CAPEC-34 requires, enabling the pattern fully, while CAPEC-34 itself is one narrow manifestation of that CWE and therefore exploits it only mostly."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-34",
      "target_framework": "CWE",
      "target_id": "CWE-138",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-138 fully enables CAPEC-34 because the attack requires unneutralized CRLF/special chars, while CAPEC-34 exploits only one narrow slice of the broad CWE-138 surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-34",
      "target_framework": "CWE",
      "target_id": "CWE-436",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-436 enables CAPEC-34 fully because the attack requires conflicting HTTP interpretations to succeed, while CAPEC-34 exploits the broad CWE only partially as one narrow header-injection variant."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-34",
      "target_framework": "CWE",
      "target_id": "CWE-74",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-74 enables CAPEC-34 fully because response splitting requires unneutralized CR/LF injection, while CAPEC-34 exploits the broad CWE-74 family only partially as one narrow HTTP variant."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-35",
      "target_framework": "CWE",
      "target_id": "CWE-282",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Wrong ownership can let an attacker modify a resource file and thereby enable CAPEC-35, yet the attack pattern itself targets file-trust behavior rather than ownership verification."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-35",
      "target_framework": "CWE",
      "target_id": "CWE-94",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-94 directly enables CAPEC-35 by allowing unneutralized external input to become executable code, while CAPEC-35 is only one narrow file-based variant among many CWE-94 manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-35",
      "target_framework": "CWE",
      "target_id": "CWE-95",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-35 exploits file-trust issues via multiple mechanisms, only occasionally using dynamic eval, while CWE-95 is not a primary vector for this file-based pattern."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-35",
      "target_framework": "CWE",
      "target_id": "CWE-96",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-96's failure to neutralize injected directives in config/resource files directly enables CAPEC-35's file-trust abuse, but CAPEC-35 is only one narrow manifestation among many possible static-injection variants."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-36",
      "target_framework": "CWE",
      "target_id": "CWE-1242",
      "extent": "mostly",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1242 supplies the hidden chicken-bit surface that CAPEC-36 can invoke, yet CAPEC-36 also succeeds via other unpublished interfaces; conversely the CAPEC directly targets the exact weakness surface described by the CWE."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-36",
      "target_framework": "CWE",
      "target_id": "CWE-306",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-306 enables CAPEC-36 fully because unpublished interfaces succeed only when auth is absent, while CAPEC-36 exploits the CWE only partially as one narrow variant among many auth failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-36",
      "target_framework": "CWE",
      "target_id": "CWE-693",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-693 enables CAPEC-36 fully because absent any protection failure the unpublished interfaces cannot be invoked; CAPEC-36 exploits CWE-693 only partially as one narrow discovery+invocation variant among many protection failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-36",
      "target_framework": "CWE",
      "target_id": "CWE-695",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-695 directly supplies the prohibited low-level surface that CAPEC-36 requires, enabling the pattern fully, while CAPEC-36 is only one narrow variant among many possible low-level misuse cases."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-37",
      "target_framework": "CWE",
      "target_id": "CWE-1258",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1258 directly supplies the uncleared sensitive values that CAPEC-37 seeks, enabling the pattern in debug scenarios, yet CAPEC-37 remains a broad retrieval technique that only partially maps onto this specific hardware exposure surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-37",
      "target_framework": "CWE",
      "target_id": "CWE-1272",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-37 is a broad software reverse-engineering pattern while CWE-1272 describes one narrow hardware/firmware uncleared-data scenario that the CAPEC could incidentally exploit."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-37",
      "target_framework": "CWE",
      "target_id": "CWE-1278",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "A enables one specific hardware-imaging method within the broader CAPEC-37 pattern (hence partial) while CAPEC-37 only touches this narrow IC-imaging surface among many possible retrieval techniques (hence partial)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-37",
      "target_framework": "CWE",
      "target_id": "CWE-1301",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1301's incomplete hardware erasure directly supplies the sensitive data that CAPEC-37 retrieves, yet CAPEC-37 is a broad retrieval pattern that can exploit many other embedding vectors."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-37",
      "target_framework": "CWE",
      "target_id": "CWE-226",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-226 leaves data in reusable resources that CAPEC-37 directly retrieves, yet the attack pattern also covers other embedding sources while only one narrow variant targets reuse failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-37",
      "target_framework": "CWE",
      "target_id": "CWE-311",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Missing encryption directly enables retrieval of usable embedded secrets (full), while CAPEC-37 is only one narrow manifestation of that broad weakness (partial)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-37",
      "target_framework": "CWE",
      "target_id": "CWE-312",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-312's cleartext storage directly enables CAPEC-37's retrieval (no readable data exists without it), yet CAPEC-37 is only one narrow embedding/retrieval variant among many possible CWE-312 manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-37",
      "target_framework": "CWE",
      "target_id": "CWE-314",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Cleartext registry storage directly supplies the accessible sensitive data that CAPEC-37 retrieves, yet the attack pattern also covers many other embedding locations so the match is not exhaustive in either direction."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-37",
      "target_framework": "CWE",
      "target_id": "CWE-315",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-315 supplies one possible embedding location that CAPEC-37 can read, but the attack pattern neither requires cookies nor is limited to them, so each direction rates only partial."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-37",
      "target_framework": "CWE",
      "target_id": "CWE-318",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-318 directly supplies the cleartext executable data that CAPEC-37 retrieves, enabling the pattern fully, yet CAPEC-37 also targets many other embedding locations and formats so exploits this CWE only partially."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-37",
      "target_framework": "CWE",
      "target_id": "CWE-525",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-525 places sensitive data in an accessible client cache (one embedding location among many), enabling CAPEC-37 only for cache-based retrievals, while the broad CAPEC-37 pattern exploits this CWE only when it specifically targets cached data."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-38",
      "target_framework": "CWE",
      "target_id": "CWE-426",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-426 fully enables CAPEC-38 because the attack cannot succeed without an untrusted search path, while CAPEC-38 exploits the CWE only partially as one narrow manipulation variant among many possible search-path weaknesses."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-38",
      "target_framework": "CWE",
      "target_id": "CWE-427",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-427 fully enables CAPEC-38 (attack cannot execute without the uncontrolled path), while CAPEC-38 only partially exploits the broader CWE family as one narrow search-path variant."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-383",
      "target_framework": "CWE",
      "target_id": "CWE-311",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Missing encryption directly exposes the sensitive values that CAPEC-383's event monitoring is designed to harvest, yet the CAPEC remains only one narrow transmission-monitoring variant among many possible manifestations of CWE-311."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-383",
      "target_framework": "CWE",
      "target_id": "CWE-319",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-319 enables CAPEC-383 fully because event monitoring can only harvest the sensitive values when they traverse the channel in cleartext; CAPEC-383 exploits the CWE only partially because it is one narrow monitoring technique among many possible manifestations of cleartext exposure."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-383",
      "target_framework": "CWE",
      "target_id": "CWE-419",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-383 exploits information leakage via framework event monitoring/AiTM and is unrelated to admin or primary-channel protection."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-384",
      "target_framework": "CWE",
      "target_id": "CWE-311",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Missing encryption directly enables MITM message tampering by exposing plaintext, while CAPEC-384 is only one narrow variant among many possible exploits of that weakness."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-384",
      "target_framework": "CWE",
      "target_id": "CWE-345",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-345 fully enables CAPEC-384 because message manipulation via MITM succeeds only when authenticity checks are absent, yet CAPEC-384 remains one narrow MITM variant among many manifestations of the broad CWE."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-384",
      "target_framework": "CWE",
      "target_id": "CWE-346",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-346 is a prerequisite for successful MITM message tampering (full enablement) yet CAPEC-384 is only one narrow AiTM variant among many possible origin-validation failures (partial exploitation)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-384",
      "target_framework": "CWE",
      "target_id": "CWE-471",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "MAID directly supplies the modifiable-assumed-immutable surface that MITM message tampering needs, yet CAPEC-384 is only one narrow delivery technique among many possible MAID manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-384",
      "target_framework": "CWE",
      "target_id": "CWE-602",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-602 is a prerequisite for CAPEC-384 success (server must trust manipulated client messages), yet the CAPEC is only one narrow MITM variant among many CWE-602 manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-385",
      "target_framework": "CWE",
      "target_id": "CWE-311",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-385 performs tampering via API-level MITM; missing encryption can aid interception but is neither required nor the hinge of the pattern."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-385",
      "target_framework": "CWE",
      "target_id": "CWE-345",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-345 is a direct prerequisite for any successful tampering (full enablement), yet CAPEC-385 is only one narrow API-manipulation variant among many possible authenticity failures (partial exploitation)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-385",
      "target_framework": "CWE",
      "target_id": "CWE-346",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-346 enables CAPEC-385 fully because absent origin checks the MITM tampering succeeds directly; CAPEC-385 exploits the CWE only partially as a narrow API-tampering variant among many possible origin-validation failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-385",
      "target_framework": "CWE",
      "target_id": "CWE-471",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-471 directly enables CAPEC-385 by permitting modification of transaction data assumed immutable, while the CAPEC is only one narrow API-manipulation variant among many possible MAID manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-385",
      "target_framework": "CWE",
      "target_id": "CWE-602",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-602 enables CAPEC-385 fully because absent server-side validation the MITM tampering succeeds; CAPEC-385 exploits the CWE only partially as one narrow API-manipulation variant among many possible client-trust abuses."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-386",
      "target_framework": "CWE",
      "target_id": "CWE-345",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-345 enables CAPEC-386 fully because manipulated navigation data is accepted only when authenticity checks are absent, yet CAPEC-386 exploits the CWE only partially as one narrow remapping variant among many possible authenticity failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-386",
      "target_framework": "CWE",
      "target_id": "CWE-346",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-346 enables CAPEC-386 fully because absent origin checks the attacker can freely substitute authentic-looking navigation targets; CAPEC-386 exploits the CWE only partially as a narrow navigation-remapping variant among many possible origin-validation failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-386",
      "target_framework": "CWE",
      "target_id": "CWE-471",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-471 fully enables CAPEC-386 because the attack requires successful modification of assumed-immutable navigation data; CAPEC-386 exploits the CWE only partially as one narrow API-remapping variant among many MAID manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-386",
      "target_framework": "CWE",
      "target_id": "CWE-602",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-602 enables CAPEC-386 mostly by letting client-supplied navigation data control outcomes the server should enforce, while the narrow remapping variant exploits that surface only partially."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-387",
      "target_framework": "CWE",
      "target_id": "CWE-345",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-345 fully enables the attack by letting unauthenticated manipulated messages be accepted, while CAPEC-387 exploits that surface only as one narrow navigation-remapping variant among many possible manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-387",
      "target_framework": "CWE",
      "target_id": "CWE-346",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-346 enables CAPEC-387 fully because absent origin checks let remapped navigation appear authentic; CAPEC-387 exploits the CWE only partially as one narrow navigation-specific variant among many possible origin failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-387",
      "target_framework": "CWE",
      "target_id": "CWE-471",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-471 fully enables the attack because navigation/content remapping cannot succeed without the ability to alter assumed-immutable data, yet CAPEC-387 is only one narrow variant among many possible MAID manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-387",
      "target_framework": "CWE",
      "target_id": "CWE-602",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-602's client-side trust directly enables CAPEC-387's client-data manipulation to succeed, while the CAPEC is only one narrow navigation-remapping variant among many CWE-602 manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-388",
      "target_framework": "CWE",
      "target_id": "CWE-345",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-345 fully enables CAPEC-388 because the attack cannot succeed if manipulated API data is rejected, yet the narrow button-hijacking variant exploits only one slice of the broad authenticity-verification surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-388",
      "target_framework": "CWE",
      "target_id": "CWE-346",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Missing origin checks directly enable an attacker to alter API message destinations, yet CAPEC-388 is only one narrow button-focused variant of such origin abuses."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-388",
      "target_framework": "CWE",
      "target_id": "CWE-471",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-471 enables CAPEC-388 fully because button hijacking requires the ability to modify data the app treats as immutable; CAPEC-388 exploits CWE-471 only partially as one narrow API-specific variant among many MAID manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-388",
      "target_framework": "CWE",
      "target_id": "CWE-602",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-602 fully enables CAPEC-388 because button-destination manipulation succeeds only when the server trusts client-side API handling; CAPEC-388 exploits the CWE only partially as one narrow API-framework variant among many client-enforcement failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-389",
      "target_framework": "CWE",
      "target_id": "CWE-353",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Missing transmission integrity enables undetected message tampering (partial) while the API-manipulation pattern only incidentally relies on that surface rather than exploiting the CWE family directly."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-39",
      "target_framework": "CWE",
      "target_id": "CWE-285",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-285 fully enables CAPEC-39 because tampered tokens succeed only when server-side authorization is missing or broken; CAPEC-39 exploits that surface only partially as one narrow client-token variant among many authorization failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-39",
      "target_framework": "CWE",
      "target_id": "CWE-302",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-302's assumed-immutable data directly enables the token-manipulation attack with no alternative path, while CAPEC-39 is only one narrow client-token variant of that broad CWE family."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-39",
      "target_framework": "CWE",
      "target_id": "CWE-315",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Cleartext cookie storage directly supplies readable data an attacker can alter, enabling most of CAPEC-39, yet CAPEC-39 only partially exploits this CWE because it also covers encrypted but unsigned tokens."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-39",
      "target_framework": "CWE",
      "target_id": "CWE-353",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-353 directly enables CAPEC-39 by removing the integrity verification that would otherwise block token tampering, while CAPEC-39 is only one narrow client-token variant among many possible integrity failures covered by CWE-353."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-39",
      "target_framework": "CWE",
      "target_id": "CWE-384",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-384's missing session invalidation does not enable token tampering (CAPEC-39 works on any client-side state regardless), while CAPEC-39 can exploit session-ID tokens only as one narrow case among many data-token targets."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-39",
      "target_framework": "CWE",
      "target_id": "CWE-472",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-472 fully enables CAPEC-39 because the attack requires the app to trust unverified client-side tokens, while CAPEC-39 exploits the CWE only partially as one narrow variant among many assumed-immutable parameter issues."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-39",
      "target_framework": "CWE",
      "target_id": "CWE-539",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-539 supplies one client-side token type the CAPEC can target, but the attack works on URLs/data files too so enablement is only partial; CAPEC-39 broadly covers any opaque token and therefore only partially exploits the narrow cookie-specific weakness."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-39",
      "target_framework": "CWE",
      "target_id": "CWE-565",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-565's missing validation is the exact precondition the CAPEC-39 manipulation requires, yet CAPEC-39 also covers non-cookie tokens so it only partially maps onto this cookie-specific CWE."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-4",
      "target_framework": "CWE",
      "target_id": "CWE-173",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-173 enables CAPEC-4 fully because the attack cannot succeed without the failure to handle alternate encodings, while CAPEC-4 exploits CWE-173 only partially as one narrow IP-encoding variant among many possible manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-4",
      "target_framework": "CWE",
      "target_id": "CWE-291",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-291's IP reliance creates the access-control surface CAPEC-4 targets via encoding tricks, yet CAPEC-4 is only one narrow bypass variant among many possible IP-authentication failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-401",
      "target_framework": "CWE",
      "target_id": "CWE-1263",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1263 enables CAPEC-401 fully (no physical access means no hardware tampering possible) while CAPEC-401 exploits only one narrow hardware-substitution variant of the broad physical-access weakness."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-402",
      "target_framework": "CWE",
      "target_id": "CWE-285",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Missing authz check directly enables the ATA password-update bypass, yet CAPEC-402 is only one narrow manifestation of the broad CWE-285 family."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-41",
      "target_framework": "CWE",
      "target_id": "CWE-150",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-150 directly supplies the missing neutralization that CAPEC-41 requires, yet CAPEC-41 is only one narrow email-header variant among many possible CWE-150 manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-42",
      "target_framework": "CWE",
      "target_id": "CWE-119",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-119 fully enables the buffer overflow that CAPEC-42 requires, while CAPEC-42 exploits CWE-119 only partially as one narrow MIME-conversion variant among many."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-42",
      "target_framework": "CWE",
      "target_id": "CWE-120",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-120 enables CAPEC-42 fully as the MIME overflow attack cannot succeed without an unchecked buffer copy; CAPEC-42 exploits CWE-120 only partially as a narrow MIME-specific variant among many buffer-overflow avenues."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-42",
      "target_framework": "CWE",
      "target_id": "CWE-20",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-42 fully because a buffer overflow in MIME conversion cannot occur without a validation failure on input size/format; CAPEC-42 exploits CWE-20 only partially as one narrow MIME-specific variant among many possible input-validation failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-42",
      "target_framework": "CWE",
      "target_id": "CWE-74",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-42 centers on buffer overflow in MIME conversion (CWE-120 family), only incidentally touching the broad injection surface of CWE-74."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-43",
      "target_framework": "CWE",
      "target_id": "CWE-179",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-179 fully enables CAPEC-43 because early validation before modification is exactly the surface the multi-layer bypass requires, while CAPEC-43 exploits that CWE only partially as one narrow interpretation-layer variant."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-43",
      "target_framework": "CWE",
      "target_id": "CWE-183",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-183's overly broad allow-list can admit the layered payloads CAPEC-43 crafts, yet the attack pattern fundamentally depends on multi-pass parsing rather than the allow-list flaw itself, so each direction only partially satisfies the other."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-43",
      "target_framework": "CWE",
      "target_id": "CWE-184",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Incomplete blacklist (CWE-184) fully enables the layered-encoding bypass because any missed encoding lets the attack succeed, while CAPEC-43 only partially exploits it as one narrow multi-pass variant of many possible blacklist evasions."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-43",
      "target_framework": "CWE",
      "target_id": "CWE-20",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-43 fully because the attack cannot succeed without flawed validation of layered input, yet CAPEC-43 exploits CWE-20 only partially as one narrow multi-pass variant among many possible input-validation failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-43",
      "target_framework": "CWE",
      "target_id": "CWE-697",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Incorrect comparison can allow a layered bypass to succeed but is neither necessary nor the core issue; CAPEC-43 targets multi-pass parsing, exploiting CWE-697 only as one narrow validation flaw among others."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-43",
      "target_framework": "CWE",
      "target_id": "CWE-707",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-707's failure to neutralize layered input directly enables CAPEC-43's bypass technique, yet the narrow multi-pass variant only partially covers the broad neutralization weakness surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-43",
      "target_framework": "CWE",
      "target_id": "CWE-74",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-74's neutralization failure is a prerequisite for any layered-interpretation bypass, enabling CAPEC-43 fully, yet CAPEC-43 is only one narrow variant among the many injection manifestations covered by the broad CWE."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-43",
      "target_framework": "CWE",
      "target_id": "CWE-77",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-77's neutralization failure is required for CAPEC-43's layered bypass to succeed against commands, yet CAPEC-43 is only one narrow multi-pass variant among many command-injection techniques."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-43",
      "target_framework": "CWE",
      "target_id": "CWE-78",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-78 is not required for CAPEC-43 (which targets many input-validation surfaces), yet CAPEC-43's layered-bypass technique can partially exploit the neutralization failure described by CWE-78."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-439",
      "target_framework": "CWE",
      "target_id": "CWE-1269",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-439 describes active tampering across the supply chain (a broad meta-pattern) that could incidentally produce or exploit a non-release configuration, but CWE-1269 itself is not a prerequisite or primary hinge for the attack."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-44",
      "target_framework": "CWE",
      "target_id": "CWE-119",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-119 enables CAPEC-44 fully (the attack cannot occur without the buffer overflow) while CAPEC-44 exploits CWE-119 only partially (narrow binary-resource variant among many possible manifestations)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-44",
      "target_framework": "CWE",
      "target_id": "CWE-120",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-120 enables CAPEC-44 fully (attack cannot occur without the buffer overflow) while CAPEC-44 exploits CWE-120 only partially (narrow binary-resource variant of the broad weakness)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-44",
      "target_framework": "CWE",
      "target_id": "CWE-697",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Incorrect comparison can contribute to flawed size checks that enable a binary-resource overflow, yet buffer overflows are primarily enabled by absent bounds checks rather than comparison errors; CAPEC-44 therefore only partially exploits this CWE surface as one narrow variant among many buffer-overflow vectors."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-441",
      "target_framework": "CWE",
      "target_id": "CWE-284",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Improper access control can serve as one vector for malware insertion but is not required (social engineering or physical access suffice), while CAPEC-441 only incidentally touches access-control surfaces as one of many possible steps."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-442",
      "target_framework": "CWE",
      "target_id": "CWE-506",
      "extent": "full",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-506 is the direct consequence of executing CAPEC-442, so the weakness cannot enable the attack pattern while the pattern fully realizes the weakness."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-448",
      "target_framework": "CWE",
      "target_id": "CWE-506",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-506 is the outcome of embedding malicious code rather than a precondition that enables CAPEC-448, while CAPEC-448 is one narrow binary-tampering variant that can produce the CWE-506 condition."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-45",
      "target_framework": "CWE",
      "target_id": "CWE-118",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-118's missing bounds check is the direct prerequisite for any buffer overflow, so the weakness enables the attack fully; CAPEC-45 is only one narrow symbolic-link vector among many possible CWE-118 manifestations, so the pattern exploits the weakness only partially."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-45",
      "target_framework": "CWE",
      "target_id": "CWE-119",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-119 is the direct prerequisite that CAPEC-45 hinges on, yet CAPEC-45 is only one narrow symbolic-link variant of the broad CWE-119 family."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-45",
      "target_framework": "CWE",
      "target_id": "CWE-120",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-120's missing bounds check is a direct prerequisite for CAPEC-45 (full enablement), yet CAPEC-45 is only one narrow symbolic-link variant among many buffer-overflow manifestations (partial exploitation)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-45",
      "target_framework": "CWE",
      "target_id": "CWE-20",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-20's missing validation is the direct precondition for the symlink-induced overflow to succeed, yet CAPEC-45 is only one narrow symlink-based variant among many possible CWE-20 manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-45",
      "target_framework": "CWE",
      "target_id": "CWE-697",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Buffer overflow via symlinks depends on missing bounds checks, not incorrect comparison, so the weakness neither enables nor is exploited by the pattern."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-456",
      "target_framework": "CWE",
      "target_id": "CWE-1260",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Overlap mishandling can be one bypass step enabling memory injection but is neither required nor the focus of the broad infected-memory pattern, which exploits many other weaknesses."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-456",
      "target_framework": "CWE",
      "target_id": "CWE-1274",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1274's missing VM protections directly enable boot-code infection (CAPEC-456) but the broad memory-infection pattern only partially exploits this narrow boot-specific weakness."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-456",
      "target_framework": "CWE",
      "target_id": "CWE-1312",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-456 is a broad memory-infection pattern that can exploit many weaknesses; CWE-1312 is a narrow hardware-firewall flaw that could be one vector for such infection but is not required by the CAPEC."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-457",
      "target_framework": "CWE",
      "target_id": "CWE-1299",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-457 exploits USB as one possible external vector among many weaknesses, while CWE-1299 describes a narrower hardware alternate-path bypass not required by the CAPEC."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-458",
      "target_framework": "CWE",
      "target_id": "CWE-1282",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1282's writable storage of immutable data directly supplies the surface that CAPEC-458's flash-memory write requires (full enablement), yet the CAPEC is only one narrow flash-specific variant among many possible manifestations of the CWE (partial exploitation)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-459",
      "target_framework": "CWE",
      "target_id": "CWE-290",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-290's spoofable auth implementation is neither required nor used by the hash-collision technique in CAPEC-459, yet the resulting rogue certificate produces an authentication bypass via spoofing and therefore touches that CWE surface only narrowly."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-459",
      "target_framework": "CWE",
      "target_id": "CWE-327",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-327 fully enables CAPEC-459 because the attack requires a weak-collision hash algorithm, while CAPEC-459 exploits only one narrow manifestation of the broad CWE family."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-46",
      "target_framework": "CWE",
      "target_id": "CWE-118",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-118's range-error surface directly permits oversized tag writes to overflow buffers (mostly enabling CAPEC-46), yet CAPEC-46 is only one narrow configuration-tag variant among many possible range-error manifestations (exploits partially)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-46",
      "target_framework": "CWE",
      "target_id": "CWE-119",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-119 enables CAPEC-46 fully because the attack requires an exploitable buffer boundary violation; CAPEC-46 exploits CWE-119 only partially as a narrow tag/variable variant among many buffer-overflow manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-46",
      "target_framework": "CWE",
      "target_id": "CWE-120",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-120 enables CAPEC-46 fully because the tag/variable overflow attack requires an unchecked buffer copy to succeed, while CAPEC-46 exploits the CWE only partially as one narrow input-format variant among many."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-46",
      "target_framework": "CWE",
      "target_id": "CWE-20",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-46 fully because unsanitized oversized tag/variable input directly produces the overflow; CAPEC-46 exploits CWE-20 only partially as one narrow size-based variant among many input-validation failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-46",
      "target_framework": "CWE",
      "target_id": "CWE-680",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-680 produces buffer overflows only via miscalculated allocation sizes, while CAPEC-46 directly supplies oversized tag/variable data and never relies on or targets that integer-overflow step."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-46",
      "target_framework": "CWE",
      "target_id": "CWE-697",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-46 hinges on absent boundary checks that produce buffer overflows, only incidentally touching an incorrect length comparison."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-46",
      "target_framework": "CWE",
      "target_id": "CWE-74",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-46 relies on absent length checks for oversized tag values (buffer overflow), not the neutralization-of-special-elements flaw that defines CWE-74."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-460",
      "target_framework": "CWE",
      "target_id": "CWE-147",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-147 neutralization failure can allow delimiter injection used by HPP (partial enablement) while CAPEC-460 is a narrow duplicate-parameter variant that only touches the CWE surface incidentally (partial exploitation)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-460",
      "target_framework": "CWE",
      "target_id": "CWE-235",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-235 fully enables CAPEC-460 because duplicate-parameter injection succeeds only when extra names are not rejected, while the CAPEC is merely one narrow HTTP variant of the broader CWE."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-460",
      "target_framework": "CWE",
      "target_id": "CWE-88",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-460 performs delimiter injection strictly inside HTTP query strings, while CWE-88 concerns command-line argument delimiters; the two touch the same abstract idea but share no direct exploitation surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-461",
      "target_framework": "CWE",
      "target_id": "CWE-290",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-290's incorrectly implemented auth schemes directly enable the signature forgery in CAPEC-461, but the CAPEC is only one narrow hash-extension variant among many possible spoofs of that CWE."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-461",
      "target_framework": "CWE",
      "target_id": "CWE-328",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-328 enables CAPEC-461 fully because length-extension forgery requires a weak Merkle-Damg\u00e5rd hash; CAPEC-461 exploits CWE-328 only partially as one narrow signature-forgery variant among many weak-hash manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-462",
      "target_framework": "CWE",
      "target_id": "CWE-208",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-208 fully enables CAPEC-462 because the attack requires observable timing discrepancies to leak information, while CAPEC-462 only partially exploits the CWE as one narrow cross-domain variant among many timing attacks."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-462",
      "target_framework": "CWE",
      "target_id": "CWE-352",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-462 uses cross-domain authenticated requests only as a vehicle for timing side-channel leaks, not to perform the state-changing forgeries that define CWE-352."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-462",
      "target_framework": "CWE",
      "target_id": "CWE-385",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-385 supplies the observable timing side-channel that CAPEC-462 directly requires, enabling the pattern fully, yet CAPEC-462 remains only one narrow cross-domain search variant among many possible timing-channel exploits."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-463",
      "target_framework": "CWE",
      "target_id": "CWE-209",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-209 enables CAPEC-463 fully because the padding-oracle leak is realized precisely by sensitive error messages, while CAPEC-463 exploits CWE-209 only partially as one narrow crypto-specific variant of many possible error disclosures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-463",
      "target_framework": "CWE",
      "target_id": "CWE-347",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Padding-oracle decryption attacks rely on CBC padding-error oracles in symmetric ciphers and never depend on or target signature-verification logic."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-463",
      "target_framework": "CWE",
      "target_id": "CWE-354",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-354 concerns failure to detect tampering via checksums/MACs while CAPEC-463 requires only side-channel leakage of a correct padding check result, so the weakness does not enable the pattern but the pattern touches a narrow integrity-check surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-463",
      "target_framework": "CWE",
      "target_id": "CWE-649",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-649 fully enables the padding-oracle attack by permitting undetected ciphertext tampering, while CAPEC-463 exploits that surface only as one narrow cryptographic variant among many possible integrity failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-463",
      "target_framework": "CWE",
      "target_id": "CWE-696",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Incorrect operation ordering can produce distinguishable padding-error states that enable the oracle leak, yet the CAPEC is a narrow crypto side-channel variant that only partially maps onto the broad CWE-696 family."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-464",
      "target_framework": "CWE",
      "target_id": "CWE-359",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-359 does not enable cookie persistence mechanics at all, while CAPEC-464 can serve as one narrow tracking vector that partially surfaces the privacy exposure described by CWE-359."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-465",
      "target_framework": "CWE",
      "target_id": "CWE-441",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-441's failure to preserve request source directly enables transparent-proxy abuse, while CAPEC-465 is only one narrow variant among many possible confused-deputy manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-466",
      "target_framework": "CWE",
      "target_id": "CWE-300",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-300 directly supplies the MITM-accessible channel that CAPEC-466 requires, enabling the pattern fully, yet the CAPEC is only one narrow SOP-bypass variant among many possible exploitations of the CWE."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-467",
      "target_framework": "CWE",
      "target_id": "CWE-352",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-352 is not required for CAPEC-467 (payload delivery and session harvesting can occur via XSS or other means), while the attack pattern only partially exploits CSRF surfaces by forging cross-origin session-bearing requests."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-467",
      "target_framework": "CWE",
      "target_id": "CWE-359",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-359 supplies the exact exposure surface the CAPEC-467 cross-site request needs to succeed, yet CAPEC-467 is only one narrow session-harvesting variant among many possible manifestations of that CWE."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-468",
      "target_framework": "CWE",
      "target_id": "CWE-149",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-149's quote-neutralization failure can aid CSS injection but is neither necessary nor the core of CAPEC-468's parser-abuse technique; conversely the CAPEC only partially touches quoting surfaces among many possible injection vectors."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-468",
      "target_framework": "CWE",
      "target_id": "CWE-177",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-177 can serve as one optional bypass step for delivering injectable text but is not required for CAPEC-468, which instead exploits CSS parser and cookie-loading behavior."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-468",
      "target_framework": "CWE",
      "target_id": "CWE-707",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-707 enables CAPEC-468 fully by permitting attacker-controlled CSS text, while the narrow CSS-parser abuse exploits only one slice of the broad neutralization surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-468",
      "target_framework": "CWE",
      "target_id": "CWE-838",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-838 enables CAPEC-468 mostly because missing context-appropriate output encoding lets attacker-controlled text be emitted and parsed as CSS; CAPEC-468 exploits that surface only partially as one narrow CSS-injection variant among many CWE-838 manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-469",
      "target_framework": "CWE",
      "target_id": "CWE-770",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-770 enables CAPEC-469 fully because unlimited allocation is the direct precondition for HTTP session exhaustion, while the CAPEC exploits the CWE only partially as one narrow flooding variant among many resource-depletion manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-469",
      "target_framework": "CWE",
      "target_id": "CWE-772",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-772 enables CAPEC-469 fully because the attack requires the server to retain HTTP sessions indefinitely, while CAPEC-469 exploits the CWE only partially as one narrow resource-exhaustion variant among many."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-47",
      "target_framework": "CWE",
      "target_id": "CWE-118",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-118 enables CAPEC-47 fully because the range-error weakness is the direct precondition for the overflow to occur, while CAPEC-47 exploits CWE-118 only partially as one narrow parameter-expansion variant among many possible range errors."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-47",
      "target_framework": "CWE",
      "target_id": "CWE-119",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-119 enables CAPEC-47 fully because the attack cannot succeed without an out-of-bounds buffer operation, yet CAPEC-47 exploits the CWE only partially as one narrow parameter-expansion variant among many buffer-overflow manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-47",
      "target_framework": "CWE",
      "target_id": "CWE-120",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-120's missing size check is the direct precondition that lets parameter expansion overflow a buffer (full enablement), while CAPEC-47 is only one narrow expansion-based variant among many possible CWE-120 triggers (partial exploitation)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-47",
      "target_framework": "CWE",
      "target_id": "CWE-130",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-130's length-inconsistency flaw directly supplies the missing bound check that CAPEC-47 needs to turn expansion into overflow (mostly enabling), yet CAPEC-47 is only one narrow expansion variant among many possible length mishandlings (partial exploitation)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-47",
      "target_framework": "CWE",
      "target_id": "CWE-131",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-131's miscalculation directly enables the expansion-based overflow in CAPEC-47, yet the narrow parameter-expansion variant only partially covers the broad CWE surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-47",
      "target_framework": "CWE",
      "target_id": "CWE-20",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 fully enables CAPEC-47 because the attack cannot succeed without missing validation of expanded input size, yet the narrow expansion variant exploits the broad CWE only partially."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-47",
      "target_framework": "CWE",
      "target_id": "CWE-680",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-680 supplies one possible allocation miscalculation that can turn parameter expansion into overflow (partial enablement), while CAPEC-47 is a narrow expansion variant that only sometimes hinges on integer overflow (partial exploitation)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-47",
      "target_framework": "CWE",
      "target_id": "CWE-697",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Incorrect comparison can enable the overflow when a flawed size/limit check permits expansion, but the attack can also succeed from a missing check entirely; CAPEC-47 is one narrow expansion variant among many possible CWE-697 manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-470",
      "target_framework": "CWE",
      "target_id": "CWE-250",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-250 supplies the exact elevated DB privileges the CAPEC-470 escalation path requires, while CAPEC-470 is only one narrow variant among many possible manifestations of unnecessary privileges."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-470",
      "target_framework": "CWE",
      "target_id": "CWE-89",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-89 supplies the DB foothold that CAPEC-470 then uses for OS expansion, but CAPEC-470 itself does not target the neutralization flaw."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-471",
      "target_framework": "CWE",
      "target_id": "CWE-427",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-427 fully enables CAPEC-471 because the attack requires an uncontrolled search path element, while CAPEC-471 only partially exploits CWE-427 as one narrow library-loading variant among many possible search-path weaknesses."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-472",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Fingerprinting relies on standard browser behaviors rather than any exposure weakness, yet still produces a narrow form of sensitive configuration disclosure."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-473",
      "target_framework": "CWE",
      "target_id": "CWE-20",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables signature spoof by allowing malformed or unverified signed data to be accepted, but CAPEC-473 exploits only the narrow verification surface of that weakness."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-473",
      "target_framework": "CWE",
      "target_id": "CWE-290",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-290 enables CAPEC-473 fully because signature spoofing requires a flawed authentication/verification scheme, while CAPEC-473 exploits the CWE only partially as one narrow spoofing variant among many."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-473",
      "target_framework": "CWE",
      "target_id": "CWE-327",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Broken algorithms directly enable forgery of signatures (mostly), while Signature Spoof is only one narrow cryptographic manifestation among many possible exploits of CWE-327 (partial)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-474",
      "target_framework": "CWE",
      "target_id": "CWE-522",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-522 enables key theft fully as the attack cannot succeed without the protection failure, while CAPEC-474 exploits it only partially as a narrow signature-specific variant."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-475",
      "target_framework": "CWE",
      "target_id": "CWE-295",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-295 enables CAPEC-475 fully as the attack requires the validation flaw, yet CAPEC-475 exploits only the signature-spoofing slice of the broader certificate-validation surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-475",
      "target_framework": "CWE",
      "target_id": "CWE-327",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-327 supplies the broken algorithm that CAPEC-475 directly requires, yet the CAPEC is only one narrow signature-spoofing variant of the broad CWE family."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-475",
      "target_framework": "CWE",
      "target_id": "CWE-347",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-347 is the direct root cause that fully enables the described spoofing attack, while CAPEC-475 is one narrow validation-specific variant among broader CWE-347 manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-476",
      "target_framework": "CWE",
      "target_id": "CWE-290",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-290's spoofable auth surface directly enables signature-misrepresentation attacks like CAPEC-476, yet the CAPEC only partially maps to that CWE because it targets a narrow parsing/display vector rather than the full authentication family."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-477",
      "target_framework": "CWE",
      "target_id": "CWE-693",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Absent correct use of a signature protection mechanism the mixing attack succeeds directly, yet CAPEC-477 is only one narrow manifestation among many possible protection-mechanism failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-478",
      "target_framework": "CWE",
      "target_id": "CWE-284",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-284 is the direct prerequisite for any service-config change, enabling CAPEC-478 fully, yet the attack is only one narrow Windows-specific variant among many possible improper-access-control exploits."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-479",
      "target_framework": "CWE",
      "target_id": "CWE-284",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-284 is a prerequisite for unauthorized certificate installation so enables CAPEC-479 fully, yet the CAPEC is only one narrow variant among many possible access-control abuses."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-48",
      "target_framework": "CWE",
      "target_id": "CWE-241",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-241 enables CAPEC-48 mostly because the attack directly requires the client to accept and act on an unexpected local-file input where a URL type was expected; CAPEC-48 exploits CWE-241 only partially as one narrow input-handling variant among many possible type mismatches."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-48",
      "target_framework": "CWE",
      "target_id": "CWE-706",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-706 supplies the exact incorrect name/reference resolution that CAPEC-48 requires to reach local files, yet CAPEC-48 is only one narrow filename-vs-URL variant among many CWE-706 manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-480",
      "target_framework": "CWE",
      "target_id": "CWE-693",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-693 enables CAPEC-480 fully because virtualization escape is impossible without a failure of the isolation protection; CAPEC-480 exploits CWE-693 only partially as one narrow variant among many protection-mechanism failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-481",
      "target_framework": "CWE",
      "target_id": "CWE-923",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-923 enables CAPEC-481 fully because contradictory destinations succeed only when endpoint validation is absent, while CAPEC-481 exploits the CWE only partially as one narrow routing technique among many possible manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-482",
      "target_framework": "CWE",
      "target_id": "CWE-770",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-770 enables CAPEC-482 fully (no resource caps lets unlimited TCP state accumulate), while the narrow SYN-flood variant exploits the CWE only partially."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-485",
      "target_framework": "CWE",
      "target_id": "CWE-330",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-330 supplies the exact PRNG flaw the attack needs, enabling it fully, yet CAPEC-485 is only one narrow key-recreation variant among many possible exploits of insufficient randomness."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-486",
      "target_framework": "CWE",
      "target_id": "CWE-770",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-770 directly enables resource exhaustion from UDP floods (mostly) while CAPEC-486 is only one narrow flooding variant among many exhaustion techniques (partial)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-487",
      "target_framework": "CWE",
      "target_id": "CWE-770",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-770 enables CAPEC-487 mostly by allowing unbounded network-resource consumption, while CAPEC-487 exploits the CWE only partially as one narrow volumetric variant among many resource-exhaustion manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-488",
      "target_framework": "CWE",
      "target_id": "CWE-770",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-770 enables CAPEC-488 fully because an HTTP flood succeeds only when no throttling exists, while CAPEC-488 exploits the CWE only partially as one narrow resource-exhaustion variant."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-489",
      "target_framework": "CWE",
      "target_id": "CWE-770",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-770 fully enables CAPEC-489 since unbounded allocation is required for the SSL flood to exhaust resources, while CAPEC-489 exploits the weakness only partially as one narrow variant among many resource-exhaustion attacks."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-49",
      "target_framework": "CWE",
      "target_id": "CWE-257",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-49 relies on absent throttling/weak policies for online guessing and only incidentally touches recoverable storage via optional encryption brute-force."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-49",
      "target_framework": "CWE",
      "target_id": "CWE-262",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Brute forcing hinges on absent throttling/weak strength policies, not aging; lack of aging only marginally extends the window for a successful guess."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-49",
      "target_framework": "CWE",
      "target_id": "CWE-263",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Long expiration widens the attack window but is unnecessary for brute force, which instead targets absent complexity/rate-limit controls rather than aging policy."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-49",
      "target_framework": "CWE",
      "target_id": "CWE-307",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-307 directly enables CAPEC-49 by removing the rate-limit barrier the attack requires, yet CAPEC-49 remains only one narrow brute-force variant among many possible exploitations of the same weakness."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-49",
      "target_framework": "CWE",
      "target_id": "CWE-308",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Single-factor auth directly enables password brute-force success (no second factor to bypass), while CAPEC-49 is only one narrow exploitation variant of that CWE."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-49",
      "target_framework": "CWE",
      "target_id": "CWE-309",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-309 supplies the password surface that CAPEC-49 directly requires (full enablement), yet brute-force is only one narrow exploitation variant among many password-system weaknesses (partial exploitation)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-49",
      "target_framework": "CWE",
      "target_id": "CWE-521",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Weak requirements enable brute-force by making short/simple passwords feasible targets, while brute-force is only one narrow exploitation variant among many possible attacks on weak policies."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-49",
      "target_framework": "CWE",
      "target_id": "CWE-654",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-654 directly enables CAPEC-49 by leaving only one secret to guess, while CAPEC-49 is merely one narrow brute-force variant among many single-factor attacks."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-490",
      "target_framework": "CWE",
      "target_id": "CWE-770",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-770 enables CAPEC-490 mostly by letting unlimited incoming responses exhaust target resources, while CAPEC-490 exploits the CWE only partially as one specific spoofed-amplifier variant among many resource-exhaustion techniques."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-491",
      "target_framework": "CWE",
      "target_id": "CWE-770",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-770 fully enables CAPEC-491 because unbounded allocation is required for the quadratic expansion to produce DoS, while CAPEC-491 only partially exploits CWE-770 as one narrow entity-substitution variant among many resource-exhaustion techniques."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-492",
      "target_framework": "CWE",
      "target_id": "CWE-1333",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1333 directly supplies the inefficient/exp-time regex surface that CAPEC-492 requires, but CAPEC-492 is only the exponential-NFA variant among the broader inefficiency family."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-492",
      "target_framework": "CWE",
      "target_id": "CWE-400",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-400 enables CAPEC-492 fully because exponential regex blowup directly produces uncontrolled resource exhaustion, while CAPEC-492 exploits the CWE only partially as one narrow regex-specific variant among many exhaustion techniques."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-493",
      "target_framework": "CWE",
      "target_id": "CWE-770",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-770 enables CAPEC-493 fully because unbounded allocation is required for the array to exhaust memory, while CAPEC-493 exploits the CWE only partially as one narrow SOAP-array variant among many possible resource-exhaustion techniques."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-495",
      "target_framework": "CWE",
      "target_id": "CWE-770",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-770 enables CAPEC-495 fully because the attack's resource exhaustion succeeds only when no allocation limits exist, while CAPEC-495 exploits CWE-770 only partially as one narrow UDP variant among many resource-consumption manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-496",
      "target_framework": "CWE",
      "target_id": "CWE-404",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-404 can contribute to exhaustion under fragment floods but is not required for CAPEC-496 execution; the CAPEC variant targets reassembly/header handling rather than release semantics."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-496",
      "target_framework": "CWE",
      "target_id": "CWE-770",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-770 enables CAPEC-496 fully (attack needs unbounded fragment reassembly buffers) while CAPEC-496 exploits CWE-770 only partially (one narrow ICMP variant among many resource-exhaustion techniques)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-497",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 directly enables file discovery success by making sensitive files accessible, but CAPEC-497 is only one narrow probing variant among many possible exposures of CWE-200."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-498",
      "target_framework": "CWE",
      "target_id": "CWE-359",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-359 enables CAPEC-498 fully because displaying private data on-screen directly creates the screenshot exposure surface the attack needs; CAPEC-498 exploits that surface only partially as one iOS-specific variant among many possible manifestations of the CWE."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-499",
      "target_framework": "CWE",
      "target_id": "CWE-925",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-925 permits spoofed senders to reach a receiver, enabling only the data-injection facet of CAPEC-499 while the core intercept technique exploits implicit-intent exposure rather than receiver verification."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-5",
      "target_framework": "CWE",
      "target_id": "CWE-285",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-285's missing authorization check directly enables the signal-spoofing success of CAPEC-5, yet the attack is only one narrow, legacy-protocol manifestation of that broad weakness."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-50",
      "target_framework": "CWE",
      "target_id": "CWE-522",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-522 does not enable CAPEC-50 (recovery attacks succeed via weak questions alone) while CAPEC-50 only partially touches the credential-exposure surface described by CWE-522."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-50",
      "target_framework": "CWE",
      "target_id": "CWE-640",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-640's weak recovery mechanism directly enables CAPEC-50's exploitation (full), yet CAPEC-50 only covers narrow variants such as security-question attacks within the broader CWE family (partial)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-500",
      "target_framework": "CWE",
      "target_id": "CWE-749",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-749's unrestricted interfaces directly enable the WebView code injection in CAPEC-500, yet the narrow CAPEC variant only partially covers the broad CWE surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-500",
      "target_framework": "CWE",
      "target_id": "CWE-940",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-940's missing origin check directly enables an external malicious app to reach and inject into a WebView (mostly), while CAPEC-500 is only one narrow manifestation among many possible source-verification failures (partial)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-501",
      "target_framework": "CWE",
      "target_id": "CWE-923",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-923 fully enables the hijack by leaving implicit intents open to any endpoint, while CAPEC-501 exploits that surface only as one narrow Android-specific variant."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-502",
      "target_framework": "CWE",
      "target_id": "CWE-284",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-284 enables CAPEC-502 fully by exposing the component in the first place, while CAPEC-502 exploits that surface only partially as one narrow intent-spoofing variant among many access-control failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-503",
      "target_framework": "CWE",
      "target_id": "CWE-284",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-284 fully enables CAPEC-503 because the attack requires unrestricted global access to registered interfaces; CAPEC-503 exploits CWE-284 only partially as one narrow WebView-specific variant."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-504",
      "target_framework": "CWE",
      "target_id": "CWE-1021",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1021 is a web-specific frame/UI-layer restriction flaw while CAPEC-504 is an OS-level malicious-app task-monitoring and foreground spoofing technique; neither enables nor exploits the other."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-506",
      "target_framework": "CWE",
      "target_id": "CWE-1021",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1021 directly permits the overlay technique that CAPEC-506 requires, yet Tapjacking is only one narrow manifestation among the broader set of UI-layer attacks covered by the CWE."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-508",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Shoulder surfing is a purely physical observation attack that neither requires nor targets any product-side information-exposure flaw (CWE-200)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-508",
      "target_framework": "CWE",
      "target_id": "CWE-359",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-359 does not enable shoulder surfing (attack succeeds via physical observation regardless of product exposure controls), while CAPEC-508 only partially exploits the CWE by targeting one physical manifestation of visible private data."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-509",
      "target_framework": "CWE",
      "target_id": "CWE-262",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Kerberoasting obtains/cracks SPN hashes without needing absent password aging (none), yet specifically targets long-lived service-account passwords whose non-aging surface it partially exploits."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-509",
      "target_framework": "CWE",
      "target_id": "CWE-263",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Long expiration adds value to a cracked Kerberos hash but is not required for the attack to execute; CAPEC-509 targets RC4 ticket encryption, not password lifetime."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-509",
      "target_framework": "CWE",
      "target_id": "CWE-308",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Single-factor password auth enables the offline-cracking step of Kerberoasting only partially (strong passwords or additional controls can still block it), while the CAPEC is a narrow SPN/ticket variant that exploits that CWE surface only partially."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-509",
      "target_framework": "CWE",
      "target_id": "CWE-309",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-309 enables CAPEC-509 mostly because Kerberoasting directly depends on offline cracking of password hashes obtained via Kerberos; CAPEC-509 exploits CWE-309 only partially as a narrow AD-specific variant among many password-auth weaknesses."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-509",
      "target_framework": "CWE",
      "target_id": "CWE-521",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Weak password requirements directly enable successful offline cracking in Kerberoasting (mostly), while the CAPEC is a narrow Kerberos-specific variant that only partially targets the CWE's broad password-policy surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-509",
      "target_framework": "CWE",
      "target_id": "CWE-522",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-522 enables CAPEC-509 fully because the attack requires extractable, crackable credential material; CAPEC-509 exploits the CWE only partially as one narrow Kerberos-specific variant among many possible manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-51",
      "target_framework": "CWE",
      "target_id": "CWE-285",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Improper authorization directly enables registry poisoning by allowing unauthorized writes, but CAPEC-51 is only one narrow variant among many possible authorization failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-51",
      "target_framework": "CWE",
      "target_id": "CWE-693",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-693 enables CAPEC-51 fully because the registry-poisoning attack requires absent or broken protection on WS-Addressing/registry data; CAPEC-51 exploits the CWE only partially as one narrow registry-specific variant among many possible protection failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-51",
      "target_framework": "CWE",
      "target_id": "CWE-74",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-74 enables registry poisoning by allowing unneutralized inputs to corrupt WS-Addressing or metadata entries, but CAPEC-51 is only one narrow variant among many injection surfaces covered by the CWE."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-510",
      "target_framework": "CWE",
      "target_id": "CWE-346",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-346 is required for the session-trust abuse to succeed (full enablement), yet CAPEC-510 is only one narrow SaaS-session variant of the broad origin-validation family (partial exploitation)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-52",
      "target_framework": "CWE",
      "target_id": "CWE-158",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-158 enables CAPEC-52 fully because the attack cannot succeed without the neutralization failure, while CAPEC-52 exploits the CWE only partially as one narrow embedding variant among possible manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-52",
      "target_framework": "CWE",
      "target_id": "CWE-172",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Encoding failure directly supplies the unexpected null-termination behavior the attack needs (mostly), yet CAPEC-52 is only one narrow manifestation among many possible encoding errors (partial)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-52",
