CWE — cumulative coverage
666 of 969 CWE items carry authoritative control / attack-technique coverage. Each item's verdict (Full, Mostly or Partial) is the strongest single inbound mapping; the bar on the original page shows the spread, and each row shows how many sources (and from which frameworks) contribute. Authoritative mappings only.
Base 372/539 · 372 covered
CWE | Name | Verdict | Sources | Contributing frameworks (mapping count)
CWE-770 | Allocation of Resources Without Limits or Throttling | Full | 32 src | CAPEC 19, MITRE ATT&CK 7, DISA STIG Oracle Linux 8 2, DISA STIG Oracle Linux 9 2, DISA STIG Rhel 8 1, OWASP ASVS 5.0 1
CWE-308 | Use of Single-factor Authentication | Full | 30 src | MITRE ATT&CK 13, CAPEC 13, OWASP ASVS 5.0 3, OWASP Web Top 10 (2025) 1
CWE-654 | Reliance on a Single Factor in a Security Decision | Full | 29 src | MITRE ATT&CK 15, CAPEC 10, OWASP ASVS 5.0 1, DISA STIG Ubuntu 22 04 1, DISA STIG Oracle Linux 9 1, DISA STIG Rhel 9 1
CWE-829 | Inclusion of Functionality from Untrusted Control Sphere | Full | 28 src | CAPEC 11, MITRE ATT&CK 8, OWASP ASVS 5.0 2, OWASP Web Top 10 (2025) 1, DISA STIG Oracle Linux 8 1, DISA STIG Oracle Linux 9 1, DISA STIG Rhel 7 1, DISA STIG Rhel 8 1, DISA STIG Rhel 9 1, DISA STIG Windows 10 1
CWE-290 | Authentication Bypass by Spoofing | Full | 27 src | MITRE ATT&CK 10, CAPEC 10, OWASP ASVS 5.0 3, OWASP Web Top 10 (2025) 1, DISA STIG Oracle Linux 8 1, DISA STIG Rhel 7 1, DISA STIG Rhel 8 1
CWE-309 | Use of Password System for Primary Authentication | Full | 25 src | CAPEC 12, MITRE ATT&CK 11, OWASP Web Top 10 (2025) 1, DISA STIG Oracle Linux 8 1
CWE-521 | Weak Password Requirements | Full | 24 src | MITRE ATT&CK 9, CAPEC 9, OWASP ASVS 5.0 3, DISA STIG Rhel 7 2, OWASP Web Top 10 (2025) 1
CWE-494 | Download of Code Without Integrity Check | Full | 23 src | CAPEC 12, MITRE ATT&CK 4, DISA STIG Rhel 7 2, DISA STIG Oracle Linux 9 1, DISA STIG Rhel 8 1, OWASP Web Top 10 (2025) 1, DISA STIG Oracle Linux 8 1, DISA STIG Rhel 9 1
CWE-778 | Insufficient Logging | Full | 23 src | NIST CSF 2.0 14, DISA STIG Rhel 8 4, DISA STIG Oracle Linux 8 2, OWASP Web Top 10 (2025) 1, DISA STIG Oracle Linux 9 1, DISA STIG Rhel 9 1
CWE-328 | Use of Weak Hash | Full | 19 src | MITRE ATT&CK 8, OWASP ASVS 5.0 2, OWASP Web Top 10 (2025) 2, CAPEC 2, DISA STIG Windows 11 1, DISA STIG Windows Server 2016 1, DISA STIG Windows Server 2022 1, DISA STIG Windows 10 1, DISA STIG Windows Server 2019 1
CWE-354 | Improper Validation of Integrity Check Value | Full | 19 src | MITRE ATT&CK 9, DISA STIG Oracle Linux 8 2, DISA STIG Rhel 7 2, DISA STIG Rhel 8 2, CAPEC 2, DISA STIG Oracle Linux 9 1, OWASP Web Top 10 (2025) 1
CWE-757 | Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') | Full | 19 src | OWASP ASVS 5.0 8, CAPEC 3, MITRE ATT&CK 2, DISA STIG Windows 10 1, OWASP Web Top 10 (2025) 1, DISA STIG Windows 11 1, DISA STIG Windows Server 2016 1, DISA STIG Windows Server 2019 1, DISA STIG Windows Server 2022 1
CWE-223 | Omission of Security-relevant Information | Full | 17 src | NIST CSF 2.0 12, DISA STIG Ubuntu 22 04 2, DISA STIG Ubuntu 24 04 2, OWASP Web Top 10 (2025) 1
CWE-294 | Authentication Bypass by Capture-replay | Full | 17 src | MITRE ATT&CK 8, CAPEC 6, OWASP ASVS 5.0 2, OWASP Web Top 10 (2025) 1
CWE-306 | Missing Authentication for Critical Function | Full | 16 src | CAPEC 4, OWASP ASVS 5.0 3, DISA STIG Rhel 8 2, DISA STIG Rhel 7 2, DISA STIG Oracle Linux 8 2, MITRE ATT&CK 2, OWASP Web Top 10 (2025) 1
CWE-353 | Missing Support for Integrity Check | Full | 16 src | MITRE ATT&CK 4, CAPEC 4, OWASP ASVS 5.0 3, DISA STIG Oracle Linux 8 3, OWASP Web Top 10 (2025) 1, DISA STIG Rhel 8 1
CWE-94 | Improper Control of Generation of Code ('Code Injection') | Full | 16 src | MITRE ATT&CK 10, CAPEC 3, OWASP Web Top 10 (2025) 1, OWASP ASVS 5.0 1, NIST CSF 2.0 1
CWE-347 | Improper Verification of Cryptographic Signature | Full | 15 src | MITRE ATT&CK 5, DISA STIG Oracle Linux 9 2, DISA STIG Oracle Linux 8 2, DISA STIG Rhel 7 2, DISA STIG Rhel 8 1, DISA STIG Rhel 9 1, CAPEC 1, OWASP Web Top 10 (2025) 1
CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | Full | 15 src | CAPEC 5, MITRE ATT&CK 5, OWASP ASVS 5.0 2, NIST CSF 2.0 2, OWASP Web Top 10 (2025) 1
CWE-288 | Authentication Bypass Using an Alternate Path or Channel | Full | 14 src | DISA STIG Rhel 7 3, MITRE ATT&CK 3, DISA STIG Oracle Linux 9 2, DISA STIG Oracle Linux 8 2, OWASP ASVS 5.0 2, OWASP Web Top 10 (2025) 1, CAPEC 1
CWE-307 | Improper Restriction of Excessive Authentication Attempts | Full | 14 src | CAPEC 6, MITRE ATT&CK 5, DISA STIG Rhel 7 2, OWASP Web Top 10 (2025) 1
CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | Full | 14 src | CAPEC 5, MITRE ATT&CK 4, OWASP ASVS 5.0 2, NIST CSF 2.0 2, OWASP Web Top 10 (2025) 1
CWE-1188 | Initialization of a Resource with an Insecure Default | Full | 13 src | MITRE ATT&CK 4, OWASP ASVS 5.0 2, DISA STIG Rhel 7 1, DISA STIG Windows Server 2019 1, DISA STIG Ubuntu 22 04 1, DISA STIG Ubuntu 24 04 1, CAPEC 1, DISA STIG Windows Server 2016 1, DISA STIG Oracle Linux 8 1
CWE-1241 | Use of Predictable Algorithm in Random Number Generator | Full | 12 src | OWASP ASVS 5.0 4, DISA STIG Oracle Linux 8 2, DISA STIG Rhel 8 2, MITRE ATT&CK 2, OWASP Web Top 10 (2025) 1, CAPEC 1