      "target_framework": "CWE",
      "target_id": "CWE-173",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-173 enables CAPEC-52 mostly because null-byte injection commonly depends on an encoded form (%00, UTF-16, etc.) being mishandled; CAPEC-52 exploits CWE-173 only partially as one narrow encoding-specific variant among many possible manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-52",
      "target_framework": "CWE",
      "target_id": "CWE-20",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 fully enables CAPEC-52 because the attack cannot succeed without a validation failure on null bytes, yet CAPEC-52 only partially exploits CWE-20 as one narrow technique among many input-validation flaws."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-52",
      "target_framework": "CWE",
      "target_id": "CWE-697",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Incorrect comparison of string inputs directly enables null-byte truncation attacks by failing to treat embedded NUL as a terminator, yet CAPEC-52 is only one narrow manifestation among many possible incorrect-comparison flaws."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-52",
      "target_framework": "CWE",
      "target_id": "CWE-707",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-707's failure to neutralize special bytes directly enables CAPEC-52's null-byte termination trick, yet the narrow CAPEC variant only partially exploits the broad neutralization surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-52",
      "target_framework": "CWE",
      "target_id": "CWE-74",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-74 enables CAPEC-52 fully because unneutralized null bytes are a direct instance of the injection flaw, while CAPEC-52 exploits CWE-74 only partially as one narrow null-byte variant among many possible injections."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-528",
      "target_framework": "CWE",
      "target_id": "CWE-770",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-770 enables CAPEC-528 fully because unbounded allocation is required for any XML flood to succeed, while CAPEC-528 exploits the CWE only partially as one narrow XML-specific variant among many resource-exhaustion attacks."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-53",
      "target_framework": "CWE",
      "target_id": "CWE-158",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-158 enables CAPEC-53 fully because the attack hinges on unneutralized NUL bytes; CAPEC-53 exploits CWE-158 only partially as one narrow null-byte variant among many."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-53",
      "target_framework": "CWE",
      "target_id": "CWE-172",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-172 enables CAPEC-53 fully because the attack cannot succeed without an encoding mishandling that accepts alternate NULL representations; CAPEC-53 exploits CWE-172 only partially as one narrow encoding bypass among many CWE-172 variants."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-53",
      "target_framework": "CWE",
      "target_id": "CWE-173",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-173 enables CAPEC-53 fully because the attack hinges on bypassing filters via unhandled alternate NULL encodings; CAPEC-53 exploits CWE-173 only partially as one narrow variant among many possible alternate-encoding abuses."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-53",
      "target_framework": "CWE",
      "target_id": "CWE-20",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-53 fully because the attack cannot succeed without a validation/filter failure that accepts the encoded NULL, while CAPEC-53 exploits CWE-20 only partially as one narrow NULL-termination variant among many possible input-validation flaws."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-53",
      "target_framework": "CWE",
      "target_id": "CWE-697",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Incorrect comparison is required for the filter bypass to succeed, enabling the pattern fully, yet CAPEC-53 is only one narrow encoding variant among many possible manifestations of CWE-697."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-53",
      "target_framework": "CWE",
      "target_id": "CWE-707",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-707's failure to enforce well-formed data fully enables the NULL/postfix encoding bypass, yet CAPEC-53 is only one narrow filter-evasion variant among many neutralization flaws."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-53",
      "target_framework": "CWE",
      "target_id": "CWE-74",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-74's missing neutralization is a prerequisite for the NULL/postfix encoding bypass to succeed (full enablement), yet CAPEC-53 is only one narrow encoding trick among the many injection variants covered by CWE-74 (partial exploitation)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-533",
      "target_framework": "CWE",
      "target_id": "CWE-494",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-494 enables CAPEC-533 fully because the attack requires executing an unverified download, while CAPEC-533 exploits CWE-494 only partially as one narrow manual-update variant among many possible manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-536",
      "target_framework": "CWE",
      "target_id": "CWE-284",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-284 enables CAPEC-536 fully because unauthorized configuration access is a direct prerequisite the attack cannot proceed without; CAPEC-536 exploits CWE-284 only partially as one narrow injection variant among many possible access-control failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-538",
      "target_framework": "CWE",
      "target_id": "CWE-494",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-494 enables CAPEC-538 fully because absent integrity verification the implanted OSS code executes; CAPEC-538 exploits the CWE only partially as one narrow supply-chain variant among many possible manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-538",
      "target_framework": "CWE",
      "target_id": "CWE-829",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-829 fully enables CAPEC-538 because the attack succeeds only when developers include the malicious OSS; CAPEC-538 exploits CWE-829 only partially as one narrow OSS-implantation variant among many untrusted-inclusion scenarios."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-54",
      "target_framework": "CWE",
      "target_id": "CWE-209",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-209 supplies a direct, high-yield information channel that CAPEC-54 routinely uses during probing, yet the attack pattern can still obtain data via other response artifacts and only partially matches the narrow error-message weakness."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-540",
      "target_framework": "CWE",
      "target_id": "CWE-125",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-125 directly supplies the out-of-bounds read surface that CAPEC-540 requires, enabling the pattern fully, yet CAPEC-540 remains one narrow read-specific variant among the broader CWE-125 family."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-541",
      "target_framework": "CWE",
      "target_id": "CWE-204",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Observable discrepancies directly supply the signals that enable fingerprinting (mostly), yet CAPEC-541 encompasses many other reconnaissance techniques and only partially exploits this specific CWE surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-541",
      "target_framework": "CWE",
      "target_id": "CWE-205",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-205's observable discrepancies are the direct prerequisite that makes application fingerprinting possible, while CAPEC-541 is a broad pattern that can also use non-behavioral methods."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-541",
      "target_framework": "CWE",
      "target_id": "CWE-208",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-541 can employ timing measurements among many other fingerprinting techniques, but does not rely on observable timing discrepancies."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-545",
      "target_framework": "CWE",
      "target_id": "CWE-1258",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1258 exposes debug data that CAPEC-545 could incidentally harvest, yet the broad pattern neither requires nor specifically targets this weakness."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-545",
      "target_framework": "CWE",
      "target_id": "CWE-1272",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1272 leaves data in resources that CAPEC-545 can opportunistically read, yet the broad pull-data pattern neither requires nor specifically targets the state-transition flaw."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-545",
      "target_framework": "CWE",
      "target_id": "CWE-1323",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-545 is a broad data-scraping pattern over any resource; CWE-1323 is a narrow SoC trace-exposure flaw that this pattern might incidentally hit but does not depend on."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-546",
      "target_framework": "CWE",
      "target_id": "CWE-1272",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1272 addresses uncleared data only on debug/power state changes while CAPEC-546 requires incomplete wiping on tenant-resource reallocation; neither enables nor exploits the other."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-546",
      "target_framework": "CWE",
      "target_id": "CWE-284",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-284 enables CAPEC-546 fully because residual data access is unauthorized access; CAPEC-546 exploits CWE-284 only partially as one narrow multi-tenant deletion variant among many access-control failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-549",
      "target_framework": "CWE",
      "target_id": "CWE-829",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-829 supplies one vector for an adversary-supplied payload to run locally (partial enablement) while CAPEC-549 can achieve local execution through many unrelated weaknesses (partial exploitation)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-55",
      "target_framework": "CWE",
      "target_id": "CWE-263",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Rainbow-table cracking hinges on unsalted/weak hashes, not expiration length, though long validity gives more time to use a cracked password."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-55",
      "target_framework": "CWE",
      "target_id": "CWE-308",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Single-factor auth makes password cracking alone sufficient for access (full enablement), while rainbow tables are only one narrow technique against the password factor itself (partial exploitation)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-55",
      "target_framework": "CWE",
      "target_id": "CWE-309",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-309 supplies the password hashes that CAPEC-55 directly requires, enabling the pattern fully, yet the CAPEC is only one narrow pre-computation variant among many password-system flaws."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-55",
      "target_framework": "CWE",
      "target_id": "CWE-521",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Weak requirements enable rainbow-table success by allowing common passwords (mostly) while the CAPEC is only one narrow hash-chain variant among many ways to exploit that weakness (partial)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-55",
      "target_framework": "CWE",
      "target_id": "CWE-654",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-55 hinges on unsalted hashes (CWE-759), not single-factor reliance; the attack only incidentally benefits from password-only auth."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-55",
      "target_framework": "CWE",
      "target_id": "CWE-916",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-916's weak/fast hashes directly enable feasible rainbow-table precomputation (full), while CAPEC-55 is only one narrow precomputation technique among many that exploit such hashes (partial)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-550",
      "target_framework": "CWE",
      "target_id": "CWE-284",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-284 is a prerequisite for unauthorized service installation, enabling CAPEC-550 fully, yet the CAPEC is only one narrow persistence variant among many CWE-284 manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-551",
      "target_framework": "CWE",
      "target_id": "CWE-284",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Improper access control is a prerequisite for unauthorized service modification, enabling CAPEC-551 fully, yet the CAPEC is only one narrow variant among many possible exploitations of CWE-284."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-552",
      "target_framework": "CWE",
      "target_id": "CWE-284",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-284 enables rootkit installation by permitting unauthorized access (mostly) while CAPEC-552 targets the narrower authentication subcase (partial)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-554",
      "target_framework": "CWE",
      "target_id": "CWE-1299",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1299 directly supplies one hardware-specific vector for bypassing protections (forward partial) while CAPEC-554 is a broad category that only touches this narrow weakness as one of many possible realizations (reverse partial)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-554",
      "target_framework": "CWE",
      "target_id": "CWE-424",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-424 directly supplies one bypass vector (unprotected alternate paths) but CAPEC-554 can succeed via many other weaknesses, and the broad attack pattern only partially covers this narrow CWE surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-555",
      "target_framework": "CWE",
      "target_id": "CWE-262",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "No password aging lets stolen creds remain valid longer (partial enablement) but CAPEC-555 never targets aging mechanisms (no exploitation)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-555",
      "target_framework": "CWE",
      "target_id": "CWE-263",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Long expiration extends the window for using already-stolen creds (partial enablement) but CAPEC-555 targets credential validity in general and does not rely on or specifically exploit the aging interval."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-555",
      "target_framework": "CWE",
      "target_id": "CWE-308",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Single-factor auth directly enables credential-stuffing on remote services (attack fails without it), while CAPEC-555 is only one narrow variant among many possible exploitations of CWE-308."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-555",
      "target_framework": "CWE",
      "target_id": "CWE-309",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-309 enables CAPEC-555 fully because stolen-password login is impossible without password-based primary auth; CAPEC-555 exploits CWE-309 only partially as one narrow credential-theft variant among many password weaknesses."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-555",
      "target_framework": "CWE",
      "target_id": "CWE-521",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Weak password requirements directly facilitate credential acquisition for CAPEC-555 (mostly enabling), yet the CAPEC is only one narrow remote-use variant among many possible exploitation paths for CWE-521 (partial exploitation)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-555",
      "target_framework": "CWE",
      "target_id": "CWE-522",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-522 directly supplies the stolen credentials that CAPEC-555 requires, yet CAPEC-555 is only one narrow use of those credentials among many possible theft vectors."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-556",
      "target_framework": "CWE",
      "target_id": "CWE-284",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-284 fully enables CAPEC-556 by permitting unauthorized modification of file-handler configuration, yet the narrow registry/file-extension technique exploits only one slice of the broad access-control surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-558",
      "target_framework": "CWE",
      "target_id": "CWE-284",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-284 fully enables CAPEC-558 because the replacement attack cannot succeed without an access-control failure, yet CAPEC-558 is only one narrow variant among many possible exploits of that CWE."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-560",
      "target_framework": "CWE",
      "target_id": "CWE-262",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "No password aging lets obtained credentials remain valid longer (partial enable) but CAPEC-560 obtains/uses creds without depending on aging and does not target that surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-560",
      "target_framework": "CWE",
      "target_id": "CWE-263",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Long expiration widens the usable window for stolen creds (partial enablement) but CAPEC-560 is a generic credential-reuse pattern that only incidentally benefits from this CWE surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-560",
      "target_framework": "CWE",
      "target_id": "CWE-307",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-307 enables the guessing subset of CAPEC-560 but is unnecessary for theft/purchase paths, while CAPEC-560 only narrowly exercises the rate-limit surface among many possible manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-560",
      "target_framework": "CWE",
      "target_id": "CWE-308",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-308 fully enables CAPEC-560 because stolen credentials alone suffice for login, while the narrow credential-guessing variant exploits the broad single-factor weakness only partially."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-560",
      "target_framework": "CWE",
      "target_id": "CWE-309",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-309's reliance on passwords directly supplies the credential surface CAPEC-560 needs, enabling the pattern fully, yet CAPEC-560 is only one narrow variant among many password attacks and therefore exploits the weakness only partially."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-560",
      "target_framework": "CWE",
      "target_id": "CWE-522",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-522 directly enables the steal/obtain step that drives CAPEC-560, yet the pattern can still succeed via guessing or purchase; conversely CAPEC-560 is only one narrow usage of many possible credential sources covered by the CWE."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-560",
      "target_framework": "CWE",
      "target_id": "CWE-654",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Single-factor reliance fully enables credential attacks because the stolen password alone grants access, while CAPEC-560 exploits that surface only as one narrow variant among many single-factor failure modes."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-561",
      "target_framework": "CWE",
      "target_id": "CWE-262",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Lack of password aging lengthens credential lifetime (partial enablement) but CAPEC-561 targets stolen-credential use against admin shares and never touches aging mechanisms."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-561",
      "target_framework": "CWE",
      "target_id": "CWE-263",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC relies on credential theft+share access and can benefit incidentally from long-lived passwords but does not exploit the aging policy itself."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-561",
      "target_framework": "CWE",
      "target_id": "CWE-294",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-294 replay bypass neither enables nor is exploited by CAPEC-561 credential-share access, which depends only on possession of valid credentials regardless of how they were obtained."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-561",
      "target_framework": "CWE",
      "target_id": "CWE-308",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Single-factor auth enables credential-stuffing attacks on admin shares fully (no second factor blocks stolen passwords), while CAPEC-561 exploits that surface only as one narrow variant among many possible single-factor abuses."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-561",
      "target_framework": "CWE",
      "target_id": "CWE-309",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-309's password flaws directly enable credential theft/guessing that CAPEC-561 requires, yet the CAPEC is only one narrow share-access variant among many possible password-system abuses."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-561",
      "target_framework": "CWE",
      "target_id": "CWE-521",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Weak passwords enable guessing within CAPEC-561 but are unnecessary for its steal/purchase paths, while the narrow admin-share pattern only partially covers the broad CWE-521 surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-561",
      "target_framework": "CWE",
      "target_id": "CWE-522",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-522 enables credential theft (one of several acquisition methods listed in CAPEC-561) so only partially enables the pattern; CAPEC-561 is a narrow admin-share usage of stolen creds and therefore only partially exploits the broad CWE."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-562",
      "target_framework": "CWE",
      "target_id": "CWE-284",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-284 enables CAPEC-562 fully because unauthorized file modification in a shared location cannot occur without the access-control failure; CAPEC-562 exploits CWE-284 only partially as one narrow shared-file variant among many possible access-control abuses."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-563",
      "target_framework": "CWE",
      "target_id": "CWE-284",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-284 enables CAPEC-563 fully (open share is a direct access-control failure) while CAPEC-563 exploits CWE-284 only partially (one narrow file-write variant among many access-control abuses)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-564",
      "target_framework": "CWE",
      "target_id": "CWE-284",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-284 fully enables CAPEC-564 by allowing unauthorized script modification, yet the narrow logon-script variant exploits only one slice of the broad access-control surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-565",
      "target_framework": "CWE",
      "target_id": "CWE-262",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-565 exploits absent password policy and throttling; lack of aging is only one tangential element of policy and is not required for the spraying technique."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-565",
      "target_framework": "CWE",
      "target_id": "CWE-307",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-307 enables CAPEC-565 mostly by omitting the rate-limiting that spraying is explicitly designed to evade, while the narrow spraying variant exploits that surface only partially among many possible authentication-attack manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-565",
      "target_framework": "CWE",
      "target_id": "CWE-308",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-308 enables CAPEC-565 fully because spraying succeeds only when a single password factor is sufficient, while CAPEC-565 exploits CWE-308 only partially as one narrow password-guessing variant among many single-factor attacks."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-565",
      "target_framework": "CWE",
      "target_id": "CWE-309",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Password-based primary auth fully enables spraying (no passwords, no spray possible) while spraying only partially exploits the broad CWE by using one specific low-and-slow guessing tactic among many possible password flaws."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-565",
      "target_framework": "CWE",
      "target_id": "CWE-521",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Weak requirements directly enable spraying success by permitting the common passwords it targets, while spraying is only one narrow variant among many ways to exploit that CWE."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-565",
      "target_framework": "CWE",
      "target_id": "CWE-654",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-654 enables CAPEC-565 fully because spraying succeeds only when authentication rests on a single password factor; CAPEC-565 exploits the CWE only partially as one narrow variant among many single-factor attacks."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-57",
      "target_framework": "CWE",
      "target_id": "CWE-287",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-287 enables CAPEC-57 only partially because the REST trust-after-SSL vector can succeed via other missing controls; CAPEC-57 exploits the CWE only partially as one narrow infrastructure-trust variant among many auth failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-57",
      "target_framework": "CWE",
      "target_id": "CWE-300",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-300 enables CAPEC-57 mostly because the attack depends on post-SSL channel access by non-endpoints; CAPEC-57 exploits the CWE only partially as one narrow REST-infrastructure variant."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-57",
      "target_framework": "CWE",
      "target_id": "CWE-693",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-693 enables CAPEC-57 fully because the attack requires absent post-termination protections, while CAPEC-57 exploits the broad weakness only partially as one narrow REST-specific variant."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-573",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 enables CAPEC-573 fully because process footprinting requires unauthorized exposure of sensitive runtime data; CAPEC-573 exploits CWE-200 only partially as one narrow variant among many information-exposure attacks."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-574",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-200's exposure of service details directly supplies the information CAPEC-574 gathers, yet the pattern is only one narrow OS-command variant among many possible manifestations of the CWE."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-575",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 enables CAPEC-575 mostly because the footprinting commands succeed only when account data is exposed, while CAPEC-575 exploits CWE-200 only partially as one narrow enumeration variant among many information-exposure cases."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-576",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 directly supplies the unauthorized exposure that CAPEC-576 requires to succeed, while CAPEC-576 is only one narrow permission-enumeration variant among many possible CWE-200 manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-577",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "mostly",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 enables CAPEC-577 only partially because the attack may use intended functionality for authorized users rather than a pure unauthorized exposure flaw; CAPEC-577 exploits the CWE mostly as a narrow owner-info variant of the broad sensitive-information exposure family."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-578",
      "target_framework": "CWE",
      "target_id": "CWE-284",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-284 enables CAPEC-578 fully because the attack cannot succeed without bypassing access controls, yet CAPEC-578 exploits only one narrow slice of the broad CWE family."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-579",
      "target_framework": "CWE",
      "target_id": "CWE-15",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-15 enables CAPEC-579 fully because external registry control is the direct prerequisite for loading the malicious DLL, while CAPEC-579 exploits CWE-15 only partially as one narrow registry-key variant among many possible configuration-setting abuses."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-58",
      "target_framework": "CWE",
      "target_id": "CWE-267",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-267's unsafe privilege definition directly enables the missing REST access controls that CAPEC-58 relies on, yet CAPEC-58 remains only one narrow HTTP-verb variant among many possible manifestations of the CWE."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-58",
      "target_framework": "CWE",
      "target_id": "CWE-269",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-269 supplies the missing access-control surface that CAPEC-58 directly requires, yet CAPEC-58 is only one narrow REST-method variant among many possible privilege-management failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-580",
      "target_framework": "CWE",
      "target_id": "CWE-204",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-204 supplies the exact response signals that make many footprinting probes effective, yet CAPEC-580 can still succeed via other reconnaissance vectors and only incidentally exploits this narrow weakness."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-580",
      "target_framework": "CWE",
      "target_id": "CWE-205",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-205's observable differences directly enable behavioral probing in CAPEC-580, but the broad footprinting pattern only partially exploits this specific weakness among many reconnaissance avenues."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-580",
      "target_framework": "CWE",
      "target_id": "CWE-208",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-580 can employ timing probes as one reconnaissance tactic among many, but CWE-208 is neither required nor central to footprinting."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-586",
      "target_framework": "CWE",
      "target_id": "CWE-502",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-502 enables CAPEC-586 fully as the attack cannot occur without unsafe deserialization, while CAPEC-586 exploits the CWE only partially as a narrow object-injection variant among many possible manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-587",
      "target_framework": "CWE",
      "target_id": "CWE-1021",
      "extent": "mostly",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1021 is the exact missing frame/UI restriction that XFS requires to succeed, but CAPEC-587 is only one narrow manifestation among related frame attacks."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-588",
      "target_framework": "CWE",
      "target_id": "CWE-20",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 directly enables DOM XSS via missing input validation (or encoding) so the pattern hinges on it, yet CAPEC-588 is only one narrow XSS variant among many CWE-20 manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-588",
      "target_framework": "CWE",
      "target_id": "CWE-79",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-79 fully enables CAPEC-588 because DOM-based XSS requires the neutralization failure, while CAPEC-588 exploits the CWE only partially as one narrow variant among many XSS forms."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-588",
      "target_framework": "CWE",
      "target_id": "CWE-83",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-83's server-side attribute neutralization flaw can indirectly aid certain DOM sinks but CAPEC-588 is driven by client-side validation/encoding defects unrelated to CWE-83."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-589",
      "target_framework": "CWE",
      "target_id": "CWE-300",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-300 directly enables CAPEC-589 by permitting non-endpoint channel access needed to drop DNS packets, while CAPEC-589 exploits only one narrow DNS-specific slice of the broader CWE-300 surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-59",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-200's exposure of predictable session IDs directly enables the full attack (no exposure = no prediction possible), while CAPEC-59 is only one narrow prediction variant among many CWE-200 manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-59",
      "target_framework": "CWE",
      "target_id": "CWE-285",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-285 does not enable session-ID prediction (attack hinges on ID entropy, not authz checks); CAPEC-59 only partially exploits CWE-285's surface by abusing the resulting session credential."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-59",
      "target_framework": "CWE",
      "target_id": "CWE-290",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-290's spoofable auth directly enables any session-ID prediction (full), while CAPEC-59 is only one narrow prediction variant among many possible spoofs (partial)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-59",
      "target_framework": "CWE",
      "target_id": "CWE-330",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-330 supplies the exact predictability surface that CAPEC-59 requires, enabling the attack fully, yet the CAPEC remains only one narrow variant among many possible insufficient-randomness exploits."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-59",
      "target_framework": "CWE",
      "target_id": "CWE-331",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Insufficient entropy directly supplies the predictable values CAPEC-59 needs, but the CAPEC is only one narrow session-ID variant of the broad CWE."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-59",
      "target_framework": "CWE",
      "target_id": "CWE-346",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Session-ID prediction (CAPEC-59) depends on weak randomness, not origin checks, so CWE-346 neither enables nor is exploited by it."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-59",
      "target_framework": "CWE",
      "target_id": "CWE-488",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-488 concerns cross-session data leakage from missing isolation boundaries, while CAPEC-59 requires guessable session-ID generation; neither enables nor exploits the other."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-59",
      "target_framework": "CWE",
      "target_id": "CWE-6",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Insufficient session-ID length directly supplies the predictability that CAPEC-59 requires, enabling the pattern fully, yet the CAPEC remains only one narrow prediction variant among many possible CWE-6 manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-59",
      "target_framework": "CWE",
      "target_id": "CWE-693",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-693 enables CAPEC-59 fully because absent any protection mechanism the predictable-ID vector has no obstacle, yet CAPEC-59 exploits only one narrow slice of the broad CWE-693 surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-590",
      "target_framework": "CWE",
      "target_id": "CWE-300",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-590 is network DoS via packet dropping that can influence a channel from an in-path position, touching only one narrow aspect of CWE-300 while relying on orthogonal prerequisites."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-591",
      "target_framework": "CWE",
      "target_id": "CWE-79",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-79 enables CAPEC-591 fully because reflected XSS cannot execute without the neutralization flaw, while CAPEC-591 exploits CWE-79 only partially as one narrow reflected variant among many XSS manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-592",
      "target_framework": "CWE",
      "target_id": "CWE-79",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-79 enables CAPEC-592 fully because stored XSS cannot occur without the neutralization failure, while CAPEC-592 exploits CWE-79 only partially as one narrow stored variant among many XSS manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-593",
      "target_framework": "CWE",
      "target_id": "CWE-287",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-287 enables session hijacking fully as the attack cannot succeed without the auth verification failure, while CAPEC-593 exploits the CWE only partially as a narrow session-token variant among many improper-auth manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-594",
      "target_framework": "CWE",
      "target_id": "CWE-940",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-940's missing source verification directly enables any traffic injection to succeed, while CAPEC-594 is a broad network-level pattern that only partially and indirectly exploits this particular verification gap."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-595",
      "target_framework": "CWE",
      "target_id": "CWE-940",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-940 enables CAPEC-595 fully because forged RST packets succeed only when origin verification is absent; CAPEC-595 exploits the CWE only partially as one narrow TCP-specific variant among many possible channel-source failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-596",
      "target_framework": "CWE",
      "target_id": "CWE-940",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-940's missing origin check is a prerequisite for any TCP RST injection to succeed (full enablement), while CAPEC-596 is only one narrow TCP-specific variant among many possible channel-spoofing attacks (partial exploitation)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-597",
      "target_framework": "CWE",
      "target_id": "CWE-36",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-36's missing neutralization of absolute paths directly enables CAPEC-597 execution (full), yet the CAPEC is a narrow variant that also mixes relative '..' steps and thus exploits the CWE surface only partially."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-6",
      "target_framework": "CWE",
      "target_id": "CWE-146",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-146's delimiter neutralization failure is a prerequisite for successful argument injection (full enablement), yet CAPEC-6 is only one narrow variant among many possible manifestations of that CWE (partial exploitation)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-6",
      "target_framework": "CWE",
      "target_id": "CWE-184",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Incomplete disallowed-input list directly permits the missing argument syntax to reach the sink (mostly enables), while CAPEC-6 is only one narrow injection variant among many possible manifestations of the CWE."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-6",
      "target_framework": "CWE",
      "target_id": "CWE-185",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Incorrect regex can partially enable argument injection by failing to filter malicious input, but CAPEC-6 does not target or exploit regex flaws specifically."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-6",
      "target_framework": "CWE",
      "target_id": "CWE-697",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Incorrect comparison can contribute to failed argument validation (partial enablement) while argument injection broadly targets missing validation/filtering rather than comparison flaws specifically (partial exploitation)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-6",
      "target_framework": "CWE",
      "target_id": "CWE-74",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-74 enables CAPEC-6 fully because argument injection requires the neutralization failure, while CAPEC-6 exploits CWE-74 only partially as one narrow variant among many injection forms."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-6",
      "target_framework": "CWE",
      "target_id": "CWE-78",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-78's neutralization failure directly supplies the surface CAPEC-6 needs to succeed, yet CAPEC-6 is only one narrow argument-focused variant among many CWE-78 manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-60",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 fully enables CAPEC-60 because obtaining a usable session ID requires its exposure, while CAPEC-60 only partially exploits CWE-200 as one narrow instance among many sensitive-data exposures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-60",
      "target_framework": "CWE",
      "target_id": "CWE-285",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Session replay succeeds via stolen valid session tokens and weak session management, independent of whether authorization checks are performed correctly on those tokens."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-60",
      "target_framework": "CWE",
      "target_id": "CWE-290",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-290's spoofable auth schemes directly enable session-ID replay, while CAPEC-60 is only one narrow manifestation of that CWE family."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-60",
      "target_framework": "CWE",
      "target_id": "CWE-294",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-294 directly supplies the replayable credential surface that CAPEC-60 requires, yet CAPEC-60 is only one narrow session-ID manifestation of the broader CWE."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-60",
      "target_framework": "CWE",
      "target_id": "CWE-346",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-346 enables session replay only when the replay crosses an unvalidated origin boundary (partial); CAPEC-60 is one narrow session-management variant among many that may touch origin checks (partial)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-60",
      "target_framework": "CWE",
      "target_id": "CWE-384",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-384 enables session-ID reuse only when the ID is obtained via fixation rather than other theft vectors, while CAPEC-60 is a narrow replay variant that touches the fixation surface only incidentally."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-60",
      "target_framework": "CWE",
      "target_id": "CWE-488",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-488 can supply a valid ID via cross-session leakage (one possible step for replay) but CAPEC-60 does not target or rely on inter-session exposure boundaries."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-60",
      "target_framework": "CWE",
      "target_id": "CWE-539",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Persistent cookies can supply stealable session IDs as one vector for replay, but CAPEC-60 works via any theft method and only partially maps onto the CWE's storage flaw."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-60",
      "target_framework": "CWE",
      "target_id": "CWE-664",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-664's failure to manage session lifetime directly enables replay, while CAPEC-60 is only one narrow manifestation of that broad weakness."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-60",
      "target_framework": "CWE",
      "target_id": "CWE-732",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Incorrect perms can expose stored session IDs as one possible theft vector (partial enablement) but session replay itself targets session-management flaws, not resource permissions (no exploitation)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-600",
      "target_framework": "CWE",
      "target_id": "CWE-263",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-600 hinges on password reuse across sites plus weak/no MFA or policy enforcement, while CWE-263 (long expiration) is only a minor tangential factor in password policy."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-600",
      "target_framework": "CWE",
      "target_id": "CWE-307",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-307 enables CAPEC-600 mostly by removing rate limits/lockouts that would otherwise hinder bulk attempts, while CAPEC-600 exploits the weakness only partially as one narrow variant among many that target auth attempt surfaces."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-600",
      "target_framework": "CWE",
      "target_id": "CWE-308",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-308 enables CAPEC-600 fully because stuffing succeeds only when a single factor is sufficient, while CAPEC-600 exploits the CWE partially as one narrow password-reuse variant among many single-factor weaknesses."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-600",
      "target_framework": "CWE",
      "target_id": "CWE-309",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-309 enables CAPEC-600 fully (no password primary auth means stuffing has no target) while CAPEC-600 exploits only one narrow facet of password-system weaknesses."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-600",
      "target_framework": "CWE",
      "target_id": "CWE-522",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-522 supplies the bulk of credential lists that make stuffing feasible, yet CAPEC-600 itself only exploits password reuse, not the storage/transmission flaw."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-600",
      "target_framework": "CWE",
      "target_id": "CWE-654",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-654 enables CAPEC-600 fully because stuffing succeeds only when a single factor grants access; CAPEC-600 exploits the CWE only partially as one narrow reuse-based variant among many single-factor failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-606",
      "target_framework": "CWE",
      "target_id": "CWE-757",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-757 enables CAPEC-606 fully as the attack requires successful algorithm downgrade; CAPEC-606 exploits the CWE only partially as one narrow cellular variant among many downgrade manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-608",
      "target_framework": "CWE",
      "target_id": "CWE-327",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-327 fully enables CAPEC-608 by supplying the broken cellular algorithm the attack requires, while CAPEC-608 only partially exploits CWE-327 as one narrow cryptanalytic variant among many possible broken-algorithm weaknesses."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-609",
      "target_framework": "CWE",
      "target_id": "CWE-311",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Missing encryption lets intercepted cellular data be read in cleartext (partial enablement) but interception itself can still be performed regardless; CAPEC-609 is one specific eavesdropping vector among many that target unencrypted traffic (partial exploitation)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-61",
      "target_framework": "CWE",
      "target_id": "CWE-384",
      "extent": "full",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-384's failure to invalidate existing session IDs directly enables the exact attack in CAPEC-61, which in turn fully exploits that same weakness surface with no narrower variant gap."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-61",
      "target_framework": "CWE",
      "target_id": "CWE-664",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-664 fully enables CAPEC-61 because failure to regenerate or control session IDs after privilege change is exactly the required lifetime-control flaw, while CAPEC-61 only partially exploits the broad CWE-664 surface as one narrow session-specific variant."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-61",
      "target_framework": "CWE",
      "target_id": "CWE-732",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-61 hinges on unchanged/predictable session IDs and permissive ID acceptance, only incidentally touching permissive assignment of a critical resource."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-612",
      "target_framework": "CWE",
      "target_id": "CWE-201",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-201 is a code-level transmission flaw; CAPEC-612 is passive protocol observation of an intentional identifier, so neither enables nor exploits the other."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-612",
      "target_framework": "CWE",
      "target_id": "CWE-300",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-300's exposed channel directly enables passive WiFi sniffing (mostly), while CAPEC-612 is only one narrow tracking variant among many possible exploits of that surface (partial)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-613",
      "target_framework": "CWE",
      "target_id": "CWE-201",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-613 exploits protocol-level SSID broadcasts for tracking; CWE-201 is a general code weakness about unintended sensitive data transmission and is not required by this attack pattern."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-613",
      "target_framework": "CWE",
      "target_id": "CWE-300",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-300 fully enables CAPEC-613 because passive SSID listening requires an unprotected channel accessible to non-endpoints, yet CAPEC-613 exploits that weakness only partially as one narrow WiFi-management-frame variant."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-614",
      "target_framework": "CWE",
      "target_id": "CWE-327",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-327 enables CAPEC-614 fully because cracking the weak DES key is the attack's prerequisite, while the narrow SIM-specific DES variant exploits the broad CWE only partially."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-615",
      "target_framework": "CWE",
      "target_id": "CWE-300",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-300 enables CAPEC-615 fully because the evil-twin AP succeeds only when endpoints fail to authenticate the channel; CAPEC-615 exploits the CWE only partially as one narrow Wi-Fi manifestation among many possible channel weaknesses."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-618",
      "target_framework": "CWE",
      "target_id": "CWE-201",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-201 can partially enable CAPEC-618 by leaking a phone number an attacker needs, but CAPEC-618 does not exploit the insertion-of-sensitive-data flaw at all."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-62",
      "target_framework": "CWE",
      "target_id": "CWE-1275",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Missing SameSite directly enables cookie-bearing CSRF by allowing cross-site cookie delivery, while CAPEC-62 is only one narrow cookie-based variant among many CSRF techniques."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-62",
      "target_framework": "CWE",
      "target_id": "CWE-306",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-306 directly enables CSRF by omitting the auth checks the attack requires, while CAPEC-62 is only one narrow cookie-based variant among many CWE-306 manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-62",
      "target_framework": "CWE",
      "target_id": "CWE-352",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-352 enables CAPEC-62 fully because the attack cannot succeed without the missing request-intent check, while CAPEC-62 exploits CWE-352 only partially as one narrow CSRF variant among many possible manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-62",
      "target_framework": "CWE",
      "target_id": "CWE-664",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-664 enables CSRF mostly via missing lifetime controls on session resources that the attack directly relies on, while CAPEC-62 exploits only one narrow slice of that broad CWE surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-620",
      "target_framework": "CWE",
      "target_id": "CWE-757",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-757 directly supplies the negotiable downgrade surface that CAPEC-620 requires, yet CAPEC-620 is only one narrow encryption-lowering variant among many possible manifestations of the CWE."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-624",
      "target_framework": "CWE",
      "target_id": "CWE-1247",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1247 directly enables clock-glitch portions of CAPEC-624 (full) while CAPEC-624's broader fault-injection surface only partially maps to this single CWE family (partial)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-624",
      "target_framework": "CWE",
      "target_id": "CWE-1256",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-624 relies on external physical fault injection while CWE-1256 centers on unrestricted software-exposed hardware controls, yielding only incidental overlap via clock glitches."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-624",
      "target_framework": "CWE",
      "target_id": "CWE-1319",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1319 enables only the EM subset of the broader CAPEC-624 pattern (partial) while CAPEC-624 exploits only one of several listed fault-injection surfaces (partial)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-624",
      "target_framework": "CWE",
      "target_id": "CWE-1332",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1332's missing mitigation directly enables successful instruction-skip exploitation via any CAPEC-624 injection method, while the broad fault-injection pattern only partially targets this specific CWE surface among many possible fault effects."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-624",
      "target_framework": "CWE",
      "target_id": "CWE-1334",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1334's unauthorized injection surface directly enables fault-injection attacks on redundancy, yet CAPEC-624 remains a broad technique that only partially targets this specific CWE manifestation."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-625",
      "target_framework": "CWE",
      "target_id": "CWE-1247",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1247 enables CAPEC-625 fully as the attack requires absent glitch protection; CAPEC-625 exploits the CWE only partially as a narrow mobile/crypto variant among many possible manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-625",
      "target_framework": "CWE",
      "target_id": "CWE-1256",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-625 relies on physical fault injection (EM/laser/clock glitches) while CWE-1256 centers on unrestricted software interfaces to hardware; only clock-glitch overlap yields partial coverage the other way."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-625",
      "target_framework": "CWE",
      "target_id": "CWE-1319",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1319 directly supplies the missing protection that CAPEC-625's EM-pulse variant requires, while CAPEC-625 remains only one narrow mobile instantiation among many possible fault-injection techniques."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-625",
      "target_framework": "CWE",
      "target_id": "CWE-1332",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1332 directly enables CAPEC-625 by leaving instruction-skip faults unmitigated, while CAPEC-625 is only one narrow mobile/crypto instantiation of that broad fault-handling weakness."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-625",
      "target_framework": "CWE",
      "target_id": "CWE-1334",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1334's unauthorized error-injection surface partially enables fault techniques like CAPEC-625, yet the CAPEC targets cryptographic key extraction on mobiles and never relies on redundancy degradation."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-63",
      "target_framework": "CWE",
      "target_id": "CWE-20",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-63 mostly because missing validation allows script injection to reach the browser, yet CAPEC-63 exploits the CWE only partially as a narrow XSS variant among many possible input-validation failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-63",
      "target_framework": "CWE",
      "target_id": "CWE-79",
      "extent": "full",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-79 is the exact neutralization failure that CAPEC-63 requires to succeed, and CAPEC-63 is the canonical attack pattern written against that CWE family."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-632",
      "target_framework": "CWE",
      "target_id": "CWE-1007",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1007 enables CAPEC-632 fully because the attack cannot succeed without the display flaw, yet CAPEC-632 exploits the CWE only partially as one narrow homoglyph-domain variant among broader manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-633",
      "target_framework": "CWE",
      "target_id": "CWE-1270",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Incorrect token generation supplies the exact flaw needed for impersonation to succeed, yet CAPEC-633 represents only one narrow variant among many possible CWE-1270 manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-633",
      "target_framework": "CWE",
      "target_id": "CWE-287",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-287's missing identity proof directly enables any token forgery (full), yet CAPEC-633 is only one narrow token-specific variant among many possible CWE-287 manifestations (partial)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-634",
      "target_framework": "CWE",
      "target_id": "CWE-267",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-634 relies primarily on malware deployment and peripheral API abuse rather than a privilege that permits unintended unsafe actions."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-636",
      "target_framework": "CWE",
      "target_id": "CWE-506",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-506 is the resulting condition rather than a precondition for the hiding technique, while CAPEC-636 is one narrow file-format method of achieving embedded malicious code."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-637",
      "target_framework": "CWE",
      "target_id": "CWE-267",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-267 concerns unsafe actions reachable via a granted privilege, while CAPEC-637 relies on the inherent accessibility of the system clipboard to other processes; neither direction depends on the other."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-639",
      "target_framework": "CWE",
      "target_id": "CWE-552",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-552 directly enables CAPEC-639 by exposing the files the probe needs, yet CAPEC-639 is only one narrow manifestation of the broad accessibility weakness."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-64",
      "target_framework": "CWE",
      "target_id": "CWE-172",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-172's failure to handle encoding is the direct prerequisite that lets CAPEC-64 succeed, yet CAPEC-64 is only one narrow URL-slash variant among many possible encoding errors."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-64",
      "target_framework": "CWE",
      "target_id": "CWE-173",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-173 enables CAPEC-64 fully because the bypass attack cannot succeed without a failure to normalize alternate encodings, while CAPEC-64 exploits the CWE only partially as one narrow slash/percent-encoding variant among many possible manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-64",
      "target_framework": "CWE",
      "target_id": "CWE-177",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-177's missing URL-decoding normalization is the exact precondition the CAPEC-64 bypass requires (full enablement), yet CAPEC-64 is only one narrow slash-encoding variant among many possible CWE-177 manifestations (partial exploitation)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-64",
      "target_framework": "CWE",
      "target_id": "CWE-20",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-64 fully because the encoding bypass has no effect without a validation failure, while CAPEC-64 exploits CWE-20 only partially as one narrow encoding-specific variant among many."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-64",
      "target_framework": "CWE",
      "target_id": "CWE-22",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-22 enables CAPEC-64 fully because failure to neutralize encoded slashes directly permits the traversal; CAPEC-64 exploits CWE-22 only partially as one narrow encoding variant among many path-traversal techniques."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-64",
      "target_framework": "CWE",
      "target_id": "CWE-697",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Incorrect comparison directly enables the bypass (attack cannot succeed without it), while CAPEC-64 is only one narrow encoding/slash variant among many possible incorrect-comparison flaws."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-64",
      "target_framework": "CWE",
      "target_id": "CWE-707",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-707's neutralization failure is a prerequisite the CAPEC-64 encoding bypass cannot succeed without, yet the pattern is only one narrow URL-slash variant among the CWE's many possible manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-64",
      "target_framework": "CWE",
      "target_id": "CWE-73",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-73 enables CAPEC-64 mostly because unsanitized path control is required for the slash/encoding bypass to reach the filesystem; CAPEC-64 exploits CWE-73 only partially as one narrow encoding variant among many path-control weaknesses."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-64",
      "target_framework": "CWE",
      "target_id": "CWE-74",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-74 enables CAPEC-64 fully because the slash/encoding bypass requires a neutralization failure on special URL elements; CAPEC-64 exploits CWE-74 only partially as one narrow encoding variant among many injection manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-640",
      "target_framework": "CWE",
      "target_id": "CWE-114",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-114 enables CAPEC-640 fully because the attack requires the ability to load/execute untrusted code into a live process; CAPEC-640 exploits CWE-114 only partially as one narrow injection variant among many process-control failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-640",
      "target_framework": "CWE",
      "target_id": "CWE-829",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-829 directly supplies the untrusted-code surface that CAPEC-640 needs to run malicious code inside a live process, yet CAPEC-640 only covers one narrow verification-bypass variant among many possible CWE-829 manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-641",
      "target_framework": "CWE",
      "target_id": "CWE-706",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-706 fully enables CAPEC-641 because side-loading succeeds only when a DLL name resolves outside the intended control sphere, yet the CAPEC remains one narrow variant among many CWE-706 manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-642",
      "target_framework": "CWE",
      "target_id": "CWE-732",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-732 directly supplies the missing permissions that CAPEC-642 requires, yet CAPEC-642 is only one narrow binary-replacement variant among many possible mis-permission abuses."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-643",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 directly supplies the exposed shared-resource data that CAPEC-643 enumerates, enabling the pattern completely, yet CAPEC-643 is only one narrow enumeration technique among many CWE-200 manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-644",
      "target_framework": "CWE",
      "target_id": "CWE-294",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-294 enables CAPEC-644 fully because pass-the-hash is replay of captured authenticators; CAPEC-644 exploits CWE-294 only partially as one narrow NTLM/LM variant among many capture-replay manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-644",
      "target_framework": "CWE",
      "target_id": "CWE-308",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Single-factor hash auth directly enables PTH (no other factor blocks the captured hash), while CAPEC-644 is only one narrow NTLM-specific variant of that CWE."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-644",
      "target_framework": "CWE",
      "target_id": "CWE-522",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-522 enables hash capture (and thus CAPEC-644) in most cases, but CAPEC-644 is only one narrow NTLM-specific variant of credential theft."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-644",
      "target_framework": "CWE",
      "target_id": "CWE-836",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-836 fully enables CAPEC-644 by making systems accept hashes directly for auth, while the narrow LM/NTLM pass-the-hash variant exploits that surface only partially."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-645",
      "target_framework": "CWE",
      "target_id": "CWE-294",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-294 supplies the missing replay surface that CAPEC-645 needs, yet CAPEC-645 also covers ticket theft/forgery vectors outside classic network capture-replay."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-645",
      "target_framework": "CWE",
      "target_id": "CWE-308",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-308 concerns absence of MFA while CAPEC-645 hinges on reusable Kerberos tickets; neither direction depends on the other."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-645",
      "target_framework": "CWE",
      "target_id": "CWE-522",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-522's failure to protect credentials directly enables ticket theft required by CAPEC-645, yet the narrow Kerberos ticket variant exploits only one slice of the broad CWE."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-646",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 enables CAPEC-646 only partially because some footprinting steps rely on active malware rather than passive exposure; CAPEC-646 exploits CWE-200 only partially as one narrow reconnaissance variant among many information-exposure avenues."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-647",
      "target_framework": "CWE",
      "target_id": "CWE-285",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-285 enables CAPEC-647 fully as the registry collection attack cannot succeed without the missing authorization check, yet CAPEC-647 exploits the CWE only partially as one narrow registry-specific variant among many possible authorization failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-65",
      "target_framework": "CWE",
      "target_id": "CWE-311",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Missing encryption directly enables successful capture of readable code via sniffing, while CAPEC-65 is only one narrow variant among many ways to exploit that CWE."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-65",
      "target_framework": "CWE",
      "target_id": "CWE-318",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-318 enables CAPEC-65 fully because cleartext sensitive data in the executable is exactly what the sniffer extracts; CAPEC-65 exploits the CWE only partially as one narrow network-sniffing variant among many possible exposures of the stored executable."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-65",
      "target_framework": "CWE",
      "target_id": "CWE-319",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-319 enables CAPEC-65 fully because cleartext transmission is required for passive sniffing of the code to succeed, while CAPEC-65 exploits the CWE only partially as a narrow code-sniffing variant among many possible sensitive-data exposures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-65",
      "target_framework": "CWE",
      "target_id": "CWE-693",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Lack of any protection mechanism directly enables passive capture of plaintext code, while CAPEC-65 is only one narrow sniffing variant among many possible exploits of CWE-693."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-650",
      "target_framework": "CWE",
      "target_id": "CWE-287",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CAPEC-650 hinges on insufficient permissions (authorization), not authentication verification, so neither direction links the two."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-650",
      "target_framework": "CWE",
      "target_id": "CWE-553",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-553 is the post-upload state rather than a precondition for the upload action in CAPEC-650, so A enables B not at all; the attack does however target the same externally-writable directory surface that CWE-553 describes, exploiting it only partially as one concrete variant."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-651",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 exposure is the outcome of eavesdropping rather than a prerequisite that enables it, while CAPEC-651 exploits the broad exposure surface only as one narrow non-network interception variant."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-652",
      "target_framework": "CWE",
      "target_id": "CWE-262",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Lack of password aging lets stolen Kerberos creds remain valid longer (partial enablement) but CAPEC-652 targets credential theft/reuse, not password lifetime at all (no exploitation)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-652",
      "target_framework": "CWE",
      "target_id": "CWE-263",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-652 exploits stolen Kerberos credentials whose validity window is lengthened by weak aging, yet relies primarily on credential theft rather than expiration policy."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-652",
      "target_framework": "CWE",
      "target_id": "CWE-294",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-294 enables ticket replay within CAPEC-652 but is unnecessary for password theft/purchase paths; CAPEC-652 is one narrow Kerberos variant among many capture-replay manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-652",
      "target_framework": "CWE",
      "target_id": "CWE-308",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Single-factor auth (CWE-308) directly enables credential-reuse attacks such as CAPEC-652 by making the stolen Kerberos material sufficient; CAPEC-652 is only one narrow variant among many single-factor exploits."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-652",
      "target_framework": "CWE",
      "target_id": "CWE-309",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-309 enables CAPEC-652 only partially because stolen Kerberos tickets bypass passwords entirely, while CAPEC-652 exploits the CWE only partially as a narrow Kerberos-specific credential-reuse variant."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-652",
      "target_framework": "CWE",
      "target_id": "CWE-522",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-522 enables credential theft via interception (partial, since purchasing bypasses it) while CAPEC-652 is one narrow Kerberos-specific variant that may leverage such exposure (partial)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-652",
      "target_framework": "CWE",
      "target_id": "CWE-654",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-654 enables CAPEC-652 fully because stolen single-factor Kerberos credentials suffice for access, while the narrow Kerberos variant exploits the broad single-factor weakness only partially."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-653",
      "target_framework": "CWE",
      "target_id": "CWE-262",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "No password aging lets stolen credentials remain valid longer (partial enablement) but CAPEC-653 targets credential acquisition itself, not the aging surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-653",
      "target_framework": "CWE",
      "target_id": "CWE-263",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Long expiration widens the window for already-obtained OS credentials (partial enablement) but CAPEC-653 never relies on or targets the aging policy itself."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-653",
      "target_framework": "CWE",
      "target_id": "CWE-307",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-307 enables the guessing component of CAPEC-653 but is unnecessary when credentials are stolen/purchased, while CAPEC-653 exploits the weakness only in its brute-force variant."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-653",
      "target_framework": "CWE",
      "target_id": "CWE-308",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-308 enables CAPEC-653 fully because single-factor auth lets stolen/guessed credentials succeed, while CAPEC-653 exploits the CWE only partially as one narrow OS-credential variant among many single-factor manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-653",