CWE-1284 | Improper Validation of Specified Quantity in Input | Full | 12 src | OWASP ASVS 5.0 7, MITRE ATT&CK 5
CWE-295 | Improper Certificate Validation | Full | 12 src | DISA STIG Oracle Linux 8 3, MITRE ATT&CK 3, DISA STIG Rhel 7 2, DISA STIG Rhel 8 2, CAPEC 1, OWASP Web Top 10 (2025) 1
CWE-343 | Predictable Value Range from Previous Values | Full | 12 src | OWASP ASVS 5.0 7, MITRE ATT&CK 4, DISA STIG Oracle Linux 8 1
CWE-940 | Improper Verification of Source of a Communication Channel | Full | 12 src | MITRE ATT&CK 4, CAPEC 4, OWASP ASVS 5.0 3, OWASP Web Top 10 (2025) 1
CWE-1285 | Improper Validation of Specified Index, Position, or Offset in Input | Full | 10 src | OWASP ASVS 5.0 5, MITRE ATT&CK 5
CWE-88 | Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') | Full | 10 src | MITRE ATT&CK 4, CAPEC 4, OWASP ASVS 5.0 1, OWASP Web Top 10 (2025) 1
CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | Full | 9 src | CAPEC 5, OWASP ASVS 5.0 1, OWASP Web Top 10 (2025) 1, MITRE ATT&CK 1, NIST CSF 2.0 1
CWE-302 | Authentication Bypass by Assumed-Immutable Data | Full | 9 src | CAPEC 6, MITRE ATT&CK 2, OWASP Web Top 10 (2025) 1
CWE-798 | Use of Hard-coded Credentials | Full | 9 src | MITRE ATT&CK 5, CAPEC 2, OWASP Web Top 10 (2025) 1, NIST CSF 2.0 1
CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | Full | 9 src | CAPEC 5, NIST CSF 2.0 2, OWASP Web Top 10 (2025) 1, MITRE ATT&CK 1
CWE-1240 | Use of a Cryptographic Primitive with a Risky Implementation | Full | 8 src | DISA STIG Oracle Linux 8 2, DISA STIG Rhel 8 2, DISA STIG Oracle Linux 9 1, OWASP Web Top 10 (2025) 1, MITRE ATT&CK 1, CAPEC 1
CWE-209 | Generation of Error Message Containing Sensitive Information | Full | 8 src | CAPEC 3, MITRE ATT&CK 3, OWASP ASVS 5.0 1, OWASP Web Top 10 (2025) 1
CWE-419 | Unprotected Primary Channel | Full | 8 src | MITRE ATT&CK 3, DISA STIG Oracle Linux 8 2, DISA STIG Oracle Linux 9 1, OWASP Web Top 10 (2025) 1, CAPEC 1
CWE-444 | Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') | Full | 8 src | OWASP ASVS 5.0 4, CAPEC 2, MITRE ATT&CK 1, OWASP Web Top 10 (2025) 1
CWE-538 | Insertion of Sensitive Information into Externally-Accessible File or Directory | Full | 8 src | OWASP ASVS 5.0 2, MITRE ATT&CK 2, OWASP Web Top 10 (2025) 1, CAPEC 1, DISA STIG Oracle Linux 8 1, DISA STIG Rhel 8 1
CWE-565 | Reliance on Cookies without Validation and Integrity Checking | Full | 8 src | MITRE ATT&CK 4, CAPEC 3, OWASP Web Top 10 (2025) 1
CWE-749 | Exposed Dangerous Method or Function | Full | 8 src | DISA STIG Ubuntu 22 04 3, OWASP Web Top 10 (2025) 1, OWASP ASVS 5.0 1, MITRE ATT&CK 1, CAPEC 1, DISA STIG Ubuntu 24 04 1
CWE-843 | Access of Resource Using Incompatible Type ('Type Confusion') | Full | 8 src | MITRE ATT&CK 5, OWASP ASVS 5.0 3
CWE-1295 | Debug Messages Revealing Unnecessary Information | Full | 7 src | MITRE ATT&CK 2, OWASP ASVS 5.0 1, CAPEC 1, DISA STIG Windows 10 1, DISA STIG Windows Server 2016 1, DISA STIG Windows Server 2019 1
CWE-1392 | Use of Default Credentials | Full | 7 src | MITRE ATT&CK 5, OWASP Web Top 10 (2025) 1, OWASP ASVS 5.0 1
CWE-201 | Insertion of Sensitive Information Into Sent Data | Full | 7 src | CAPEC 3, MITRE ATT&CK 2, OWASP ASVS 5.0 1, OWASP Web Top 10 (2025) 1
CWE-296 | Improper Following of a Certificate's Chain of Trust | Full | 7 src | MITRE ATT&CK 2, DISA STIG Oracle Linux 8 1, DISA STIG Rhel 8 1, DISA STIG Oracle Linux 9 1, DISA STIG Rhel 9 1, OWASP Web Top 10 (2025) 1
CWE-335 | Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) | Full | 7 src | OWASP ASVS 5.0 2, MITRE ATT&CK 2, OWASP Web Top 10 (2025) 1, DISA STIG Oracle Linux 8 1, DISA STIG Rhel 8 1
CWE-338 | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) | Full | 7 src | OWASP ASVS 5.0 2, OWASP Web Top 10 (2025) 1, DISA STIG Oracle Linux 8 1, DISA STIG Ubuntu 22 04 1, DISA STIG Rhel 8 1, MITRE ATT&CK 1
CWE-367 | Time-of-check Time-of-use (TOCTOU) Race Condition | Full | 7 src | MITRE ATT&CK 3, OWASP ASVS 5.0 2, CAPEC 2
CWE-838 | Inappropriate Encoding for Output Context | Full | 7 src | OWASP ASVS 5.0 4, MITRE ATT&CK 2, CAPEC 1
CWE-1104 | Use of Unmaintained Third Party Components | Full | 6 src | MITRE ATT&CK 2, OWASP Web Top 10 (2025) 1, OWASP ASVS 5.0 1, DISA STIG Oracle Linux 8 1, NIST CSF 2.0 1
CWE-1204 | Generation of Weak Initialization Vector (IV) | Full | 6 src | OWASP Web Top 10 (2025) 1, DISA STIG Rhel 7 1, CAPEC 1, DISA STIG Oracle Linux 8 1, DISA STIG Rhel 8 1, MITRE ATT&CK 1
CWE-23 | Relative Path Traversal | Full | 6 src | MITRE ATT&CK 2, CAPEC 2, OWASP ASVS 5.0 1, OWASP Web Top 10 (2025) 1
CWE-257 | Storing Passwords in a Recoverable Format | Full | 6 src | MITRE ATT&CK 4, OWASP ASVS 5.0 1, CAPEC 1
CWE-304 | Missing Critical Step in Authentication | Full | 6 src | DISA STIG Rhel 7 2, OWASP Web Top 10 (2025) 1, DISA STIG Ubuntu 22 04 1, OWASP ASVS 5.0 1, MITRE ATT&CK 1
CWE-319 | Cleartext Transmission of Sensitive Information | Full | 6 src | CAPEC 4, OWASP Web Top 10 (2025) 1, MITRE ATT&CK 1
CWE-524 | Use of Cache Containing Sensitive Information | Full | 6 src | MITRE ATT&CK 4, OWASP ASVS 5.0 1, CAPEC 1
CWE-603 | Use of Client-Side Authentication | Full | 6 src | OWASP ASVS 5.0 4, OWASP Web Top 10 (2025) 1, MITRE ATT&CK 1
CWE-76 | Improper Neutralization of Equivalent Special Elements | Full | 6 src | MITRE ATT&CK 5, OWASP Web Top 10 (2025) 1
CWE-918 | Server-Side Request Forgery (SSRF) | Full | 6 src | OWASP ASVS 5.0 3, CAPEC 1, OWASP Web Top 10 (2025) 1, MITRE ATT&CK 1
CWE-93 | Improper Neutralization of CRLF Sequences ('CRLF Injection') | Full | 6 src | CAPEC 2, MITRE ATT&CK 2, OWASP ASVS 5.0 1, OWASP Web Top 10 (2025) 1
CWE-356 | Product UI does not Warn User of Unsafe Actions | Full | 5 src | MITRE ATT&CK 4, OWASP Web Top 10 (2025) 1
CWE-425 | Direct Request ('Forced Browsing') | Full | 5 src | CAPEC 3, OWASP Web Top 10 (2025) 1, MITRE ATT&CK 1
CWE-502 | Deserialization of Untrusted Data | Full | 5 src | MITRE ATT&CK 3, OWASP Web Top 10 (2025) 1, CAPEC 1
CWE-523 | Unprotected Transport of Credentials | Full | 5 src | DISA STIG Rhel 8 2, OWASP Web Top 10 (2025) 1, MITRE ATT&CK 1, CAPEC 1
CWE-611 | Improper Restriction of XML External Entity Reference | Full | 5 src | MITRE ATT&CK 2, OWASP ASVS 5.0 1, OWASP Web Top 10 (2025) 1, CAPEC 1
CWE-916 | Use of Password Hash With Insufficient Computational Effort | Full | 5 src | MITRE ATT&CK 2, OWASP ASVS 5.0 1, OWASP Web Top 10 (2025) 1, CAPEC 1
CWE-917 | Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') | Full | 5 src | OWASP ASVS 5.0 3, OWASP Web Top 10 (2025) 1, MITRE ATT&CK 1
CWE-1236 | Improper Neutralization of Formula Elements in a CSV File | Full | 4 src | MITRE ATT&CK 3, OWASP ASVS 5.0 1
CWE-1336 | Improper Neutralization of Special Elements Used in a Template Engine | Full | 4 src | OWASP ASVS 5.0 2, OWASP Web Top 10 (2025) 1, MITRE ATT&CK 1
CWE-210 | Self-generated Error Message Containing Sensitive Information | Full | 4 src | MITRE ATT&CK 3, OWASP ASVS 5.0 1
CWE-260 | Password in Configuration File | Full | 4 src | MITRE ATT&CK 2, OWASP Web Top 10 (2025) 1, DISA STIG Rhel 7 1
CWE-289 | Authentication Bypass by Alternate Name | Full | 4 src | OWASP Web Top 10 (2025) 1, DISA STIG Oracle Linux 8 1, MITRE ATT&CK 1, DISA STIG Rhel 7 1
CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') | Full | 4 src | OWASP ASVS 5.0 1, CAPEC 1, OWASP Web Top 10 (2025) 1, MITRE ATT&CK 1
CWE-643 | Improper Neutralization of Data within XPath Expressions ('XPath Injection') | Full | 4 src | OWASP ASVS 5.0 2, OWASP Web Top 10 (2025) 1, MITRE ATT&CK 1
CWE-652 | Improper Neutralization of Data within XQuery Expressions ('XQuery Injection') | Full | 4 src | OWASP ASVS 5.0 2, OWASP Web Top 10 (2025) 1, MITRE ATT&CK 1
CWE-776 | Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') | Full | 4 src | MITRE ATT&CK 2, OWASP Web Top 10 (2025) 1, CAPEC 1
CWE-836 | Use of Password Hash Instead of Password for Authentication | Full | 4 src | MITRE ATT&CK 2, OWASP Web Top 10 (2025) 1, CAPEC 1
CWE-90 | Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') | Full | 4 src | OWASP ASVS 5.0 1, CAPEC 1, OWASP Web Top 10 (2025) 1, MITRE ATT&CK 1
CWE-215 | Insertion of Sensitive Information Into Debugging Code | Full | 3 src | OWASP ASVS 5.0 1, OWASP Web Top 10 (2025) 1, MITRE ATT&CK 1
CWE-358 | Improperly Implemented Security Check for Standard | Full | 3 src | MITRE ATT&CK 2, OWASP ASVS 5.0 1
CWE-640 | Weak Password Recovery Mechanism for Forgotten Password | Full | 3 src | OWASP Web Top 10 (2025) 1, CAPEC 1, OWASP ASVS 5.0 1
CWE-323 | Reusing a Nonce, Key Pair in Encryption | Full | 2 src | OWASP ASVS 5.0 1, OWASP Web Top 10 (2025) 1
CWE-639 | Authorization Bypass Through User-Controlled Key | Full | 2 src | OWASP Web Top 10 (2025) 1, MITRE ATT&CK 1
CWE-1271 | Uninitialized Value on Reset for Registers Holding Security Settings | Full | 1 src | OWASP Web Top 10 (2025) 1
CWE-15 | External Control of System or Configuration Setting | Mostly | 21 src | MITRE ATT&CK 12, CAPEC 8, OWASP Web Top 10 (2025) 1
CWE-212 | Improper Removal of Sensitive Information Before Storage or Transfer | Mostly | 19 src | MITRE ATT&CK 12, DISA STIG Oracle Linux 8 3, OWASP ASVS 5.0 2, DISA STIG Rhel 8 1, DISA STIG Oracle Linux 9 1
CWE-120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | Mostly | 17 src | CAPEC 12, MITRE ATT&CK 5
CWE-552 | Files or Directories Accessible to External Parties | Mostly | 16 src | MITRE ATT&CK 11, CAPEC 2, DISA STIG Oracle Linux 8 2, OWASP Web Top 10 (2025) 1
CWE-1220 | Insufficient Granularity of Access Control | Mostly | 15 src | OWASP ASVS 5.0 5, MITRE ATT&CK 4, NIST CSF 2.0 2, CAPEC 2, DISA STIG Windows Server 2016 1, DISA STIG Windows Server 2022 1
CWE-250 | Execution with Unnecessary Privileges | Mostly | 15 src | MITRE ATT&CK 4, CAPEC 3, OWASP ASVS 5.0 2, NIST CSF 2.0 1, DISA STIG Windows 10 1, DISA STIG Windows 11 1, DISA STIG Windows Server 2016 1, DISA STIG Windows Server 2019 1, DISA STIG Windows Server 2022 1
CWE-267 | Privilege Defined With Unsafe Actions | Mostly | 15 src | MITRE ATT&CK 8, DISA STIG Ubuntu 22 04 3, CAPEC 2, DISA STIG Oracle Linux 9 1, OWASP ASVS 5.0 1
CWE-205 | Observable Behavioral Discrepancy | Mostly | 14 src | MITRE ATT&CK 9, CAPEC 2, DISA STIG Oracle Linux 8 2, DISA STIG Oracle Linux 9 1