      "target_framework": "CWE",
      "target_id": "CWE-309",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-309 supplies the password auth surface that CAPEC-653 directly requires (full enablement), yet the CAPEC is only one narrow OS-credential variant among many possible password weaknesses (partial exploitation)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-653",
      "target_framework": "CWE",
      "target_id": "CWE-522",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-522 enables credential theft used by CAPEC-653 but guessing/purchase paths bypass it; CAPEC-653 only sometimes exploits the CWE surface via stolen OS creds."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-653",
      "target_framework": "CWE",
      "target_id": "CWE-654",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Single-factor reliance directly enables credential-use attacks (no second factor blocks success), while the CAPEC is only one narrow password-based instance of that broad CWE."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-654",
      "target_framework": "CWE",
      "target_id": "CWE-1021",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1021 is a web-frame/UI-layer restriction flaw while CAPEC-654 is an OS-level malicious-app foreground impersonation that neither depends on nor targets web-frame weaknesses."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-657",
      "target_framework": "CWE",
      "target_id": "CWE-494",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-494 is a prerequisite for any successful malicious update, enabling CAPEC-657 fully, yet the CAPEC only covers one narrow spoofing variant of the broader integrity-check weakness."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-66",
      "target_framework": "CWE",
      "target_id": "CWE-1286",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1286 fully enables CAPEC-66 because SQLi requires unvalidated SQL syntax in input, yet CAPEC-66 only partially exploits the CWE as one narrow syntax-variant among many possible failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-66",
      "target_framework": "CWE",
      "target_id": "CWE-89",
      "extent": "full",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-89 is the exact root weakness that fully enables the general SQL Injection attack in CAPEC-66, which directly and fully exploits that same surface rather than a narrow variant."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-660",
      "target_framework": "CWE",
      "target_id": "CWE-829",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-829 permits loading of attacker-controlled code that hooking can abuse, but CAPEC-660 is a narrow runtime-evasion variant that does not require developer-introduced untrusted includes."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-661",
      "target_framework": "CWE",
      "target_id": "CWE-489",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Active debug code directly supplies the debugger attachment surface the CAPEC requires, while the CAPEC itself is only one narrow root-evasion variant among many possible debug-code abuses."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-662",
      "target_framework": "CWE",
      "target_id": "CWE-300",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-300 describes non-endpoint channel access (e.g. classic MITM) while CAPEC-662 requires endpoint Trojan installation, so the weakness does not enable the pattern; the pattern only partially overlaps the CWE surface via post-malware traffic manipulation."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-662",
      "target_framework": "CWE",
      "target_id": "CWE-494",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-494 can facilitate Trojan install via unverified download (one possible vector for AiTB) but is not required, while CAPEC-662 uses that surface only as a narrow delivery step rather than its core MITB exploitation."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-663",
      "target_framework": "CWE",
      "target_id": "CWE-1037",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1037 concerns optimization passes that elide security-critical instructions, while CAPEC-663 targets micro-architectural side-effects of speculative execution; neither supplies the prerequisite for the other."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-663",
      "target_framework": "CWE",
      "target_id": "CWE-1264",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1264's de-synchronization directly supplies the transient-execution surface that CAPEC-663 requires, yet CAPEC-663 remains one narrow micro-architectural variant among the broader family of de-sync flaws."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-663",
      "target_framework": "CWE",
      "target_id": "CWE-1303",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1303's shared microarchitectural resources are a prerequisite for any transient-execution leak, enabling CAPEC-663 fully, yet the CAPEC describes only one narrow gadget-and-covert-channel variant among many possible exploitations of that sharing."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-664",
      "target_framework": "CWE",
      "target_id": "CWE-20",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-664 fully because SSRF requires the server to accept unvalidated malicious URLs or parameters, while CAPEC-664 exploits CWE-20 only partially as one narrow SSRF variant among many input-validation failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-664",
      "target_framework": "CWE",
      "target_id": "CWE-918",
      "extent": "mostly",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-918 is the exact weakness the CAPEC-664 pattern requires, enabling it fully, yet the CAPEC remains one canonical variant within the broader CWE family so its exploitation is only mostly complete."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-665",
      "target_framework": "CWE",
      "target_id": "CWE-1188",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Insecure defaults in Thunderbolt controller init directly enable firmware manipulation of auth/verification (mostly), yet CAPEC-665 is one narrow physical-SPI variant among many possible CWE-1188 manifestations (partial)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-665",
      "target_framework": "CWE",
      "target_id": "CWE-288",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-288 directly supplies the alternate-channel bypass that CAPEC-665 needs, yet the CAPEC is only one narrow Thunderbolt firmware variant of that CWE."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-665",
      "target_framework": "CWE",
      "target_id": "CWE-345",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-345 directly supplies the missing verification that CAPEC-665 must bypass, so the pattern cannot succeed without it; yet CAPEC-665 remains only one narrow Thunderbolt-specific variant among many possible manifestations of CWE-345."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-665",
      "target_framework": "CWE",
      "target_id": "CWE-353",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-665 exploits implementation flaws in existing Thunderbolt verification/authorization schemes plus physical firmware access, not absence of integrity checking as defined by CWE-353."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-665",
      "target_framework": "CWE",
      "target_id": "CWE-862",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-862 supplies the exact authorization flaw the CAPEC directly targets via firmware manipulation (full enablement), yet the CAPEC remains only one narrow Thunderbolt-specific variant among many possible CWE-862 manifestations (partial exploitation)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-666",
      "target_framework": "CWE",
      "target_id": "CWE-404",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "BlueSmacking is a proximity-based L2CAP flooding DoS that succeeds regardless of resource-release behavior, and it targets protocol buffering rather than any shutdown/release surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-667",
      "target_framework": "CWE",
      "target_id": "CWE-290",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-290 fully enables the spoofing-based bypass in CAPEC-667, yet the Bluetooth MAC-specific attack only partially exploits the broad CWE-290 surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-668",
      "target_framework": "CWE",
      "target_id": "CWE-693",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-693 enables CAPEC-668 fully because the attack requires the Bluetooth key-negotiation protection to be absent or bypassed, yet the narrow KNOB variant exploits only one slice of the broad protection-mechanism-failure surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-67",
      "target_framework": "CWE",
      "target_id": "CWE-120",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-120's unchecked buffer copy is unrelated to the format-string misuse that CAPEC-67 directly exploits to produce its overflow."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-67",
      "target_framework": "CWE",
      "target_id": "CWE-134",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-134 fully enables CAPEC-67 because the attack requires an uncontrolled format string in syslog, yet CAPEC-67 only partially exploits CWE-134 as one narrow syslog-specific variant among many format-string issues."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-67",
      "target_framework": "CWE",
      "target_id": "CWE-20",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 fully enables CAPEC-67 because the attack cannot occur without unvalidated user data reaching syslog(); CAPEC-67 exploits CWE-20 only partially as one narrow format-string instance among many input-validation failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-67",
      "target_framework": "CWE",
      "target_id": "CWE-74",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-74 fully enables CAPEC-67 because the format-string misuse is impossible without the missing neutralization, yet CAPEC-67 only partially exploits the broad CWE surface as one narrow syslog variant."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-676",
      "target_framework": "CWE",
      "target_id": "CWE-1286",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1286 enables CAPEC-676 fully because NoSQL operator injection requires the ability to supply syntactically invalid input; CAPEC-676 exploits the CWE only partially as one narrow manifestation among many possible syntax-validation failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-676",
      "target_framework": "CWE",
      "target_id": "CWE-943",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-943 fully enables CAPEC-676 because the injection requires the neutralization failure, while CAPEC-676 exploits the CWE only partially as one narrow NoSQL variant among many query types."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-679",
      "target_framework": "CWE",
      "target_id": "CWE-1222",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1222 is one specific coarse-grained lock flaw that can produce the broad improper memory protection surface CAPEC-679 targets, so it enables the pattern only partially and is exploited by the pattern only partially."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-679",
      "target_framework": "CWE",
      "target_id": "CWE-1257",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1257 describes a specific aliasing-related access-control failure that directly supplies the missing/inconsistent memory protection surface CAPEC-679 exploits, yet the CAPEC covers many other memory-protection misconfigurations so only partially targets this CWE variant."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-679",
      "target_framework": "CWE",
      "target_id": "CWE-1260",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1260 is one specific mis-implementation of memory protection that can contribute to the broad CAPEC-679 pattern, but the attack neither requires overlap nor is limited to it."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-679",
      "target_framework": "CWE",
      "target_id": "CWE-1274",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1274 is exactly the missing memory protection for secure-boot code that CAPEC-679 describes, so the weakness enables the pattern fully, yet the broad CAPEC only partially covers this one narrow boot-code instance."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-679",
      "target_framework": "CWE",
      "target_id": "CWE-1282",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1282 is a direct instance of the missing memory protection that CAPEC-679 exploits, enabling the pattern fully while the pattern itself only partially covers this specific immutable-data case."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-679",
      "target_framework": "CWE",
      "target_id": "CWE-1312",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1312 is one narrow missing-protection case that can enable the broad CAPEC-679 pattern, while the general attack only partially targets this specific mirrored-region firewall flaw."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-679",
      "target_framework": "CWE",
      "target_id": "CWE-1316",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1316 is a direct instance of the misconfigured memory protection that CAPEC-679 exploits, enabling the pattern fully, yet the broad CAPEC only partially covers this narrow address-map variant."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-679",
      "target_framework": "CWE",
      "target_id": "CWE-1326",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Missing root of trust can indirectly facilitate boot/memory attacks but does not supply the misconfigured memory protections that CAPEC-679 directly requires."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-68",
      "target_framework": "CWE",
      "target_id": "CWE-325",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Missing crypto step weakens signature verification that code-signing depends on, yet CAPEC-68 can also succeed via key theft or VM policy bypass, so each direction uses the other only as one enabling step."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-68",
      "target_framework": "CWE",
      "target_id": "CWE-328",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Weak-hash collisions can serve as one concrete step to forge signatures and thereby subvert code signing, yet CAPEC-68 lists many other subversion avenues and is not narrowly predicated on CWE-328."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-680",
      "target_framework": "CWE",
      "target_id": "CWE-1224",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1224 is one specific register-control flaw (write-once bits) among the broader set of access-control failures that CAPEC-680 targets, so each enables/exploits the other only partially."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-680",
      "target_framework": "CWE",
      "target_id": "CWE-1231",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1231's lock-bit failure directly supplies the register access-control bypass that CAPEC-680 describes, yet the CAPEC remains only one narrow variant among several possible register-control flaws."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-680",
      "target_framework": "CWE",
      "target_id": "CWE-1233",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1233 enables CAPEC-680 fully because missing lock-bit protection directly permits the unauthorized register writes the attack requires; CAPEC-680 exploits CWE-1233 only partially because it also covers many other forms of register access-control failure beyond lock bits."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-680",
      "target_framework": "CWE",
      "target_id": "CWE-1262",
      "extent": "mostly",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1262 directly supplies the missing/inadequate register access control that CAPEC-680 requires, enabling the pattern fully; CAPEC-680 is a narrow register-specific exploitation variant and therefore only mostly exploits the broader CWE surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-680",
      "target_framework": "CWE",
      "target_id": "CWE-1283",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1283 is precisely the attestation-register instance of the register-control flaw that CAPEC-680 exploits, so the weakness fully enables the pattern while the broad pattern only partially exploits this narrow CWE surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-681",
      "target_framework": "CWE",
      "target_id": "CWE-1259",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1259's missing protection directly supplies the misconfigured tokens that CAPEC-681 requires, yet the CAPEC remains only one narrow hardware-identifier variant of the broader CWE family."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-681",
      "target_framework": "CWE",
      "target_id": "CWE-1270",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Incorrect tokens are the direct prerequisite the attack hinges on, yet CAPEC-681 is only one narrow hardware-SoC variant of the broader CWE."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-682",
      "target_framework": "CWE",
      "target_id": "CWE-1310",
      "extent": "mostly",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1310 directly supplies the unpatchable surface that CAPEC-682 requires to succeed (full enablement), while CAPEC-682 is a close but not exhaustive match that also covers post-support decisions (mostly exploitation)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-69",
      "target_framework": "CWE",
      "target_id": "CWE-15",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-15 can partially enable CAPEC-69 by allowing config changes that grant elevated privileges, but the attack pattern does not require or exploit external config control\u2014it targets code flaws in already-privileged programs."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-69",
      "target_framework": "CWE",
      "target_id": "CWE-250",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-250 directly supplies the elevated privileges that CAPEC-69 requires, enabling the pattern fully, while CAPEC-69 is only one narrow variant among many possible exploits of unnecessary privileges."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-691",
      "target_framework": "CWE",
      "target_id": "CWE-494",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-494 enables CAPEC-691 fully because the attack succeeds only when downloaded code is executed without integrity verification, while CAPEC-691 exploits that weakness only partially as one narrow metadata-spoofing variant."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-692",
      "target_framework": "CWE",
      "target_id": "CWE-494",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-494 enables CAPEC-692 fully because spoofed VCS metadata only succeeds in delivering malicious code when no integrity verification occurs; CAPEC-692 exploits the CWE only partially as one narrow metadata-spoofing variant among many possible integrity failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-693",
      "target_framework": "CWE",
      "target_id": "CWE-494",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-494 enables CAPEC-693 fully because the spoofed package is only executable without origin/integrity verification; CAPEC-693 exploits CWE-494 only partially as one narrow metadata-spoofing variant among many possible manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-694",
      "target_framework": "CWE",
      "target_id": "CWE-497",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-497 exposure directly supplies the locale/timezone data that CAPEC-694 collects, enabling the pattern in most cases, yet CAPEC-694 remains only one narrow variant among many possible manifestations of that exposure."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-695",
      "target_framework": "CWE",
      "target_id": "CWE-494",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-494 is a prerequisite for successful repo jacking (full enablement) yet CAPEC-695 is only one narrow VCS-redirect variant among many possible integrity failures (partial exploitation)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-695",
      "target_framework": "CWE",
      "target_id": "CWE-829",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-829 fully enables repo jacking by permitting direct inclusion of VCS dependencies from an externally controlled sphere, while CAPEC-695 exploits that surface only partially as one narrow redirect-based variant among many possible manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-696",
      "target_framework": "CWE",
      "target_id": "CWE-1342",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1342 enables CAPEC-696 fully because uncleared transient microarchitectural state is required for LVI value forwarding, yet LVI exploits the CWE only partially as one narrow variant among many transient-execution attacks."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-697",
      "target_framework": "CWE",
      "target_id": "CWE-923",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-923 enables CAPEC-697 fully because absent endpoint authentication the spoof succeeds, yet the narrow DHCP variant exploits that surface only partially."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-698",
      "target_framework": "CWE",
      "target_id": "CWE-507",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-507 is the resulting hidden malicious functionality itself, while CAPEC-698 is the upstream act of introducing it; neither direction enables or exploits the other."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-698",
      "target_framework": "CWE",
      "target_id": "CWE-829",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-829's inclusion of untrusted functionality directly enables malicious extension installation (attack cannot succeed without that surface), while CAPEC-698 is only one narrow installation variant among many CWE-829 manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-699",
      "target_framework": "CWE",
      "target_id": "CWE-1300",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1300 directly enables CAPEC-699 because monitor signal leakage is a physical side-channel emission with no protection; CAPEC-699 exploits only the EME-monitor subset of the broad CWE-1300 family."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-7",
      "target_framework": "CWE",
      "target_id": "CWE-20",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-7 fully because blind SQLi requires unvalidated input to reach the query engine, yet the narrow blind variant exploits only one slice of the broad CWE-20 surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-7",
      "target_framework": "CWE",
      "target_id": "CWE-707",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-707's neutralization failure is the direct prerequisite for any SQLi (hence full enablement), while CAPEC-7 is only one narrow blind variant among many neutralization manifestations (hence partial exploitation)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-7",
      "target_framework": "CWE",
      "target_id": "CWE-74",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-74 enables CAPEC-7 fully (no neutralization failure means no injection possible) while CAPEC-7 exploits the CWE only partially (narrow blind-SQL variant among many injection forms)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-7",
      "target_framework": "CWE",
      "target_id": "CWE-89",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-89 enables CAPEC-7 fully because blind injection cannot occur without the underlying SQL neutralization flaw, while CAPEC-7 exploits CWE-89 only partially as one narrow error-suppressed variant among many SQLi forms."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-70",
      "target_framework": "CWE",
      "target_id": "CWE-308",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Single-factor password auth enables the guessing attack fully (no second factor to bypass), while the narrow brute-force variant exploits that CWE surface only partially."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-70",
      "target_framework": "CWE",
      "target_id": "CWE-309",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-309 enables CAPEC-70 fully because the attack requires password-based auth to exist, while CAPEC-70 exploits only one narrow slice (defaults/common guesses) of the broad CWE-309 surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-70",
      "target_framework": "CWE",
      "target_id": "CWE-521",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-521 directly permits the default/weak credentials that CAPEC-70 requires to succeed, yet CAPEC-70 is only one narrow variant among many possible manifestations of weak password policy."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-70",
      "target_framework": "CWE",
      "target_id": "CWE-654",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-654 fully enables CAPEC-70 because password guessing succeeds only when a single factor is the sole gate; CAPEC-70 exploits that surface only partially as one narrow guessing variant among many single-factor attacks."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-70",
      "target_framework": "CWE",
      "target_id": "CWE-798",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Hard-coded credentials supply one possible set of known values an attacker might try, yet CAPEC-70 succeeds against any default configuration and does not require the credentials to be embedded in code; conversely the pattern only partially covers the CWE because many hard-coded secrets are not common/default strings."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-701",
      "target_framework": "CWE",
      "target_id": "CWE-345",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-345 enables CAPEC-701 mostly by letting an adversary present unauthenticated remote-desktop content the browser treats as legitimate, while the narrow BiTM variant exploits the broad CWE only partially."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-71",
      "target_framework": "CWE",
      "target_id": "CWE-172",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-172 directly supplies the missing Unicode handling that CAPEC-71 requires to succeed, yet CAPEC-71 is only one narrow encoding-specific variant among many possible CWE-172 manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-71",
      "target_framework": "CWE",
      "target_id": "CWE-173",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-173 enables CAPEC-71 fully because the attack hinges directly on failure to handle alternate encodings, while CAPEC-71 exploits the CWE only partially as one narrow Unicode variant among many possible encodings."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-71",
      "target_framework": "CWE",
      "target_id": "CWE-176",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-176 is a prerequisite for CAPEC-71 so the weakness enables the pattern fully, yet CAPEC-71 is only one narrow validation-bypass variant among many possible Unicode mishandling consequences."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-71",
      "target_framework": "CWE",
      "target_id": "CWE-179",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-179's early-validation ordering directly enables the Unicode bypass (full), while CAPEC-71 is only one narrow encoding-specific variant among many possible manifestations of that CWE (partial)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-71",
      "target_framework": "CWE",
      "target_id": "CWE-180",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-180 enables CAPEC-71 fully (validation-before-canonicalization directly permits Unicode bypass), while CAPEC-71 exploits CWE-180 only partially (one narrow encoding variant among many canonicalization flaws)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-71",
      "target_framework": "CWE",
      "target_id": "CWE-183",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Permissive allow-list directly admits the encoded unsafe payload (mostly), while Unicode bypass is only one narrow validation-failure variant among many that could stem from CWE-183 (partial)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-71",
      "target_framework": "CWE",
      "target_id": "CWE-184",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-184's incomplete list directly enables CAPEC-71 by omitting Unicode variants (full), while the narrow Unicode attack exploits only one slice of that incompleteness surface (partial)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-71",
      "target_framework": "CWE",
      "target_id": "CWE-20",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-71 fully because the Unicode bypass has no effect without a validation failure, while CAPEC-71 exploits CWE-20 only partially as one narrow encoding-specific variant."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-71",
      "target_framework": "CWE",
      "target_id": "CWE-692",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-692's incomplete denylist directly enables CAPEC-71 by omitting Unicode variants; CAPEC-71 is only one narrow bypass among many possible denylist gaps."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-71",
      "target_framework": "CWE",
      "target_id": "CWE-697",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Incorrect comparison fully enables the Unicode bypass (no correct normalization means the filter fails outright), while CAPEC-71 is only one narrow encoding variant among many possible manifestations of CWE-697."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-71",
      "target_framework": "CWE",
      "target_id": "CWE-74",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-74 supplies the missing neutralization surface that CAPEC-71's Unicode bypass directly targets, yet the CAPEC remains only one narrow encoding variant among many possible injections."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-72",
      "target_framework": "CWE",
      "target_id": "CWE-172",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-172 enables CAPEC-72 fully because the attack requires improper encoding/decoding to succeed, while CAPEC-72 exploits CWE-172 only partially as one narrow URL-encoding variant among many possible manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-72",
      "target_framework": "CWE",
      "target_id": "CWE-173",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-173 enables CAPEC-72 fully because the attack cannot succeed without the failure to handle alternate encodings, while CAPEC-72 exploits the CWE only partially as one narrow URL-encoding variant among many possible alternate encodings."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-72",
      "target_framework": "CWE",
      "target_id": "CWE-177",
      "extent": "mostly",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-177's missing neutralization is the direct prerequisite for any successful CAPEC-72 URL-encoding abuse (full enablement), yet CAPEC-72 is only one narrow encoding variant among the broader CWE-177 family (partial exploitation)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-72",
      "target_framework": "CWE",
      "target_id": "CWE-20",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-72 fully because the encoding abuse has no effect without a validation failure on decoded input; CAPEC-72 exploits CWE-20 only partially as one narrow encoding-specific variant among many CWE-20 manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-72",
      "target_framework": "CWE",
      "target_id": "CWE-73",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-73 enables URL-encoding attacks only when the target is path traversal, while CAPEC-72 is a narrow encoding technique that exploits path-control surfaces only partially."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-72",
      "target_framework": "CWE",
      "target_id": "CWE-74",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-74's failure to neutralize special elements directly enables any URL-encoding bypass that alters interpretation, while CAPEC-72 is only one narrow encoding technique among many CWE-74 variants."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-73",
      "target_framework": "CWE",
      "target_id": "CWE-116",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-116 enables CAPEC-73 fully because the filename-driven XSS succeeds only when output escaping is absent or broken; CAPEC-73 exploits CWE-116 only partially as one narrow filename variant among many encoding failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-73",
      "target_framework": "CWE",
      "target_id": "CWE-184",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Incomplete disallowed-input list directly permits malicious filenames to reach HTML generation (mostly enabling CAPEC-73), while the narrow filename-XSS variant only partially exercises the broad CWE-184 surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-73",
      "target_framework": "CWE",
      "target_id": "CWE-20",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-73 fully because the attack cannot succeed without missing validation of the supplied filename, while CAPEC-73 exploits the CWE only partially as one narrow filename-specific variant among many possible input-validation failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-73",
      "target_framework": "CWE",
      "target_id": "CWE-348",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-348 supplies a less-trusted data path that the CAPEC-73 payload can ride, yet the attack still requires separate filename-to-HTML mishandling; conversely the narrow filename variant only partially exercises the two-source trust decision."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-73",
      "target_framework": "CWE",
      "target_id": "CWE-697",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Incorrect comparison can partially enable the attack by allowing a malicious filename to pass a flawed check, but CAPEC-73 exploits missing filename sanitization rather than any comparison flaw."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-73",
      "target_framework": "CWE",
      "target_id": "CWE-86",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-86 neutralization failure directly supplies the injection surface filenames rely on, yet CAPEC-73 is only one narrow filename-based variant among many possible CWE-86 manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-73",
      "target_framework": "CWE",
      "target_id": "CWE-96",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-96's failure to neutralize input before writing to saved resources directly enables filename-driven injection, but CAPEC-73 is only one narrow filename-based variant among many static-injection manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-74",
      "target_framework": "CWE",
      "target_id": "CWE-1245",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Faulty FSMs directly enable hardware state manipulation attacks, but CAPEC-74 is a broad pattern covering many state issues beyond just improper hardware FSMs."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-74",
      "target_framework": "CWE",
      "target_id": "CWE-1253",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Incorrect fuse selection directly permits hardware state transitions to insecure values (mostly enabling CAPEC-74), yet CAPEC-74 covers many unrelated state manipulations and only partially exploits this narrow fuse weakness."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-74",
      "target_framework": "CWE",
      "target_id": "CWE-315",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Cleartext cookie storage directly exposes modifiable state, enabling CAPEC-74 as a primary vector, yet CAPEC-74 remains a broad pattern that only partially exploits this narrow CWE surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-74",
      "target_framework": "CWE",
      "target_id": "CWE-353",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Missing transmission integrity enables undetected state tampering mostly via network vectors, while CAPEC-74 exploits that surface only partially as one of many state-manipulation avenues."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-74",
      "target_framework": "CWE",
      "target_id": "CWE-372",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-372's failure to track/distinguish states directly enables any state-manipulation attack to succeed, while CAPEC-74 broadly covers many state flaws and only partially exploits this specific distinction weakness."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-74",
      "target_framework": "CWE",
      "target_id": "CWE-693",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-693 enables CAPEC-74 fully because absent any working protection mechanism the state manipulation succeeds, yet CAPEC-74 only partially exploits the broad CWE as one narrow state-focused variant among many possible protection failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-75",
      "target_framework": "CWE",
      "target_id": "CWE-349",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-75 primarily exploits file-permission and external-control weaknesses rather than mixing of extraneous untrusted data with trusted data."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-75",
      "target_framework": "CWE",
      "target_id": "CWE-99",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-99 resource-identifier flaws do not enable or underlie CAPEC-75 file-modification attacks, which instead hinge on write permissions and direct file access."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-76",
      "target_framework": "CWE",
      "target_id": "CWE-15",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-15 can serve as one indirect vector for supplying malicious FS paths but is not required for CAPEC-76, which directly targets unsanitized web inputs to file-system APIs rather than configuration settings."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-76",
      "target_framework": "CWE",
      "target_id": "CWE-22",
      "extent": "mostly",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-22 supplies the exact pathname-resolution flaw CAPEC-76 requires, enabling the attack fully, while CAPEC-76 is a broad input-manipulation pattern that only partially maps onto the narrower CWE-22 surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-76",
      "target_framework": "CWE",
      "target_id": "CWE-23",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-23 directly supplies the missing neutralization that CAPEC-76 requires to reach unintended paths, yet CAPEC-76 remains a broad pattern that can also exploit other file-call weaknesses such as CWE-36."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-76",
      "target_framework": "CWE",
      "target_id": "CWE-285",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Improper authorization enables the file-system manipulation attack by allowing the resolved path to be accessed, but the pattern itself is a narrow input-handling variant that only partially maps to the broad authorization family."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-76",
      "target_framework": "CWE",
      "target_id": "CWE-346",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-346 concerns source authenticity while CAPEC-76 hinges on unsanitized path content reaching FS APIs; neither direction depends on the other."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-76",
      "target_framework": "CWE",
      "target_id": "CWE-348",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-348 supplies a less-trusted data source that CAPEC-76 can ride, yet the attack fundamentally needs missing path validation rather than the source-selection flaw itself."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-76",
      "target_framework": "CWE",
      "target_id": "CWE-59",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-59 can serve as one optional step in a CAPEC-76 input-to-FS-call attack when a symlink is involved, but CAPEC-76 does not depend on or specifically target link-resolution failures."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-76",
      "target_framework": "CWE",
      "target_id": "CWE-73",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-73 enables CAPEC-76 fully because the attack cannot succeed without external path control, yet CAPEC-76 exploits the CWE only partially as one narrow web-input variant among many possible manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-76",
      "target_framework": "CWE",
      "target_id": "CWE-74",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-74 fully enables CAPEC-76 because the attack requires unneutralized special elements to reach file-system calls, yet CAPEC-76 only partially exploits CWE-74 as it is one narrow variant among many injection surfaces covered by the CWE."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-76",
      "target_framework": "CWE",
      "target_id": "CWE-77",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-77 enables file-system manipulation only when the calls occur via injectable shell commands (partial); CAPEC-76 is a narrow path-manipulation variant that exploits command-injection surfaces only incidentally (partial)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-77",
      "target_framework": "CWE",
      "target_id": "CWE-1321",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1321 directly supplies the uncontrolled mutation surface that CAPEC-77 relies on for JS objects, yet CAPEC-77 also covers many non-prototype variable manipulations outside that CWE."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-77",
      "target_framework": "CWE",
      "target_id": "CWE-15",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-15 supplies the exact external-control surface that CAPEC-77 requires, yet CAPEC-77 is only one narrow variant among many possible manifestations of CWE-15."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-77",
      "target_framework": "CWE",
      "target_id": "CWE-285",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-285 permits variable manipulation to affect auth decisions but is not required for CAPEC-77 execution, while CAPEC-77 is only one narrow vector among many that could abuse improper authorization."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-77",
      "target_framework": "CWE",
      "target_id": "CWE-302",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-302's immutable-data assumption directly enables variable-manipulation attacks on auth flows (mostly), while CAPEC-77 is a broad pattern that only partially maps onto this specific auth weakness."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-77",
      "target_framework": "CWE",
      "target_id": "CWE-473",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-473 is the precise PHP neutralization failure that CAPEC-77 directly requires, yet CAPEC-77 remains a broader pattern that also covers non-PHP variable manipulation."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-77",
      "target_framework": "CWE",
      "target_id": "CWE-94",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-94 enables variable-manipulation attacks only when those variables feed into code generation, while CAPEC-77 is a narrow input-vector variant that exploits the CWE surface only incidentally."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-77",
      "target_framework": "CWE",
      "target_id": "CWE-96",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-77 targets variable overriding via unsanitized input to alter logic; CWE-96 is a narrower static-resource code-directive flaw that the attack pattern only incidentally touches via shared sanitization issues."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-78",
      "target_framework": "CWE",
      "target_id": "CWE-172",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-172's failure to handle encodings directly enables the escaped-slash bypass (full), yet CAPEC-78 is only one narrow variant among many possible encoding attacks (partial)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-78",
      "target_framework": "CWE",
      "target_id": "CWE-173",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-173 enables CAPEC-78 fully because the attack cannot succeed without the failure to handle alternate encodings, yet CAPEC-78 exploits the CWE only partially as one narrow escaped-slash variant among many possible manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-78",
      "target_framework": "CWE",
      "target_id": "CWE-180",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-180 enables CAPEC-78 fully because the attack requires validation to miss post-canonicalization encodings; CAPEC-78 exploits the CWE only partially as one narrow encoding variant among many."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-78",
      "target_framework": "CWE",
      "target_id": "CWE-20",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-78 fully as the encoding bypass has no effect without a validation failure, while CAPEC-78 exploits CWE-20 only partially as one narrow encoding variant among many."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-78",
      "target_framework": "CWE",
      "target_id": "CWE-22",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-22's failure to neutralize encoded pathname elements directly enables the escaped-slash bypass (mostly), while CAPEC-78 is only one narrow encoding variant among many possible path-traversal manifestations (partial)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-78",
      "target_framework": "CWE",
      "target_id": "CWE-697",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Incorrect comparison directly enables the encoding bypass (filter fails to normalize/decode before matching), while CAPEC-78 is only one narrow encoding variant among many possible incorrect-comparison flaws."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-78",
      "target_framework": "CWE",
      "target_id": "CWE-707",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-707's neutralization failure is a prerequisite for CAPEC-78's encoding bypass (full enablement), yet the narrow slash-escape variant only partially covers the broad CWE surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-78",
      "target_framework": "CWE",
      "target_id": "CWE-73",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-73 supplies the uncontrolled path surface that CAPEC-78's encoding bypass needs to reach the filesystem, yet CAPEC-78 is only one narrow slash-encoding variant among many ways to abuse that surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-78",
      "target_framework": "CWE",
      "target_id": "CWE-74",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-74 fully enables CAPEC-78 because the attack requires unneutralized special elements (backslash escapes) to reach the parser, while CAPEC-78 only partially exploits CWE-74 as one narrow encoding-specific variant of the broad injection family."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-79",
      "target_framework": "CWE",
      "target_id": "CWE-173",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-173 enables CAPEC-79 fully (attack fails without the encoding-handling flaw) while CAPEC-79 exploits the CWE only partially (narrow slash-encoding variant among many possible manifestations)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-79",
      "target_framework": "CWE",
      "target_id": "CWE-180",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-180 fully enables CAPEC-79 because alternate slash encodings bypass pre-canonicalization validation, while CAPEC-79 only partially exploits the CWE as one narrow encoding variant among many."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-79",
      "target_framework": "CWE",
      "target_id": "CWE-185",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-79 exploits alternate-encoding bypasses in path validation (primarily CWE-22/173) and only incidentally touches regex if that mechanism is used for filtering."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-79",
      "target_framework": "CWE",
      "target_id": "CWE-20",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-20's missing validation is the direct prerequisite that fully enables CAPEC-79's slash-encoding bypass, yet the narrow encoding variant only partially exploits the broad CWE-20 surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-79",
      "target_framework": "CWE",
      "target_id": "CWE-200",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-79 exploits validation/encoding flaws to cause path traversal; exposure (CWE-200) is only one possible outcome among several weaknesses."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-79",
      "target_framework": "CWE",
      "target_id": "CWE-22",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-22's failure to neutralize pathname elements directly enables any slash-encoding traversal (full), while CAPEC-79 is only one narrow encoding variant among many possible CWE-22 manifestations (partial)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-79",
      "target_framework": "CWE",
      "target_id": "CWE-697",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Incorrect comparison directly enables the slash-encoding bypass (no canonicalization means the attack lands), yet CAPEC-79 is only one narrow variant among many possible incorrect-comparison flaws."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-79",
      "target_framework": "CWE",
      "target_id": "CWE-707",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-707 enables CAPEC-79 fully because the slash-encoding bypass requires a neutralization failure to succeed, while CAPEC-79 exploits CWE-707 only partially as one narrow encoding variant among many."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-79",
      "target_framework": "CWE",
      "target_id": "CWE-73",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-73 supplies the external path control surface that CAPEC-79 needs, yet CAPEC-79 only exercises one narrow encoding bypass among many possible manifestations of that weakness."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-79",
      "target_framework": "CWE",
      "target_id": "CWE-74",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-74 fully enables CAPEC-79 because the attack cannot succeed without failure to neutralize encoded slashes, while CAPEC-79 only partially exploits CWE-74 as one narrow encoding variant among many injection surfaces."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-8",
      "target_framework": "CWE",
      "target_id": "CWE-118",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-118 enables CAPEC-8 fully because an unchecked index/range error is the direct precondition for any buffer overflow, while CAPEC-8 exploits CWE-118 only partially as one narrow API-call variant among many range-error manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-8",
      "target_framework": "CWE",
      "target_id": "CWE-119",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-119 enables CAPEC-8 fully because the attack is a direct instance of unrestricted buffer operations, while CAPEC-8 exploits the CWE only partially as one narrow API-call variant among many buffer-overflow manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-8",
      "target_framework": "CWE",
      "target_id": "CWE-120",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-120 supplies the exact unchecked buffer copy that CAPEC-8 requires in an API/library, enabling the pattern fully, yet CAPEC-8 remains only one narrow API-call variant among many possible CWE-120 manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-8",
      "target_framework": "CWE",
      "target_id": "CWE-20",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 directly enables CAPEC-8 because buffer overflows in API calls require missing length/content validation, while CAPEC-8 is only one narrow manifestation among many CWE-20 variants."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-8",
      "target_framework": "CWE",
      "target_id": "CWE-680",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-680 produces one specific root cause of BO that CAPEC-8 can exploit, yet CAPEC-8 neither requires integer overflow nor is limited to it."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-8",
      "target_framework": "CWE",
      "target_id": "CWE-697",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Incorrect comparison can be one contributing factor in certain buffer-overflow preconditions but is neither necessary nor the primary cause for CAPEC-8, and CAPEC-8 does not target comparison flaws at all."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-80",
      "target_framework": "CWE",
      "target_id": "CWE-172",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-172 enables CAPEC-80 fully because any successful UTF-8 bypass requires an underlying encoding/decoding failure, while CAPEC-80 exploits CWE-172 only partially as one narrow UTF-8 variant among many possible encoding errors."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-80",
      "target_framework": "CWE",
      "target_id": "CWE-173",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-173 fully enables the UTF-8 bypass because the attack cannot succeed without mishandled alternate encodings, yet CAPEC-80 exploits only one narrow encoding variant among many covered by the CWE."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-80",
      "target_framework": "CWE",
      "target_id": "CWE-180",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-180's validation-before-canonicalization order directly enables the UTF-8 bypass (attack fails if canonicalize-then-validate is used), while CAPEC-80 is only one narrow encoding variant among many possible manifestations of the CWE."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-80",
      "target_framework": "CWE",
      "target_id": "CWE-20",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 fully enables CAPEC-80 because the attack requires missing or ineffective input validation for UTF-8, while CAPEC-80 exploits CWE-20 only partially as one narrow encoding-specific variant among many possible manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-80",
      "target_framework": "CWE",
      "target_id": "CWE-692",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Incomplete denylist fully enables UTF-8 bypass by omitting encoded variants, while the narrow encoding attack only partially exploits the broad denylist weakness."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-80",
      "target_framework": "CWE",
      "target_id": "CWE-697",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Incorrect comparison enables the UTF-8 bypass by allowing flawed validation to be evaded, but the narrow encoding-specific attack only partially exploits the broad CWE surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-80",
      "target_framework": "CWE",
      "target_id": "CWE-73",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-73 is unnecessary for executing the general UTF-8 bypass in CAPEC-80, yet that encoding attack can partially target the validation surface of path-control flaws."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-80",
      "target_framework": "CWE",
      "target_id": "CWE-74",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-74's missing neutralization directly enables the UTF-8 bypass (attack fails without it), while CAPEC-80 is only one narrow encoding variant among many CWE-74 manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-81",
      "target_framework": "CWE",
      "target_id": "CWE-116",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-116 enables log-injection tampering by failing to preserve structure when writing requests to logs (mostly), while CAPEC-81 is only one narrow log-targeting variant among many CWE-116 manifestations (partial)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-81",
      "target_framework": "CWE",
      "target_id": "CWE-117",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-117 fully enables CAPEC-81 because absent neutralization the tampering succeeds directly, yet CAPEC-81 exploits the CWE only partially as one narrow web-server-log variant among many possible log-injection manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-81",
      "target_framework": "CWE",
      "target_id": "CWE-150",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-150 enables CAPEC-81 mostly by allowing direct injection of control sequences (e.g., newlines) into logs, while CAPEC-81 exploits the weakness only partially as one of several tampering vectors."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-81",
      "target_framework": "CWE",
      "target_id": "CWE-20",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 mostly enables CAPEC-81 by allowing unsanitized input to reach logs, but CAPEC-81 exploits only one narrow injection vector within the broad CWE-20 family."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-81",
      "target_framework": "CWE",
      "target_id": "CWE-276",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Weak default file perms directly enable log-file tampering by allowing arbitrary modification, yet CAPEC-81 describes a narrow log-injection variant that only sometimes exploits this CWE surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-81",
      "target_framework": "CWE",
      "target_id": "CWE-279",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-279 can partially enable log tampering by granting unintended write access to log files, but CAPEC-81 primarily exploits injection/processing flaws rather than execution-time permission assignment."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-81",
      "target_framework": "CWE",
      "target_id": "CWE-75",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-75 fully enables CAPEC-81 because log tampering by injection requires unsanitized special elements to reach the log plane, while CAPEC-81 exploits the CWE only partially as one narrow variant among many injection surfaces."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-81",
      "target_framework": "CWE",
      "target_id": "CWE-93",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-93 fully enables CAPEC-81 because log tampering via forged entries directly requires unneutralized CRLF, while CAPEC-81 is only one narrow log-specific variant among many CRLF manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-81",
      "target_framework": "CWE",
      "target_id": "CWE-96",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-81 can exploit CWE-96 only in the narrow asynchronous log-processing subcase, while the CWE itself is unrelated to web-log tampering."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-83",
      "target_framework": "CWE",
      "target_id": "CWE-20",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 fully enables CAPEC-83 because unsanitized input is required for XPath expressions to reach the XML engine, yet CAPEC-83 is only one narrow injection variant among many CWE-20 manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-83",
      "target_framework": "CWE",
      "target_id": "CWE-707",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-707's missing neutralization is the direct prerequisite that fully enables CAPEC-83, yet the narrow XPath variant only partially exploits the broad CWE-707 surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-83",
      "target_framework": "CWE",
      "target_id": "CWE-74",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-74 enables CAPEC-83 fully because XPath injection cannot occur without the neutralization failure, while CAPEC-83 exploits CWE-74 only partially as one narrow XPath variant among many injection types."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-83",
      "target_framework": "CWE",
      "target_id": "CWE-91",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-91's failure to neutralize XML metacharacters fully enables the XPath injection attack, yet CAPEC-83 is only one narrow variant within the broader XML-injection surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-84",
      "target_framework": "CWE",
      "target_id": "CWE-707",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-707's neutralization failure is a prerequisite for any XQuery injection to succeed, enabling CAPEC-84 fully, yet the narrow XQuery variant only partially exploits the broad CWE-707 surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-84",
      "target_framework": "CWE",
      "target_id": "CWE-74",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-74 enables CAPEC-84 fully (no neutralization failure means no XQuery injection surface), while CAPEC-84 exploits CWE-74 only partially (narrow XQuery variant of the broad injection family)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-86",
      "target_framework": "CWE",
      "target_id": "CWE-80",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-80's neutralization failure is the direct prerequisite for any header-based script injection (full enablement), while CAPEC-86 is only one narrow header-specific variant among many possible CWE-80 manifestations (partial exploitation)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-87",
      "target_framework": "CWE",
      "target_id": "CWE-285",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-285 is a prerequisite for CAPEC-87 to succeed (full enablement), yet forceful browsing is only one narrow exploitation variant among many authorization failures (partial exploitation)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-87",
      "target_framework": "CWE",
      "target_id": "CWE-425",
      "extent": "full",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-425 is the precise missing authorization control that CAPEC-87 directly exercises, so the weakness enables the pattern completely and the pattern exploits that surface completely."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-87",
      "target_framework": "CWE",
      "target_id": "CWE-693",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-693 enables CAPEC-87 fully because the attack cannot succeed without a missing or broken protection mechanism, yet CAPEC-87 exploits only one narrow slice of the broad CWE-693 surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-88",
      "target_framework": "CWE",
      "target_id": "CWE-20",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-88 fully because command injection requires untrusted input to reach a command interpreter, yet CAPEC-88 exploits only one narrow slice of the broad input-validation surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-88",
      "target_framework": "CWE",
      "target_id": "CWE-78",
      "extent": "full",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-78 is the exact neutralization failure that CAPEC-88 requires to succeed, and CAPEC-88 is the canonical attack pattern written against that CWE surface rather than a narrow sub-variant."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-88",
      "target_framework": "CWE",
      "target_id": "CWE-88",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-88's delimiter neutralization failure directly supplies the injection surface CAPEC-88 needs, yet CAPEC-88 also covers other command-separator and quoting vectors beyond strict argument delimiters."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-89",
      "target_framework": "CWE",
      "target_id": "CWE-346",
      "extent": "none",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Pharming succeeds via DNS/hosts manipulation that makes the apparent origin appear legitimate, independent of any product-side origin check failure."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-9",
      "target_framework": "CWE",
      "target_id": "CWE-118",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-118 enables CAPEC-9 fully because range errors are the direct cause of buffer overflows, while CAPEC-9 exploits the weakness only partially as one narrow local-utility variant among many CWE-118 manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-9",
      "target_framework": "CWE",
      "target_id": "CWE-119",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-119 fully enables CAPEC-9 because the attack cannot occur without an out-of-bounds buffer operation, yet CAPEC-9 exploits the CWE only partially as one narrow local-utility variant among many possible manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-9",
      "target_framework": "CWE",
      "target_id": "CWE-120",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-120 enables CAPEC-9 fully because the attack cannot succeed without the unchecked buffer copy, while CAPEC-9 exploits CWE-120 only partially as one narrow local-utility variant among many possible manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-9",
      "target_framework": "CWE",
      "target_id": "CWE-20",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-9 fully (no overflow without missing length checks) while CAPEC-9 exploits only one narrow slice of the broad CWE-20 surface."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-9",
      "target_framework": "CWE",
      "target_id": "CWE-680",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-680 supplies one specific root cause of the buffer overflows that CAPEC-9 targets, yet CAPEC-9 can succeed via other BO vectors and only partially matches the integer-overflow mechanism."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-9",
      "target_framework": "CWE",
      "target_id": "CWE-697",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-9 hinges on buffer overflow (CWE-120 family), not incorrect comparison, though some BOF cases involve flawed size checks."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-90",
      "target_framework": "CWE",
      "target_id": "CWE-301",
      "extent": "mostly",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-301 is the exact weakness the attack pattern requires, enabling it fully, while CAPEC-90 is the canonical (not narrowly sub-variant) realization of that CWE and therefore exploits it mostly."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-90",
      "target_framework": "CWE",
      "target_id": "CWE-303",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Incorrect implementation directly creates the protocol flaw reflection needs (mostly enables), yet CAPEC-90 only covers one narrow reflection variant among many possible incorrect-impl bugs (partial exploit)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-92",
      "target_framework": "CWE",
      "target_id": "CWE-120",
      "extent": "partial",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-92 centers on integer range manipulation (primarily CWE-190) that may secondarily produce buffer issues, while CWE-120 describes unchecked buffer copies unrelated to the integer attack vector itself."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-92",
      "target_framework": "CWE",
      "target_id": "CWE-122",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-122 is a potential downstream consequence of CAPEC-92 rather than an enabler of it; CAPEC-92 can indirectly reach heap-overflow surfaces when the overflowed integer controls allocation size, but only as one of many possible outcomes."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-92",
      "target_framework": "CWE",
      "target_id": "CWE-128",
      "extent": "mostly",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-128's wrap-around behavior is the direct and necessary result of the integer overflow that CAPEC-92 forces, enabling the attack fully, while the CAPEC remains one specific forcing technique among the broader family of wrap-around manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-92",
      "target_framework": "CWE",
      "target_id": "CWE-190",
      "extent": "mostly",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-190 is the direct root condition that CAPEC-92 forces and abuses, yet CAPEC-92 remains one concrete variant among many possible integer-overflow manifestations."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-92",
      "target_framework": "CWE",
      "target_id": "CWE-196",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-196 produces the exact negative/unexpected values CAPEC-92 seeks via overflow, yet the attack pattern succeeds with many other integer-wrap scenarios that never involve an unsigned-to-signed cast."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-92",
      "target_framework": "CWE",
      "target_id": "CWE-680",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-680 supplies the exact unchecked allocation arithmetic that CAPEC-92 must trigger to reach buffer overflow, yet CAPEC-92 remains a broader forced-overflow technique usable against many other integer sinks."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-92",
      "target_framework": "CWE",
      "target_id": "CWE-697",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Incorrect comparison can allow overflowed values to pass checks and produce the attack effect, yet Forced Integer Overflow can succeed via other downstream misuse and only represents one narrow manifestation of comparison errors."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-93",
      "target_framework": "CWE",
      "target_id": "CWE-117",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-117 directly supplies the missing neutralization that CAPEC-93 requires to succeed, yet CAPEC-93 remains only one narrow manifestation among the broader family of log weaknesses."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-93",
      "target_framework": "CWE",
      "target_id": "CWE-150",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-150 fully enables CAPEC-93 because log forging requires unneutralized control/escape sequences, while CAPEC-93 exploits the CWE only partially as one narrow log-specific variant."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-93",
      "target_framework": "CWE",
      "target_id": "CWE-75",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-75's missing sanitization of control-plane delimiters directly enables log forging (full), while CAPEC-93 is only one narrow manifestation of that broad weakness class (partial)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-94",
      "target_framework": "CWE",
      "target_id": "CWE-287",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-287 enables CAPEC-94 mostly because AiTM commonly hinges on weak identity verification during auth challenges, while CAPEC-94 exploits CWE-287 only partially as one narrow interposition variant among many."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-94",
      "target_framework": "CWE",
      "target_id": "CWE-290",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "AiTM executes independently of any auth-spoofing flaw, while AiTM can exploit CWE-290 as one of many possible targets."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-94",
      "target_framework": "CWE",
      "target_id": "CWE-294",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-294 does not enable execution of general AiTM positioning, while CAPEC-94 can exploit capture-replay only as one narrow variant among many possible AiTM outcomes."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-94",
      "target_framework": "CWE",
      "target_id": "CWE-300",
      "extent": "mostly",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-300's missing endpoint/channel verification is the exact precondition AiTM requires (full enablement), yet CAPEC-94 represents only one concrete realization among the weakness's broader exploitation surface (mostly)."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-95",
      "target_framework": "CWE",
      "target_id": "CWE-538",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-538 places the sensitive WSDL content in an accessible location, directly enabling CAPEC-95; the CAPEC is only one narrow WSDL-specific variant of that exposure."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-97",
      "target_framework": "CWE",
      "target_id": "CWE-1204",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Weak IVs directly enable many cryptanalysis techniques by supplying predictable state an attacker can leverage, yet CAPEC-97 remains a broad family that only partially exploits this single CWE surface among many possible flaws."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-97",
      "target_framework": "CWE",
      "target_id": "CWE-1240",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1240 supplies the exact implementation flaw that cryptanalysis requires, enabling CAPEC-97 fully, yet CAPEC-97 is a broad family that only partially targets this single CWE variant."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-97",
      "target_framework": "CWE",
      "target_id": "CWE-1241",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "Predictable RNG supplies a concrete, high-value flaw that cryptanalysis routinely leverages to recover keys, yet cryptanalysis itself remains a broad family that also targets algorithm design flaws unrelated to RNG."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-97",
      "target_framework": "CWE",
      "target_id": "CWE-1279",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-1279 can partially enable CAPEC-97 by producing weak outputs that aid cryptanalysis, while CAPEC-97 only partially exploits this narrow readiness flaw among many possible application weaknesses."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-97",
      "target_framework": "CWE",