CWE-359 | Exposure of Private Personal Information to an Unauthorized Actor | Mostly | 14 src | MITRE ATT&CK 5, CAPEC 4, OWASP ASVS 5.0 2, OWASP Web Top 10 (2025) 1, DISA STIG Ubuntu 22 04 1, DISA STIG Ubuntu 24 04 1
CWE-226 | Sensitive Information in Resource Not Removed Before Reuse | Mostly | 13 src | MITRE ATT&CK 6, OWASP ASVS 5.0 2, CAPEC 1, DISA STIG Oracle Linux 8 1, DISA STIG Oracle Linux 9 1, DISA STIG Rhel 8 1, DISA STIG Rhel 9 1
CWE-348 | Use of Less Trusted Source | Mostly | 13 src | MITRE ATT&CK 6, CAPEC 4, DISA STIG Oracle Linux 8 1, DISA STIG Oracle Linux 9 1, DISA STIG Rhel 7 1
CWE-73 | External Control of File Name or Path | Mostly | 13 src | CAPEC 8, MITRE ATT&CK 3, OWASP ASVS 5.0 1, OWASP Web Top 10 (2025) 1
CWE-213 | Exposure of Sensitive Information Due to Incompatible Policies | Mostly | 12 src | MITRE ATT&CK 6, OWASP ASVS 5.0 4, DISA STIG Ubuntu 24 04 1, DISA STIG Windows Server 2019 1
CWE-276 | Incorrect Default Permissions | Mostly | 12 src | MITRE ATT&CK 4, DISA STIG Windows Server 2016 2, DISA STIG Windows Server 2019 2, DISA STIG Windows Server 2022 2, CAPEC 1, OWASP Web Top 10 (2025) 1
CWE-312 | Cleartext Storage of Sensitive Information | Mostly | 12 src | MITRE ATT&CK 6, DISA STIG Oracle Linux 8 1, DISA STIG Oracle Linux 9 1, DISA STIG Rhel 8 1, OWASP Web Top 10 (2025) 1, CAPEC 1, OWASP ASVS 5.0 1
CWE-427 | Uncontrolled Search Path Element | Mostly | 12 src | MITRE ATT&CK 8, CAPEC 2, DISA STIG Oracle Linux 8 1, OWASP Web Top 10 (2025) 1
CWE-266 | Incorrect Privilege Assignment | Mostly | 11 src | DISA STIG Ubuntu 24 04 2, DISA STIG Ubuntu 22 04 2, MITRE ATT&CK 2, OWASP Web Top 10 (2025) 1, DISA STIG Oracle Linux 8 1, DISA STIG Oracle Linux 9 1, DISA STIG Rhel 8 1, DISA STIG Rhel 9 1
CWE-497 | Exposure of Sensitive System Information to an Unauthorized Control Sphere | Mostly | 11 src | CAPEC 2, DISA STIG Oracle Linux 8 2, MITRE ATT&CK 2, DISA STIG Rhel 8 1, OWASP Web Top 10 (2025) 1, DISA STIG Ubuntu 22 04 1, DISA STIG Ubuntu 24 04 1, OWASP ASVS 5.0 1
CWE-123 | Write-what-where Condition | Mostly | 10 src | MITRE ATT&CK 6, DISA STIG Windows 10 1, DISA STIG Windows 11 1, DISA STIG Oracle Linux 8 1, DISA STIG Rhel 8 1
CWE-179 | Incorrect Behavior Order: Early Validation | Mostly | 10 src | OWASP ASVS 5.0 6, CAPEC 3, MITRE ATT&CK 1
CWE-268 | Privilege Chaining | Mostly | 10 src | MITRE ATT&CK 4, DISA STIG Ubuntu 22 04 1, DISA STIG Ubuntu 24 04 1, DISA STIG Windows 10 1, DISA STIG Windows Server 2016 1, DISA STIG Windows Server 2019 1, DISA STIG Windows Server 2022 1
CWE-325 | Missing Cryptographic Step | Mostly | 10 src | DISA STIG Oracle Linux 8 2, DISA STIG Rhel 8 1, DISA STIG Ubuntu 22 04 1, DISA STIG Ubuntu 24 04 1, DISA STIG Oracle Linux 9 1, OWASP Web Top 10 (2025) 1, CAPEC 1, DISA STIG Rhel 7 1, MITRE ATT&CK 1
CWE-331 | Insufficient Entropy | Mostly | 10 src | MITRE ATT&CK 3, DISA STIG Oracle Linux 8 2, DISA STIG Rhel 7 1, DISA STIG Rhel 8 1, OWASP Web Top 10 (2025) 1, CAPEC 1, OWASP ASVS 5.0 1
CWE-471 | Modification of Assumed-Immutable Data (MAID) | Mostly | 10 src | CAPEC 5, MITRE ATT&CK 4, DISA STIG Windows 10 1
CWE-1269 | Product Released in Non-Release Configuration | Mostly | 9 src | MITRE ATT&CK 6, DISA STIG Rhel 7 1, DISA STIG Oracle Linux 8 1, CAPEC 1
CWE-1050 | Excessive Platform Resource Consumption within a Loop | Mostly | 8 src | MITRE ATT&CK 3, OWASP ASVS 5.0 3, DISA STIG Oracle Linux 9 1, DISA STIG Rhel 9 1
CWE-1125 | Excessive Attack Surface | Mostly | 8 src | DISA STIG Rhel 7 2, OWASP Web Top 10 (2025) 2, DISA STIG Oracle Linux 8 2, DISA STIG Rhel 8 1, MITRE ATT&CK 1
CWE-1286 | Improper Validation of Syntactic Correctness of Input | Mostly | 8 src | OWASP ASVS 5.0 5, CAPEC 2, MITRE ATT&CK 1
CWE-130 | Improper Handling of Length Parameter Inconsistency | Mostly | 8 src | MITRE ATT&CK 4, OWASP ASVS 5.0 2, CAPEC 1, OWASP Web Top 10 (2025) 1
CWE-805 | Buffer Access with Incorrect Length Value | Mostly | 8 src | MITRE ATT&CK 5, CAPEC 2, OWASP ASVS 5.0 1
CWE-823 | Use of Out-of-range Pointer Offset | Mostly | 8 src | MITRE ATT&CK 5, OWASP ASVS 5.0 1, CAPEC 1, DISA STIG Windows 10 1
CWE-842 | Placement of User into Incorrect Group | Mostly | 8 src | DISA STIG Windows Server 2016 2, DISA STIG Windows Server 2019 2, DISA STIG Windows 10 1, DISA STIG Windows 11 1, DISA STIG Windows Server 2022 1, MITRE ATT&CK 1
CWE-1021 | Improper Restriction of Rendered UI Layers or Frames | Mostly | 7 src | CAPEC 5, OWASP Web Top 10 (2025) 1, MITRE ATT&CK 1
CWE-1230 | Exposure of Sensitive Information Through Metadata | Mostly | 7 src | OWASP ASVS 5.0 4, MITRE ATT&CK 3
CWE-1289 | Improper Validation of Unsafe Equivalence in Input | Mostly | 7 src | OWASP ASVS 5.0 6, MITRE ATT&CK 1
CWE-183 | Permissive List of Allowed Inputs | Mostly | 7 src | CAPEC 4, OWASP ASVS 5.0 1, OWASP Web Top 10 (2025) 1, MITRE ATT&CK 1
CWE-281 | Improper Preservation of Permissions | Mostly | 7 src | MITRE ATT&CK 3, DISA STIG Windows Server 2022 2, DISA STIG Windows Server 2019 1, OWASP Web Top 10 (2025) 1
CWE-349 | Acceptance of Extraneous Untrusted Data With Trusted Data | Mostly | 7 src | CAPEC 3, OWASP ASVS 5.0 2, DISA STIG Oracle Linux 8 1, MITRE ATT&CK 1
CWE-454 | External Initialization of Trusted Variables or Data Stores | Mostly | 7 src | OWASP ASVS 5.0 4, MITRE ATT&CK 2, OWASP Web Top 10 (2025) 1
CWE-649 | Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking | Mostly | 7 src | DISA STIG Rhel 8 2, MITRE ATT&CK 2, OWASP ASVS 5.0 1, CAPEC 1, DISA STIG Oracle Linux 9 1
CWE-96 | Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') | Mostly | 7 src | CAPEC 4, OWASP ASVS 5.0 1, OWASP Web Top 10 (2025) 1, MITRE ATT&CK 1
CWE-117 | Improper Output Neutralization for Logs | Mostly | 6 src | CAPEC 3, OWASP Web Top 10 (2025) 2, MITRE ATT&CK 1
CWE-1329 | Reliance on Component That is Not Updateable | Mostly | 6 src | MITRE ATT&CK 5, OWASP Web Top 10 (2025) 1
CWE-280 | Improper Handling of Insufficient Permissions or Privileges | Mostly | 6 src | DISA STIG Rhel 9 2, DISA STIG Oracle Linux 8 2, OWASP Web Top 10 (2025) 1, DISA STIG Oracle Linux 9 1
CWE-305 | Authentication Bypass by Primary Weakness | Mostly | 6 src | OWASP ASVS 5.0 2, OWASP Web Top 10 (2025) 1, DISA STIG Ubuntu 22 04 1, DISA STIG Ubuntu 24 04 1, MITRE ATT&CK 1
CWE-434 | Unrestricted Upload of File with Dangerous Type | Mostly | 6 src | MITRE ATT&CK 4, OWASP Web Top 10 (2025) 1, OWASP ASVS 5.0 1
CWE-472 | External Control of Assumed-Immutable Web Parameter | Mostly | 6 src | CAPEC 4, OWASP Web Top 10 (2025) 1, MITRE ATT&CK 1
CWE-532 | Insertion of Sensitive Information into Log File | Mostly | 6 src | MITRE ATT&CK 4, OWASP Web Top 10 (2025) 1, CAPEC 1
CWE-786 | Access of Memory Location Before Start of Buffer | Mostly | 6 src | MITRE ATT&CK 5, OWASP ASVS 5.0 1
CWE-1190 | DMA Device Enabled Too Early in Boot Phase | Mostly | 5 src | MITRE ATT&CK 3, OWASP Web Top 10 (2025) 1, CAPEC 1
CWE-1274 | Improper Access Control for Volatile Memory Containing Boot Code | Mostly | 5 src | CAPEC 2, MITRE ATT&CK 2, NIST CSF 2.0 1
CWE-1299 | Missing Protection Mechanism for Alternate Hardware Interface | Mostly | 5 src | CAPEC 2, OWASP Web Top 10 (2025) 1, NIST CSF 2.0 1, MITRE ATT&CK 1
CWE-342 | Predictable Exact Value from Previous Values | Mostly | 5 src | MITRE ATT&CK 2, DISA STIG Oracle Linux 8 1, DISA STIG Rhel 8 1, OWASP Web Top 10 (2025) 1
CWE-59 | Improper Link Resolution Before File Access ('Link Following') | Mostly | 5 src | MITRE ATT&CK 2, OWASP ASVS 5.0 1, OWASP Web Top 10 (2025) 1, CAPEC 1
CWE-91 | XML Injection (aka Blind XPath Injection) | Mostly | 5 src | CAPEC 2, MITRE ATT&CK 2, OWASP Web Top 10 (2025) 1
CWE-915 | Improperly Controlled Modification of Dynamically-Determined Object Attributes | Mostly | 5 src | MITRE ATT&CK 4, OWASP Web Top 10 (2025) 1
CWE-924 | Improper Enforcement of Message Integrity During Transmission in a Communication Channel | Mostly | 5 src | DISA STIG Oracle Linux 8 4, MITRE ATT&CK 1
CWE-1250 | Improper Preservation of Consistency Between Independent Representations of Shared State | Mostly | 4 src | OWASP ASVS 5.0 4
CWE-1288 | Improper Validation of Consistency within Input | Mostly | 4 src | OWASP ASVS 5.0 2, MITRE ATT&CK 2
CWE-1325 | Improperly Controlled Sequential Memory Allocation | Mostly | 4 src | MITRE ATT&CK 2, CAPEC 1, OWASP ASVS 5.0 1
CWE-303 | Incorrect Implementation of Authentication Algorithm | Mostly | 4 src | MITRE ATT&CK 2, OWASP Web Top 10 (2025) 1, CAPEC 1
CWE-322 | Key Exchange without Entity Authentication | Mostly | 4 src | OWASP Web Top 10 (2025) 2, OWASP ASVS 5.0 1, MITRE ATT&CK 1
CWE-344 | Use of Invariant Value in Dynamically Changing Context | Mostly | 4 src | MITRE ATT&CK 3, OWASP ASVS 5.0 1
CWE-379 | Creation of Temporary File in Directory with Insecure Permissions | Mostly | 4 src | MITRE ATT&CK 2, OWASP Web Top 10 (2025) 1, DISA STIG Oracle Linux 8 1
CWE-807 | Reliance on Untrusted Inputs in a Security Decision | Mostly | 4 src | MITRE ATT&CK 3, OWASP Web Top 10 (2025) 1
CWE-1049 | Excessive Data Query Operations in a Large Data Table | Mostly | 3 src | MITRE ATT&CK 2, OWASP ASVS 5.0 1
CWE-214 | Invocation of Process Using Visible Sensitive Information | Mostly | 3 src | MITRE ATT&CK 2, OWASP ASVS 5.0 1
CWE-283 | Unverified Ownership | Mostly | 3 src | OWASP Web Top 10 (2025) 1, DISA STIG Windows Server 2016 1, DISA STIG Windows Server 2019 1
CWE-466 | Return of Pointer Value Outside of Expected Range | Mostly | 3 src | MITRE ATT&CK 2, OWASP ASVS 5.0 1
CWE-470 | Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') | Mostly | 3 src | CAPEC 1, OWASP Web Top 10 (2025) 1, MITRE ATT&CK 1
CWE-1431 | Driving Intermediate Cryptographic State/Results to Hardware Module Outputs | Mostly | 2 src | OWASP ASVS 5.0 1, OWASP Web Top 10 (2025) 1
CWE-396 | Declaration of Catch for Generic Exception | Mostly | 2 src | OWASP Web Top 10 (2025) 1, OWASP ASVS 5.0 1
CWE-1058 | Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element | Mostly | 1 src | OWASP ASVS 5.0 1
CWE-1429 | Missing Security-Relevant Feedback for Unexecuted Operations in Hardware Interface | Mostly | 1 src | OWASP Web Top 10 (2025) 1
CWE-211 | Externally-Generated Error Message Containing Sensitive Information | Mostly | 1 src | OWASP ASVS 5.0 1
CWE-224 | Obscured Security-relevant Information by Alternate Name | Mostly | 1 src | OWASP Web Top 10 (2025) 1
CWE-1233 | Security-Sensitive Hardware Controls with Missing Lock Bit Protection | Partial | 8 src | MITRE ATT&CK 6, CAPEC 2