      "target_id": "CWE-327",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-327 supplies the exact broken algorithm that CAPEC-97 is designed to break, enabling the pattern fully, yet CAPEC-97 also covers implementation and usage flaws outside the algorithm choice itself and therefore exploits the CWE only partially."
    },
    {
      "source_framework": "CAPEC",
      "source_id": "CAPEC-98",
      "target_framework": "CWE",
      "target_id": "CWE-451",
      "extent": "partial",
      "relation": "exploits",
      "authority": "manual_QA_v2",
      "notes": "CWE-451 supplies the UI spoofing surface that phishing commonly needs, yet phishing can succeed via non-UI vectors such as email spoofing alone; conversely, CAPEC-98 is a broad social-engineering pattern that only partially exercises the narrower UI-misrepresentation weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1007",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-632",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1007 enables CAPEC-632 fully because the attack cannot succeed without the display flaw, yet CAPEC-632 exploits the CWE only partially as one narrow homoglyph-domain variant among broader manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1021",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-103",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1021 is the exact missing frame/UI restriction that clickjacking requires, enabling CAPEC-103 fully; CAPEC-103 is only one narrow realization of the broad CWE family, exploiting it only partially."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1021",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-181",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1021 enables CAPEC-181 fully because absent UI-layer restrictions the Flash overlay has no surface to hijack, while CAPEC-181 exploits the CWE only partially as one narrow Flash-specific variant among many clickjacking techniques."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1021",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-222",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1021 enables CAPEC-222 fully because the overlay attack cannot succeed without unrestricted cross-domain frames, while CAPEC-222 exploits the CWE only partially as one narrow iFrame variant among several possible manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1021",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-504",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1021 is a web-specific frame/UI-layer restriction flaw while CAPEC-504 is an OS-level malicious-app task-monitoring and foreground spoofing technique; neither enables nor exploits the other."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1021",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-506",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1021 directly permits the overlay technique that CAPEC-506 requires, yet Tapjacking is only one narrow manifestation among the broader set of UI-layer attacks covered by the CWE."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1021",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-587",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1021 is the exact missing frame/UI restriction that XFS requires to succeed, but CAPEC-587 is only one narrow manifestation among related frame attacks."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1021",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-654",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1021 is a web-frame/UI-layer restriction flaw while CAPEC-654 is an OS-level malicious-app foreground impersonation that neither depends on nor targets web-frame weaknesses."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1037",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-663",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1037 concerns optimization passes that elide security-critical instructions, while CAPEC-663 targets micro-architectural side-effects of speculative execution; neither supplies the prerequisite for the other."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-112",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-230",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Missing validation fully enables the nested-payload resource attack because the malicious XML is accepted and expanded; CAPEC-230 exploits that surface only partially as one narrow variant of many possible CWE-112 abuses."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-112",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-231",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Missing schema validation can incidentally permit oversized XML but does not directly enable resource-exhaustion attacks that hinge on absent size limits; CAPEC-231 targets parser resource handling rather than schema-validation surfaces."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-113",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-105",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-113 enables CAPEC-105 fully because CRLF neutralization failure is the direct prerequisite for request splitting, while CAPEC-105 exploits the CWE only partially as one narrow request-oriented variant within the broader request/response family."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-113",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-31",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-31 targets cookie access/tampering via unrelated vectors (sniffing, XSS, etc.) while CWE-113 enables header splitting that can incidentally set malicious cookies."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-113",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-34",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-113's missing CRLF neutralization directly supplies the injection surface CAPEC-34 requires, enabling the pattern fully, while CAPEC-34 itself is one narrow manifestation of that CWE and therefore exploits it only mostly."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-114",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-108",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-114 enables CAPEC-108 fully because the attack requires unvalidated command execution from untrusted data, while CAPEC-108 exploits CWE-114 only partially as one narrow SQL-injection variant of the broad process-control weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-114",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-640",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-114 enables CAPEC-640 fully because the attack requires the ability to load/execute untrusted code into a live process; CAPEC-640 exploits CWE-114 only partially as one narrow injection variant among many process-control failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-116",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-104",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Improper output encoding can be one vector for zone bypass but is neither required nor the core of CAPEC-104; the CAPEC is a narrow zone-elevation variant that only partially maps onto the broad CWE-116 family."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-116",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-73",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-116 enables CAPEC-73 fully because the filename-driven XSS succeeds only when output escaping is absent or broken; CAPEC-73 exploits CWE-116 only partially as one narrow filename variant among many encoding failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-116",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-81",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-116 enables log-injection tampering by failing to preserve structure when writing requests to logs (mostly), while CAPEC-81 is only one narrow log-targeting variant among many CWE-116 manifestations (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-117",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-268",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-117 enables log manipulation via unneutralized input but access-control paths also permit CAPEC-268, while the CAPEC only narrowly exploits the neutralization surface among other vectors."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-117",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-81",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-117 fully enables CAPEC-81 because absent neutralization the tampering succeeds directly, yet CAPEC-81 exploits the CWE only partially as one narrow web-server-log variant among many possible log-injection manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-117",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-93",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-117 directly supplies the missing neutralization that CAPEC-93 requires to succeed, yet CAPEC-93 remains only one narrow manifestation among the broader family of log weaknesses."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-118",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-10",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-118 enables CAPEC-10 fully because any buffer overflow requires an out-of-bounds write (range error), yet CAPEC-10 exploits the weakness only partially as one narrow env-var variant among many possible range-error manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-118",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-14",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-118 range errors directly enable buffer overflows (CAPEC-14) but are not the sole cause; CAPEC-14's narrow client-injection variant exploits that surface only partially."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-118",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-24",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-118 enables CAPEC-24 fully because the attack hinges on an exploitable range error to produce the overflow that bypasses the filter, while CAPEC-24 exploits CWE-118 only partially as one narrow filter-failure variant among many range-error manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-118",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-45",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-118's missing bounds check is the direct prerequisite for any buffer overflow, so the weakness enables the attack fully; CAPEC-45 is only one narrow symbolic-link vector among many possible CWE-118 manifestations, so the pattern exploits the weakness only partially."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-118",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-46",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-118's range-error surface directly permits oversized tag writes to overflow buffers (mostly enabling CAPEC-46), yet CAPEC-46 is only one narrow configuration-tag variant among many possible range-error manifestations (exploits partially)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-118",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-47",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-118 enables CAPEC-47 fully because the range-error weakness is the direct precondition for the overflow to occur, while CAPEC-47 exploits CWE-118 only partially as one narrow parameter-expansion variant among many possible range errors."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-118",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-8",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-118 enables CAPEC-8 fully because an unchecked index/range error is the direct precondition for any buffer overflow, while CAPEC-8 exploits CWE-118 only partially as one narrow API-call variant among many range-error manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-118",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-9",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-118 enables CAPEC-9 fully because range errors are the direct cause of buffer overflows, while CAPEC-9 exploits the weakness only partially as one narrow local-utility variant among many CWE-118 manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1188",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-665",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Insecure defaults in Thunderbolt controller init directly enable firmware manipulation of auth/verification (mostly), yet CAPEC-665 is one narrow physical-SPI variant among many possible CWE-1188 manifestations (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1189",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-124",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1189's missing isolation is the direct prerequisite that lets CAPEC-124 succeed, yet the broad CAPEC pattern only partially targets the narrower SoC-specific surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-119",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-10",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-119 enables CAPEC-10 fully because the buffer-boundary violation is a prerequisite for any overflow, while CAPEC-10 exploits the CWE only partially as one narrow environment-variable variant among many possible manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-119",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-100",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-119 is the direct root weakness that fully enables any buffer overflow, yet CAPEC-100 is only one narrow variant among the many manifestations of that broad CWE."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-119",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-123",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-119 enables CAPEC-123 fully because the attack cannot succeed without an out-of-bounds buffer operation, yet CAPEC-123 exploits the CWE only partially as one narrow manipulation variant among many possible manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-119",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-14",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-119 fully enables CAPEC-14 because the attack cannot succeed without an out-of-bounds buffer operation, yet CAPEC-14 only partially exploits CWE-119 by instantiating one narrow client-side injection variant among many possible buffer-overflow manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-119",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-24",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-119 enables CAPEC-24 fully because the attack requires a successful buffer overflow to bypass the filter, while CAPEC-24 exploits CWE-119 only partially as one narrow filter-failure variant among many buffer-overflow manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-119",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-42",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-119 fully enables the buffer overflow that CAPEC-42 requires, while CAPEC-42 exploits CWE-119 only partially as one narrow MIME-conversion variant among many."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-119",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-44",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-119 enables CAPEC-44 fully (the attack cannot occur without the buffer overflow) while CAPEC-44 exploits CWE-119 only partially (narrow binary-resource variant among many possible manifestations)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-119",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-45",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-119 is the direct prerequisite that CAPEC-45 hinges on, yet CAPEC-45 is only one narrow symbolic-link variant of the broad CWE-119 family."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-119",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-46",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-119 enables CAPEC-46 fully because the attack requires an exploitable buffer boundary violation; CAPEC-46 exploits CWE-119 only partially as a narrow tag/variable variant among many buffer-overflow manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-119",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-47",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-119 enables CAPEC-47 fully because the attack cannot succeed without an out-of-bounds buffer operation, yet CAPEC-47 exploits the CWE only partially as one narrow parameter-expansion variant among many buffer-overflow manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-119",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-8",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-119 enables CAPEC-8 fully because the attack is a direct instance of unrestricted buffer operations, while CAPEC-8 exploits the CWE only partially as one narrow API-call variant among many buffer-overflow manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-119",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-9",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-119 fully enables CAPEC-9 because the attack cannot occur without an out-of-bounds buffer operation, yet CAPEC-9 exploits the CWE only partially as one narrow local-utility variant among many possible manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1190",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-180",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-180 broadly covers access-control misconfigurations; CWE-1190 is a narrow boot-order/DMA timing flaw that only incidentally resembles one such misconfiguration."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1191",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-1",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1191 is a hardware debug-interface flaw while CAPEC-1 is a software ACL bypass pattern; neither enables nor exploits the other."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1191",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-180",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1191 directly supplies the missing access-control surface that CAPEC-180 requires, yet CAPEC-180 remains a broad pattern that only partially maps onto this hardware-specific weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-120",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-10",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-120 enables CAPEC-10 fully because the attack hinges on the unchecked copy; CAPEC-10 exploits CWE-120 only partially as one narrow env-var variant among many."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-120",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-100",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-120 is the exact missing-bounds-check condition that CAPEC-100 requires, enabling the pattern fully, yet CAPEC-100 also covers other buffer-overflow variants so it exploits this specific CWE only partially."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-120",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-14",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-120 fully enables CAPEC-14 (attack cannot succeed without the unchecked buffer copy) while CAPEC-14 only partially exploits CWE-120 (narrow client-side injection variant of the broad classic buffer-overflow family)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-120",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-24",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-120 directly supplies the unchecked oversized copy that CAPEC-24 requires to make the filter fail, but CAPEC-24 is only one narrow filter-bypass usage of that weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-120",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-42",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-120 enables CAPEC-42 fully as the MIME overflow attack cannot succeed without an unchecked buffer copy; CAPEC-42 exploits CWE-120 only partially as a narrow MIME-specific variant among many buffer-overflow avenues."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-120",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-44",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-120 enables CAPEC-44 fully (attack cannot occur without the buffer overflow) while CAPEC-44 exploits CWE-120 only partially (narrow binary-resource variant of the broad weakness)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-120",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-45",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-120's missing bounds check is a direct prerequisite for CAPEC-45 (full enablement), yet CAPEC-45 is only one narrow symbolic-link variant among many buffer-overflow manifestations (partial exploitation)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-120",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-46",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-120 enables CAPEC-46 fully because the tag/variable overflow attack requires an unchecked buffer copy to succeed, while CAPEC-46 exploits the CWE only partially as one narrow input-format variant among many."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-120",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-47",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-120's missing size check is the direct precondition that lets parameter expansion overflow a buffer (full enablement), while CAPEC-47 is only one narrow expansion-based variant among many possible CWE-120 triggers (partial exploitation)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-120",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-67",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-120's unchecked buffer copy is unrelated to the format-string misuse that CAPEC-67 directly exploits to produce its overflow."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-120",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-8",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-120 supplies the exact unchecked buffer copy that CAPEC-8 requires in an API/library, enabling the pattern fully, yet CAPEC-8 remains only one narrow API-call variant among many possible CWE-120 manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-120",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-9",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-120 enables CAPEC-9 fully because the attack cannot succeed without the unchecked buffer copy, while CAPEC-9 exploits CWE-120 only partially as one narrow local-utility variant among many possible manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-120",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-92",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-92 centers on integer range manipulation (primarily CWE-190) that may secondarily produce buffer issues, while CWE-120 describes unchecked buffer copies unrelated to the integer attack vector itself."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1204",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-97",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Weak IVs directly enable many cryptanalysis techniques by supplying predictable state an attacker can leverage, yet CAPEC-97 remains a broad family that only partially exploits this single CWE surface among many possible flaws."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-122",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-92",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-122 is a potential downstream consequence of CAPEC-92 rather than an enabler of it; CAPEC-92 can indirectly reach heap-overflow surfaces when the overflowed integer controls allocation size, but only as one of many possible outcomes."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1220",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-1",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1220 enables CAPEC-1 mostly because overly-broad policies directly permit the unauthorized access the attack seeks, while CAPEC-1 exploits the CWE only partially as one narrow missing-ACL manifestation among many granularity failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1220",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-180",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1220 supplies one specific misconfiguration vector that CAPEC-180 can use, yet the attack pattern neither requires nor is limited to insufficient granularity."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1221",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-166",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Incorrect defaults supply one reachable bad prior state that a reset can target, yet CAPEC-166 works against any prior insecure configuration and is not limited to register defaults."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1222",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-679",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1222 is one specific coarse-grained lock flaw that can produce the broad improper memory protection surface CAPEC-679 targets, so it enables the pattern only partially and is exploited by the pattern only partially."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1223",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-26",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1223 is one specific hardware race-condition instance that CAPEC-26 can leverage, but the general attack pattern neither depends exclusively on it nor targets its surface exclusively."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1224",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-680",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1224 is one specific register-control flaw (write-once bits) among the broader set of access-control failures that CAPEC-680 targets, so each enables/exploits the other only partially."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1231",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-680",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1231's lock-bit failure directly supplies the register access-control bypass that CAPEC-680 describes, yet the CAPEC remains only one narrow variant among several possible register-control flaws."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1233",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-176",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-176 is a meta pattern centered on external software config files, only tangentially related to this hardware register lock flaw."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1233",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-680",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1233 enables CAPEC-680 fully because missing lock-bit protection directly permits the unauthorized register writes the attack requires; CAPEC-680 exploits CWE-1233 only partially because it also covers many other forms of register access-control failure beyond lock bits."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1234",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-176",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-176 is a broad meta pattern centered on external config files/libraries while CWE-1234 describes a narrow hardware debug-mode bypass, so the weakness is irrelevant to the attack but the attack could touch the weakness via environment manipulation."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1240",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-97",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1240 supplies the exact implementation flaw that cryptanalysis requires, enabling CAPEC-97 fully, yet CAPEC-97 is a broad family that only partially targets this single CWE variant."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1241",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-97",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Predictable RNG supplies a concrete, high-value flaw that cryptanalysis routinely leverages to recover keys, yet cryptanalysis itself remains a broad family that also targets algorithm design flaws unrelated to RNG."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1242",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-212",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Undocumented chicken bits directly supply the hidden entry points that enable Functionality Misuse, yet the broad CAPEC-212 pattern only partially targets this specific weakness among many possible design flaws."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1242",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-36",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1242 supplies the hidden chicken-bit surface that CAPEC-36 can invoke, yet CAPEC-36 also succeeds via other unpublished interfaces; conversely the CAPEC directly targets the exact weakness surface described by the CWE."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1244",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-114",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-114 is a broad meta-pattern on auth-mechanism abuse while CWE-1244 describes a narrow hardware debug-level misassignment that only incidentally resembles one possible auth flaw."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1245",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-74",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Faulty FSMs directly enable hardware state manipulation attacks, but CAPEC-74 is a broad pattern covering many state issues beyond just improper hardware FSMs."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1246",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-212",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1246 supplies one specific design flaw that a misuse attack can leverage as a step, while CAPEC-212 is a broad pattern that only partially maps onto this narrow NVM weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1247",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-624",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1247 directly enables clock-glitch portions of CAPEC-624 (full) while CAPEC-624's broader fault-injection surface only partially maps to this single CWE family (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1247",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-625",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1247 enables CAPEC-625 fully as the attack requires absent glitch protection; CAPEC-625 exploits the CWE only partially as a narrow mobile/crypto variant among many possible manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-125",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-540",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-125 directly supplies the out-of-bounds read surface that CAPEC-540 requires, enabling the pattern fully, yet CAPEC-540 remains one narrow read-specific variant among the broader CWE-125 family."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1253",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-74",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Incorrect fuse selection directly permits hardware state transitions to insecure values (mostly enabling CAPEC-74), yet CAPEC-74 covers many unrelated state manipulations and only partially exploits this narrow fuse weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1254",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-26",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1254's stepwise comparison timing side-channel has no bearing on CAPEC-26's concurrent resource-modification race, so neither enables nor is exploited by the other."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1255",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-189",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-189 is a broad reverse-engineering pattern that lists physical side-effects only as one possible technique among many, while CWE-1255 describes one narrow power-analysis weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1256",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-624",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-624 relies on external physical fault injection while CWE-1256 centers on unrestricted software-exposed hardware controls, yielding only incidental overlap via clock glitches."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1256",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-625",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-625 relies on physical fault injection (EM/laser/clock glitches) while CWE-1256 centers on unrestricted software interfaces to hardware; only clock-glitch overlap yields partial coverage the other way."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1257",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-679",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1257 describes a specific aliasing-related access-control failure that directly supplies the missing/inconsistent memory protection surface CAPEC-679 exploits, yet the CAPEC covers many other memory-protection misconfigurations so only partially targets this CWE variant."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1258",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-37",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1258 directly supplies the uncleared sensitive values that CAPEC-37 seeks, enabling the pattern in debug scenarios, yet CAPEC-37 remains a broad retrieval technique that only partially maps onto this specific hardware exposure surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1258",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-545",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1258 exposes debug data that CAPEC-545 could incidentally harvest, yet the broad pattern neither requires nor specifically targets this weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1259",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-681",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1259's missing protection directly supplies the misconfigured tokens that CAPEC-681 requires, yet the CAPEC remains only one narrow hardware-identifier variant of the broader CWE family."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1260",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-456",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Overlap mishandling can be one bypass step enabling memory injection but is neither required nor the focus of the broad infected-memory pattern, which exploits many other weaknesses."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1260",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-679",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1260 is one specific mis-implementation of memory protection that can contribute to the broad CAPEC-679 pattern, but the attack neither requires overlap nor is limited to it."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1262",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-680",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1262 directly supplies the missing/inadequate register access control that CAPEC-680 requires, enabling the pattern fully; CAPEC-680 is a narrow register-specific exploitation variant and therefore only mostly exploits the broader CWE surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1263",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-401",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1263 enables CAPEC-401 fully (no physical access means no hardware tampering possible) while CAPEC-401 exploits only one narrow hardware-substitution variant of the broad physical-access weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1264",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-233",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1264 supplies one hardware bypass step usable for privilege escalation but is not required for CAPEC-233; CAPEC-233 is a broad category that only narrowly matches this specific de-synchronization surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1264",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-663",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1264's de-synchronization directly supplies the transient-execution surface that CAPEC-663 requires, yet CAPEC-663 remains one narrow micro-architectural variant among the broader family of de-sync flaws."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1268",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-180",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1268 is a direct hardware access-control misconfiguration that enables the bypass in CAPEC-180, yet CAPEC-180 is a broad pattern that only partially targets this narrow inconsistency."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1269",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-439",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-439 describes active tampering across the supply chain (a broad meta-pattern) that could incidentally produce or exploit a non-release configuration, but CWE-1269 itself is not a prerequisite or primary hinge for the attack."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1270",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-633",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Incorrect token generation supplies the exact flaw needed for impersonation to succeed, yet CAPEC-633 represents only one narrow variant among many possible CWE-1270 manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1270",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-681",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Incorrect tokens are the direct prerequisite the attack hinges on, yet CAPEC-681 is only one narrow hardware-SoC variant of the broader CWE."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1272",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-37",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-37 is a broad software reverse-engineering pattern while CWE-1272 describes one narrow hardware/firmware uncleared-data scenario that the CAPEC could incidentally exploit."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1272",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-545",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1272 leaves data in resources that CAPEC-545 can opportunistically read, yet the broad pull-data pattern neither requires nor specifically targets the state-transition flaw."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1272",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-546",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1272 addresses uncleared data only on debug/power state changes while CAPEC-546 requires incomplete wiping on tenant-resource reallocation; neither enables nor exploits the other."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1274",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-456",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1274's missing VM protections directly enable boot-code infection (CAPEC-456) but the broad memory-infection pattern only partially exploits this narrow boot-specific weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1274",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-679",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1274 is exactly the missing memory protection for secure-boot code that CAPEC-679 describes, so the weakness enables the pattern fully, yet the broad CAPEC only partially covers this one narrow boot-code instance."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1275",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-62",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Missing SameSite directly enables cookie-bearing CSRF by allowing cross-site cookie delivery, while CAPEC-62 is only one narrow cookie-based variant among many CSRF techniques."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1278",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-188",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1278 enables one specific hardware imaging technique within the broad CAPEC-188 pattern (hence partial) while CAPEC-188 only touches this narrow IC-imaging surface among many RE variants (hence partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1278",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-37",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "A enables one specific hardware-imaging method within the broader CAPEC-37 pattern (hence partial) while CAPEC-37 only touches this narrow IC-imaging surface among many possible retrieval techniques (hence partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1279",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-97",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1279 can partially enable CAPEC-97 by producing weak outputs that aid cryptanalysis, while CAPEC-97 only partially exploits this narrow readiness flaw among many possible application weaknesses."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-128",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-92",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-128's wrap-around behavior is the direct and necessary result of the integer overflow that CAPEC-92 forces, enabling the attack fully, while the CAPEC remains one specific forcing technique among the broader family of wrap-around manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1281",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-212",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-212 is a meta pattern about application-level misuse; CWE-1281 is a narrow processor-instruction flaw that could be one of many possible enablers but is not required by the CAPEC."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1282",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-458",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1282's writable storage of immutable data directly supplies the surface that CAPEC-458's flash-memory write requires (full enablement), yet the CAPEC is only one narrow flash-specific variant among many possible manifestations of the CWE (partial exploitation)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1282",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-679",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1282 is a direct instance of the missing memory protection that CAPEC-679 exploits, enabling the pattern fully while the pattern itself only partially covers this specific immutable-data case."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1283",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-680",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1283 is precisely the attestation-register instance of the register-control flaw that CAPEC-680 exploits, so the weakness fully enables the pattern while the broad pattern only partially exploits this narrow CWE surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1286",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-66",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1286 fully enables CAPEC-66 because SQLi requires unvalidated SQL syntax in input, yet CAPEC-66 only partially exploits the CWE as one narrow syntax-variant among many possible failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1286",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-676",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1286 enables CAPEC-676 fully because NoSQL operator injection requires the ability to supply syntactically invalid input; CAPEC-676 exploits the CWE only partially as one narrow manifestation among many possible syntax-validation failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-129",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-100",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-129 enables certain out-of-bounds writes that manifest as buffer overflows (partial) while CAPEC-100 primarily exploits broader missing bounds checks rather than array-index validation specifically (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1295",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-121",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "A enables B only partially because debug-message leakage is one possible symptom of an exposed debug interface but the CAPEC can succeed via functionality access alone; B exploits A only partially because it targets the broader class of non-production interfaces rather than the narrow debug-message weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1298",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-26",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1298 supplies one hardware-specific race surface that CAPEC-26 can leverage, yet CAPEC-26 executes fully on software races alone; conversely the broad CAPEC only partially matches the narrow hardware CWE."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1299",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-457",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-457 exploits USB as one possible external vector among many weaknesses, while CWE-1299 describes a narrower hardware alternate-path bypass not required by the CAPEC."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1299",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-554",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1299 directly supplies one hardware-specific vector for bypassing protections (forward partial) while CAPEC-554 is a broad category that only touches this narrow weakness as one of many possible realizations (reverse partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-130",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-47",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-130's length-inconsistency flaw directly supplies the missing bound check that CAPEC-47 needs to turn expansion into overflow (mostly enabling), yet CAPEC-47 is only one narrow expansion variant among many possible length mishandlings (partial exploitation)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1300",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-189",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1300 directly supplies the unprotected emissions that CAPEC-189's physical-side-effect step requires, yet black-box RE can still succeed via non-physical I/O methods, so the pattern exploits only one narrow slice of the weakness surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1300",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-699",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1300 directly enables CAPEC-699 because monitor signal leakage is a physical side-channel emission with no protection; CAPEC-699 exploits only the EME-monitor subset of the broad CWE-1300 family."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1301",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-37",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1301's incomplete hardware erasure directly supplies the sensitive data that CAPEC-37 retrieves, yet CAPEC-37 is a broad retrieval pattern that can exploit many other embedding vectors."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1303",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-663",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1303's shared microarchitectural resources are a prerequisite for any transient-execution leak, enabling CAPEC-663 fully, yet the CAPEC describes only one narrow gadget-and-covert-channel variant among many possible exploitations of that sharing."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1304",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-176",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-176 is a broad meta pattern for any external config tampering while CWE-1304 describes one narrow hardware power-state integrity flaw that the meta pattern might incidentally touch."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-131",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-100",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-131's size miscalculation directly supplies the missing bound that CAPEC-100 needs, enabling the pattern fully, yet the broad CAPEC only partially exploits this one narrow CWE among many buffer issues."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-131",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-47",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-131's miscalculation directly enables the expansion-based overflow in CAPEC-47, yet the narrow parameter-expansion variant only partially covers the broad CWE surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1310",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-682",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1310 directly supplies the unpatchable surface that CAPEC-682 requires to succeed (full enablement), while CAPEC-682 is a close but not exhaustive match that also covers post-support decisions (mostly exploitation)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1312",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-456",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-456 is a broad memory-infection pattern that can exploit many weaknesses; CWE-1312 is a narrow hardware-firewall flaw that could be one vector for such infection but is not required by the CAPEC."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1312",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-679",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1312 is one narrow missing-protection case that can enable the broad CAPEC-679 pattern, while the general attack only partially targets this specific mirrored-region firewall flaw."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1313",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-121",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1313 directly supplies the enabled runtime debug surface that CAPEC-121 requires, yet CAPEC-121 covers many non-hardware interface variants beyond this specific weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1314",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-1",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Missing write protection is one concrete instance of unconstrained functionality, so CWE-1314 enables CAPEC-1 only in that narrow sensor-parameter case while the broad ACL attack pattern exploits this hardware-specific weakness only partially."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1316",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-679",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1316 is a direct instance of the misconfigured memory protection that CAPEC-679 exploits, enabling the pattern fully, yet the broad CAPEC only partially covers this narrow address-map variant."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1319",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-624",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1319 enables only the EM subset of the broader CAPEC-624 pattern (partial) while CAPEC-624 exploits only one of several listed fault-injection surfaces (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1319",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-625",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1319 directly supplies the missing protection that CAPEC-625's EM-pulse variant requires, while CAPEC-625 remains only one narrow mobile instantiation among many possible fault-injection techniques."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1320",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-180",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1320 concerns alert-signal protection while CAPEC-180 targets access-control misconfiguration; neither enables nor exploits the other."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1321",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-77",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1321 directly supplies the uncontrolled mutation surface that CAPEC-77 relies on for JS objects, yet CAPEC-77 also covers many non-prototype variable manipulations outside that CWE."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1322",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-25",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1322 produces single-thread hangs from blocking calls, not multi-action deadlocks, so it neither enables nor is exploited by CAPEC-25."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1323",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-150",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1323 places trace data in unprotected locations that CAPEC-150 can target, enabling the pattern only as one possible instance, while the broad collection attack exploits this narrow weakness surface only partially."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1323",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-545",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-545 is a broad data-scraping pattern over any resource; CWE-1323 is a narrow SoC trace-exposure flaw that this pattern might incidentally hit but does not depend on."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1325",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-130",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1325 directly enables CAPEC-130 by removing any total-memory bound on sequential allocations, while CAPEC-130 is a broad resource-exhaustion pattern that only partially maps onto this specific sequential-allocation flaw."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1326",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-679",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Missing root of trust can indirectly facilitate boot/memory attacks but does not supply the misconfigured memory protections that CAPEC-679 directly requires."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1328",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-176",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Mutable version numbers let config manipulation achieve rollback (partial enablement) while config manipulation is only one narrow way to target this specific weakness (partial exploitation)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1332",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-624",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1332's missing mitigation directly enables successful instruction-skip exploitation via any CAPEC-624 injection method, while the broad fault-injection pattern only partially targets this specific CWE surface among many possible fault effects."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1332",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-625",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1332 directly enables CAPEC-625 by leaving instruction-skip faults unmitigated, while CAPEC-625 is only one narrow mobile/crypto instantiation of that broad fault-handling weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1333",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-492",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1333 directly supplies the inefficient/exp-time regex surface that CAPEC-492 requires, but CAPEC-492 is only the exponential-NFA variant among the broader inefficiency family."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1334",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-624",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1334's unauthorized injection surface directly enables fault-injection attacks on redundancy, yet CAPEC-624 remains a broad technique that only partially targets this specific CWE manifestation."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1334",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-625",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1334's unauthorized error-injection surface partially enables fault techniques like CAPEC-625, yet the CAPEC targets cryptographic key extraction on mobiles and never relies on redundancy degradation."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-134",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-135",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-134 is the exact condition (externally-controlled format string) that CAPEC-135 directly injects into, so the weakness enables the pattern fully and the pattern exploits that surface fully."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-134",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-67",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-134 fully enables CAPEC-67 because the attack requires an uncontrolled format string in syslog, yet CAPEC-67 only partially exploits CWE-134 as one narrow syslog-specific variant among many format-string issues."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-1342",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-696",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-1342 enables CAPEC-696 fully because uncleared transient microarchitectural state is required for LVI value forwarding, yet LVI exploits the CWE only partially as one narrow variant among many transient-execution attacks."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-138",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-105",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-138 enables CAPEC-105 fully because CRLF injection requires failure to neutralize those control characters, while CAPEC-105 exploits the CWE only partially as one narrow HTTP-header variant among many possible special-element contexts."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-138",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-15",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-138 fully enables CAPEC-15 because the delimiter injection succeeds only when neutralization fails, yet CAPEC-15 remains one narrow variant among many possible CWE-138 manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-138",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-34",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-138 fully enables CAPEC-34 because the attack requires unneutralized CRLF/special chars, while CAPEC-34 exploits only one narrow slice of the broad CWE-138 surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-140",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-15",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-140 fully enables CAPEC-15 because the attack cannot succeed without unneutralized delimiters, yet CAPEC-15 only covers one narrow command-injection variant of the broader delimiter-neutralization weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-146",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-15",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-146 directly enables CAPEC-15 (attack needs the delimiter neutralization failure) while CAPEC-15 exploits only one narrow slice of the broad CWE family."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-146",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-6",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-146's delimiter neutralization failure is a prerequisite for successful argument injection (full enablement), yet CAPEC-6 is only one narrow variant among many possible manifestations of that CWE (partial exploitation)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-147",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-460",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-147 neutralization failure can allow delimiter injection used by HPP (partial enablement) while CAPEC-460 is a narrow duplicate-parameter variant that only touches the CWE surface incidentally (partial exploitation)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-149",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-468",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-149's quote-neutralization failure can aid CSS injection but is neither necessary nor the core of CAPEC-468's parser-abuse technique; conversely the CAPEC only partially touches quoting surfaces among many possible injection vectors."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-15",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-13",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-15 fully enables CAPEC-13 because env-var tampering requires external control of a configuration setting, yet CAPEC-13 only partially exploits CWE-15 as one narrow instance among many possible settings."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-15",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-146",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-15 fully enables CAPEC-146 because schema poisoning requires external control over the schema treated as a configuration artifact, while the narrow XML-specific attack only partially exploits the broad class of externally-controlled settings."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-15",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-176",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-15 directly supplies the external controllability that CAPEC-176 requires to succeed, while CAPEC-176 is the canonical manipulation pattern that exercises that surface rather than one narrow sub-variant."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-15",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-203",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-15 directly supplies the external-control surface that CAPEC-203 needs to alter registry entries, yet CAPEC-203 is only one narrow authorization-based variant among many possible CWE-15 manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-15",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-270",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-15 directly supplies the external config control surface that CAPEC-270 requires to write run keys, yet CAPEC-270 is only one narrow registry variant among many possible CWE-15 abuses."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-15",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-271",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-15 enables CAPEC-271 fully because external control of the schema (a config setting) is a prerequisite for poisoning it; CAPEC-271 exploits CWE-15 only partially as one narrow schema-specific variant among many possible config manipulations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-15",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-579",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-15 enables CAPEC-579 fully because external registry control is the direct prerequisite for loading the malicious DLL, while CAPEC-579 exploits CWE-15 only partially as one narrow registry-key variant among many possible configuration-setting abuses."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-15",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-69",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-15 can partially enable CAPEC-69 by allowing config changes that grant elevated privileges, but the attack pattern does not require or exploit external config control\u2014it targets code flaws in already-privileged programs."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-15",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-76",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-15 can serve as one indirect vector for supplying malicious FS paths but is not required for CAPEC-76, which directly targets unsanitized web inputs to file-system APIs rather than configuration settings."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-15",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-77",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-15 supplies the exact external-control surface that CAPEC-77 requires, yet CAPEC-77 is only one narrow variant among many possible manifestations of CWE-15."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-150",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-134",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-150 enables CAPEC-134 fully because email header injection requires unneutralized CRLF/control delimiters; CAPEC-134 exploits the CWE only partially as one narrow variant among many possible control-sequence abuses."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-150",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-41",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-150 directly supplies the missing neutralization that CAPEC-41 requires, yet CAPEC-41 is only one narrow email-header variant among many possible CWE-150 manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-150",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-81",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-150 enables CAPEC-81 mostly by allowing direct injection of control sequences (e.g., newlines) into logs, while CAPEC-81 exploits the weakness only partially as one of several tampering vectors."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-150",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-93",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-150 fully enables CAPEC-93 because log forging requires unneutralized control/escape sequences, while CAPEC-93 exploits the CWE only partially as one narrow log-specific variant."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-154",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-15",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-154 addresses only variable-name delimiters while CAPEC-15 requires command-separator delimiters, so neither enables nor exploits the other."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-157",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-15",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-157 enables CAPEC-15 only partially because paired structural delimiters are one possible vector among many non-paired command delimiters; CAPEC-15 exploits the paired-delimiter surface only partially as a narrow command-separator variant."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-158",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-52",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-158 enables CAPEC-52 fully because the attack cannot succeed without the neutralization failure, while CAPEC-52 exploits the CWE only partially as one narrow embedding variant among possible manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-158",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-53",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-158 enables CAPEC-53 fully because the attack hinges on unneutralized NUL bytes; CAPEC-53 exploits CWE-158 only partially as one narrow null-byte variant among many."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-172",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-120",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-172's failure to normalize repeated encodings directly permits the double-encoding bypass (full enablement), while CAPEC-120 is only one narrow encoding-obfuscation variant among many CWE-172 manifestations (partial exploitation)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-172",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-267",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-172 enables CAPEC-267 fully because the attack hinges on improper encoding/decoding allowing bypass, while CAPEC-267 exploits the broad CWE only partially as one narrow alternate-encoding variant."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-172",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-3",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-172 enables CAPEC-3 only as one possible processing step among syntactic-form mismatches, while CAPEC-3 is a narrow leading-character variant that exploits the broader CWE surface only partially."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-172",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-52",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Encoding failure directly supplies the unexpected null-termination behavior the attack needs (mostly), yet CAPEC-52 is only one narrow manifestation among many possible encoding errors (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-172",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-53",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-172 enables CAPEC-53 fully because the attack cannot succeed without an encoding mishandling that accepts alternate NULL representations; CAPEC-53 exploits CWE-172 only partially as one narrow encoding bypass among many CWE-172 variants."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-172",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-64",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-172's failure to handle encoding is the direct prerequisite that lets CAPEC-64 succeed, yet CAPEC-64 is only one narrow URL-slash variant among many possible encoding errors."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-172",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-71",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-172 directly supplies the missing Unicode handling that CAPEC-71 requires to succeed, yet CAPEC-71 is only one narrow encoding-specific variant among many possible CWE-172 manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-172",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-72",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-172 enables CAPEC-72 fully because the attack requires improper encoding/decoding to succeed, while CAPEC-72 exploits CWE-172 only partially as one narrow URL-encoding variant among many possible manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-172",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-78",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-172's failure to handle encodings directly enables the escaped-slash bypass (full), yet CAPEC-78 is only one narrow variant among many possible encoding attacks (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-172",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-80",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-172 enables CAPEC-80 fully because any successful UTF-8 bypass requires an underlying encoding/decoding failure, while CAPEC-80 exploits CWE-172 only partially as one narrow UTF-8 variant among many possible encoding errors."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-173",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-120",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-173 enables CAPEC-120 fully because double-encoding bypass requires mishandling of alternate encodings, while CAPEC-120 exploits the CWE only partially as one narrow encoding variant among many."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-173",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-267",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-173 is the direct precondition that makes CAPEC-267 possible (full enablement), yet CAPEC-267 is only one narrow encoding-based variant among many possible manifestations of the CWE (partial exploitation)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-173",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-3",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-173 fully enables CAPEC-3 because the attack requires the product to accept equivalent syntactic forms the filter fails to normalize; CAPEC-3 exploits the CWE only partially as one narrow leading-character variant among many possible alternate encodings."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-173",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-4",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-173 enables CAPEC-4 fully because the attack cannot succeed without the failure to handle alternate encodings, while CAPEC-4 exploits CWE-173 only partially as one narrow IP-encoding variant among many possible manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-173",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-52",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-173 enables CAPEC-52 mostly because null-byte injection commonly depends on an encoded form (%00, UTF-16, etc.) being mishandled; CAPEC-52 exploits CWE-173 only partially as one narrow encoding-specific variant among many possible manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-173",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-53",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-173 enables CAPEC-53 fully because the attack hinges on bypassing filters via unhandled alternate NULL encodings; CAPEC-53 exploits CWE-173 only partially as one narrow variant among many possible alternate-encoding abuses."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-173",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-64",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-173 enables CAPEC-64 fully because the bypass attack cannot succeed without a failure to normalize alternate encodings, while CAPEC-64 exploits the CWE only partially as one narrow slash/percent-encoding variant among many possible manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-173",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-71",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-173 enables CAPEC-71 fully because the attack hinges directly on failure to handle alternate encodings, while CAPEC-71 exploits the CWE only partially as one narrow Unicode variant among many possible encodings."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-173",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-72",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-173 enables CAPEC-72 fully because the attack cannot succeed without the failure to handle alternate encodings, while CAPEC-72 exploits the CWE only partially as one narrow URL-encoding variant among many possible alternate encodings."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-173",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-78",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-173 enables CAPEC-78 fully because the attack cannot succeed without the failure to handle alternate encodings, yet CAPEC-78 exploits the CWE only partially as one narrow escaped-slash variant among many possible manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-173",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-79",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-173 enables CAPEC-79 fully (attack fails without the encoding-handling flaw) while CAPEC-79 exploits the CWE only partially (narrow slash-encoding variant among many possible manifestations)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-173",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-80",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-173 fully enables the UTF-8 bypass because the attack cannot succeed without mishandled alternate encodings, yet CAPEC-80 exploits only one narrow encoding variant among many covered by the CWE."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-176",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-71",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-176 is a prerequisite for CAPEC-71 so the weakness enables the pattern fully, yet CAPEC-71 is only one narrow validation-bypass variant among many possible Unicode mishandling consequences."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-177",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-120",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-177's failure to normalize/decode URL input fully enables double-encoding bypasses, while CAPEC-120 is only one narrow encoding variant among many possible CWE-177 manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-177",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-468",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-177 can serve as one optional bypass step for delivering injectable text but is not required for CAPEC-468, which instead exploits CSS parser and cookie-loading behavior."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-177",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-64",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-177's missing URL-decoding normalization is the exact precondition the CAPEC-64 bypass requires (full enablement), yet CAPEC-64 is only one narrow slash-encoding variant among many possible CWE-177 manifestations (partial exploitation)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-177",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-72",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-177's missing neutralization is the direct prerequisite for any successful CAPEC-72 URL-encoding abuse (full enablement), yet CAPEC-72 is only one narrow encoding variant among the broader CWE-177 family (partial exploitation)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-179",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-3",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-179's early-validation ordering directly supplies the precondition the ghost-character attack needs to reach the later modification step, while CAPEC-3 is only one narrow syntactic variant among many possible manifestations of that ordering error."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-179",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-43",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-179 fully enables CAPEC-43 because early validation before modification is exactly the surface the multi-layer bypass requires, while CAPEC-43 exploits that CWE only partially as one narrow interpretation-layer variant."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-179",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-71",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-179's early-validation ordering directly enables the Unicode bypass (full), while CAPEC-71 is only one narrow encoding-specific variant among many possible manifestations of that CWE (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-180",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-267",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-180's validate-before-canonicalize ordering directly enables any alternate-encoding bypass (full), while CAPEC-267 is only one narrow encoding variant among many possible manifestations of that weakness (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-180",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-3",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-180 enables CAPEC-3 fully because validating before canonicalization lets ghost-character variants slip past filters, while CAPEC-3 exploits the CWE only partially as one narrow syntactic bypass among many possible manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-180",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-71",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-180 enables CAPEC-71 fully (validation-before-canonicalization directly permits Unicode bypass), while CAPEC-71 exploits CWE-180 only partially (one narrow encoding variant among many canonicalization flaws)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-180",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-78",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-180 enables CAPEC-78 fully because the attack requires validation to miss post-canonicalization encodings; CAPEC-78 exploits the CWE only partially as one narrow encoding variant among many."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-180",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-79",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-180 fully enables CAPEC-79 because alternate slash encodings bypass pre-canonicalization validation, while CAPEC-79 only partially exploits the CWE as one narrow encoding variant among many."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-180",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-80",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-180's validation-before-canonicalization order directly enables the UTF-8 bypass (attack fails if canonicalize-then-validate is used), while CAPEC-80 is only one narrow encoding variant among many possible manifestations of the CWE."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-183",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-120",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Permissive allow-list (CWE-183) directly permits the doubly-encoded unsafe payload, enabling the bypass technique fully, while double-encoding (CAPEC-120) is only one narrow variant among many possible manifestations of that permissive-list flaw."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-183",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-3",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-183's overly broad allow-list directly enables the ghost-character bypass (attack fails without it), while CAPEC-3 is only one narrow syntactic variant among many possible permissive-list failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-183",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-43",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-183's overly broad allow-list can admit the layered payloads CAPEC-43 crafts, yet the attack pattern fundamentally depends on multi-pass parsing rather than the allow-list flaw itself, so each direction only partially satisfies the other."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-183",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-71",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Permissive allow-list directly admits the encoded unsafe payload (mostly), while Unicode bypass is only one narrow validation-failure variant among many that could stem from CWE-183 (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-184",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-120",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Incomplete blacklist (CWE-184) fully enables double-encoding bypass because the attack succeeds exactly when encoded forms are absent from the list, while CAPEC-120 exploits that surface only partially as one narrow encoding variant among many possible bypasses."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-184",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-15",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Incomplete denylist directly enables the delimiter injection by omitting the needed tokens, while CAPEC-15 is only one narrow variant among many possible bypasses of that weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-184",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-182",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Incomplete disallowed-input list directly permits attacker-controlled flash references (mostly enabling), while Flash Injection is only one narrow manifestation among many possible blacklist evasions (partial exploitation)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-184",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-3",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Incomplete disallowed-input lists fully enable ghost-character bypass because the filter cannot recognize every syntactic form the API accepts, yet CAPEC-3 is only one narrow manifestation of that broad CWE."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-184",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-43",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Incomplete blacklist (CWE-184) fully enables the layered-encoding bypass because any missed encoding lets the attack succeed, while CAPEC-43 only partially exploits it as one narrow multi-pass variant of many possible blacklist evasions."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-184",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-6",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Incomplete disallowed-input list directly permits the missing argument syntax to reach the sink (mostly enables), while CAPEC-6 is only one narrow injection variant among many possible manifestations of the CWE."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-184",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-71",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-184's incomplete list directly enables CAPEC-71 by omitting Unicode variants (full), while the narrow Unicode attack exploits only one slice of that incompleteness surface (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-184",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-73",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Incomplete disallowed-input list directly permits malicious filenames to reach HTML generation (mostly enabling CAPEC-73), while the narrow filename-XSS variant only partially exercises the broad CWE-184 surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-185",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-15",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Incorrect regex directly weakens denylist validation enough to admit unseen delimiters (mostly enabling), yet CAPEC-15 targets the broader denylist flaw rather than regex specifically (partial exploitation)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-185",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-6",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Incorrect regex can partially enable argument injection by failing to filter malicious input, but CAPEC-6 does not target or exploit regex flaws specifically."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-185",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-79",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-79 exploits alternate-encoding bypasses in path validation (primarily CWE-22/173) and only incidentally touches regex if that mechanism is used for filtering."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-190",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-92",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-190 is the direct root condition that CAPEC-92 forces and abuses, yet CAPEC-92 remains one concrete variant among many possible integer-overflow manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-196",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-92",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-196 produces the exact negative/unexpected values CAPEC-92 seeks via overflow, yet the attack pattern succeeds with many other integer-wrap scenarios that never involve an unsigned-to-signed cast."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-20",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-10",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-10 fully because absent any input validation the env-var buffer write succeeds; CAPEC-10 exploits CWE-20 only partially as one narrow variant among many input-validation failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-20",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-101",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-101 fully because unvalidated input is the direct prerequisite for successful SSI directive execution, while CAPEC-101 exploits CWE-20 only partially as one narrow injection variant among many input-validation failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-20",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-104",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 broadly enables zone bypasses via unvalidated URLs/headers but is not required for every CAPEC-104 vector; CAPEC-104 is one narrow variant among many CWE-20 manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-20",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-108",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-108 fully because both the SQL injection step and the later command execution step require absent or incorrect input validation, while CAPEC-108 exploits CWE-20 only partially as one narrow SQL-to-shell variant among many possible manifestations of the broad weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-20",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-109",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-109 fully because unvalidated input is the direct prerequisite for ORM-generated SQL manipulation, while CAPEC-109 exploits CWE-20 only partially as one narrow ORM-specific variant among many input-validation failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-20",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-110",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-110 fully because the attack requires absent/inadequate input validation on SOAP parameters, yet CAPEC-110 exploits the CWE only partially as one narrow delivery variant among many possible manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-20",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-120",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-120 fully because double-encoding bypass succeeds only when validation fails to normalize/decode input; CAPEC-120 exploits CWE-20 only partially as one narrow encoding variant among many possible validation failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-20",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-13",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-13 fully because environment variables are unvalidated inputs whose subversion directly depends on that flaw, while CAPEC-13 exploits CWE-20 only partially as one narrow variant among many CWE-20 manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-20",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-135",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-135 fully because format-string injection requires unvalidated user input to reach a vulnerable formatting function; CAPEC-135 exploits CWE-20 only partially as one narrow variant among many input-validation failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-20",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-136",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-136 fully because LDAP injection requires unvalidated input to succeed, while CAPEC-136 exploits CWE-20 only partially as one narrow injection variant among many."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-20",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-14",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 directly enables CAPEC-14 because missing length/format checks are what allow the injected content to overflow the buffer, yet CAPEC-14 only covers one narrow client-injection variant among many possible CWE-20 failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-20",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-153",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 fully enables CAPEC-153 because the manipulation attack cannot succeed without a validation failure, yet CAPEC-153 only partially exploits CWE-20 as one narrow data-format variant among many possible input-validation weaknesses."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-20",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-182",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-182 fully because unvalidated parameters are required for attacker-controlled Flash references, yet CAPEC-182 exploits only one narrow slice of the broad CWE-20 surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-20",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-209",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 broadly enables CAPEC-209 by allowing malicious content to reach the browser, yet the attack hinges more directly on MIME handling than on validation alone; CAPEC-209 exploits CWE-20 only partially as one narrow MIME-mismatch variant among many CWE-20 manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-20",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-22",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-22 mostly because the attack succeeds only when the server fails to validate client-supplied data it should not trust; CAPEC-22 exploits CWE-20 only partially as a narrow trust-bypass variant among many possible input-validation failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-20",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-23",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-23 mostly because absent proper validation the poisoned file content is accepted and processed; CAPEC-23 exploits CWE-20 only partially as a narrow file-injection variant among many possible input-validation failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-20",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-230",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-230 fully because absent any input validation the nested-payload DoS is possible, yet CAPEC-230 only partially exploits the broad CWE-20 surface by targeting one specific structural-validation failure."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-20",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-231",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-231 fully because absent size validation the oversized payload attack succeeds, yet the narrow serialized-data variant exploits only one slice of the broad input-validation surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-20",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-24",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-24 fully because the overflow-to-bypass attack cannot succeed without a validation failure, while CAPEC-24 exploits CWE-20 only partially as one narrow buffer-overflow variant among many possible input-validation flaws."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-20",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-250",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-250 fully because XML injection requires unvalidated input to succeed, while CAPEC-250 exploits CWE-20 only partially as one narrow XML-specific variant among many possible input-validation failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-20",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-261",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-261 fully because the fuzzing attack hinges on absent template/input verification, while CAPEC-261 exploits CWE-20 only partially as one narrow fuzzing variant among many CWE-20 manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-20",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-267",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-267 fully because alternate-encoding bypasses require a validation failure to succeed, while the narrow encoding variant exploits the broad CWE only partially."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-20",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-28",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 does not enable fuzzing (CAPEC-28 probes for validation flaws rather than requiring them), while fuzzing only partially exploits the CWE-20 surface as one of many discovery targets."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-20",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-3",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-3 fully because the ghost-character bypass requires absent or incomplete validation, while CAPEC-3 exploits CWE-20 only partially as one narrow syntactic-filter variant among many possible input-validation failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-20",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-31",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables cookie modification acceptance but not client-side access/interception forms; CAPEC-31 is a narrow cookie variant that only partially maps onto the broad CWE-20 family."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-20",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-42",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-42 fully because a buffer overflow in MIME conversion cannot occur without a validation failure on input size/format; CAPEC-42 exploits CWE-20 only partially as one narrow MIME-specific variant among many possible input-validation failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-20",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-43",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-43 fully because the attack cannot succeed without flawed validation of layered input, yet CAPEC-43 exploits CWE-20 only partially as one narrow multi-pass variant among many possible input-validation failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-20",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-45",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-20's missing validation is the direct precondition for the symlink-induced overflow to succeed, yet CAPEC-45 is only one narrow symlink-based variant among many possible CWE-20 manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-20",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-46",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-46 fully because unsanitized oversized tag/variable input directly produces the overflow; CAPEC-46 exploits CWE-20 only partially as one narrow size-based variant among many input-validation failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-20",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-47",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 fully enables CAPEC-47 because the attack cannot succeed without missing validation of expanded input size, yet the narrow expansion variant exploits the broad CWE only partially."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-20",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-473",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables signature spoof by allowing malformed or unverified signed data to be accepted, but CAPEC-473 exploits only the narrow verification surface of that weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-20",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-52",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 fully enables CAPEC-52 because the attack cannot succeed without a validation failure on null bytes, yet CAPEC-52 only partially exploits CWE-20 as one narrow technique among many input-validation flaws."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-20",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-53",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-53 fully because the attack cannot succeed without a validation/filter failure that accepts the encoded NULL, while CAPEC-53 exploits CWE-20 only partially as one narrow NULL-termination variant among many possible input-validation flaws."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-20",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-588",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 directly enables DOM XSS via missing input validation (or encoding) so the pattern hinges on it, yet CAPEC-588 is only one narrow XSS variant among many CWE-20 manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-20",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-63",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-63 mostly because missing validation allows script injection to reach the browser, yet CAPEC-63 exploits the CWE only partially as a narrow XSS variant among many possible input-validation failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-20",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-64",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-64 fully because the encoding bypass has no effect without a validation failure, while CAPEC-64 exploits CWE-20 only partially as one narrow encoding-specific variant among many."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-20",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-664",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-664 fully because SSRF requires the server to accept unvalidated malicious URLs or parameters, while CAPEC-664 exploits CWE-20 only partially as one narrow SSRF variant among many input-validation failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-20",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-67",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 fully enables CAPEC-67 because the attack cannot occur without unvalidated user data reaching syslog(); CAPEC-67 exploits CWE-20 only partially as one narrow format-string instance among many input-validation failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-20",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-7",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-7 fully because blind SQLi requires unvalidated input to reach the query engine, yet the narrow blind variant exploits only one slice of the broad CWE-20 surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-20",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-71",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-71 fully because the Unicode bypass has no effect without a validation failure, while CAPEC-71 exploits CWE-20 only partially as one narrow encoding-specific variant."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-20",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-72",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-72 fully because the encoding abuse has no effect without a validation failure on decoded input; CAPEC-72 exploits CWE-20 only partially as one narrow encoding-specific variant among many CWE-20 manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-20",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-73",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-73 fully because the attack cannot succeed without missing validation of the supplied filename, while CAPEC-73 exploits the CWE only partially as one narrow filename-specific variant among many possible input-validation failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-20",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-78",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-78 fully as the encoding bypass has no effect without a validation failure, while CAPEC-78 exploits CWE-20 only partially as one narrow encoding variant among many."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-20",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-79",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-20's missing validation is the direct prerequisite that fully enables CAPEC-79's slash-encoding bypass, yet the narrow encoding variant only partially exploits the broad CWE-20 surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-20",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-8",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 directly enables CAPEC-8 because buffer overflows in API calls require missing length/content validation, while CAPEC-8 is only one narrow manifestation among many CWE-20 variants."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-20",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-80",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 fully enables CAPEC-80 because the attack requires missing or ineffective input validation for UTF-8, while CAPEC-80 exploits CWE-20 only partially as one narrow encoding-specific variant among many possible manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-20",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-81",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 mostly enables CAPEC-81 by allowing unsanitized input to reach logs, but CAPEC-81 exploits only one narrow injection vector within the broad CWE-20 family."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-20",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-83",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 fully enables CAPEC-83 because unsanitized input is required for XPath expressions to reach the XML engine, yet CAPEC-83 is only one narrow injection variant among many CWE-20 manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-20",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-88",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-88 fully because command injection requires untrusted input to reach a command interpreter, yet CAPEC-88 exploits only one narrow slice of the broad input-validation surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-20",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-9",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-20 enables CAPEC-9 fully (no overflow without missing length checks) while CAPEC-9 exploits only one narrow slice of the broad CWE-20 surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-116",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 is the direct precondition that lets any excavation succeed, while CAPEC-116 is only one narrow probing technique among many possible exposures of CWE-200."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-13",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-13 exploits improper env-var handling to alter behavior and may incidentally expose data, but CWE-200 is neither required nor the hinge of the attack pattern."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-169",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 is not required to perform general reconnaissance (forward), yet CAPEC-169 can discover exposed sensitive data as one of many possible information-gathering steps (reverse)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-22",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 is an information-disclosure consequence, not an authentication or channel-integrity flaw, so it neither enables nor is exploited by CAPEC-22's client-impersonation vector."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-224",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-200's exposure surface directly supplies the identifying details that make fingerprinting succeed, yet CAPEC-224 is only one narrow reconnaissance technique among many possible manifestations of the broad CWE."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-285",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Ping reconnaissance leaks only host existence (narrow info leak) and hinges primarily on absent ICMP filtering rather than CWE-200."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-290",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 enables CAPEC-290 only partially because MX queries can be issued regardless, yet yield sensitive internal addresses solely when the exposure exists; CAPEC-290 exploits CWE-200 only partially as a narrow DNS-specific enumeration among many information-disclosure vectors."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-291",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 is the direct outcome the zone-transfer attack hinges on, enabling it mostly, while CAPEC-291 is only one narrow DNS-specific variant that exploits the broad CWE partially."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-292",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 is not required for CAPEC-292 probes to succeed, yet host-discovery responses inherently leak presence information that CWE-200 would classify as sensitive."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-293",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 directly supplies the route topology data that CAPEC-293 is designed to obtain, yet the CAPEC is only one narrow, protocol-specific instance of information disclosure."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-294",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 directly supplies the sensitive network data that CAPEC-294 is designed to obtain, enabling the pattern fully, yet the CAPEC remains only one narrow probe among many possible exposures of CWE-200."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-295",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 directly supplies the timestamp that CAPEC-295 needs, enabling the pattern almost completely, yet the narrow timestamp-request variant only partially exploits the broad CWE-200 surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-296",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 enables CAPEC-296 fully because a response to the deprecated request directly constitutes the unauthorized exposure, while CAPEC-296 exploits only one narrow variant of the broad CWE-200 surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-297",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "TCP ACK ping is pure protocol-behavior reconnaissance that neither requires nor produces exposure of sensitive information."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-298",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-200's exposure surface (ICMP responses revealing host/port state) directly enables the UDP ping reconnaissance, but CAPEC-298 is only one narrow variant among many information-disclosure techniques."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-299",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-299 performs host discovery via protocol responses, disclosing existence but not relying on CWE-200's typical sensitive-data exposure surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-300",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Port scanning executes and gathers basic reachability data without depending on or targeting unintended sensitive-information exposure."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-301",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 leaks data but supplies no prerequisite for TCP handshakes; CAPEC-301 merely probes ports and never targets an information-exposure surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-302",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 is an information-exposure flaw inside an application; CAPEC-302 is a transport-layer port-probing technique that relies only on RFC 793 RST behavior and neither requires nor targets any such flaw."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-303",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 is irrelevant to the TCP-stack behavior that CAPEC-303 directly abuses, so neither enabling nor exploitation occurs in either direction."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-304",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 is a product flaw exposing data; CAPEC-304 is a protocol-conformant port probe that neither requires nor targets any such flaw."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-305",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 is not required for CAPEC-305 (scan works on standard RFC 793 RST behavior), yet the scan partially exploits the same information-disclosure surface by leaking ACL details via responses."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-306",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "TCP Window Scan infers port/OS state from normal RST responses and neither requires nor targets any sensitive-information exposure surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-307",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 is a possible outcome of the scan rather than a prerequisite for executing it, while CAPEC-307 directly probes for and records service information that constitutes a narrow form of exposure."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-308",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "UDP scanning succeeds against normal protocol behavior with no need for an exposure weakness, yet the pattern directly probes the information-exposure surface that CWE-200 describes."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-309",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 does not enable CAPEC-309 (scanning works regardless of any exposure flaw), yet topology mapping can partially exploit exposed network details as a side-effect of reconnaissance."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-310",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 does not enable reconnaissance scanning, yet CAPEC-310 can partially exploit exposed version banners or service details."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-312",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 enables CAPEC-312 fully because the attack depends on protocol responses exposing OS details; CAPEC-312 exploits CWE-200 only partially as one narrow fingerprinting variant."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-313",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 supplies the exposed OS artifacts that CAPEC-313 directly observes, yet the CAPEC is only one narrow passive variant among many possible information exposures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-317",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 is a software flaw exposing data via improper protection; CAPEC-317 is passive network reconnaissance of inherent protocol behavior that neither requires nor targets that flaw."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-318",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 enables CAPEC-318 mostly because the probe directly depends on the OS exposing ID-field details via ICMP; CAPEC-318 exploits CWE-200 only partially as one narrow fingerprinting variant among many information-disclosure manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-319",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-200's exposure behavior is the direct prerequisite that makes the DF-bit distinction observable (full enablement), while CAPEC-319 is only one narrow probe among many possible information-gathering techniques that could leverage such exposure (partial exploitation)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-320",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CAPEC-320 gathers OS info via normal TCP behavior with no dependence on an exposure flaw (forward none), yet still constitutes one narrow form of sensitive-information disclosure (reverse partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-321",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 does not enable the TCP probe (sequence behavior is observable regardless), while CAPEC-321 exploits the exposure surface only partially as one narrow reconnaissance variant."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-322",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CAPEC-322 performs passive TCP ISN analysis on standard protocol responses and neither requires nor targets any sensitive-information exposure flaw."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-323",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 exposure is irrelevant to CAPEC-323's passive TCP ISN timing observation, which neither depends on nor targets an information-disclosure flaw."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-324",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 does not enable CAPEC-324's network-probing technique at all, while the probe can partially exploit the weakness by revealing OS-identifying sequence data."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-325",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CAPEC-325 performs active TCP/ECN probing for OS fingerprinting and neither depends on nor targets any sensitive-information exposure surface described by CWE-200."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-326",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CAPEC-326 performs passive TCP stack fingerprinting via protocol behavior and has no dependence on or exploitation of any sensitive-information exposure surface described by CWE-200."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-327",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 does not enable the TCP probe (which works on any compliant stack), while CAPEC-327 is one narrow reconnaissance variant that produces the exposure described by CWE-200."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-328",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-200's exposure of RST payload text directly enables the fingerprinting probe (mostly), while CAPEC-328 is only one narrow RST-checksum variant among many possible information exposures (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-329",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-200's exposure of implementation details in ICMP error quotes directly enables the probe, yet CAPEC-329 is only one narrow variant among many possible information disclosures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-330",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 fully enables CAPEC-330 because the probe succeeds only by exposing OS/protocol details in ICMP quotes, while CAPEC-330 exploits CWE-200 only partially as one narrow variant among many exposure surfaces."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-472",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Fingerprinting relies on standard browser behaviors rather than any exposure weakness, yet still produces a narrow form of sensitive configuration disclosure."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-497",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 directly enables file discovery success by making sensitive files accessible, but CAPEC-497 is only one narrow probing variant among many possible exposures of CWE-200."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-508",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Shoulder surfing is a purely physical observation attack that neither requires nor targets any product-side information-exposure flaw (CWE-200)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-573",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 enables CAPEC-573 fully because process footprinting requires unauthorized exposure of sensitive runtime data; CAPEC-573 exploits CWE-200 only partially as one narrow variant among many information-exposure attacks."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-574",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-200's exposure of service details directly supplies the information CAPEC-574 gathers, yet the pattern is only one narrow OS-command variant among many possible manifestations of the CWE."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-575",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 enables CAPEC-575 mostly because the footprinting commands succeed only when account data is exposed, while CAPEC-575 exploits CWE-200 only partially as one narrow enumeration variant among many information-exposure cases."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-576",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 directly supplies the unauthorized exposure that CAPEC-576 requires to succeed, while CAPEC-576 is only one narrow permission-enumeration variant among many possible CWE-200 manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-577",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 enables CAPEC-577 only partially because the attack may use intended functionality for authorized users rather than a pure unauthorized exposure flaw; CAPEC-577 exploits the CWE mostly as a narrow owner-info variant of the broad sensitive-information exposure family."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-59",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-200's exposure of predictable session IDs directly enables the full attack (no exposure = no prediction possible), while CAPEC-59 is only one narrow prediction variant among many CWE-200 manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-60",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 fully enables CAPEC-60 because obtaining a usable session ID requires its exposure, while CAPEC-60 only partially exploits CWE-200 as one narrow instance among many sensitive-data exposures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-643",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 directly supplies the exposed shared-resource data that CAPEC-643 enumerates, enabling the pattern completely, yet CAPEC-643 is only one narrow enumeration technique among many CWE-200 manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-646",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 enables CAPEC-646 only partially because some footprinting steps rely on active malware rather than passive exposure; CAPEC-646 exploits CWE-200 only partially as one narrow reconnaissance variant among many information-exposure avenues."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-651",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-200 exposure is the outcome of eavesdropping rather than a prerequisite that enables it, while CAPEC-651 exploits the broad exposure surface only as one narrow non-network interception variant."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-200",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-79",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-79 exploits validation/encoding flaws to cause path traversal; exposure (CWE-200) is only one possible outcome among several weaknesses."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-201",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-12",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-201 transmits sensitive data but does not create or enable identifier-selection attacks; CAPEC-12 can partially exploit the resulting exposure surface when messages are public."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-201",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-217",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-217 exploits TLS misconfiguration weaknesses to expose intended encrypted streams, only incidentally touching one narrow slice of CWE-201's broader sensitive-data exposure surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-201",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-612",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-201 is a code-level transmission flaw; CAPEC-612 is passive protocol observation of an intentional identifier, so neither enables nor exploits the other."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-201",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-613",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-613 exploits protocol-level SSID broadcasts for tracking; CWE-201 is a general code weakness about unintended sensitive data transmission and is not required by this attack pattern."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-201",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-618",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-201 can partially enable CAPEC-618 by leaking a phone number an attacker needs, but CAPEC-618 does not exploit the insertion-of-sensitive-data flaw at all."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-203",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-189",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Observable discrepancy supplies useful behavioral signals that aid black-box analysis but is neither required nor the sole technique; CAPEC-189 therefore only partially exploits this particular CWE surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-204",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-331",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-204's response discrepancies directly enable the fingerprinting probe (no distinguishable error data = no attack), while CAPEC-331 is only one narrow ICMP/UDP variant among many possible CWE-204 manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-204",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-332",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-204 directly supplies the observable response differences the probe requires, while CAPEC-332 is only one narrow ICMP-ID variant among many possible manifestations of the CWE."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-204",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-541",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Observable discrepancies directly supply the signals that enable fingerprinting (mostly), yet CAPEC-541 encompasses many other reconnaissance techniques and only partially exploits this specific CWE surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-204",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-580",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-204 supplies the exact response signals that make many footprinting probes effective, yet CAPEC-580 can still succeed via other reconnaissance vectors and only incidentally exploits this narrow weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-205",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-541",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-205's observable discrepancies are the direct prerequisite that makes application fingerprinting possible, while CAPEC-541 is a broad pattern that can also use non-behavioral methods."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-205",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-580",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-205's observable differences directly enable behavioral probing in CAPEC-580, but the broad footprinting pattern only partially exploits this specific weakness among many reconnaissance avenues."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-208",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-462",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-208 fully enables CAPEC-462 because the attack requires observable timing discrepancies to leak information, while CAPEC-462 only partially exploits the CWE as one narrow cross-domain variant among many timing attacks."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-208",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-541",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-541 can employ timing measurements among many other fingerprinting techniques, but does not rely on observable timing discrepancies."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-208",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-580",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-580 can employ timing probes as one reconnaissance tactic among many, but CWE-208 is neither required nor central to footprinting."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-209",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-215",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-209 directly supplies the sensitive error content that makes CAPEC-215's observation goal effective (mostly enables), yet CAPEC-215 is only one narrow fuzzing variant among many possible CWE-209 exploitations (partially exploits)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-209",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-463",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-209 enables CAPEC-463 fully because the padding-oracle leak is realized precisely by sensitive error messages, while CAPEC-463 exploits CWE-209 only partially as one narrow crypto-specific variant of many possible error disclosures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-209",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-54",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-209 supplies a direct, high-yield information channel that CAPEC-54 routinely uses during probing, yet the attack pattern can still obtain data via other response artifacts and only partially matches the narrow error-message weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-22",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-126",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-22 is the exact class of neutralization failure that CAPEC-126 requires to succeed (full enablement), yet CAPEC-126 remains only one concrete variant (dot-dot-slash and similar) among many possible manifestations of that CWE (partial exploitation)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-22",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-64",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-22 enables CAPEC-64 fully because failure to neutralize encoded slashes directly permits the traversal; CAPEC-64 exploits CWE-22 only partially as one narrow encoding variant among many path-traversal techniques."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-22",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-76",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-22 supplies the exact pathname-resolution flaw CAPEC-76 requires, enabling the attack fully, while CAPEC-76 is a broad input-manipulation pattern that only partially maps onto the narrower CWE-22 surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-22",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-78",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-22's failure to neutralize encoded pathname elements directly enables the escaped-slash bypass (mostly), while CAPEC-78 is only one narrow encoding variant among many possible path-traversal manifestations (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-22",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-79",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-22's failure to neutralize pathname elements directly enables any slash-encoding traversal (full), while CAPEC-79 is only one narrow encoding variant among many possible CWE-22 manifestations (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-226",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-37",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-226 leaves data in reusable resources that CAPEC-37 directly retrieves, yet the attack pattern also covers other embedding sources while only one narrow variant targets reuse failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-23",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-139",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-23 enables CAPEC-139 fully as the attack hinges directly on unneutralized relative traversal, while CAPEC-139 exploits the CWE only partially as one narrow variant among many possible manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-23",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-76",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-23 directly supplies the missing neutralization that CAPEC-76 requires to reach unintended paths, yet CAPEC-76 remains a broad pattern that can also exploit other file-call weaknesses such as CWE-36."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-235",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-460",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-235 fully enables CAPEC-460 because duplicate-parameter injection succeeds only when extra names are not rejected, while the CAPEC is merely one narrow HTTP variant of the broader CWE."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-241",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-48",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-241 enables CAPEC-48 mostly because the attack directly requires the client to accept and act on an unexpected local-file input where a URL type was expected; CAPEC-48 exploits CWE-241 only partially as one narrow input-handling variant among many possible type mismatches."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-250",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-104",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-250 amplifies post-escalation impact of CAPEC-104 but is not required for the zone bypass itself; CAPEC-104 targets zone privilege boundaries and only incidentally touches unnecessary-privilege surfaces."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-250",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-470",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-250 supplies the exact elevated DB privileges the CAPEC-470 escalation path requires, while CAPEC-470 is only one narrow variant among many possible manifestations of unnecessary privileges."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-250",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-69",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-250 directly supplies the elevated privileges that CAPEC-69 requires, enabling the pattern fully, while CAPEC-69 is only one narrow variant among many possible exploits of unnecessary privileges."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-257",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-49",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-49 relies on absent throttling/weak policies for online guessing and only incidentally touches recoverable storage via optional encryption brute-force."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-262",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-16",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-16 exploits weak dictionary passwords + absent throttling/policy enforcement; password aging is only a tangential element of that policy surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-262",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-49",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Brute forcing hinges on absent throttling/weak strength policies, not aging; lack of aging only marginally extends the window for a successful guess."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-262",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-509",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Kerberoasting obtains/cracks SPN hashes without needing absent password aging (none), yet specifically targets long-lived service-account passwords whose non-aging surface it partially exploits."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-262",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-555",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "No password aging lets stolen creds remain valid longer (partial enablement) but CAPEC-555 never targets aging mechanisms (no exploitation)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-262",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-560",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "No password aging lets obtained credentials remain valid longer (partial enable) but CAPEC-560 obtains/uses creds without depending on aging and does not target that surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-262",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-561",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Lack of password aging lengthens credential lifetime (partial enablement) but CAPEC-561 targets stolen-credential use against admin shares and never touches aging mechanisms."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-262",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-565",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-565 exploits absent password policy and throttling; lack of aging is only one tangential element of policy and is not required for the spraying technique."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-262",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-652",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Lack of password aging lets stolen Kerberos creds remain valid longer (partial enablement) but CAPEC-652 targets credential theft/reuse, not password lifetime at all (no exploitation)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-262",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-653",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "No password aging lets stolen credentials remain valid longer (partial enablement) but CAPEC-653 targets credential acquisition itself, not the aging surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-263",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-16",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Long expiration gives a dictionary attack more calendar time to succeed but is not required for the attack to run; CAPEC-16 targets guessable passwords, not the aging policy itself."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-263",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-49",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Long expiration widens the attack window but is unnecessary for brute force, which instead targets absent complexity/rate-limit controls rather than aging policy."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-263",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-509",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Long expiration adds value to a cracked Kerberos hash but is not required for the attack to execute; CAPEC-509 targets RC4 ticket encryption, not password lifetime."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-263",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-55",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "Rainbow-table cracking hinges on unsalted/weak hashes, not expiration length, though long validity gives more time to use a cracked password."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-263",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-555",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Long expiration extends the window for using already-stolen creds (partial enablement) but CAPEC-555 targets credential validity in general and does not rely on or specifically exploit the aging interval."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-263",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-560",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Long expiration widens the usable window for stolen creds (partial enablement) but CAPEC-560 is a generic credential-reuse pattern that only incidentally benefits from this CWE surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-263",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-561",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC relies on credential theft+share access and can benefit incidentally from long-lived passwords but does not exploit the aging policy itself."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-263",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-600",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-600 hinges on password reuse across sites plus weak/no MFA or policy enforcement, while CWE-263 (long expiration) is only a minor tangential factor in password policy."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-263",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-652",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-652 exploits stolen Kerberos credentials whose validity window is lengthened by weak aging, yet relies primarily on credential theft rather than expiration policy."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-263",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-653",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Long expiration widens the window for already-obtained OS credentials (partial enablement) but CAPEC-653 never relies on or targets the aging policy itself."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-267",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-58",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-267's unsafe privilege definition directly enables the missing REST access controls that CAPEC-58 relies on, yet CAPEC-58 remains only one narrow HTTP-verb variant among many possible manifestations of the CWE."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-267",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-634",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-634 relies primarily on malware deployment and peripheral API abuse rather than a privilege that permits unintended unsafe actions."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-267",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-637",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-267 concerns unsafe actions reachable via a granted privilege, while CAPEC-637 relies on the inherent accessibility of the system clipboard to other processes; neither direction depends on the other."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-269",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-122",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-269 directly enables CAPEC-122 because absent/misconfigured privilege controls are a prerequisite for the abuse; CAPEC-122 exploits only the exposure sub-case of the broader CWE-269 surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-269",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-233",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-269 is the direct prerequisite for any privilege escalation, enabling CAPEC-233 fully, yet CAPEC-233 remains one broad attack pattern among many possible manifestations of the CWE."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-269",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-58",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-269 supplies the missing access-control surface that CAPEC-58 directly requires, yet CAPEC-58 is only one narrow REST-method variant among many possible privilege-management failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-270",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-17",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-17 exploits broad file-permission misconfigurations, not context-switching errors, so the CWE is neither required nor the hinge of the attack pattern."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-270",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-30",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-270's failure to manage privileges across thread/context switches directly enables thread hijacking (mostly), while CAPEC-30 is only one narrow injection-based variant that exploits that surface (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-272",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-17",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-272's failure to drop privileges directly enables file upload/execution attacks by granting the needed access surface, while CAPEC-17 is only one narrow manifestation among many possible least-privilege violations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-276",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-1",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-276's permissive file defaults can indirectly aid unauthorized access to functionality (partial enablement) but CAPEC-1 targets missing functional ACLs, not file-permission surfaces (no exploitation)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-276",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-81",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Weak default file perms directly enable log-file tampering by allowing arbitrary modification, yet CAPEC-81 describes a narrow log-injection variant that only sometimes exploits this CWE surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-279",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-81",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-279 can partially enable log tampering by granting unintended write access to log files, but CAPEC-81 primarily exploits injection/processing flaws rather than execution-time permission assignment."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-282",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-17",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Improper ownership directly enables unauthorized file execution in many cases, while CAPEC-17 is only one narrow variant among many possible ownership-related exploits."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-282",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-35",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Wrong ownership can let an attacker modify a resource file and thereby enable CAPEC-35, yet the attack pattern itself targets file-trust behavior rather than ownership verification."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-284",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-19",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-284 enables CAPEC-19 mostly by permitting unauthorized script execution; CAPEC-19 exploits that surface only partially as one narrow injection variant among many access-control failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-284",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-441",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Improper access control can serve as one vector for malware insertion but is not required (social engineering or physical access suffice), while CAPEC-441 only incidentally touches access-control surfaces as one of many possible steps."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-284",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-478",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-284 is the direct prerequisite for any service-config change, enabling CAPEC-478 fully, yet the attack is only one narrow Windows-specific variant among many possible improper-access-control exploits."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-284",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-479",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-284 is a prerequisite for unauthorized certificate installation so enables CAPEC-479 fully, yet the CAPEC is only one narrow variant among many possible access-control abuses."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-284",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-502",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-284 enables CAPEC-502 fully by exposing the component in the first place, while CAPEC-502 exploits that surface only partially as one narrow intent-spoofing variant among many access-control failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-284",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-503",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-284 fully enables CAPEC-503 because the attack requires unrestricted global access to registered interfaces; CAPEC-503 exploits CWE-284 only partially as one narrow WebView-specific variant."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-284",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-536",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-284 enables CAPEC-536 fully because unauthorized configuration access is a direct prerequisite the attack cannot proceed without; CAPEC-536 exploits CWE-284 only partially as one narrow injection variant among many possible access-control failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-284",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-546",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-284 enables CAPEC-546 fully because residual data access is unauthorized access; CAPEC-546 exploits CWE-284 only partially as one narrow multi-tenant deletion variant among many access-control failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-284",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-550",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-284 is a prerequisite for unauthorized service installation, enabling CAPEC-550 fully, yet the CAPEC is only one narrow persistence variant among many CWE-284 manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-284",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-551",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Improper access control is a prerequisite for unauthorized service modification, enabling CAPEC-551 fully, yet the CAPEC is only one narrow variant among many possible exploitations of CWE-284."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-284",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-552",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-284 enables rootkit installation by permitting unauthorized access (mostly) while CAPEC-552 targets the narrower authentication subcase (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-284",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-556",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-284 fully enables CAPEC-556 by permitting unauthorized modification of file-handler configuration, yet the narrow registry/file-extension technique exploits only one slice of the broad access-control surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-284",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-558",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-284 fully enables CAPEC-558 because the replacement attack cannot succeed without an access-control failure, yet CAPEC-558 is only one narrow variant among many possible exploits of that CWE."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-284",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-562",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-284 enables CAPEC-562 fully because unauthorized file modification in a shared location cannot occur without the access-control failure; CAPEC-562 exploits CWE-284 only partially as one narrow shared-file variant among many possible access-control abuses."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-284",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-563",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-284 enables CAPEC-563 fully (open share is a direct access-control failure) while CAPEC-563 exploits CWE-284 only partially (one narrow file-write variant among many access-control abuses)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-284",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-564",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-284 fully enables CAPEC-564 by allowing unauthorized script modification, yet the narrow logon-script variant exploits only one slice of the broad access-control surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-284",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-578",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-284 enables CAPEC-578 fully because the attack cannot succeed without bypassing access controls, yet CAPEC-578 exploits only one narrow slice of the broad CWE family."