CWE-270 | Privilege Context Switching Error | Partial | 8 src | MITRE ATT&CK 4, CAPEC 2, DISA STIG Ubuntu 22 04 1, OWASP ASVS 5.0 1
CWE-509 | Replicating Malicious Code (Virus or Worm) | Partial | 7 src | DISA STIG Windows 10 1, DISA STIG Windows 11 1, DISA STIG Windows Server 2016 1, DISA STIG Windows Server 2019 1, DISA STIG Windows Server 2022 1, DISA STIG Oracle Linux 8 1, MITRE ATT&CK 1
CWE-1332 | Improper Handling of Faults that Lead to Instruction Skips | Partial | 6 src | MITRE ATT&CK 4, CAPEC 2
CWE-1256 | Improper Restriction of Software Interfaces to Hardware Features | Partial | 5 src | CAPEC 2, NIST CSF 2.0 2, MITRE ATT&CK 1
CWE-1258 | Exposure of Sensitive System Information Due to Uncleared Debug Information | Partial | 5 src | CAPEC 2, OWASP ASVS 5.0 2, OWASP Web Top 10 (2025) 1
CWE-272 | Least Privilege Violation | Partial | 5 src | CAPEC 1, DISA STIG Ubuntu 24 04 1, DISA STIG Windows 10 1, DISA STIG Windows Server 2022 1, MITRE ATT&CK 1
CWE-274 | Improper Handling of Insufficient Privileges | Partial | 5 src | DISA STIG Oracle Linux 9 2, DISA STIG Rhel 9 1, OWASP Web Top 10 (2025) 1, MITRE ATT&CK 1
CWE-1007 | Insufficient Visual Distinction of Homoglyphs Presented to User | Partial | 4 src | MITRE ATT&CK 3, CAPEC 1
CWE-1067 | Excessive Execution of Sequential Searches of Data Resource | Partial | 4 src | OWASP ASVS 5.0 2, MITRE ATT&CK 2
CWE-1068 | Inconsistency Between Implementation and Documented Design | Partial | 4 src | DISA STIG Rhel 7 2, DISA STIG Oracle Linux 8 1, OWASP ASVS 5.0 1
CWE-1191 | On-Chip Debug and Test Interface With Improper Access Control | Partial | 4 src | MITRE ATT&CK 3, CAPEC 1
CWE-1224 | Improper Restriction of Write-Once Bit Fields | Partial | 4 src | MITRE ATT&CK 2, CAPEC 1, NIST CSF 2.0 1
CWE-1245 | Improper Finite State Machines (FSMs) in Hardware Logic | Partial | 4 src | MITRE ATT&CK 3, CAPEC 1
CWE-1268 | Policy Privileges are not Assigned Consistently Between Control and Data Agents | Partial | 4 src | MITRE ATT&CK 2, CAPEC 1, NIST CSF 2.0 1
CWE-1272 | Sensitive Information Uncleared Before Debug/Power State Transition | Partial | 4 src | CAPEC 2, MITRE ATT&CK 2
CWE-1260 | Improper Handling of Overlap Between Protected Memory Ranges | Partial | 3 src | CAPEC 2, MITRE ATT&CK 1
CWE-1264 | Hardware Logic with Insecure De-Synchronization between Control and Data Channels | Partial | 3 src | CAPEC 2, OWASP Web Top 10 (2025) 1
CWE-1301 | Insufficient or Incomplete Data Removal within Hardware Component | Partial | 3 src | MITRE ATT&CK 2, CAPEC 1
CWE-1312 | Missing Protection for Mirrored Regions in On-Chip Fabric Firewall | Partial | 3 src | CAPEC 2, MITRE ATT&CK 1
CWE-1322 | Use of Blocking Code in Single-threaded, Non-blocking Context | Partial | 3 src | MITRE ATT&CK 2, OWASP ASVS 5.0 1
CWE-508 | Non-Replicating Malicious Code | Partial | 3 src | DISA STIG Windows 10 1, DISA STIG Windows 11 1, DISA STIG Windows Server 2016 1
CWE-1278 | Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques | Partial | 2 src | CAPEC 2
CWE-1313 | Hardware Allows Activation of Test or Debug Logic at Runtime | Partial | 2 src | CAPEC 1, MITRE ATT&CK 1
CWE-1334 | Unauthorized Error Injection Can Degrade Hardware Redundancy | Partial | 2 src | CAPEC 1, MITRE ATT&CK 1
CWE-1386 | Insecure Operation on Windows Junction / Mount Point | Partial | 2 src | OWASP ASVS 5.0 1, MITRE ATT&CK 1
CWE-1051 | Initialization with Hard-Coded Network Resource Configuration Data | Partial | 1 src | NIST CSF 2.0 1
CWE-1057 | Data Access Operations Outside of Expected Data Manager Component | Partial | 1 src | MITRE ATT&CK 1
CWE-1100 | Insufficient Isolation of System-Dependent Functions | Partial | 1 src | DISA STIG Oracle Linux 9 1
CWE-1304 | Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation | Partial | 1 src | CAPEC 1
CWE-1316 | Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges | Partial | 1 src | CAPEC 1
CWE-1320 | Improper Protection for Outbound Error Messages and Alert Signals | Partial | 1 src | MITRE ATT&CK 1
CWE-1342 | Information Exposure through Microarchitectural State after Transient Execution | Partial | 1 src | CAPEC 1
CWE-478 | Missing Default Case in Multiple Condition Expression | Partial | 1 src | OWASP Web Top 10 (2025) 1
CWE-551 | Incorrect Behavior Order: Authorization Before Parsing and Canonicalization | Partial | 1 src | MITRE ATT&CK 1
Variant 184/299 · 184 covered
CWE | Name | Verdict | Sources | Contributing frameworks (mapping count)
CWE-80 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | Full | 11 src | OWASP ASVS 5.0 4, MITRE ATT&CK 3, CAPEC 3, OWASP Web Top 10 (2025) 1
CWE-258 | Empty Password in Configuration File | Full | 10 src | MITRE ATT&CK 3, DISA STIG Oracle Linux 8 2, DISA STIG Oracle Linux 9 2, DISA STIG Rhel 7 2, OWASP Web Top 10 (2025) 1
CWE-337 | Predictable Seed in Pseudo-Random Number Generator (PRNG) | Full | 9 src | OWASP ASVS 5.0 3, DISA STIG Oracle Linux 8 3, MITRE ATT&CK 2, OWASP Web Top 10 (2025) 1
CWE-416 | Use After Free | Full | 9 src | MITRE ATT&CK 5, OWASP ASVS 5.0 1, DISA STIG Rhel 9 1, DISA STIG Oracle Linux 8 1, DISA STIG Rhel 8 1
CWE-539 | Use of Persistent Cookies Containing Sensitive Information | Full | 9 src | MITRE ATT&CK 4, CAPEC 4, OWASP Web Top 10 (2025) 1
CWE-95 | Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') | Full | 9 src | MITRE ATT&CK 6, OWASP ASVS 5.0 1, OWASP Web Top 10 (2025) 1, CAPEC 1
CWE-113 | Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') | Full | 8 src | OWASP ASVS 5.0 3, CAPEC 3, MITRE ATT&CK 1, OWASP Web Top 10 (2025) 1
CWE-180 | Incorrect Behavior Order: Validate Before Canonicalize | Full | 8 src | CAPEC 6, OWASP ASVS 5.0 1, MITRE ATT&CK 1
CWE-313 | Cleartext Storage in a File or on Disk | Full | 8 src | MITRE ATT&CK 3, DISA STIG Oracle Linux 8 1, DISA STIG Oracle Linux 9 1, DISA STIG Rhel 8 1, DISA STIG Rhel 9 1, OWASP Web Top 10 (2025) 1
CWE-333 | Improper Handling of Insufficient Entropy in TRNG | Full | 8 src | DISA STIG Oracle Linux 8 3, OWASP ASVS 5.0 2, DISA STIG Rhel 8 2, DISA STIG Oracle Linux 9 1
CWE-646 | Reliance on File Name or Extension of Externally-Supplied File | Full | 7 src | MITRE ATT&CK 6, OWASP Web Top 10 (2025) 1
CWE-784 | Reliance on Cookies without Validation and Integrity Checking in a Security Decision | Full | 7 src | MITRE ATT&CK 5, OWASP Web Top 10 (2025) 1, OWASP ASVS 5.0 1
CWE-332 | Insufficient Entropy in PRNG | Full | 6 src | OWASP ASVS 5.0 2, OWASP Web Top 10 (2025) 1, DISA STIG Oracle Linux 8 1, DISA STIG Rhel 8 1, MITRE ATT&CK 1
CWE-525 | Use of Web Browser Cache Containing Sensitive Information | Full | 6 src | OWASP ASVS 5.0 2, MITRE ATT&CK 2, CAPEC 1, OWASP Web Top 10 (2025) 1
CWE-614 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | Full | 6 src | MITRE ATT&CK 3, OWASP ASVS 5.0 1, OWASP Web Top 10 (2025) 1, CAPEC 1
CWE-83 | Improper Neutralization of Script in Attributes in a Web Page | Full | 6 src | CAPEC 2, MITRE ATT&CK 2, OWASP Web Top 10 (2025) 1, OWASP ASVS 5.0 1
CWE-942 | Permissive Cross-domain Security Policy with Untrusted Domains | Full | 6 src | MITRE ATT&CK 3, OWASP ASVS 5.0 2, OWASP Web Top 10 (2025) 1
CWE-1321 | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') | Full | 5 src | MITRE ATT&CK 3, OWASP ASVS 5.0 1, CAPEC 1
CWE-146 | Improper Neutralization of Expression/Command Delimiters | Full | 5 src | MITRE ATT&CK 2, CAPEC 2, OWASP Web Top 10 (2025) 1
CWE-291 | Reliance on IP Address for Authentication | Full | 5 src | MITRE ATT&CK 3, OWASP Web Top 10 (2025) 1, CAPEC 1
CWE-57 | Path Equivalence: 'fakedir/../realdir/filename' | Full | 5 src | OWASP ASVS 5.0 2, MITRE ATT&CK 2, OWASP Web Top 10 (2025) 1
CWE-12 | ASP.NET Misconfiguration: Missing Custom Error Page | Full | 4 src | MITRE ATT&CK 2, OWASP Web Top 10 (2025) 1, NIST CSF 2.0 1
CWE-527 | Exposure of Version-Control Repository to an Unauthorized Control Sphere | Full | 4 src | MITRE ATT&CK 4
CWE-550 | Server-generated Error Message Containing Sensitive Information | Full | 4 src | MITRE ATT&CK 3, OWASP Web Top 10 (2025) 1
CWE-598 | Use of HTTP Request With Sensitive Query String | Full | 4 src | OWASP ASVS 5.0 2, OWASP Web Top 10 (2025) 1, MITRE ATT&CK 1
CWE-647 | Use of Non-Canonical URL Paths for Authorization Decisions | Full | 4 src | OWASP ASVS 5.0 2, OWASP Web Top 10 (2025) 1, MITRE ATT&CK 1
CWE-82 | Improper Neutralization of Script in Attributes of IMG Tags in a Web Page | Full | 4 src | MITRE ATT&CK 3, OWASP ASVS 5.0 1
CWE-11 | ASP.NET Misconfiguration: Creating Debug Binary | Full | 3 src | OWASP ASVS 5.0 1, OWASP Web Top 10 (2025) 1, MITRE ATT&CK 1
CWE-1275 | Sensitive Cookie with Improper SameSite Attribute | Full | 3 src | OWASP ASVS 5.0 1, OWASP Web Top 10 (2025) 1, CAPEC 1
CWE-37 | Path Traversal: '/absolute/pathname/here' | Full | 3 src | MITRE ATT&CK 2, OWASP Web Top 10 (2025) 1
CWE-38 | Path Traversal: '\absolute\pathname\here' | Full | 3 src | MITRE ATT&CK 2, OWASP Web Top 10 (2025) 1
CWE-5 | J2EE Misconfiguration: Data Transmission Without Encryption | Full | 3 src | MITRE ATT&CK 2, OWASP Web Top 10 (2025) 1
CWE-760 | Use of a One-Way Hash with a Predictable Salt | Full | 3 src | OWASP ASVS 5.0 1, OWASP Web Top 10 (2025) 1, MITRE ATT&CK 1
CWE-81 | Improper Neutralization of Script in an Error Message Web Page | Full | 3 src | OWASP ASVS 5.0 1, CAPEC 1, MITRE ATT&CK 1
CWE-97 | Improper Neutralization of Server-Side Includes (SSI) Within a Web Page | Full | 3 src | CAPEC 1, OWASP Web Top 10 (2025) 1, MITRE ATT&CK 1
CWE-98 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') | Full | 3 src | CAPEC 1, OWASP Web Top 10 (2025) 1, MITRE ATT&CK 1
CWE-1174ASP.NET Misconfiguration: Improper Model ValidationFull2 src · OWASP Web Top 10 (2025) 1, MITRE ATT&CK 1
CWE-40Path Traversal: '\\UNC\share\name\' (Windows UNC Share)Full2 src · OWASP Web Top 10 (2025) 1, MITRE ATT&CK 1
CWE-537Java Runtime Error Message Containing Sensitive InformationFull2 src · OWASP Web Top 10 (2025) 1, OWASP ASVS 5.0 1
CWE-566Authorization Bypass Through User-Controlled SQL Primary KeyFull2 src · OWASP Web Top 10 (2025) 1, MITRE ATT&CK 1
CWE-774Allocation of File Descriptors or Handles Without Limits or ThrottlingFull2 src · MITRE ATT&CK 2
CWE-780Use of RSA Algorithm without OAEPFull2 src · OWASP Web Top 10 (2025) 1, DISA STIG Oracle Linux 8 1
CWE-277Insecure Inherited PermissionsMostly9 src · MITRE ATT&CK 4, DISA STIG Windows Server 2016 2, DISA STIG Windows Server 2019 2, DISA STIG Windows Server 2022 1