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-285",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-1",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-285 directly supplies the missing ACL enforcement that CAPEC-1 requires, yet CAPEC-1 is only one narrow ACL-specific variant among many possible authorization failures covered by CWE-285."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-285",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-104",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-285 does not enable CAPEC-104 (zone bypass is a browser-enforced policy flaw independent of app authorization checks), while CAPEC-104 exploits the CWE surface only partially as one narrow client-side variant."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-285",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-127",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Improper authorization can allow an attacker to reach a directory that then lists contents, but directory indexing occurs independently via server configuration and does not specifically exploit an authorization-check surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-285",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-13",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-285 concerns missing authorization checks on resources/actions while CAPEC-13 targets untrusted environment-variable handling; neither enables nor exploits the other."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-285",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-17",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Improper authorization directly enables file upload/execution attacks by omitting privilege checks, but CAPEC-17 is only one narrow manifestation among many authorization failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-285",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-39",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-285 fully enables CAPEC-39 because tampered tokens succeed only when server-side authorization is missing or broken; CAPEC-39 exploits that surface only partially as one narrow client-token variant among many authorization failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-285",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-402",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Missing authz check directly enables the ATA password-update bypass, yet CAPEC-402 is only one narrow manifestation of the broad CWE-285 family."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-285",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-5",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-285's missing authorization check directly enables the signal-spoofing success of CAPEC-5, yet the attack is only one narrow, legacy-protocol manifestation of that broad weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-285",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-51",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Improper authorization directly enables registry poisoning by allowing unauthorized writes, but CAPEC-51 is only one narrow variant among many possible authorization failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-285",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-59",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-285 does not enable session-ID prediction (attack hinges on ID entropy, not authz checks); CAPEC-59 only partially exploits CWE-285's surface by abusing the resulting session credential."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-285",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-60",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Session replay succeeds via stolen valid session tokens and weak session management, independent of whether authorization checks are performed correctly on those tokens."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-285",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-647",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-285 enables CAPEC-647 fully as the registry collection attack cannot succeed without the missing authorization check, yet CAPEC-647 exploits the CWE only partially as one narrow registry-specific variant among many possible authorization failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-285",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-76",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Improper authorization enables the file-system manipulation attack by allowing the resolved path to be accessed, but the pattern itself is a narrow input-handling variant that only partially maps to the broad authorization family."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-285",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-77",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-285 permits variable manipulation to affect auth decisions but is not required for CAPEC-77 execution, while CAPEC-77 is only one narrow vector among many that could abuse improper authorization."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-285",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-87",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-285 is a prerequisite for CAPEC-87 to succeed (full enablement), yet forceful browsing is only one narrow exploitation variant among many authorization failures (partial exploitation)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-287",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-114",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-287's missing verification is a prerequisite that fully enables CAPEC-114's abuse sequence, yet the CAPEC is only one narrow exploitation variant among many possible manifestations of the broad CWE."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-287",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-115",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-287 enables CAPEC-115 fully as the bypass cannot occur without the missing authentication proof, while CAPEC-115 exploits the CWE only partially as one broad variant among many possible manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-287",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-151",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-287 enables CAPEC-151 fully as spoofing requires the missing verification, yet the CAPEC is only one narrow variant among many possible exploits of the broad authentication weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-287",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-194",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-287 is a prerequisite for the attack to succeed at all, yet CAPEC-194 represents only one narrow manifestation among many possible authentication exploits."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-287",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-22",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-287's missing authentication is the direct prerequisite that lets CAPEC-22 succeed (full enablement), yet CAPEC-22 is only one narrow client-trust variant among many possible authentication failures (partial exploitation)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-287",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-57",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-287 enables CAPEC-57 only partially because the REST trust-after-SSL vector can succeed via other missing controls; CAPEC-57 exploits the CWE only partially as one narrow infrastructure-trust variant among many auth failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-287",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-593",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-287 enables session hijacking fully as the attack cannot succeed without the auth verification failure, while CAPEC-593 exploits the CWE only partially as a narrow session-token variant among many improper-auth manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-287",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-633",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-287's missing identity proof directly enables any token forgery (full), yet CAPEC-633 is only one narrow token-specific variant among many possible CWE-287 manifestations (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-287",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-650",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CAPEC-650 hinges on insufficient permissions (authorization), not authentication verification, so neither direction links the two."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-287",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-94",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-287 enables CAPEC-94 mostly because AiTM commonly hinges on weak identity verification during auth challenges, while CAPEC-94 exploits CWE-287 only partially as one narrow interposition variant among many."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-288",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-127",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-288 is an auth-bypass condition while CAPEC-127 is a directory-enumeration technique; neither depends on nor is a variant of the other."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-288",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-665",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-288 directly supplies the alternate-channel bypass that CAPEC-665 needs, yet the CAPEC is only one narrow Thunderbolt firmware variant of that CWE."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-290",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-21",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-290's spoofable auth directly enables any trusted-ID attack (full), while CAPEC-21 is only one narrow variant among many possible spoofs (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-290",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-22",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-290's spoofable auth directly enables CAPEC-22's client-trust exploitation (no bypass, no attack), yet CAPEC-22 encompasses many auth-integrity variants beyond spoofing alone."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-290",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-459",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-290's spoofable auth implementation is neither required nor used by the hash-collision technique in CAPEC-459, yet the resulting rogue certificate produces an authentication bypass via spoofing and therefore touches that CWE surface only narrowly."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-290",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-461",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-290's incorrectly implemented auth schemes directly enable the signature forgery in CAPEC-461, but the CAPEC is only one narrow hash-extension variant among many possible spoofs of that CWE."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-290",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-473",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-290 enables CAPEC-473 fully because signature spoofing requires a flawed authentication/verification scheme, while CAPEC-473 exploits the CWE only partially as one narrow spoofing variant among many."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-290",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-476",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-290's spoofable auth surface directly enables signature-misrepresentation attacks like CAPEC-476, yet the CAPEC only partially maps to that CWE because it targets a narrow parsing/display vector rather than the full authentication family."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-290",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-59",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-290's spoofable auth directly enables any session-ID prediction (full), while CAPEC-59 is only one narrow prediction variant among many possible spoofs (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-290",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-60",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-290's spoofable auth schemes directly enable session-ID replay, while CAPEC-60 is only one narrow manifestation of that CWE family."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-290",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-667",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-290 fully enables the spoofing-based bypass in CAPEC-667, yet the Bluetooth MAC-specific attack only partially exploits the broad CWE-290 surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-290",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-94",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "AiTM executes independently of any auth-spoofing flaw, while AiTM can exploit CWE-290 as one of many possible targets."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-291",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-4",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-291's IP reliance creates the access-control surface CAPEC-4 targets via encoding tricks, yet CAPEC-4 is only one narrow bypass variant among many possible IP-authentication failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-294",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-102",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-294 directly enables replay of captured tokens so CAPEC-102 cannot succeed without it; CAPEC-102 is only one narrow sniffing-based variant among many possible capture-replay manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-294",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-561",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-294 replay bypass neither enables nor is exploited by CAPEC-561 credential-share access, which depends only on possession of valid credentials regardless of how they were obtained."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-294",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-60",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-294 directly supplies the replayable credential surface that CAPEC-60 requires, yet CAPEC-60 is only one narrow session-ID manifestation of the broader CWE."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-294",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-644",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-294 enables CAPEC-644 fully because pass-the-hash is replay of captured authenticators; CAPEC-644 exploits CWE-294 only partially as one narrow NTLM/LM variant among many capture-replay manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-294",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-645",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-294 supplies the missing replay surface that CAPEC-645 needs, yet CAPEC-645 also covers ticket theft/forgery vectors outside classic network capture-replay."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-294",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-652",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-294 enables ticket replay within CAPEC-652 but is unnecessary for password theft/purchase paths; CAPEC-652 is one narrow Kerberos variant among many capture-replay manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-294",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-94",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-294 does not enable execution of general AiTM positioning, while CAPEC-94 can exploit capture-replay only as one narrow variant among many possible AiTM outcomes."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-295",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-475",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-295 enables CAPEC-475 fully as the attack requires the validation flaw, yet CAPEC-475 exploits only the signature-spoofing slice of the broader certificate-validation surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-300",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-466",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-300 directly supplies the MITM-accessible channel that CAPEC-466 requires, enabling the pattern fully, yet the CAPEC is only one narrow SOP-bypass variant among many possible exploitations of the CWE."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-300",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-57",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-300 enables CAPEC-57 mostly because the attack depends on post-SSL channel access by non-endpoints; CAPEC-57 exploits the CWE only partially as one narrow REST-infrastructure variant."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-300",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-589",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-300 directly enables CAPEC-589 by permitting non-endpoint channel access needed to drop DNS packets, while CAPEC-589 exploits only one narrow DNS-specific slice of the broader CWE-300 surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-300",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-590",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-590 is network DoS via packet dropping that can influence a channel from an in-path position, touching only one narrow aspect of CWE-300 while relying on orthogonal prerequisites."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-300",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-612",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-300's exposed channel directly enables passive WiFi sniffing (mostly), while CAPEC-612 is only one narrow tracking variant among many possible exploits of that surface (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-300",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-613",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-300 fully enables CAPEC-613 because passive SSID listening requires an unprotected channel accessible to non-endpoints, yet CAPEC-613 exploits that weakness only partially as one narrow WiFi-management-frame variant."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-300",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-615",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-300 enables CAPEC-615 fully because the evil-twin AP succeeds only when endpoints fail to authenticate the channel; CAPEC-615 exploits the CWE only partially as one narrow Wi-Fi manifestation among many possible channel weaknesses."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-300",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-662",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-300 describes non-endpoint channel access (e.g. classic MITM) while CAPEC-662 requires endpoint Trojan installation, so the weakness does not enable the pattern; the pattern only partially overlaps the CWE surface via post-malware traffic manipulation."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-300",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-94",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-300's missing endpoint/channel verification is the exact precondition AiTM requires (full enablement), yet CAPEC-94 represents only one concrete realization among the weakness's broader exploitation surface (mostly)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-301",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-90",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-301 is the exact weakness the attack pattern requires, enabling it fully, while CAPEC-90 is the canonical (not narrowly sub-variant) realization of that CWE and therefore exploits it mostly."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-302",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-13",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-302's core flaw (trusting mutable data for auth) directly enables env-var subversion when those vars carry auth state, but CAPEC-13 remains a narrow, non-auth-specific variant."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-302",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-21",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-302 fully enables CAPEC-21 because the attack requires the system to trust modifiable identifiers, while CAPEC-21 only partially exploits CWE-302 as one narrow variant among many possible trusted-identifier abuses."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-302",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-274",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-302 fully enables CAPEC-274 because verb tampering succeeds only when the implementation treats the HTTP method as immutable data; CAPEC-274 exploits that CWE only partially as one narrow variant among many possible assumed-immutable data attacks."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-302",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-31",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-302 fully enables CAPEC-31 because cookie modification succeeds only when the auth scheme assumes cookie contents are immutable; CAPEC-31 exploits that weakness only partially as one narrow cookie-specific variant among many possible assumed-immutable data elements."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-302",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-39",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-302's assumed-immutable data directly enables the token-manipulation attack with no alternative path, while CAPEC-39 is only one narrow client-token variant of that broad CWE family."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-302",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-77",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-302's immutable-data assumption directly enables variable-manipulation attacks on auth flows (mostly), while CAPEC-77 is a broad pattern that only partially maps onto this specific auth weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-303",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-90",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Incorrect implementation directly creates the protocol flaw reflection needs (mostly enables), yet CAPEC-90 only covers one narrow reflection variant among many possible incorrect-impl bugs (partial exploit)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-306",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-12",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-306's total lack of identity checks directly enables any identifier-based impersonation (CAPEC-12), yet CAPEC-12 is only one narrow multicast-identifier variant among many possible CWE-306 manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-306",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-166",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Missing auth on reset functions directly enables the CAPEC-166 reset-to-prior-state attack (full), while the narrow reset pattern only partially covers the broad CWE-306 surface (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-306",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-36",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-306 enables CAPEC-36 fully because unpublished interfaces succeed only when auth is absent, while CAPEC-36 exploits the CWE only partially as one narrow variant among many auth failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-306",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-62",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-306 directly enables CSRF by omitting the auth checks the attack requires, while CAPEC-62 is only one narrow cookie-based variant among many CWE-306 manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-307",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-16",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-307 fully enables CAPEC-16 by permitting unlimited guesses, yet CAPEC-16 only partially exploits the weakness as one narrow dictionary variant among many possible authentication attacks."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-307",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-49",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-307 directly enables CAPEC-49 by removing the rate-limit barrier the attack requires, yet CAPEC-49 remains only one narrow brute-force variant among many possible exploitations of the same weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-307",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-560",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-307 enables the guessing subset of CAPEC-560 but is unnecessary for theft/purchase paths, while CAPEC-560 only narrowly exercises the rate-limit surface among many possible manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-307",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-565",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-307 enables CAPEC-565 mostly by omitting the rate-limiting that spraying is explicitly designed to evade, while the narrow spraying variant exploits that surface only partially among many possible authentication-attack manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-307",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-600",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-307 enables CAPEC-600 mostly by removing rate limits/lockouts that would otherwise hinder bulk attempts, while CAPEC-600 exploits the weakness only partially as one narrow variant among many that target auth attempt surfaces."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-307",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-653",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-307 enables the guessing component of CAPEC-653 but is unnecessary when credentials are stolen/purchased, while CAPEC-653 exploits the weakness only in its brute-force variant."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-308",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-16",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-308 enables CAPEC-16 fully because dictionary attacks succeed only when a single password factor is sufficient, while CAPEC-16 exploits that surface only partially as one narrow password-guessing variant among many."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-308",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-49",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Single-factor auth directly enables password brute-force success (no second factor to bypass), while CAPEC-49 is only one narrow exploitation variant of that CWE."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-308",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-509",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Single-factor password auth enables the offline-cracking step of Kerberoasting only partially (strong passwords or additional controls can still block it), while the CAPEC is a narrow SPN/ticket variant that exploits that CWE surface only partially."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-308",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-55",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Single-factor auth makes password cracking alone sufficient for access (full enablement), while rainbow tables are only one narrow technique against the password factor itself (partial exploitation)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-308",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-555",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Single-factor auth directly enables credential-stuffing on remote services (attack fails without it), while CAPEC-555 is only one narrow variant among many possible exploitations of CWE-308."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-308",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-560",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-308 fully enables CAPEC-560 because stolen credentials alone suffice for login, while the narrow credential-guessing variant exploits the broad single-factor weakness only partially."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-308",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-561",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Single-factor auth enables credential-stuffing attacks on admin shares fully (no second factor blocks stolen passwords), while CAPEC-561 exploits that surface only as one narrow variant among many possible single-factor abuses."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-308",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-565",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-308 enables CAPEC-565 fully because spraying succeeds only when a single password factor is sufficient, while CAPEC-565 exploits CWE-308 only partially as one narrow password-guessing variant among many single-factor attacks."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-308",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-600",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-308 enables CAPEC-600 fully because stuffing succeeds only when a single factor is sufficient, while CAPEC-600 exploits the CWE partially as one narrow password-reuse variant among many single-factor weaknesses."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-308",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-644",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Single-factor hash auth directly enables PTH (no other factor blocks the captured hash), while CAPEC-644 is only one narrow NTLM-specific variant of that CWE."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-308",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-645",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-308 concerns absence of MFA while CAPEC-645 hinges on reusable Kerberos tickets; neither direction depends on the other."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-308",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-652",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Single-factor auth (CWE-308) directly enables credential-reuse attacks such as CAPEC-652 by making the stolen Kerberos material sufficient; CAPEC-652 is only one narrow variant among many single-factor exploits."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-308",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-653",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-308 enables CAPEC-653 fully because single-factor auth lets stolen/guessed credentials succeed, while CAPEC-653 exploits the CWE only partially as one narrow OS-credential variant among many single-factor manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-308",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-70",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Single-factor password auth enables the guessing attack fully (no second factor to bypass), while the narrow brute-force variant exploits that CWE surface only partially."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-309",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-16",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-309 enables CAPEC-16 fully because dictionary attacks require a password auth surface, yet CAPEC-16 only exploits one narrow manifestation among many possible password weaknesses."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-309",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-49",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-309 supplies the password surface that CAPEC-49 directly requires (full enablement), yet brute-force is only one narrow exploitation variant among many password-system weaknesses (partial exploitation)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-309",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-509",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-309 enables CAPEC-509 mostly because Kerberoasting directly depends on offline cracking of password hashes obtained via Kerberos; CAPEC-509 exploits CWE-309 only partially as a narrow AD-specific variant among many password-auth weaknesses."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-309",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-55",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-309 supplies the password hashes that CAPEC-55 directly requires, enabling the pattern fully, yet the CAPEC is only one narrow pre-computation variant among many password-system flaws."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-309",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-555",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-309 enables CAPEC-555 fully because stolen-password login is impossible without password-based primary auth; CAPEC-555 exploits CWE-309 only partially as one narrow credential-theft variant among many password weaknesses."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-309",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-560",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-309's reliance on passwords directly supplies the credential surface CAPEC-560 needs, enabling the pattern fully, yet CAPEC-560 is only one narrow variant among many password attacks and therefore exploits the weakness only partially."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-309",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-561",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-309's password flaws directly enable credential theft/guessing that CAPEC-561 requires, yet the CAPEC is only one narrow share-access variant among many possible password-system abuses."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-309",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-565",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Password-based primary auth fully enables spraying (no passwords, no spray possible) while spraying only partially exploits the broad CWE by using one specific low-and-slow guessing tactic among many possible password flaws."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-309",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-600",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-309 enables CAPEC-600 fully (no password primary auth means stuffing has no target) while CAPEC-600 exploits only one narrow facet of password-system weaknesses."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-309",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-652",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-309 enables CAPEC-652 only partially because stolen Kerberos tickets bypass passwords entirely, while CAPEC-652 exploits the CWE only partially as a narrow Kerberos-specific credential-reuse variant."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-309",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-653",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-309 supplies the password auth surface that CAPEC-653 directly requires (full enablement), yet the CAPEC is only one narrow OS-credential variant among many possible password weaknesses (partial exploitation)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-309",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-70",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-309 enables CAPEC-70 fully because the attack requires password-based auth to exist, while CAPEC-70 exploits only one narrow slice (defaults/common guesses) of the broad CWE-309 surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-311",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-157",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Missing encryption lets sniffing obtain plaintext sensitive data directly (full enablement), while the broad passive sniffing pattern only partially targets the specific encryption omission surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-311",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-158",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Missing encryption fully enables sniffing to obtain readable sensitive data, while sniffing only partially exploits the broad CWE as one transmission-specific variant among many."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-311",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-204",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Missing encryption directly enables cache lifting by leaving readable sensitive data in storage (mostly), while the CAPEC is only one narrow cache-specific variant among many possible exposures of unencrypted data (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-311",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-31",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Missing encryption directly enables cookie interception attacks by exposing sensitive values in transit/storage, but CAPEC-31 is only one narrow cookie-specific variant among many ways CWE-311 can be exploited."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-311",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-37",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Missing encryption directly enables retrieval of usable embedded secrets (full), while CAPEC-37 is only one narrow manifestation of that broad weakness (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-311",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-383",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Missing encryption directly exposes the sensitive values that CAPEC-383's event monitoring is designed to harvest, yet the CAPEC remains only one narrow transmission-monitoring variant among many possible manifestations of CWE-311."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-311",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-384",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Missing encryption directly enables MITM message tampering by exposing plaintext, while CAPEC-384 is only one narrow variant among many possible exploits of that weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-311",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-385",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-385 performs tampering via API-level MITM; missing encryption can aid interception but is neither required nor the hinge of the pattern."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-311",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-609",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Missing encryption lets intercepted cellular data be read in cleartext (partial enablement) but interception itself can still be performed regardless; CAPEC-609 is one specific eavesdropping vector among many that target unencrypted traffic (partial exploitation)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-311",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-65",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Missing encryption directly enables successful capture of readable code via sniffing, while CAPEC-65 is only one narrow variant among many ways to exploit that CWE."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-312",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-37",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-312's cleartext storage directly enables CAPEC-37's retrieval (no readable data exists without it), yet CAPEC-37 is only one narrow embedding/retrieval variant among many possible CWE-312 manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-314",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-37",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Cleartext registry storage directly supplies the accessible sensitive data that CAPEC-37 retrieves, yet the attack pattern also covers many other embedding locations so the match is not exhaustive in either direction."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-315",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-31",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Cleartext sensitive cookie storage enables cookie-access attacks to succeed in data theft (but attack forms like modification can occur regardless), while CAPEC-31 broadly covers interception/modification variants that only partially target this specific CWE surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-315",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-37",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-315 supplies one possible embedding location that CAPEC-37 can read, but the attack pattern neither requires cookies nor is limited to them, so each direction rates only partial."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-315",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-39",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Cleartext cookie storage directly supplies readable data an attacker can alter, enabling most of CAPEC-39, yet CAPEC-39 only partially exploits this CWE because it also covers encrypted but unsigned tokens."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-315",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-74",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Cleartext cookie storage directly exposes modifiable state, enabling CAPEC-74 as a primary vector, yet CAPEC-74 remains a broad pattern that only partially exploits this narrow CWE surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-318",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-37",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-318 directly supplies the cleartext executable data that CAPEC-37 retrieves, enabling the pattern fully, yet CAPEC-37 also targets many other embedding locations and formats so exploits this CWE only partially."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-318",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-65",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-318 enables CAPEC-65 fully because cleartext sensitive data in the executable is exactly what the sniffer extracts; CAPEC-65 exploits the CWE only partially as one narrow network-sniffing variant among many possible exposures of the stored executable."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-319",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-102",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-319 enables CAPEC-102 fully because cleartext session tokens are required for sniffing to succeed, while CAPEC-102 exploits CWE-319 only partially as a narrow session-token variant among many possible sensitive-data exposures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-319",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-117",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-319 supplies the readable sensitive data that makes interception useful (mostly enabling) while CAPEC-117 is a broad sniffing pattern that only partially targets the cleartext surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-319",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-383",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-319 enables CAPEC-383 fully because event monitoring can only harvest the sensitive values when they traverse the channel in cleartext; CAPEC-383 exploits the CWE only partially because it is one narrow monitoring technique among many possible manifestations of cleartext exposure."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-319",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-65",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-319 enables CAPEC-65 fully because cleartext transmission is required for passive sniffing of the code to succeed, while CAPEC-65 exploits the CWE only partially as a narrow code-sniffing variant among many possible sensitive-data exposures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-325",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-68",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Missing crypto step weakens signature verification that code-signing depends on, yet CAPEC-68 can also succeed via key theft or VM policy bypass, so each direction uses the other only as one enabling step."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-326",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-112",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Inadequate key length directly shrinks the search space so brute force becomes practical (full enablement), yet CAPEC-112 is a broad trial-and-error pattern that also targets passwords, tokens, etc. and therefore only partially exploits the crypto-specific surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-326",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-192",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-192 is broad protocol reverse-engineering that may incidentally exploit weak crypto but does not rely on it."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-326",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-20",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-326 fully enables CAPEC-20 by shrinking the key space to a brute-forceable size, while CAPEC-20 only partially exploits CWE-326 as one narrow attack variant among other possible cryptanalytic approaches."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-327",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-20",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-327 makes exhaustive key search practically viable (mostly enables), while CAPEC-20 is only one narrow brute-force variant among many possible exploits of weak crypto (partially exploits)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-327",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-459",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-327 fully enables CAPEC-459 because the attack requires a weak-collision hash algorithm, while CAPEC-459 exploits only one narrow manifestation of the broad CWE family."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-327",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-473",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Broken algorithms directly enable forgery of signatures (mostly), while Signature Spoof is only one narrow cryptographic manifestation among many possible exploits of CWE-327 (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-327",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-475",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-327 supplies the broken algorithm that CAPEC-475 directly requires, yet the CAPEC is only one narrow signature-spoofing variant of the broad CWE family."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-327",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-608",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-327 fully enables CAPEC-608 by supplying the broken cellular algorithm the attack requires, while CAPEC-608 only partially exploits CWE-327 as one narrow cryptanalytic variant among many possible broken-algorithm weaknesses."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-327",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-614",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-327 enables CAPEC-614 fully because cracking the weak DES key is the attack's prerequisite, while the narrow SIM-specific DES variant exploits the broad CWE only partially."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-327",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-97",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-327 supplies the exact broken algorithm that CAPEC-97 is designed to break, enabling the pattern fully, yet CAPEC-97 also covers implementation and usage flaws outside the algorithm choice itself and therefore exploits the CWE only partially."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-328",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-461",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-328 enables CAPEC-461 fully because length-extension forgery requires a weak Merkle-Damg\u00e5rd hash; CAPEC-461 exploits CWE-328 only partially as one narrow signature-forgery variant among many weak-hash manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-328",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-68",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Weak-hash collisions can serve as one concrete step to forge signatures and thereby subvert code signing, yet CAPEC-68 lists many other subversion avenues and is not narrowly predicated on CWE-328."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-330",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-112",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Insufficient randomness shrinks the secret space and thereby enables practical brute force (mostly), while CAPEC-112 brute-force is a broad pattern that only sometimes targets randomness flaws and can succeed against other weaknesses such as inherently short secrets (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-330",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-485",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-330 supplies the exact PRNG flaw the attack needs, enabling it fully, yet CAPEC-485 is only one narrow key-recreation variant among many possible exploits of insufficient randomness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-330",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-59",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-330 supplies the exact predictability surface that CAPEC-59 requires, enabling the attack fully, yet the CAPEC remains only one narrow variant among many possible insufficient-randomness exploits."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-331",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-59",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Insufficient entropy directly supplies the predictable values CAPEC-59 needs, but the CAPEC is only one narrow session-ID variant of the broad CWE."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-345",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-111",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-345 fully enables CAPEC-111 because the hijack requires the server to accept cross-origin script inclusion without authenticity checks, while CAPEC-111 is only one narrow JSON-specific variant of that broad weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-345",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-141",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-345 directly enables cache poisoning by allowing unauthenticated data to be accepted as valid, while CAPEC-141 is only one narrow variant among many possible manifestations of the broad CWE."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-345",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-142",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-345 enables CAPEC-142 fully because forged DNS responses succeed only when authenticity checks are absent, while CAPEC-142 exploits the CWE only partially as one narrow DNS-specific variant among many possible authenticity failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-345",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-148",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-345 directly enables CAPEC-148 by allowing spoofed content to be accepted as authentic; CAPEC-148 is only one narrow variant among many possible manifestations of insufficient authenticity checks."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-345",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-218",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-345 fully enables CAPEC-218 since spoofed messages succeed only when authenticity checks are absent, while CAPEC-218 exploits the broad weakness only partially as one narrow UDDI/ebXML variant."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-345",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-384",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-345 fully enables CAPEC-384 because message manipulation via MITM succeeds only when authenticity checks are absent, yet CAPEC-384 remains one narrow MITM variant among many manifestations of the broad CWE."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-345",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-385",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-345 is a direct prerequisite for any successful tampering (full enablement), yet CAPEC-385 is only one narrow API-manipulation variant among many possible authenticity failures (partial exploitation)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-345",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-386",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-345 enables CAPEC-386 fully because manipulated navigation data is accepted only when authenticity checks are absent, yet CAPEC-386 exploits the CWE only partially as one narrow remapping variant among many possible authenticity failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-345",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-387",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-345 fully enables the attack by letting unauthenticated manipulated messages be accepted, while CAPEC-387 exploits that surface only as one narrow navigation-remapping variant among many possible manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-345",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-388",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-345 fully enables CAPEC-388 because the attack cannot succeed if manipulated API data is rejected, yet the narrow button-hijacking variant exploits only one slice of the broad authenticity-verification surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-345",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-665",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-345 directly supplies the missing verification that CAPEC-665 must bypass, so the pattern cannot succeed without it; yet CAPEC-665 remains only one narrow Thunderbolt-specific variant among many possible manifestations of CWE-345."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-345",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-701",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-345 enables CAPEC-701 mostly by letting an adversary present unauthenticated remote-desktop content the browser treats as legitimate, while the narrow BiTM variant exploits the broad CWE only partially."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-346",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-111",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-346 enables CAPEC-111 fully because absent any origin check the JSON endpoint can be script-included cross-domain; CAPEC-111 exploits the CWE only partially as one narrow JSON-hijacking variant among many origin-validation failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-346",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-141",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-346 enables cache poisoning mostly by allowing untrusted data to be accepted into caches, but CAPEC-141 exploits it only partially as one narrow variant among multiple poisoning techniques."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-346",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-142",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-346 enables CAPEC-142 fully because spoofed DNS responses succeed only when origin validation is absent; CAPEC-142 exploits the CWE only partially as one narrow DNS-specific variant among many possible origin-validation failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-346",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-160",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-160 exploits failures to filter script input (primarily code-injection CWEs) while CWE-346 addresses only the narrower origin-check aspect that is incidental here."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-346",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-21",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-346 enables CAPEC-21 only partially because identifier guessing/stealing can succeed without origin flaws; CAPEC-21 exploits the CWE surface only partially as a narrow identifier-trust variant among many possible origin-validation failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-346",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-384",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-346 is a prerequisite for successful MITM message tampering (full enablement) yet CAPEC-384 is only one narrow AiTM variant among many possible origin-validation failures (partial exploitation)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-346",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-385",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-346 enables CAPEC-385 fully because absent origin checks the MITM tampering succeeds directly; CAPEC-385 exploits the CWE only partially as a narrow API-tampering variant among many possible origin-validation failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-346",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-386",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-346 enables CAPEC-386 fully because absent origin checks the attacker can freely substitute authentic-looking navigation targets; CAPEC-386 exploits the CWE only partially as a narrow navigation-remapping variant among many possible origin-validation failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-346",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-387",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-346 enables CAPEC-387 fully because absent origin checks let remapped navigation appear authentic; CAPEC-387 exploits the CWE only partially as one narrow navigation-specific variant among many possible origin failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-346",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-388",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Missing origin checks directly enable an attacker to alter API message destinations, yet CAPEC-388 is only one narrow button-focused variant of such origin abuses."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-346",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-510",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-346 is required for the session-trust abuse to succeed (full enablement), yet CAPEC-510 is only one narrow SaaS-session variant of the broad origin-validation family (partial exploitation)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-346",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-59",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Session-ID prediction (CAPEC-59) depends on weak randomness, not origin checks, so CWE-346 neither enables nor is exploited by it."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-346",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-60",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-346 enables session replay only when the replay crosses an unvalidated origin boundary (partial); CAPEC-60 is one narrow session-management variant among many that may touch origin checks (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-346",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-76",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-346 concerns source authenticity while CAPEC-76 hinges on unsanitized path content reaching FS APIs; neither direction depends on the other."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-346",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-89",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Pharming succeeds via DNS/hosts manipulation that makes the apparent origin appear legitimate, independent of any product-side origin check failure."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-347",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-463",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Padding-oracle decryption attacks rely on CBC padding-error oracles in symmetric ciphers and never depend on or target signature-verification logic."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-347",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-475",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-347 is the direct root cause that fully enables the described spoofing attack, while CAPEC-475 is one narrow validation-specific variant among broader CWE-347 manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-348",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-141",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-348 directly enables cache poisoning by allowing attacker-controlled data from the weaker source to be cached, but CAPEC-141 is only one narrow manifestation among many possible exploits of that source-selection flaw."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-348",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-142",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-348 enables CAPEC-142 fully because poisoning succeeds only when the victim accepts the less-trusted (poisoned) DNS source; CAPEC-142 exploits the CWE only partially as one narrow DNS-specific variant among many possible less-trusted-source abuses."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-348",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-73",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-348 supplies a less-trusted data path that the CAPEC-73 payload can ride, yet the attack still requires separate filename-to-HTML mishandling; conversely the narrow filename variant only partially exercises the two-source trust decision."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-348",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-76",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-348 supplies a less-trusted data source that CAPEC-76 can ride, yet the attack fundamentally needs missing path validation rather than the source-selection flaw itself."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-349",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-141",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-141 relies on trusting a poisoned cache entry itself rather than mixing extraneous untrusted data with trusted data as CWE-349 describes."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-349",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-142",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-142 hinges on unauthenticated DNS response spoofing rather than mixing trusted/untrusted data, though some poisoning variants may touch CWE-349."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-349",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-75",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-75 primarily exploits file-permission and external-control weaknesses rather than mixing of extraneous untrusted data with trusted data."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-350",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-142",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-142 targets forward DNS A-record poisoning while CWE-350 is strictly about unverified reverse (PTR) lookups."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-350",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-275",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-275 exploits dynamic forward DNS resolution to bypass hostname-based checks, only partially overlapping the reverse-DNS-specific weakness in CWE-350."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-352",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-111",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CSRF weakness permits the credential-bearing request that JSON hijacking needs, yet the attack itself exploits SOP/script-inclusion rather than forged state-changing actions."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-352",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-462",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-462 uses cross-domain authenticated requests only as a vehicle for timing side-channel leaks, not to perform the state-changing forgeries that define CWE-352."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-352",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-467",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-352 is not required for CAPEC-467 (payload delivery and session harvesting can occur via XSS or other means), while the attack pattern only partially exploits CSRF surfaces by forging cross-origin session-bearing requests."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-352",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-62",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-352 enables CAPEC-62 fully because the attack cannot succeed without the missing request-intent check, while CAPEC-62 exploits CWE-352 only partially as one narrow CSRF variant among many possible manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-353",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-389",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Missing transmission integrity enables undetected message tampering (partial) while the API-manipulation pattern only incidentally relies on that surface rather than exploiting the CWE family directly."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-353",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-39",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-353 directly enables CAPEC-39 by removing the integrity verification that would otherwise block token tampering, while CAPEC-39 is only one narrow client-token variant among many possible integrity failures covered by CWE-353."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-353",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-665",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-665 exploits implementation flaws in existing Thunderbolt verification/authorization schemes plus physical firmware access, not absence of integrity checking as defined by CWE-353."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-353",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-74",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Missing transmission integrity enables undetected state tampering mostly via network vectors, while CAPEC-74 exploits that surface only partially as one of many state-manipulation avenues."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-354",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-145",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-354 enables CAPEC-145 fully (spoofed checksum is accepted only when validation is absent or broken) while CAPEC-145 exploits the CWE only partially (narrow checksum spoofing is one specific variant of the broad integrity-check family)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-354",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-463",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-354 concerns failure to detect tampering via checksums/MACs while CAPEC-463 requires only side-channel leakage of a correct padding check result, so the weakness does not enable the pattern but the pattern touches a narrow integrity-check surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-359",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-464",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-359 does not enable cookie persistence mechanics at all, while CAPEC-464 can serve as one narrow tracking vector that partially surfaces the privacy exposure described by CWE-359."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-359",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-467",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-359 supplies the exact exposure surface the CAPEC-467 cross-site request needs to succeed, yet CAPEC-467 is only one narrow session-harvesting variant among many possible manifestations of that CWE."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-359",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-498",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-359 enables CAPEC-498 fully because displaying private data on-screen directly creates the screenshot exposure surface the attack needs; CAPEC-498 exploits that surface only partially as one iOS-specific variant among many possible manifestations of the CWE."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-359",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-508",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-359 does not enable shoulder surfing (attack succeeds via physical observation regardless of product exposure controls), while CAPEC-508 only partially exploits the CWE by targeting one physical manifestation of visible private data."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-36",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-597",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-36's missing neutralization of absolute paths directly enables CAPEC-597 execution (full), yet the CAPEC is a narrow variant that also mixes relative '..' steps and thus exploits the CWE surface only partially."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-362",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-26",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-362 supplies the exact timing window the CAPEC-26 adversary must occupy, enabling the pattern fully, yet CAPEC-26 only instantiates one broad family of race surfaces and is therefore only a partial-to-mostly exploitation of the CWE."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-362",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-29",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-362 enables CAPEC-29 fully because TOCTOU is a direct instance of the improper shared-resource synchronization; CAPEC-29 exploits CWE-362 only partially as one narrow TOCTOU variant among many race-condition manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-363",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-26",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-363 is one narrow TOCTOU instance that enables only a subset of CAPEC-26 variants, while the broad CAPEC-26 pattern covers that weakness among many other race conditions."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-366",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-26",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-366 supplies one thread-specific race surface that CAPEC-26 can leverage, yet the attack pattern is defined for concurrent processes and can succeed against other race conditions."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-366",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-29",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-366's thread race condition is a prerequisite for any TOCTOU execution (full enablement), yet CAPEC-29 is only one narrow TOCTOU variant and not limited to intra-thread races (partial exploitation)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-367",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-27",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-367 enables CAPEC-27 fully because the symlink race is a direct TOCTOU instance, while CAPEC-27 exploits CWE-367 only partially as one narrow symlink variant among many TOCTOU manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-367",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-29",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-367 is the exact condition the attack requires, so it enables CAPEC-29 fully; CAPEC-29 is one concrete exploitation variant of that weakness family and therefore exploits it only partially."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-368",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-26",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-368 is one narrow race-condition instance that CAPEC-26 can target, but the broad attack pattern neither requires nor is limited to this specific weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-368",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-29",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-368's non-atomic context-switch surface directly supplies the timing window TOCTOU needs (mostly enabling), yet CAPEC-29 is the classic file-system variant that only partially maps onto the narrower context-switch CWE."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-370",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-26",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-370 is a time-of-check/time-of-use revocation gap unrelated to concurrent resource manipulation, so neither direction holds."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-370",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-29",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-370 is itself a TOCTOU instance on certificate state, directly enabling CAPEC-29's race window while CAPEC-29 remains a broad pattern that only partially targets this specific revocation surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-372",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-140",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-372's missing state tracking directly enables form-sequence bypass (full), while CAPEC-140 is only one narrow manifestation of that state flaw (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-372",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-74",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-372's failure to track/distinguish states directly enables any state-manipulation attack to succeed, while CAPEC-74 broadly covers many state flaws and only partially exploits this specific distinction weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-377",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-149",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-377's predictable-name surface is exactly what CAPEC-149 requires (full enablement), yet the CAPEC is only one narrow manifestation among the broader set of insecure-temp-file issues covered by the CWE (partial exploitation)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-377",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-155",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-377 directly supplies the sensitive temp-file exposure that CAPEC-155 requires, yet CAPEC-155 is only one narrow information-disclosure variant among many possible exploits of the CWE."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-384",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-196",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-384's failure to invalidate existing SIDs directly supplies the post-auth surface a forged credential needs (mostly), while CAPEC-196's forging variant only exercises one narrow slice of that surface (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-384",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-21",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-384 directly supplies the known session ID that CAPEC-21 rides, yet CAPEC-21 also covers guessing and other acquisition methods unrelated to fixation."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-384",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-31",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-384 enables cookie-based session impersonation only as one possible vector while CAPEC-31 executes independently via direct cookie access/modification, and the narrow cookie pattern only partially overlaps the fixation surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-384",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-39",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-384's missing session invalidation does not enable token tampering (CAPEC-39 works on any client-side state regardless), while CAPEC-39 can exploit session-ID tokens only as one narrow case among many data-token targets."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-384",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-60",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-384 enables session-ID reuse only when the ID is obtained via fixation rather than other theft vectors, while CAPEC-60 is a narrow replay variant that touches the fixation surface only incidentally."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-384",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-61",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-384's failure to invalidate existing session IDs directly enables the exact attack in CAPEC-61, which in turn fully exploits that same weakness surface with no narrower variant gap."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-385",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-462",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-385 supplies the observable timing side-channel that CAPEC-462 directly requires, enabling the pattern fully, yet CAPEC-462 remains only one narrow cross-domain search variant among many possible timing-channel exploits."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-400",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-147",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-400 enables CAPEC-147 fully because the DoS hinges on absent resource controls, yet CAPEC-147 exploits the CWE only partially as one narrow XML-flooding variant among many resource-consumption manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-400",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-227",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-400 is a direct prerequisite for CAPEC-227 to succeed, yet the CAPEC is only one narrow sustained-engagement variant among many resource-consumption attacks."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-400",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-492",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-400 enables CAPEC-492 fully because exponential regex blowup directly produces uncontrolled resource exhaustion, while CAPEC-492 exploits the CWE only partially as one narrow regex-specific variant among many exhaustion techniques."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-404",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-131",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-404 is the direct cause of the leaks CAPEC-131 triggers, enabling the pattern fully, yet CAPEC-131 remains one narrow variant of the broad CWE family."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-404",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-496",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-404 can contribute to exhaustion under fragment floods but is not required for CAPEC-496 execution; the CAPEC variant targets reassembly/header handling rather than release semantics."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-404",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-666",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "BlueSmacking is a proximity-based L2CAP flooding DoS that succeeds regardless of resource-release behavior, and it targets protocol buffering rather than any shutdown/release surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-41",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-3",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-41's failure to canonicalize equivalent path forms directly supplies the surface that leading-ghost bypasses rely on, yet CAPEC-3 is only one narrow syntactic variant among many possible path-equivalence manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-412",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-25",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-412 directly supplies the external lock control surface that CAPEC-25 requires to induce deadlock, while CAPEC-25 is only one narrow deadlock variant among many possible misuses of that surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-419",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-383",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-383 exploits information leakage via framework event monitoring/AiTM and is unrelated to admin or primary-channel protection."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-424",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-127",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-424 directly enables directory listing by leaving the dir-path access unprotected, but CAPEC-127 is only one narrow manifestation of that broad weakness class."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-424",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-554",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-424 directly supplies one bypass vector (unprotected alternate paths) but CAPEC-554 can succeed via many other weaknesses, and the broad attack pattern only partially covers this narrow CWE surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-425",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-127",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-425 permits direct access to protected paths but directory indexing is primarily a server-configuration behavior rather than an authorization bypass, so the weakness only partially enables the pattern and the pattern does not exploit the CWE surface at all."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-425",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-143",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-425 directly enables CAPEC-143 by exposing unpublicized resources (full); CAPEC-143 is only one reconnaissance variant among many forced-browsing manifestations (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-425",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-144",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-425 directly enables CAPEC-144 by leaving unpublished endpoints reachable via forced browsing, while CAPEC-144 is only one narrow discovery variant among many CWE-425 manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-425",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-87",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-425 is the precise missing authorization control that CAPEC-87 directly exercises, so the weakness enables the pattern completely and the pattern exploits that surface completely."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-426",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-38",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-426 fully enables CAPEC-38 because the attack cannot succeed without an untrusted search path, while CAPEC-38 exploits the CWE only partially as one narrow manipulation variant among many possible search-path weaknesses."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-427",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-38",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-427 fully enables CAPEC-38 (attack cannot execute without the uncontrolled path), while CAPEC-38 only partially exploits the broader CWE family as one narrow search-path variant."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-427",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-471",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-427 fully enables CAPEC-471 because the attack requires an uncontrolled search path element, while CAPEC-471 only partially exploits CWE-427 as one narrow library-loading variant among many possible search-path weaknesses."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-430",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-11",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-430 enables CAPEC-11 fully because wrong-handler deployment is the direct precondition the attack needs, while CAPEC-11 exploits the weakness only partially as one narrow filename/extension variant among many possible causes."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-436",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-105",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-436 enables CAPEC-105 fully because the attack requires an interpretation conflict between HTTP agents, while CAPEC-105 exploits CWE-436 only partially as one narrow HTTP-specific variant among many possible conflicts."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-436",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-273",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-436 supplies the exact semantic gap HTTP agents need for response smuggling to succeed, yet CAPEC-273 is only one narrow realization among many possible interpretation conflicts."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-436",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-34",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-436 enables CAPEC-34 fully because the attack requires conflicting HTTP interpretations to succeed, while CAPEC-34 exploits the broad CWE only partially as one narrow header-injection variant."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-441",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-219",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-441's failure to preserve request source directly supplies the unintended-intermediary surface that CAPEC-219 needs to subvert, yet the CAPEC is only one narrow XML-routing variant among many possible confused-deputy abuses."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-441",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-465",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-441's failure to preserve request source directly enables transparent-proxy abuse, while CAPEC-465 is only one narrow variant among many possible confused-deputy manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-444",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-273",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-444 enables CAPEC-273 fully because inconsistent HTTP interpretation is the direct prerequisite for response smuggling, while CAPEC-273 exploits the CWE only partially as one narrow response-focused variant."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-444",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-33",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-444 is the exact inconsistent-interpretation condition the smuggling attack requires, yet CAPEC-33 is only one narrow request-focused variant of that broad weakness family."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-451",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-154",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-451 fully enables CAPEC-154 because resource-location spoofing cannot succeed without UI misrepresentation of the true source, yet CAPEC-154 is only one narrow variant among many CWE-451 manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-451",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-163",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-451 supplies the deceptive surface that spear-phishing messages rely on for credibility, yet CAPEC-163 is only one narrow, targeted variant among many phishing techniques that can exploit the same weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-451",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-164",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-451 directly supplies the spoofing surface that any phishing attack (including CAPEC-164) requires to succeed, yet CAPEC-164 is only one narrow mobile-SMS variant among many possible CWE-451 manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-451",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-173",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-451 enables CAPEC-173 mostly via technical/UI vectors such as clickjacking but not social-engineering variants; CAPEC-173 exploits the CWE only partially because it is one narrow manifestation among several possible UI-misrepresentation abuses."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-451",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-98",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-451 supplies the UI spoofing surface that phishing commonly needs, yet phishing can succeed via non-UI vectors such as email spoofing alone; conversely, CAPEC-98 is a broad social-engineering pattern that only partially exercises the narrower UI-misrepresentation weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-470",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-138",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-470 directly supplies the uncontrolled reflection surface that CAPEC-138 requires, enabling the pattern fully, while CAPEC-138 is one concrete injection variant that exploits the CWE's surface only mostly."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-471",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-384",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "MAID directly supplies the modifiable-assumed-immutable surface that MITM message tampering needs, yet CAPEC-384 is only one narrow delivery technique among many possible MAID manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-471",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-385",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-471 directly enables CAPEC-385 by permitting modification of transaction data assumed immutable, while the CAPEC is only one narrow API-manipulation variant among many possible MAID manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-471",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-386",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-471 fully enables CAPEC-386 because the attack requires successful modification of assumed-immutable navigation data; CAPEC-386 exploits the CWE only partially as one narrow API-remapping variant among many MAID manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-471",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-387",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-471 fully enables the attack because navigation/content remapping cannot succeed without the ability to alter assumed-immutable data, yet CAPEC-387 is only one narrow variant among many possible MAID manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-471",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-388",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-471 enables CAPEC-388 fully because button hijacking requires the ability to modify data the app treats as immutable; CAPEC-388 exploits CWE-471 only partially as one narrow API-specific variant among many MAID manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-472",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-146",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-472 enables schema poisoning by allowing external modification of parameters assumed immutable (e.g., schema refs in hidden fields), but CAPEC-146 is one narrow XML-specific variant among many possible manifestations of the CWE."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-472",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-226",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-472 fully enables CAPEC-226 because the attack requires the server to trust externally-manipulated assumed-immutable values such as cookies; CAPEC-226 exploits CWE-472 only partially as it is one narrow credential-falsification variant among many possible immutable-parameter abuses."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-472",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-31",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-472 enables cookie modification attacks by allowing client tampering of assumed-immutable state, but CAPEC-31 only partially exploits it as one narrow variant among several cookie attack forms."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-472",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-39",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-472 fully enables CAPEC-39 because the attack requires the app to trust unverified client-side tokens, while CAPEC-39 exploits the CWE only partially as one narrow variant among many assumed-immutable parameter issues."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-473",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-77",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-473 is the precise PHP neutralization failure that CAPEC-77 directly requires, yet CAPEC-77 remains a broader pattern that also covers non-PHP variable manipulation."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-488",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-59",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-488 concerns cross-session data leakage from missing isolation boundaries, while CAPEC-59 requires guessable session-ID generation; neither enables nor exploits the other."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-488",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-60",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-488 can supply a valid ID via cross-session leakage (one possible step for replay) but CAPEC-60 does not target or rely on inter-session exposure boundaries."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-489",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-121",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-489 is the exact condition (active debug code) that CAPEC-121 requires, enabling it fully, yet the CAPEC covers a broader set of non-production interfaces so exploits the CWE only partially."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-489",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-661",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Active debug code directly supplies the debugger attachment surface the CAPEC requires, while the CAPEC itself is only one narrow root-evasion variant among many possible debug-code abuses."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-494",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-184",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-494 directly supplies the missing verification step that most download-based instances of CAPEC-184 rely on, yet CAPEC-184 remains a broad family that also covers non-download integrity violations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-494",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-185",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-494 is the direct precondition that lets CAPEC-185 succeed, yet CAPEC-185 is a broad social-engineering pattern that can also exploit other weaknesses."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-494",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-186",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-494 enables CAPEC-186 fully because absent any integrity/origin check the spoofed update executes; CAPEC-186 exploits the CWE only partially as one narrow update-spoofing variant among many possible downloads."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-494",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-187",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-494 fully enables CAPEC-187 because the attack cannot succeed without the missing integrity validation on downloaded code, while CAPEC-187 exploits the CWE only partially as one narrow redirection-based update variant."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-494",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-533",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-494 enables CAPEC-533 fully because the attack requires executing an unverified download, while CAPEC-533 exploits CWE-494 only partially as one narrow manual-update variant among many possible manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-494",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-538",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-494 enables CAPEC-538 fully because absent integrity verification the implanted OSS code executes; CAPEC-538 exploits the CWE only partially as one narrow supply-chain variant among many possible manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-494",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-657",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-494 is a prerequisite for any successful malicious update, enabling CAPEC-657 fully, yet the CAPEC only covers one narrow spoofing variant of the broader integrity-check weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-494",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-662",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-494 can facilitate Trojan install via unverified download (one possible vector for AiTB) but is not required, while CAPEC-662 uses that surface only as a narrow delivery step rather than its core MITB exploitation."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-494",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-691",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-494 enables CAPEC-691 fully because the attack succeeds only when downloaded code is executed without integrity verification, while CAPEC-691 exploits that weakness only partially as one narrow metadata-spoofing variant."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-494",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-692",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-494 enables CAPEC-692 fully because spoofed VCS metadata only succeeds in delivering malicious code when no integrity verification occurs; CAPEC-692 exploits the CWE only partially as one narrow metadata-spoofing variant among many possible integrity failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-494",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-693",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-494 enables CAPEC-693 fully because the spoofed package is only executable without origin/integrity verification; CAPEC-693 exploits CWE-494 only partially as one narrow metadata-spoofing variant among many possible manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-494",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-695",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-494 is a prerequisite for successful repo jacking (full enablement) yet CAPEC-695 is only one narrow VCS-redirect variant among many possible integrity failures (partial exploitation)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-497",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-170",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-497 directly supplies the sensitive version/implementation data that CAPEC-170 probes for, enabling the pattern to a high degree, yet the narrow fingerprinting variant only partially exploits the broad exposure surface of CWE-497."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-497",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-694",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-497 exposure directly supplies the locale/timezone data that CAPEC-694 collects, enabling the pattern in most cases, yet CAPEC-694 remains only one narrow variant among many possible manifestations of that exposure."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-502",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-586",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-502 enables CAPEC-586 fully as the attack cannot occur without unsafe deserialization, while CAPEC-586 exploits the CWE only partially as a narrow object-injection variant among many possible manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-506",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-442",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-506 is the direct consequence of executing CAPEC-442, so the weakness cannot enable the attack pattern while the pattern fully realizes the weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-506",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-448",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-506 is the outcome of embedding malicious code rather than a precondition that enables CAPEC-448, while CAPEC-448 is one narrow binary-tampering variant that can produce the CWE-506 condition."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-506",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-636",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-506 is the resulting condition rather than a precondition for the hiding technique, while CAPEC-636 is one narrow file-format method of achieving embedded malicious code."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-507",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-698",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-507 is the resulting hidden malicious functionality itself, while CAPEC-698 is the upstream act of introducing it; neither direction enables or exploits the other."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-521",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-112",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Weak password requirements shrink the search space and thereby enable rapid brute-force attempts on passwords (mostly), while CAPEC-112 brute force is a broad technique that only partially exploits the specific password-requirement surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-521",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-16",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Weak requirements fully enable dictionary attacks by allowing guessable words, yet the narrow CAPEC variant only partially exploits the broader CWE surface of all possible weak-password flaws."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-521",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-49",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Weak requirements enable brute-force by making short/simple passwords feasible targets, while brute-force is only one narrow exploitation variant among many possible attacks on weak policies."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-521",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-509",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Weak password requirements directly enable successful offline cracking in Kerberoasting (mostly), while the CAPEC is a narrow Kerberos-specific variant that only partially targets the CWE's broad password-policy surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-521",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-55",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Weak requirements enable rainbow-table success by allowing common passwords (mostly) while the CAPEC is only one narrow hash-chain variant among many ways to exploit that weakness (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-521",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-555",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Weak password requirements directly facilitate credential acquisition for CAPEC-555 (mostly enabling), yet the CAPEC is only one narrow remote-use variant among many possible exploitation paths for CWE-521 (partial exploitation)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-521",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-561",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Weak passwords enable guessing within CAPEC-561 but are unnecessary for its steal/purchase paths, while the narrow admin-share pattern only partially covers the broad CWE-521 surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-521",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-565",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Weak requirements directly enable spraying success by permitting the common passwords it targets, while spraying is only one narrow variant among many ways to exploit that CWE."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-521",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-70",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-521 directly permits the default/weak credentials that CAPEC-70 requires to succeed, yet CAPEC-70 is only one narrow variant among many possible manifestations of weak password policy."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-522",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-102",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Unprotected credential transmission fully enables sidejacking (no token to sniff without it), while CAPEC-102 only partially exploits the broader CWE-522 family as one narrow sniffing variant."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-522",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-474",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-522 enables key theft fully as the attack cannot succeed without the protection failure, while CAPEC-474 exploits it only partially as a narrow signature-specific variant."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-522",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-50",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-522 does not enable CAPEC-50 (recovery attacks succeed via weak questions alone) while CAPEC-50 only partially touches the credential-exposure surface described by CWE-522."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-522",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-509",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-522 enables CAPEC-509 fully because the attack requires extractable, crackable credential material; CAPEC-509 exploits the CWE only partially as one narrow Kerberos-specific variant among many possible manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-522",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-555",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-522 directly supplies the stolen credentials that CAPEC-555 requires, yet CAPEC-555 is only one narrow use of those credentials among many possible theft vectors."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-522",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-560",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-522 directly enables the steal/obtain step that drives CAPEC-560, yet the pattern can still succeed via guessing or purchase; conversely CAPEC-560 is only one narrow usage of many possible credential sources covered by the CWE."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-522",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-561",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-522 enables credential theft (one of several acquisition methods listed in CAPEC-561) so only partially enables the pattern; CAPEC-561 is a narrow admin-share usage of stolen creds and therefore only partially exploits the broad CWE."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-522",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-600",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-522 supplies the bulk of credential lists that make stuffing feasible, yet CAPEC-600 itself only exploits password reuse, not the storage/transmission flaw."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-522",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-644",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-522 enables hash capture (and thus CAPEC-644) in most cases, but CAPEC-644 is only one narrow NTLM-specific variant of credential theft."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-522",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-645",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-522's failure to protect credentials directly enables ticket theft required by CAPEC-645, yet the narrow Kerberos ticket variant exploits only one slice of the broad CWE."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-522",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-652",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-522 enables credential theft via interception (partial, since purchasing bypasses it) while CAPEC-652 is one narrow Kerberos-specific variant that may leverage such exposure (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-522",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-653",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-522 enables credential theft used by CAPEC-653 but guessing/purchase paths bypass it; CAPEC-653 only sometimes exploits the CWE surface via stolen OS creds."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-523",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-102",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-523 is narrowly about login credentials in transit while CAPEC-102 targets session tokens, so the weakness does not enable the attack pattern at all, yet the attack still exploits the same general unprotected-transport surface only partially."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-524",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-204",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-524 directly supplies the unprotected sensitive cache that CAPEC-204 reads, enabling the attack fully, yet CAPEC-204 remains one narrow manifestation among possible cache exposures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-525",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-37",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-525 places sensitive data in an accessible client cache (one embedding location among many), enabling CAPEC-37 only for cache-based retrievals, while the broad CAPEC-37 pattern exploits this CWE only when it specifically targets cached data."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-532",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-215",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-532 does not enable CAPEC-215 (fuzzing succeeds against any informative logs), yet CAPEC-215 can partially exploit the weakness by surfacing sensitive entries during log observation."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-538",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-95",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-538 places the sensitive WSDL content in an accessible location, directly enabling CAPEC-95; the CAPEC is only one narrow WSDL-specific variant of that exposure."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-539",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-21",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-539 supplies the exact sensitive cookie value that CAPEC-21 needs, enabling the pattern fully, yet CAPEC-21 only partially exploits this CWE because it also covers many other identifier types."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-539",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-31",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-539 supplies the sensitive persistent-cookie data that CAPEC-31 directly mines, enabling the access form of the attack (mostly) while the broader CAPEC pattern only partially maps onto this single CWE manifestation."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-539",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-39",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-539 supplies one client-side token type the CAPEC can target, but the attack works on URLs/data files too so enablement is only partial; CAPEC-39 broadly covers any opaque token and therefore only partially exploits the narrow cookie-specific weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-539",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-60",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Persistent cookies can supply stealable session IDs as one vector for replay, but CAPEC-60 works via any theft method and only partially maps onto the CWE's storage flaw."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-552",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-150",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-552 fully enables CAPEC-150 by exposing the predictable locations the attack needs, while CAPEC-150 only partially exploits CWE-552 as one broad collection tactic among many possible weaknesses."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-552",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-639",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-552 directly enables CAPEC-639 by exposing the files the probe needs, yet CAPEC-639 is only one narrow manifestation of the broad accessibility weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-553",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-650",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-553 is the post-upload state rather than a precondition for the upload action in CAPEC-650, so A enables B not at all; the attack does however target the same externally-writable directory surface that CWE-553 describes, exploiting it only partially as one concrete variant."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-564",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-109",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-564 is the exact Hibernate-specific weakness that CAPEC-109 requires to succeed, yet CAPEC-109 covers many ORM frameworks so it only partially targets this one CWE."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-565",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-226",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-565 directly supplies the missing cookie validation that CAPEC-226 requires to succeed, yet CAPEC-226 is only one narrow manipulation variant among many possible exploitations of the CWE."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-565",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-31",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-565's missing validation directly enables cookie modification/impersonation attacks to succeed, while CAPEC-31 is only one narrow variant among many possible exploits of that weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-565",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-39",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-565's missing validation is the exact precondition the CAPEC-39 manipulation requires, yet CAPEC-39 also covers non-cookie tokens so it only partially maps onto this cookie-specific CWE."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-59",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-132",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-59 enables CAPEC-132 fully because symlink attacks require the missing link-resolution check, yet CAPEC-132 exploits the CWE only partially as one narrow symlink variant within the broader link-following family."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-59",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-76",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-59 can serve as one optional step in a CAPEC-76 input-to-FS-call attack when a symlink is involved, but CAPEC-76 does not depend on or specifically target link-resolution failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-6",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-21",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Insufficient session-ID length directly enables guessing (a core step in CAPEC-21) but the pattern also covers sniffing/riding and many non-session identifiers, so exploitation of this specific CWE surface remains only partial."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-6",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-59",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Insufficient session-ID length directly supplies the predictability that CAPEC-59 requires, enabling the pattern fully, yet the CAPEC remains only one narrow prediction variant among many possible CWE-6 manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-601",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-178",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Open redirect supplies one possible vector for attacker-controlled external URLs referenced by Flash, but CAPEC-178 fundamentally exploits Flash's own URL-handling surface rather than depending on CWE-601."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-602",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-162",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-602 fully enables the attack by letting the server trust client-controlled values, while CAPEC-162 exploits that surface only partially as one narrow hidden-field variant."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-602",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-202",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-602 enables CAPEC-202 fully because server reliance on client enforcement is the direct precondition the malicious client violates, while CAPEC-202 exploits the CWE only partially as one narrow client-creation variant among many possible exploitation surfaces."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-602",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-207",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-602 enables CAPEC-207 fully because the attack directly removes client functionality the server trusts, while CAPEC-207 exploits the CWE only partially as one narrow removal variant among many possible bypasses."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-602",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-208",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-602 fully enables CAPEC-208 because the attack requires server trust in client-side monetary logic, while CAPEC-208 exploits the CWE only partially as one narrow monetary variant."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-602",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-21",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-602's reliance on client-supplied checks directly enables tampering with trusted identifiers, but CAPEC-21 is only one narrow variant among many possible CWE-602 manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-602",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-31",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-602 enables cookie tampering fully because the attack succeeds only when the server trusts client-controlled cookie state; CAPEC-31 exploits that surface only partially as one narrow variant among many client-trust failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-602",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-384",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-602 is a prerequisite for CAPEC-384 success (server must trust manipulated client messages), yet the CAPEC is only one narrow MITM variant among many CWE-602 manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-602",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-385",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-602 enables CAPEC-385 fully because absent server-side validation the MITM tampering succeeds; CAPEC-385 exploits the CWE only partially as one narrow API-manipulation variant among many possible client-trust abuses."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-602",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-386",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-602 enables CAPEC-386 mostly by letting client-supplied navigation data control outcomes the server should enforce, while the narrow remapping variant exploits that surface only partially."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-602",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-387",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-602's client-side trust directly enables CAPEC-387's client-data manipulation to succeed, while the CAPEC is only one narrow navigation-remapping variant among many CWE-602 manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-602",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-388",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-602 fully enables CAPEC-388 because button-destination manipulation succeeds only when the server trusts client-side API handling; CAPEC-388 exploits the CWE only partially as one narrow API-framework variant among many client-enforcement failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-61",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-27",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-61 fully enables CAPEC-27 because the attack cannot succeed without improper symlink resolution to an unauthorized target, while CAPEC-27 exploits the CWE only partially as one narrow TOCTOU race variant among many symlink-following manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-610",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-219",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-610 directly supplies the external reference control that WS-Routing detours rely on, yet CAPEC-219 is only one narrow XML-intermediary variant among many possible CWE-610 manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-611",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-221",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-611 fully enables CAPEC-221 because the DoS attack requires unrestricted external entity resolution, yet CAPEC-221 only partially exploits CWE-611 by covering one narrow DoS variant among many possible XXE abuses."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-614",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-102",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Missing Secure flag directly exposes the cookie to any HTTP channel (enabling sidejacking fully), yet sidejacking can capture tokens via many other exposure methods (exploiting this CWE only partially)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-638",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-104",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-638 does not enable zone bypass (attack works via content-loading flaws regardless of repeated mediation), while CAPEC-104 only partially exploits the CWE surface as one narrow manifestation of unchecked zone assignments."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-640",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-50",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-640's weak recovery mechanism directly enables CAPEC-50's exploitation (full), yet CAPEC-50 only covers narrow variants such as security-question attacks within the broader CWE family (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-642",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-21",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-642 enables CAPEC-21 fully because external access to trusted identifiers is a direct prerequisite, while CAPEC-21 exploits the CWE only partially as one narrow variant of broader critical-state exposures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-642",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-31",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-642 enables CAPEC-31 fully because the attack cannot occur without external storage of critical state in accessible cookies, while CAPEC-31 exploits CWE-642 only partially as one narrow cookie-specific variant of the broader weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-645",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-2",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-645's overly-sensitive lockout is the exact condition the CAPEC-2 attack requires, yet CAPEC-2 remains only one narrow manifestation among the broader family of lockout-abuse techniques."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-646",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-209",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-646's extension-based misclassification can aid dangerous file handling in some upload scenarios but is not required for CAPEC-209's MIME/browser-autodetect vector; CAPEC-209 targets MIME handling, not name/extension surfaces."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-648",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-234",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-648 permits privilege escalation via API misuse but is not required for process hijacking (forward partial); CAPEC-234 can leverage that misuse surface among many others (reverse partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-649",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-463",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-649 fully enables the padding-oracle attack by permitting undetected ciphertext tampering, while CAPEC-463 exploits that surface only as one narrow cryptographic variant among many possible integrity failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-654",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-16",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-654 enables CAPEC-16 fully because dictionary attacks succeed precisely when authentication rests on a single factor; CAPEC-16 exploits the CWE only partially as one narrow password-specific variant among many possible single-factor abuses."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-654",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-274",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-654 directly enables CAPEC-274 because verb-based access control is a canonical single-factor decision, yet the CAPEC is only one narrow manifestation among many possible single-factor flaws."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-654",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-49",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-654 directly enables CAPEC-49 by leaving only one secret to guess, while CAPEC-49 is merely one narrow brute-force variant among many single-factor attacks."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-654",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-55",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-55 hinges on unsalted hashes (CWE-759), not single-factor reliance; the attack only incidentally benefits from password-only auth."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-654",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-560",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Single-factor reliance fully enables credential attacks because the stolen password alone grants access, while CAPEC-560 exploits that surface only as one narrow variant among many single-factor failure modes."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-654",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-565",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-654 enables CAPEC-565 fully because spraying succeeds only when authentication rests on a single password factor; CAPEC-565 exploits the CWE only partially as one narrow variant among many single-factor attacks."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-654",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-600",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-654 enables CAPEC-600 fully because stuffing succeeds only when a single factor grants access; CAPEC-600 exploits the CWE only partially as one narrow reuse-based variant among many single-factor failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-654",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-652",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-654 enables CAPEC-652 fully because stolen single-factor Kerberos credentials suffice for access, while the narrow Kerberos variant exploits the broad single-factor weakness only partially."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-654",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-653",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Single-factor reliance directly enables credential-use attacks (no second factor blocks success), while the CAPEC is only one narrow password-based instance of that broad CWE."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-654",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-70",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-654 fully enables CAPEC-70 because password guessing succeeds only when a single factor is the sole gate; CAPEC-70 exploits that surface only partially as one narrow guessing variant among many single-factor attacks."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-662",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-25",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-662 creates the deadlock conditions that CAPEC-25 directly requires, while CAPEC-25 is only one narrow variant among many synchronization flaws."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-662",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-26",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-662's missing synchronization is the direct prerequisite that makes any race condition possible (full enablement), yet CAPEC-26 only exercises one narrow manifestation of that broad weakness family (partial exploitation)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-662",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-27",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-662's missing synchronization is the direct root of the race the CAPEC-27 symlink attack requires, yet the attack is only one narrow manifestation of that broad weakness class."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-662",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-29",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-662 enables CAPEC-29 fully because TOCTOU is a direct consequence of missing synchronization on a shared resource, while CAPEC-29 exploits the broad CWE only partially as one narrow race-condition variant."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-664",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-196",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-664's lifetime-control failure directly supplies the surface needed to forge usable credentials (mostly enabling), yet CAPEC-196 is only one narrow forgery variant among many possible resource-control failures (partial exploitation)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-664",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-21",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-664 enables CAPEC-21 mostly via lifetime mismanagement of identifiers (no expiry, reuse); CAPEC-21 exploits that surface only partially as one narrow variant among many resource-control failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-664",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-60",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-664's failure to manage session lifetime directly enables replay, while CAPEC-60 is only one narrow manifestation of that broad weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-664",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-61",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-664 fully enables CAPEC-61 because failure to regenerate or control session IDs after privilege change is exactly the required lifetime-control flaw, while CAPEC-61 only partially exploits the broad CWE-664 surface as one narrow session-specific variant."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-664",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-62",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-664 enables CSRF mostly via missing lifetime controls on session resources that the attack directly relies on, while CAPEC-62 exploits only one narrow slice of that broad CWE surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-665",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-26",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Improper initialization can create an exploitable window during concurrent access but is not required for race conditions, while CAPEC-26 targets ordering/synchronization flaws rather than initialization surfaces."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-667",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-25",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Improper locking directly creates the deadlock state that Forced Deadlock requires, yet CAPEC-25 is only one narrow way to trigger that CWE family."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-667",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-26",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Improper locking is a primary cause of exploitable race conditions so enables the pattern mostly, yet CAPEC-26 covers many synchronization flaws beyond locking and therefore exploits CWE-667 only partially."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-667",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-27",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Improper locking enables the TOCTOU race that CAPEC-27 relies on (mostly) while the symlink-specific pattern only exercises one narrow slice of locking failures (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-674",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-230",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-674 enables CAPEC-230 fully because the attack's resource exhaustion depends on absent recursion controls, while CAPEC-230 exploits the CWE only partially as one narrow nesting variant among many recursion issues."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-674",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-231",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Uncontrolled recursion enables only the deep-nesting subset of oversized-payload attacks and only in recursive parsers, while CAPEC-231 is a broad payload-size pattern that exploits the recursion surface only incidentally."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-680",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-10",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-680's allocation miscalculation is unrelated to CAPEC-10's env-var data injection, so neither enables nor is exploited by the other."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-680",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-100",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-680 directly produces the buffer overflow that CAPEC-100 executes, while CAPEC-100 is a broad pattern that only partially exploits this one specific integer-overflow variant."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-680",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-14",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-680 produces one class of BOF that CAPEC-14 could leverage, but the attack pattern works with any client BOF and never targets the integer-calculation surface itself."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-680",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-24",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-680 supplies one specific route to the buffer overflow required by CAPEC-24 (hence partial enablement) while CAPEC-24 never targets the allocation-arithmetic flaw itself (hence no exploitation)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-680",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-46",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-680 produces buffer overflows only via miscalculated allocation sizes, while CAPEC-46 directly supplies oversized tag/variable data and never relies on or targets that integer-overflow step."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-680",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-47",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-680 supplies one possible allocation miscalculation that can turn parameter expansion into overflow (partial enablement), while CAPEC-47 is a narrow expansion variant that only sometimes hinges on integer overflow (partial exploitation)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-680",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-8",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-680 produces one specific root cause of BO that CAPEC-8 can exploit, yet CAPEC-8 neither requires integer overflow nor is limited to it."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-680",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-9",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-680 supplies one specific root cause of the buffer overflows that CAPEC-9 targets, yet CAPEC-9 can succeed via other BO vectors and only partially matches the integer-overflow mechanism."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-680",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-92",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-680 supplies the exact unchecked allocation arithmetic that CAPEC-92 must trigger to reach buffer overflow, yet CAPEC-92 remains a broader forced-overflow technique usable against many other integer sinks."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-682",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-128",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-682 enables CAPEC-128 fully because integer wrap/overflow directly produces the incorrect results the weakness describes, while CAPEC-128 exploits the CWE only partially as one narrow integer-specific variant among many calculation flaws."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-682",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-129",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Incorrect calculations (esp. integer errors) can supply bad pointer values and thus enable pointer manipulation as one step, while CAPEC-129 only sometimes exploits that surface via integer attacks rather than directly targeting calculation flaws."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-689",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-26",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-689 is one narrow race-condition instance that partially enables the broad CAPEC-26 pattern while the pattern itself only partially exploits this specific permission-copy surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-69",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-168",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-69 is the direct precondition that lets CAPEC-168 succeed, yet CAPEC-168 is only one narrow ADS variant among the weakness's possible manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-691",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-29",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-691 enables CAPEC-29 fully because absent proper control-flow management the TOCTOU window cannot be closed; CAPEC-29 exploits CWE-691 only partially as one narrow race-condition variant among many control-flow failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-692",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-120",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Incomplete denylist (CWE-692) fully enables double-encoding bypass (CAPEC-120) because the attack succeeds precisely when the denylist omits encoded forms; CAPEC-120 exploits that surface only partially as one narrow encoding variant among many possible XSS bypasses."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-692",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-267",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Incomplete denylist (CWE-692) directly permits alternate-encoding XSS to succeed, enabling CAPEC-267 fully, yet the encoding technique only exploits one narrow gap among many possible denylist deficiencies."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-692",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-71",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-692's incomplete denylist directly enables CAPEC-71 by omitting Unicode variants; CAPEC-71 is only one narrow bypass among many possible denylist gaps."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-692",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-80",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Incomplete denylist fully enables UTF-8 bypass by omitting encoded variants, while the narrow encoding attack only partially exploits the broad denylist weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-693",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-1",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-693 enables CAPEC-1 fully because absent ACL protection failure the attack has no surface, while CAPEC-1 exploits CWE-693 only partially as one narrow ACL-specific variant among many protection-mechanism failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-693",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-107",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-693 enables CAPEC-107 mostly by leaving TRACE unprotected, yet CAPEC-107 exploits that surface only partially as one narrow XSS-assisted variant among many possible protection failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-693",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-127",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-693 enables CAPEC-127 fully because directory listing occurs only when protective controls are absent or misconfigured; CAPEC-127 exploits the CWE only partially as one narrow variant among many possible protection failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-693",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-17",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Absence of any protection mechanism directly enables arbitrary malicious-file execution, while CAPEC-17 is only one narrow variant among the many ways CWE-693 can be manifested."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-693",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-20",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-693 does not enable CAPEC-20 (brute-force key search succeeds or fails based on key space size alone), while CAPEC-20 exploits the CWE only narrowly when the protection in question is the cipher itself."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-693",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-22",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-693 enables CAPEC-22 fully because the attack requires a missing or broken protection mechanism (e.g., client authentication); CAPEC-22 exploits CWE-693 only partially as one narrow variant among many protection failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-693",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-237",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-693's missing protection fully enables the sandbox escape (attack cannot succeed without it), yet CAPEC-237 is only one narrow cross-language variant among many possible protection failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-693",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-36",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-693 enables CAPEC-36 fully because absent any protection failure the unpublished interfaces cannot be invoked; CAPEC-36 exploits CWE-693 only partially as one narrow discovery+invocation variant among many protection failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-693",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-477",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Absent correct use of a signature protection mechanism the mixing attack succeeds directly, yet CAPEC-477 is only one narrow manifestation among many possible protection-mechanism failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-693",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-480",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-693 enables CAPEC-480 fully because virtualization escape is impossible without a failure of the isolation protection; CAPEC-480 exploits CWE-693 only partially as one narrow variant among many protection-mechanism failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-693",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-51",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-693 enables CAPEC-51 fully because the registry-poisoning attack requires absent or broken protection on WS-Addressing/registry data; CAPEC-51 exploits the CWE only partially as one narrow registry-specific variant among many possible protection failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-693",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-57",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-693 enables CAPEC-57 fully because the attack requires absent post-termination protections, while CAPEC-57 exploits the broad weakness only partially as one narrow REST-specific variant."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-693",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-59",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-693 enables CAPEC-59 fully because absent any protection mechanism the predictable-ID vector has no obstacle, yet CAPEC-59 exploits only one narrow slice of the broad CWE-693 surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-693",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-65",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Lack of any protection mechanism directly enables passive capture of plaintext code, while CAPEC-65 is only one narrow sniffing variant among many possible exploits of CWE-693."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-693",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-668",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-693 enables CAPEC-668 fully because the attack requires the Bluetooth key-negotiation protection to be absent or bypassed, yet the narrow KNOB variant exploits only one slice of the broad protection-mechanism-failure surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-693",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-74",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-693 enables CAPEC-74 fully because absent any working protection mechanism the state manipulation succeeds, yet CAPEC-74 only partially exploits the broad CWE as one narrow state-focused variant among many possible protection failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-693",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-87",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-693 enables CAPEC-87 fully because the attack cannot succeed without a missing or broken protection mechanism, yet CAPEC-87 exploits only one narrow slice of the broad CWE-693 surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-695",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-36",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-695 directly supplies the prohibited low-level surface that CAPEC-36 requires, enabling the pattern fully, while CAPEC-36 is only one narrow variant among many possible low-level misuse cases."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-696",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-463",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Incorrect operation ordering can produce distinguishable padding-error states that enable the oracle leak, yet the CAPEC is a narrow crypto side-channel variant that only partially maps onto the broad CWE-696 family."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-697",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-10",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Incorrect comparison can contribute to faulty bounds checks that permit env-var overflows (partial enablement) while CAPEC-10 specifically targets env-var trust and buffer sizing rather than comparison logic itself (partial exploitation)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-697",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-120",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Incorrect comparison enables double-encoding bypass by failing to normalize/decode before matching (mostly), while CAPEC-120 is only one narrow encoding-specific variant of that broad CWE (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-697",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-14",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-14 requires a buffer-overflow vuln whose root cause may be an incorrect comparison but can equally be many other CWEs; the CAPEC itself never depends on CWE-697."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-697",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-15",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Incorrect comparison in denylist validation directly enables delimiter injection, yet CAPEC-15 is only one narrow variant among many possible incorrect-comparison flaws."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-697",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-182",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Incorrect comparison can be one enabling factor for loading attacker-controlled Flash references but is not required for the pattern, while CAPEC-182 is a narrow injection variant that only sometimes exploits comparison flaws."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-697",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-24",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-24 hinges on buffer overflow plus insecure failure handling, not on an incorrect comparison."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-697",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-267",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Incorrect comparison directly enables alternate-encoding bypass (full) while CAPEC-267 is only one narrow manifestation of that CWE (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-697",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-3",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Incorrect comparison enables the ghost-character bypass because the filter must equate semantically identical syntactic forms and fails to do so; the CAPEC is only one narrow syntactic variant among many possible incorrect-comparison failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-697",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-43",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Incorrect comparison can allow a layered bypass to succeed but is neither necessary nor the core issue; CAPEC-43 targets multi-pass parsing, exploiting CWE-697 only as one narrow validation flaw among others."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-697",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-44",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Incorrect comparison can contribute to flawed size checks that enable a binary-resource overflow, yet buffer overflows are primarily enabled by absent bounds checks rather than comparison errors; CAPEC-44 therefore only partially exploits this CWE surface as one narrow variant among many buffer-overflow vectors."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-697",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-45",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Buffer overflow via symlinks depends on missing bounds checks, not incorrect comparison, so the weakness neither enables nor is exploited by the pattern."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-697",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-46",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-46 hinges on absent boundary checks that produce buffer overflows, only incidentally touching an incorrect length comparison."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-697",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-47",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Incorrect comparison can enable the overflow when a flawed size/limit check permits expansion, but the attack can also succeed from a missing check entirely; CAPEC-47 is one narrow expansion variant among many possible CWE-697 manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-697",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-52",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Incorrect comparison of string inputs directly enables null-byte truncation attacks by failing to treat embedded NUL as a terminator, yet CAPEC-52 is only one narrow manifestation among many possible incorrect-comparison flaws."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-697",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-53",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Incorrect comparison is required for the filter bypass to succeed, enabling the pattern fully, yet CAPEC-53 is only one narrow encoding variant among many possible manifestations of CWE-697."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-697",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-6",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Incorrect comparison can contribute to failed argument validation (partial enablement) while argument injection broadly targets missing validation/filtering rather than comparison flaws specifically (partial exploitation)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-697",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-64",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Incorrect comparison directly enables the bypass (attack cannot succeed without it), while CAPEC-64 is only one narrow encoding/slash variant among many possible incorrect-comparison flaws."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-697",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-71",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Incorrect comparison fully enables the Unicode bypass (no correct normalization means the filter fails outright), while CAPEC-71 is only one narrow encoding variant among many possible manifestations of CWE-697."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-697",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-73",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Incorrect comparison can partially enable the attack by allowing a malicious filename to pass a flawed check, but CAPEC-73 exploits missing filename sanitization rather than any comparison flaw."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-697",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-78",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Incorrect comparison directly enables the encoding bypass (filter fails to normalize/decode before matching), while CAPEC-78 is only one narrow encoding variant among many possible incorrect-comparison flaws."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-697",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-79",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Incorrect comparison directly enables the slash-encoding bypass (no canonicalization means the attack lands), yet CAPEC-79 is only one narrow variant among many possible incorrect-comparison flaws."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-697",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-8",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Incorrect comparison can be one contributing factor in certain buffer-overflow preconditions but is neither necessary nor the primary cause for CAPEC-8, and CAPEC-8 does not target comparison flaws at all."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-697",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-80",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Incorrect comparison enables the UTF-8 bypass by allowing flawed validation to be evaded, but the narrow encoding-specific attack only partially exploits the broad CWE surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-697",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-9",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-9 hinges on buffer overflow (CWE-120 family), not incorrect comparison, though some BOF cases involve flawed size checks."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-697",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-92",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Incorrect comparison can allow overflowed values to pass checks and produce the attack effect, yet Forced Integer Overflow can succeed via other downstream misuse and only represents one narrow manifestation of comparison errors."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-706",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-159",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-706 supplies the exact incorrect-resolution surface CAPEC-159 needs, yet the CAPEC is only one narrow library-redirection variant among many CWE-706 manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-706",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-177",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-706's incorrect name resolution is the direct prerequisite that lets CAPEC-177 succeed (full enablement), yet CAPEC-177 is only one narrow file-name-collision variant among many CWE-706 manifestations (partial exploitation)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-706",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-48",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-706 supplies the exact incorrect name/reference resolution that CAPEC-48 requires to reach local files, yet CAPEC-48 is only one narrow filename-vs-URL variant among many CWE-706 manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-706",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-641",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-706 fully enables CAPEC-641 because side-loading succeeds only when a DLL name resolves outside the intended control sphere, yet the CAPEC remains one narrow variant among many CWE-706 manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-707",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-250",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-707 enables CAPEC-250 fully because XML injection requires failure to neutralize structured input, yet CAPEC-250 exploits the broad CWE only partially as one narrow variant among many neutralization failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-707",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-276",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Improper neutralization directly enables protocol manipulation by allowing malformed inter-component messages, yet the CAPEC is only one narrow variant among many possible protocol flaws."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-707",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-277",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-707 is the direct root cause that lets protocol data be altered or misinterpreted, enabling CAPEC-277 fully, while the CAPEC only partially exploits that surface as one of several possible protocol weaknesses."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-707",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-278",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-707 enables CAPEC-278 mostly because unsanitized inputs let unexpected protocol values succeed, while the narrow CAPEC variant exploits that surface only partially."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-707",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-279",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-707 enables CAPEC-279 mostly because SOAP parameter tampering directly depends on missing XML neutralization, yet CAPEC-279 exploits only one narrow XML/SOAP slice of the broad CWE-707 surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-707",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-3",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-707's failure to handle alternate syntactic forms fully enables the ghost-character bypass, while CAPEC-3 is only one narrow variant among many possible manifestations of the broad CWE."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-707",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-43",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-707's failure to neutralize layered input directly enables CAPEC-43's bypass technique, yet the narrow multi-pass variant only partially covers the broad neutralization weakness surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-707",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-468",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-707 enables CAPEC-468 fully by permitting attacker-controlled CSS text, while the narrow CSS-parser abuse exploits only one slice of the broad neutralization surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-707",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-52",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-707's failure to neutralize special bytes directly enables CAPEC-52's null-byte termination trick, yet the narrow CAPEC variant only partially exploits the broad neutralization surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-707",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-53",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-707's failure to enforce well-formed data fully enables the NULL/postfix encoding bypass, yet CAPEC-53 is only one narrow filter-evasion variant among many neutralization flaws."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-707",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-64",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-707's neutralization failure is a prerequisite the CAPEC-64 encoding bypass cannot succeed without, yet the pattern is only one narrow URL-slash variant among the CWE's many possible manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-707",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-7",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-707's neutralization failure is the direct prerequisite for any SQLi (hence full enablement), while CAPEC-7 is only one narrow blind variant among many neutralization manifestations (hence partial exploitation)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-707",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-78",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-707's neutralization failure is a prerequisite for CAPEC-78's encoding bypass (full enablement), yet the narrow slash-escape variant only partially covers the broad CWE surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-707",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-79",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-707 enables CAPEC-79 fully because the slash-encoding bypass requires a neutralization failure to succeed, while CAPEC-79 exploits CWE-707 only partially as one narrow encoding variant among many."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-707",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-83",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-707's missing neutralization is the direct prerequisite that fully enables CAPEC-83, yet the narrow XPath variant only partially exploits the broad CWE-707 surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-707",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-84",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-707's neutralization failure is a prerequisite for any XQuery injection to succeed, enabling CAPEC-84 fully, yet the narrow XQuery variant only partially exploits the broad CWE-707 surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-73",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-13",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-73 does not enable CAPEC-13 (env-var subversion works on many non-path settings), while CAPEC-13 exploits CWE-73 only in the narrow path-related subset of env vars."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-73",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-267",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-73 permits externally supplied paths but does not itself require or depend on encoding bypasses, while CAPEC-267 is a generic encoding technique that can contribute to path-control flaws yet applies equally to many other input-validation surfaces."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-73",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-64",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-73 enables CAPEC-64 mostly because unsanitized path control is required for the slash/encoding bypass to reach the filesystem; CAPEC-64 exploits CWE-73 only partially as one narrow encoding variant among many path-control weaknesses."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-73",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-72",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-73 enables URL-encoding attacks only when the target is path traversal, while CAPEC-72 is a narrow encoding technique that exploits path-control surfaces only partially."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-73",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-76",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-73 enables CAPEC-76 fully because the attack cannot succeed without external path control, yet CAPEC-76 exploits the CWE only partially as one narrow web-input variant among many possible manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-73",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-78",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-73 supplies the uncontrolled path surface that CAPEC-78's encoding bypass needs to reach the filesystem, yet CAPEC-78 is only one narrow slash-encoding variant among many ways to abuse that surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-73",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-79",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-73 supplies the external path control surface that CAPEC-79 needs, yet CAPEC-79 only exercises one narrow encoding bypass among many possible manifestations of that weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-73",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-80",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-73 is unnecessary for executing the general UTF-8 bypass in CAPEC-80, yet that encoding attack can partially target the validation surface of path-control flaws."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-732",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-1",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-732's missing/incorrect permissions directly enable the ACL-bypass attack with no alternative path, while CAPEC-1 is only one narrow functional-URL variant of the broad permission-assignment weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-732",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-122",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-732's misconfigured permissions directly enable the described privilege abuse with no alternative path, while CAPEC-122 broadly covers multiple access-control failure modes beyond just resource permission assignment."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-732",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-127",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-732 governs read/modify rights on a resource while CAPEC-127 only triggers a directory-listing response; neither the listing behavior nor its exploitation surface depends on permission mis-assignment."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-732",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-17",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Incorrect permissions directly grant the file access/execution surface CAPEC-17 needs, while the pattern itself is broader than permission errors alone."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-732",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-180",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-732 directly supplies the misconfigured permissions that CAPEC-180 requires, enabling the pattern fully, yet CAPEC-180 is a broad access-control family that only partially covers this specific permission-assignment weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-732",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-206",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Bad perms directly enable credential extraction for the attack (full), yet CAPEC-206 is only one narrow signing variant among many possible exploits of CWE-732 (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-732",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-234",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Incorrect permissions can serve as one enabling step for process hijacking (e.g., via binary replacement) but are not required for all variants, while the narrow CAPEC-234 pattern only partially covers the broad CWE-732 surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-732",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-60",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Incorrect perms can expose stored session IDs as one possible theft vector (partial enablement) but session replay itself targets session-management flaws, not resource permissions (no exploitation)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-732",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-61",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-61 hinges on unchanged/predictable session IDs and permissive ID acceptance, only incidentally touching permissive assignment of a critical resource."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-732",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-642",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-732 directly supplies the missing permissions that CAPEC-642 requires, yet CAPEC-642 is only one narrow binary-replacement variant among many possible mis-permission abuses."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-74",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-101",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-74 fully enables CAPEC-101 by leaving the required neutralization failure open, while CAPEC-101 exploits that surface only partially as one narrow SSI variant among many injection families."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-74",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-105",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-74 fully enables CAPEC-105 because the attack requires the ability to inject unneutralized CRLF elements into HTTP headers; CAPEC-105 exploits CWE-74 only partially as one narrow CRLF variant among many injection manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-74",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-108",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-74's neutralization failure is the direct prerequisite for the SQLi-to-shell sequence in CAPEC-108, yet the pattern is only one narrow manifestation among many CWE-74 variants."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-74",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-120",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-74's neutralization failure is the direct prerequisite that lets double-encoded payloads reach the parser (full enable), while CAPEC-120 is only one narrow encoding tactic among many injection variants (partial exploit)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-74",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-13",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-74 enables CAPEC-13 because improper neutralization of env-var inputs allows the subversion to succeed, while CAPEC-13 is only one narrow injection vector among the many covered by the broad CWE-74 family."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-74",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-135",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-74 fully enables CAPEC-135 by omitting neutralization of format specifiers, while the CAPEC only partially exploits the CWE as one narrow injection variant among many."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-74",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-14",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-74 enables the injection vector that CAPEC-14 requires to reach the client buffer overflow, but CAPEC-14 is only one narrow client-side manifestation of the broad CWE-74 family."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-74",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-24",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-24 exploits buffer overflow to bypass filtering and is not an instance of improper neutralization of special elements."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-74",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-250",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-74 fully enables CAPEC-250 because XML injection requires unneutralized special elements, while CAPEC-250 only partially exploits CWE-74 as one narrow XML variant among many injection families."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-74",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-267",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-74's neutralization failure directly enables any encoding-based bypass (full), while CAPEC-267 is only one narrow encoding variant among many CWE-74 manifestations (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-74",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-273",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-74's missing neutralization is the direct prerequisite that lets an attacker craft the duplicate-header or CRLF payload, yet CAPEC-273 is only one narrow HTTP-response variant among many possible CWE-74 manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-74",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-28",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-74 does not enable fuzzing (a discovery technique usable against any interface), while fuzzing can partially surface injection flaws by probing input handling without targeting the CWE specifically."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-74",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-3",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-74's missing neutralization directly enables the ghost-character bypass (full), yet CAPEC-3 is only one narrow filter-evasion variant among many CWE-74 manifestations (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-74",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-34",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-74 enables CAPEC-34 fully because response splitting requires unneutralized CR/LF injection, while CAPEC-34 exploits the broad CWE-74 family only partially as one narrow HTTP variant."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-74",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-42",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-42 centers on buffer overflow in MIME conversion (CWE-120 family), only incidentally touching the broad injection surface of CWE-74."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-74",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-43",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-74's neutralization failure is a prerequisite for any layered-interpretation bypass, enabling CAPEC-43 fully, yet CAPEC-43 is only one narrow variant among the many injection manifestations covered by the broad CWE."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-74",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-46",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-46 relies on absent length checks for oversized tag values (buffer overflow), not the neutralization-of-special-elements flaw that defines CWE-74."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-74",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-51",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-74 enables registry poisoning by allowing unneutralized inputs to corrupt WS-Addressing or metadata entries, but CAPEC-51 is only one narrow variant among many injection surfaces covered by the CWE."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-74",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-52",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-74 enables CAPEC-52 fully because unneutralized null bytes are a direct instance of the injection flaw, while CAPEC-52 exploits CWE-74 only partially as one narrow null-byte variant among many possible injections."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-74",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-53",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-74's missing neutralization is a prerequisite for the NULL/postfix encoding bypass to succeed (full enablement), yet CAPEC-53 is only one narrow encoding trick among the many injection variants covered by CWE-74 (partial exploitation)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-74",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-6",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-74 enables CAPEC-6 fully because argument injection requires the neutralization failure, while CAPEC-6 exploits CWE-74 only partially as one narrow variant among many injection forms."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-74",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-64",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-74 enables CAPEC-64 fully because the slash/encoding bypass requires a neutralization failure on special URL elements; CAPEC-64 exploits CWE-74 only partially as one narrow encoding variant among many injection manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-74",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-67",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-74 fully enables CAPEC-67 because the format-string misuse is impossible without the missing neutralization, yet CAPEC-67 only partially exploits the broad CWE surface as one narrow syslog variant."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-74",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-7",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-74 enables CAPEC-7 fully (no neutralization failure means no injection possible) while CAPEC-7 exploits the CWE only partially (narrow blind-SQL variant among many injection forms)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-74",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-71",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-74 supplies the missing neutralization surface that CAPEC-71's Unicode bypass directly targets, yet the CAPEC remains only one narrow encoding variant among many possible injections."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-74",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-72",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-74's failure to neutralize special elements directly enables any URL-encoding bypass that alters interpretation, while CAPEC-72 is only one narrow encoding technique among many CWE-74 variants."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-74",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-76",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-74 fully enables CAPEC-76 because the attack requires unneutralized special elements to reach file-system calls, yet CAPEC-76 only partially exploits CWE-74 as it is one narrow variant among many injection surfaces covered by the CWE."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-74",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-78",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-74 fully enables CAPEC-78 because the attack requires unneutralized special elements (backslash escapes) to reach the parser, while CAPEC-78 only partially exploits CWE-74 as one narrow encoding-specific variant of the broad injection family."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-74",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-79",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-74 fully enables CAPEC-79 because the attack cannot succeed without failure to neutralize encoded slashes, while CAPEC-79 only partially exploits CWE-74 as one narrow encoding variant among many injection surfaces."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-74",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-80",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-74's missing neutralization directly enables the UTF-8 bypass (attack fails without it), while CAPEC-80 is only one narrow encoding variant among many CWE-74 manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-74",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-83",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-74 enables CAPEC-83 fully because XPath injection cannot occur without the neutralization failure, while CAPEC-83 exploits CWE-74 only partially as one narrow XPath variant among many injection types."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-74",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-84",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-74 enables CAPEC-84 fully (no neutralization failure means no XQuery injection surface), while CAPEC-84 exploits CWE-74 only partially (narrow XQuery variant of the broad injection family)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-749",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-500",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-749's unrestricted interfaces directly enable the WebView code injection in CAPEC-500, yet the narrow CAPEC variant only partially covers the broad CWE surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-75",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-81",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-75 fully enables CAPEC-81 because log tampering by injection requires unsanitized special elements to reach the log plane, while CAPEC-81 exploits the CWE only partially as one narrow variant among many injection surfaces."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-75",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-93",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-75's missing sanitization of control-plane delimiters directly enables log forging (full), while CAPEC-93 is only one narrow manifestation of that broad weakness class (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-757",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-220",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-757 supplies one specific negotiable-algorithm flaw among many protocol weaknesses usable by the broad CAPEC-220 pattern, so each direction rates only partial."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-757",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-606",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-757 enables CAPEC-606 fully as the attack requires successful algorithm downgrade; CAPEC-606 exploits the CWE only partially as one narrow cellular variant among many downgrade manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-757",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-620",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-757 directly supplies the negotiable downgrade surface that CAPEC-620 requires, yet CAPEC-620 is only one narrow encryption-lowering variant among many possible manifestations of the CWE."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-77",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-136",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-136 hinges on LDAP-specific neutralization failure (CWE-90), not the broader command-oriented CWE-77."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-77",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-15",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-77 fully enables CAPEC-15 because delimiter injection requires the absence of neutralization, while CAPEC-15 only partially exploits CWE-77 as one narrow variant among many command-injection techniques."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-77",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-183",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-77 directly supplies the missing neutralization that CAPEC-183 requires, yet CAPEC-183 is only one narrow IMAP/SMTP variant of the broad command-injection family."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-77",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-248",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-77 is the precise neutralization failure that CAPEC-248 requires, enabling it fully, yet CAPEC-248 remains one canonical pattern among the CWE family and therefore exploits the surface only mostly."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-77",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-43",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-77's neutralization failure is required for CAPEC-43's layered bypass to succeed against commands, yet CAPEC-43 is only one narrow multi-pass variant among many command-injection techniques."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-77",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-76",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-77 enables file-system manipulation only when the calls occur via injectable shell commands (partial); CAPEC-76 is a narrow path-manipulation variant that exploits command-injection surfaces only incidentally (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-770",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-125",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-770 fully enables CAPEC-125 by removing any rate or allocation limits that flooding requires, while CAPEC-125 exploits that exact surface as its primary mechanism yet remains one broad variant among related resource-exhaustion patterns."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-770",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-130",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-770 enables CAPEC-130 fully because unlimited allocation is the direct prerequisite for the single-request exhaustion; CAPEC-130 exploits the CWE only partially as one narrow non-flooding variant among many possible manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-770",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-147",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-770 enables CAPEC-147 fully because unbounded allocation is required for any resource-depletion DoS to succeed, while CAPEC-147 exploits the CWE only partially as one narrow XML/SOAP flooding variant among many possible manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-770",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-197",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-770 directly enables CAPEC-197 by allowing unbounded growth from nested expansions, while CAPEC-197 is only one narrow variant among many possible resource-exhaustion techniques covered by the CWE."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-770",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-229",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-770 directly supplies the unbounded allocation surface the parser blow-up attack needs to reach DoS, while CAPEC-229 is only one narrow serialized-data manifestation of that CWE."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-770",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-230",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-770 fully enables CAPEC-230 because unbounded allocation is required for the nesting to exhaust resources, while CAPEC-230 only partially exploits CWE-770 as one narrow variant among many resource-exhaustion techniques."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-770",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-231",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-770 enables CAPEC-231 fully because unbounded allocation is a prerequisite for serialized-payload exhaustion, while CAPEC-231 exploits the CWE only partially as one narrow variant among many resource-exhaustion techniques."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-770",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-469",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-770 enables CAPEC-469 fully because unlimited allocation is the direct precondition for HTTP session exhaustion, while the CAPEC exploits the CWE only partially as one narrow flooding variant among many resource-depletion manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-770",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-482",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-770 enables CAPEC-482 fully (no resource caps lets unlimited TCP state accumulate), while the narrow SYN-flood variant exploits the CWE only partially."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-770",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-486",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-770 directly enables resource exhaustion from UDP floods (mostly) while CAPEC-486 is only one narrow flooding variant among many exhaustion techniques (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-770",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-487",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-770 enables CAPEC-487 mostly by allowing unbounded network-resource consumption, while CAPEC-487 exploits the CWE only partially as one narrow volumetric variant among many resource-exhaustion manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-770",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-488",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-770 enables CAPEC-488 fully because an HTTP flood succeeds only when no throttling exists, while CAPEC-488 exploits the CWE only partially as one narrow resource-exhaustion variant."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-770",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-489",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-770 fully enables CAPEC-489 since unbounded allocation is required for the SSL flood to exhaust resources, while CAPEC-489 exploits the weakness only partially as one narrow variant among many resource-exhaustion attacks."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-770",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-490",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-770 enables CAPEC-490 mostly by letting unlimited incoming responses exhaust target resources, while CAPEC-490 exploits the CWE only partially as one specific spoofed-amplifier variant among many resource-exhaustion techniques."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-770",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-491",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-770 fully enables CAPEC-491 because unbounded allocation is required for the quadratic expansion to produce DoS, while CAPEC-491 only partially exploits CWE-770 as one narrow entity-substitution variant among many resource-exhaustion techniques."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-770",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-493",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-770 enables CAPEC-493 fully because unbounded allocation is required for the array to exhaust memory, while CAPEC-493 exploits the CWE only partially as one narrow SOAP-array variant among many possible resource-exhaustion techniques."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-770",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-495",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-770 enables CAPEC-495 fully because the attack's resource exhaustion succeeds only when no allocation limits exist, while CAPEC-495 exploits CWE-770 only partially as one narrow UDP variant among many resource-consumption manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-770",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-496",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-770 enables CAPEC-496 fully (attack needs unbounded fragment reassembly buffers) while CAPEC-496 exploits CWE-770 only partially (one narrow ICMP variant among many resource-exhaustion techniques)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-770",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-528",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-770 enables CAPEC-528 fully because unbounded allocation is required for any XML flood to succeed, while CAPEC-528 exploits the CWE only partially as one narrow XML-specific variant among many resource-exhaustion attacks."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-772",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-469",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-772 enables CAPEC-469 fully because the attack requires the server to retain HTTP sessions indefinitely, while CAPEC-469 exploits the CWE only partially as one narrow resource-exhaustion variant among many."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-776",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-197",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-776 directly permits the nested DTD expansion that CAPEC-197 performs, so the weakness enables the pattern fully; CAPEC-197 however describes the general exponential-expansion technique across multiple data formats and therefore exploits only one narrow manifestation of CWE-776."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-78",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-108",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-78 is the direct, indispensable cause of the final command execution step, while CAPEC-108 is only one narrow SQL-mediated variant among many possible CWE-78 manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-78",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-15",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-78 fully enables CAPEC-15 because the delimiter attack requires the neutralization failure, while CAPEC-15 only partially exploits CWE-78 as one narrow variant among many OS command injection techniques."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-78",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-43",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-78 is not required for CAPEC-43 (which targets many input-validation surfaces), yet CAPEC-43's layered-bypass technique can partially exploit the neutralization failure described by CWE-78."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-78",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-6",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-78's neutralization failure directly supplies the surface CAPEC-6 needs to succeed, yet CAPEC-6 is only one narrow argument-focused variant among many CWE-78 manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-78",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-88",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-78 is the exact neutralization failure that CAPEC-88 requires to succeed, and CAPEC-88 is the canonical attack pattern written against that CWE surface rather than a narrow sub-variant."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-79",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-209",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-79 enables CAPEC-209 fully (neutralization failure is required for the MIME trick to execute), while CAPEC-209 exploits CWE-79 only partially (narrow MIME variant among many XSS forms)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-79",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-588",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-79 fully enables CAPEC-588 because DOM-based XSS requires the neutralization failure, while CAPEC-588 exploits the CWE only partially as one narrow variant among many XSS forms."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-79",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-591",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-79 enables CAPEC-591 fully because reflected XSS cannot execute without the neutralization flaw, while CAPEC-591 exploits CWE-79 only partially as one narrow reflected variant among many XSS manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-79",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-592",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-79 enables CAPEC-592 fully because stored XSS cannot occur without the neutralization failure, while CAPEC-592 exploits CWE-79 only partially as one narrow stored variant among many XSS manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-79",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-63",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-79 is the exact neutralization failure that CAPEC-63 requires to succeed, and CAPEC-63 is the canonical attack pattern written against that CWE family."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-798",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-191",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Hard-coded credentials are the canonical sensitive constant targeted by CAPEC-191, enabling the pattern fully, yet the pattern only covers the executable-analysis slice of the CWE's broader exploitation surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-798",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-70",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Hard-coded credentials supply one possible set of known values an attacker might try, yet CAPEC-70 succeeds against any default configuration and does not require the credentials to be embedded in code; conversely the pattern only partially covers the CWE because many hard-coded secrets are not common/default strings."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-80",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-18",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-80's neutralization failure directly enables script injection via unexpected tags (mostly), while CAPEC-18 is only one narrow non-script variant among many CWE-80 manifestations (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-80",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-32",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-80 fully enables CAPEC-32 because the neutralization failure is required for any query-string XSS to succeed, while CAPEC-32 only partially exploits CWE-80 as one narrow delivery variant among many XSS forms."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-80",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-86",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-80's neutralization failure is the direct prerequisite for any header-based script injection (full enablement), while CAPEC-86 is only one narrow header-specific variant among many possible CWE-80 manifestations (partial exploitation)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-805",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-100",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-805 supplies the exact incorrect-length condition that CAPEC-100 requires to overflow, yet CAPEC-100 also encompasses many other bounds-checking failures beyond length-value errors."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-805",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-256",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-805 enables CAPEC-256 fully because the attack depends on the server using the understated length for buffer operations, while CAPEC-256 exploits CWE-805 only partially as one narrow SOAP-array manifestation among many possible length-value errors."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-81",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-198",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-81 fully enables CAPEC-198 because the attack requires unneutralized script in error pages, while CAPEC-198 exploits the CWE only partially as one narrow error-page variant."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-822",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-129",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-822 fully enables CAPEC-129 because untrusted pointer values are the direct prerequisite for the described manipulation, while CAPEC-129 exploits the CWE only partially as one broad technique among many pointer variants."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-823",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-129",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-823's out-of-range arithmetic directly supplies the mechanism for CAPEC-129's unintended-memory access (full enablement), yet the broad CAPEC pattern covers many pointer techniques beyond this single offset flaw (partial exploitation)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-829",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-175",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-829 enables CAPEC-175 fully because the attack cannot succeed without importing executable code from an untrusted sphere, while CAPEC-175 exploits the CWE only partially as one narrow reference-replacement variant among many possible manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-829",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-201",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-829 concerns executable code inclusion from untrusted sources while CAPEC-201 exploits parser handling of external entity references in data files; neither direction shows enablement or exploitation."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-829",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-251",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-829 directly supplies the untrusted-include surface that CAPEC-251 requires, yet the CAPEC is only one narrow (local-file) variant among many possible manifestations of the CWE."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-829",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-252",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-829 enables CAPEC-252 fully because LFI is a direct realization of including executable code from outside the intended control sphere, while CAPEC-252 exploits the CWE only partially as one narrow PHP-specific variant among many possible manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-829",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-253",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-829 enables CAPEC-253 fully because remote arbitrary-code loading is impossible without importing from an untrusted sphere, while CAPEC-253 exploits the CWE only partially as one narrow remote variant among broader inclusion scenarios."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-829",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-263",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-829 directly supplies the untrusted executable surface that CAPEC-263 corrupts, yet the attack pattern remains only one narrow file-based variant among many possible manifestations of the weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-829",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-538",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-829 fully enables CAPEC-538 because the attack succeeds only when developers include the malicious OSS; CAPEC-538 exploits CWE-829 only partially as one narrow OSS-implantation variant among many untrusted-inclusion scenarios."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-829",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-549",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-829 supplies one vector for an adversary-supplied payload to run locally (partial enablement) while CAPEC-549 can achieve local execution through many unrelated weaknesses (partial exploitation)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-829",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-640",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-829 directly supplies the untrusted-code surface that CAPEC-640 needs to run malicious code inside a live process, yet CAPEC-640 only covers one narrow verification-bypass variant among many possible CWE-829 manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-829",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-660",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-829 permits loading of attacker-controlled code that hooking can abuse, but CAPEC-660 is a narrow runtime-evasion variant that does not require developer-introduced untrusted includes."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-829",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-695",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-829 fully enables repo jacking by permitting direct inclusion of VCS dependencies from an externally controlled sphere, while CAPEC-695 exploits that surface only partially as one narrow redirect-based variant among many possible manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-829",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-698",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-829's inclusion of untrusted functionality directly enables malicious extension installation (attack cannot succeed without that surface), while CAPEC-698 is only one narrow installation variant among many CWE-829 manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-83",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-243",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-83 directly supplies the attribute neutralization failure CAPEC-243 requires (full enablement), yet CAPEC-243 is only one narrow attribute-vector variant among many possible CWE-83 manifestations (partial exploitation)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-83",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-244",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-83 fully enables the attack by permitting unneutralized javascript:/data: URIs in attributes, while CAPEC-244 only partially exploits it as one narrow URI-placeholder variant of the broader weakness."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-83",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-588",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-83's server-side attribute neutralization flaw can indirectly aid certain DOM sinks but CAPEC-588 is driven by client-side validation/encoding defects unrelated to CWE-83."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-833",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-25",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-833 enables CAPEC-25 fully because the attack cannot succeed without an existing deadlock condition, while CAPEC-25 exploits the weakness only partially as one narrow forcing variant among possible deadlock manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-836",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-644",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-836 fully enables CAPEC-644 by making systems accept hashes directly for auth, while the narrow LM/NTLM pass-the-hash variant exploits that surface only partially."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-838",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-468",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-838 enables CAPEC-468 mostly because missing context-appropriate output encoding lets attacker-controlled text be emitted and parsed as CSS; CAPEC-468 exploits that surface only partially as one narrow CSS-injection variant among many CWE-838 manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-85",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-245",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-85 is the exact missing filter the CAPEC-245 bypass requires, enabling the pattern fully, yet the CAPEC remains one narrow variant among the broader XSS family and therefore exploits the CWE only partially."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-86",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-247",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-86 enables CAPEC-247 fully because the attack cannot succeed without the missing neutralization of invalid identifier characters, while CAPEC-247 exploits the CWE only partially as one narrow invalid-character variant among many possible manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-86",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-73",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-86 neutralization failure directly supplies the injection surface filenames rely on, yet CAPEC-73 is only one narrow filename-based variant among many possible CWE-86 manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-862",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-665",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-862 supplies the exact authorization flaw the CAPEC directly targets via firmware manipulation (full enablement), yet the CAPEC remains only one narrow Thunderbolt-specific variant among many possible CWE-862 manifestations (partial exploitation)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-87",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-199",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-87 is the exact neutralization failure that CAPEC-199 relies on, so the weakness enables the pattern fully and the pattern exploits that surface fully."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-88",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-137",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-88's missing delimiter neutralization directly supplies the surface CAPEC-137 needs to succeed, yet CAPEC-137 is a broad parameter-manipulation pattern of which argument injection is only one narrow realization."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-88",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-174",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-174 exploits unsanitized FlashVars in an HTML/Flash context (leading to script injection), which only tangentially overlaps the general command-argument delimiter weakness described by CWE-88."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-88",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-460",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-460 performs delimiter injection strictly inside HTTP query strings, while CWE-88 concerns command-line argument delimiters; the two touch the same abstract idea but share no direct exploitation surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-88",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-88",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-88's delimiter neutralization failure directly supplies the injection surface CAPEC-88 needs, yet CAPEC-88 also covers other command-separator and quoting vectors beyond strict argument delimiters."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-89",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-108",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-89 enables CAPEC-108 fully because the attack pattern requires successful SQL injection to reach command-line execution, yet CAPEC-108 exploits the CWE only partially as one narrow command-execution variant among many SQLi manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-89",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-109",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-89 supplies the missing neutralization that CAPEC-109 requires to succeed, yet CAPEC-109 is only one narrow ORM-mediated variant among many SQL-injection manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-89",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-110",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-89 fully enables CAPEC-110 because the SOAP tampering succeeds only when neutralization fails, yet CAPEC-110 exploits the CWE only partially as one narrow delivery variant among many SQLi forms."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-89",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-470",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-89 supplies the DB foothold that CAPEC-470 then uses for OS expansion, but CAPEC-470 itself does not target the neutralization flaw."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-89",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-66",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-89 is the exact root weakness that fully enables the general SQL Injection attack in CAPEC-66, which directly and fully exploits that same surface rather than a narrow variant."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-89",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-7",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-89 enables CAPEC-7 fully because blind injection cannot occur without the underlying SQL neutralization flaw, while CAPEC-7 exploits CWE-89 only partially as one narrow error-suppressed variant among many SQLi forms."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-90",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-136",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-90 is the exact root weakness that CAPEC-136 requires and directly performs, so each fully satisfies the other's definition."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-91",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-250",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-91's missing neutralization directly supplies the entire attack surface CAPEC-250 needs, yet CAPEC-250 is one concrete XML-database variant among the broader family of XML-injection behaviors covered by the CWE."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-91",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-83",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-91's failure to neutralize XML metacharacters fully enables the XPath injection attack, yet CAPEC-83 is only one narrow variant within the broader XML-injection surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-912",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-133",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "Hidden functionality supplies the target surface that switch-probing seeks, enabling the pattern to succeed, yet the CAPEC remains only one narrow discovery tactic among many possible manifestations of CWE-912."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-912",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-190",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-912 supplies the hidden functionality that CAPEC-190 is designed to locate, enabling the pattern fully, yet the pattern itself is only one narrow reverse-engineering technique among many possible ways to surface such functionality."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-916",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-55",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-916's weak/fast hashes directly enable feasible rainbow-table precomputation (full), while CAPEC-55 is only one narrow precomputation technique among many that exploit such hashes (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-918",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-664",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-918 is the exact weakness the CAPEC-664 pattern requires, enabling it fully, yet the CAPEC remains one canonical variant within the broader CWE family so its exploitation is only mostly complete."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-923",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-161",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-923's missing endpoint verification directly enables routing/infra manipulation attacks, while CAPEC-161 is a broad pattern that only partially maps onto this specific CWE surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-923",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-481",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-923 enables CAPEC-481 fully because contradictory destinations succeed only when endpoint validation is absent, while CAPEC-481 exploits the CWE only partially as one narrow routing technique among many possible manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-923",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-501",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-923 fully enables the hijack by leaving implicit intents open to any endpoint, while CAPEC-501 exploits that surface only as one narrow Android-specific variant."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-923",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-697",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-923 enables CAPEC-697 fully because absent endpoint authentication the spoof succeeds, yet the narrow DHCP variant exploits that surface only partially."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-925",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-499",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-925 permits spoofed senders to reach a receiver, enabling only the data-injection facet of CAPEC-499 while the core intercept technique exploits implicit-intent exposure rather than receiver verification."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-93",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-15",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CRLF is one possible command delimiter so CWE-93 enables only that variant of CAPEC-15 while CAPEC-15 only partially targets the CRLF neutralization surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-93",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-81",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-93 fully enables CAPEC-81 because log tampering via forged entries directly requires unneutralized CRLF, while CAPEC-81 is only one narrow log-specific variant among many CRLF manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-94",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-242",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-94 directly supplies the missing neutralization that CAPEC-242 requires to succeed (full enablement), yet CAPEC-242 remains one narrow execution-focused variant among the broader family of code-injection manifestations covered by CWE-94 (partial exploitation)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-94",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-35",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-94 directly enables CAPEC-35 by allowing unneutralized external input to become executable code, while CAPEC-35 is only one narrow file-based variant among many CWE-94 manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-94",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-77",
      "extent": "partial",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-94 enables variable-manipulation attacks only when those variables feed into code generation, while CAPEC-77 is a narrow input-vector variant that exploits the CWE surface only incidentally."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-940",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-500",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-940's missing origin check directly enables an external malicious app to reach and inject into a WebView (mostly), while CAPEC-500 is only one narrow manifestation among many possible source-verification failures (partial)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-940",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-594",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-940's missing source verification directly enables any traffic injection to succeed, while CAPEC-594 is a broad network-level pattern that only partially and indirectly exploits this particular verification gap."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-940",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-595",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-940 enables CAPEC-595 fully because forged RST packets succeed only when origin verification is absent; CAPEC-595 exploits the CWE only partially as one narrow TCP-specific variant among many possible channel-source failures."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-940",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-596",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-940's missing origin check is a prerequisite for any TCP RST injection to succeed (full enablement), while CAPEC-596 is only one narrow TCP-specific variant among many possible channel-spoofing attacks (partial exploitation)."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-943",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-676",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-943 fully enables CAPEC-676 because the injection requires the neutralization failure, while CAPEC-676 exploits the CWE only partially as one narrow NoSQL variant among many query types."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-95",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-35",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-35 exploits file-trust issues via multiple mechanisms, only occasionally using dynamic eval, while CWE-95 is not a primary vector for this file-based pattern."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-96",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-35",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-96's failure to neutralize injected directives in config/resource files directly enables CAPEC-35's file-trust abuse, but CAPEC-35 is only one narrow manifestation among many possible static-injection variants."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-96",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-73",
      "extent": "mostly",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-96's failure to neutralize input before writing to saved resources directly enables filename-driven injection, but CAPEC-73 is only one narrow filename-based variant among many static-injection manifestations."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-96",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-77",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-77 targets variable overriding via unsanitized input to alter logic; CWE-96 is a narrower static-resource code-directive flaw that the attack pattern only incidentally touches via shared sanitization issues."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-96",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-81",
      "extent": "none",
      "relation": "covers",
      "authority": "manual_QA",
      "notes": "CAPEC-81 can exploit CWE-96 only in the narrow asynchronous log-processing subcase, while the CWE itself is unrelated to web-log tampering."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-97",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-101",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-97 is the exact missing neutralization that CAPEC-101 requires, so the weakness enables the pattern fully and the pattern exploits that surface fully rather than as a narrow sub-variant."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-98",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-193",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-98 is the exact weakness that CAPEC-193 is written to exploit, so the weakness enables the pattern fully and the pattern exploits that weakness's surface fully."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-99",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-240",
      "extent": "full",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-99 enables CAPEC-240 fully as the exact underlying flaw required for resource identifier manipulation, while CAPEC-240 exploits the CWE only partially as one narrow attack variant among the weakness's broader surface."
    },
    {
      "source_framework": "CWE",
      "source_id": "CWE-99",
      "target_framework": "CAPEC",
      "target_id": "CAPEC-75",
      "extent": "none",
      "relation": "enables",
      "authority": "manual_QA_v2",
      "notes": "CWE-99 resource-identifier flaws do not enable or underlie CAPEC-75 file-modification attacks, which instead hinge on write permissions and direct file access."
    }
  ]
}