CWE-318Cleartext Storage of Sensitive Information in ExecutableMostly8 src · MITRE ATT&CK 3, CAPEC 2, DISA STIG Oracle Linux 8 1, DISA STIG Oracle Linux 9 1, DISA STIG Rhel 9 1
CWE-150Improper Neutralization of Escape, Meta, or Control SequencesMostly6 src · CAPEC 4, OWASP ASVS 5.0 1, MITRE ATT&CK 1
CWE-207Observable Behavioral Discrepancy With Equivalent ProductsMostly6 src · MITRE ATT&CK 3, OWASP ASVS 5.0 2, DISA STIG Oracle Linux 8 1
CWE-153Improper Neutralization of Substitution CharactersMostly5 src · MITRE ATT&CK 3, OWASP ASVS 5.0 2
CWE-314Cleartext Storage in the RegistryMostly5 src · MITRE ATT&CK 3, CAPEC 1, DISA STIG Oracle Linux 8 1
CWE-316Cleartext Storage of Sensitive Information in MemoryMostly5 src · MITRE ATT&CK 4, DISA STIG Oracle Linux 9 1
CWE-1004Sensitive Cookie Without 'HttpOnly' FlagMostly4 src · NIST CSF 2.0 2, OWASP Web Top 10 (2025) 1, MITRE ATT&CK 1
CWE-158Improper Neutralization of Null Byte or NUL CharacterMostly4 src · CAPEC 2, OWASP ASVS 5.0 1, MITRE ATT&CK 1
CWE-297Improper Validation of Certificate with Host MismatchMostly4 src · MITRE ATT&CK 3, OWASP ASVS 5.0 1
CWE-336Same Seed in Pseudo-Random Number Generator (PRNG)Mostly4 src · OWASP ASVS 5.0 2, OWASP Web Top 10 (2025) 1, MITRE ATT&CK 1
CWE-650Trusting HTTP Permission Methods on the Server SideMostly4 src · OWASP ASVS 5.0 3, MITRE ATT&CK 1
CWE-1022Use of Web Link to Untrusted Target with window.opener AccessMostly3 src · OWASP ASVS 5.0 1, OWASP Web Top 10 (2025) 1, MITRE ATT&CK 1
CWE-535Exposure of Information Through Shell Error MessageMostly3 src · OWASP ASVS 5.0 1, OWASP Web Top 10 (2025) 1, MITRE ATT&CK 1
CWE-792Incomplete Filtering of One or More Instances of Special ElementsMostly3 src · MITRE ATT&CK 3
CWE-830Inclusion of Web Functionality from an Untrusted SourceMostly3 src · MITRE ATT&CK 2, OWASP Web Top 10 (2025) 1
CWE-219Storage of File with Sensitive Data Under Web RootMostly2 src · OWASP Web Top 10 (2025) 1, MITRE ATT&CK 1
CWE-293Using Referer Field for AuthenticationMostly2 src · OWASP Web Top 10 (2025) 1, MITRE ATT&CK 1
CWE-526Cleartext Storage of Sensitive Information in an Environment VariableMostly2 src · OWASP Web Top 10 (2025) 1, MITRE ATT&CK 1
CWE-529Exposure of Access Control List Files to an Unauthorized Control SphereMostly2 src · OWASP ASVS 5.0 1, MITRE ATT&CK 1
CWE-548Exposure of Information Through Directory ListingMostly2 src · OWASP Web Top 10 (2025) 1, MITRE ATT&CK 1
CWE-644Improper Neutralization of HTTP Headers for Scripting SyntaxMostly2 src · OWASP Web Top 10 (2025) 1, MITRE ATT&CK 1
CWE-1096Singleton Class Instance Creation without Proper Locking or SynchronizationMostly1 src · OWASP ASVS 5.0 1
CWE-173Improper Handling of Alternate EncodingPartial17 src · CAPEC 12, OWASP ASVS 5.0 3, MITRE ATT&CK 2
CWE-121Stack-based Buffer OverflowPartial7 src · MITRE ATT&CK 5, DISA STIG Oracle Linux 8 1, DISA STIG Oracle Linux 9 1
CWE-230Improper Handling of Missing ValuesPartial6 src · DISA STIG Oracle Linux 8 4, DISA STIG Rhel 7 1, DISA STIG Ubuntu 24 04 1
CWE-164Improper Neutralization of Internal Special ElementsPartial5 src · MITRE ATT&CK 4, OWASP ASVS 5.0 1
CWE-370Missing Check for Certificate Revocation after Initial CheckPartial5 src · MITRE ATT&CK 2, CAPEC 1, DISA STIG Rhel 7 1, DISA STIG Ubuntu 24 04 1
CWE-86Improper Neutralization of Invalid Characters in Identifiers in Web PagesPartial5 src · CAPEC 2, MITRE ATT&CK 2, OWASP Web Top 10 (2025) 1
CWE-528Exposure of Core Dump File to an Unauthorized Control SpherePartial4 src · MITRE ATT&CK 3, DISA STIG Oracle Linux 8 1
CWE-591Sensitive Data Storage in Improperly Locked MemoryPartial4 src · MITRE ATT&CK 2, NIST CSF 2.0 1, DISA STIG Oracle Linux 8 1
CWE-1222Insufficient Granularity of Address Regions Protected by Register LocksPartial3 src · MITRE ATT&CK 2, CAPEC 1
CWE-350Reliance on Reverse DNS Resolution for a Security-Critical ActionPartial3 src · CAPEC 2, MITRE ATT&CK 1
CWE-244Improper Clearing of Heap Memory Before Release ('Heap Inspection')Partial2 src · MITRE ATT&CK 2
CWE-775Missing Release of File Descriptor or Handle after Effective LifetimePartial1 src · MITRE ATT&CK 1
Class 94/114 · 94 covered
CWE-74 · Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') · Full · 52 src · CAPEC 32, MITRE ATT&CK 11, OWASP ASVS 5.0 8, OWASP Web Top 10 (2025) 1
CWE-287 · Improper Authentication · Full · 40 src · OWASP ASVS 5.0 11, CAPEC 9, NIST CSF 2.0 6, MITRE ATT&CK 5, DISA STIG Rhel 7 3, DISA STIG Ubuntu 24 04 2, OWASP Web Top 10 (2025) 1, DISA STIG Ubuntu 22 04 1, DISA STIG Oracle Linux 8 1, DISA STIG Rhel 8 1
CWE-285 · Improper Authorization · Full · 36 src · MITRE ATT&CK 13, CAPEC 12, NIST CSF 2.0 4, DISA STIG Rhel 7 3, DISA STIG Oracle Linux 8 2, OWASP Web Top 10 (2025) 1, DISA STIG Rhel 8 1
CWE-732 · Incorrect Permission Assignment for Critical Resource · Full · 29 src · MITRE ATT&CK 13, CAPEC 8, DISA STIG Windows Server 2016 2, DISA STIG Windows Server 2019 2, DISA STIG Windows Server 2022 2, OWASP Web Top 10 (2025) 1, DISA STIG Oracle Linux 8 1
CWE-311 · Missing Encryption of Sensitive Data · Full · 27 src · CAPEC 10, MITRE ATT&CK 8, NIST CSF 2.0 2, DISA STIG Windows Server 2019 1, DISA STIG Oracle Linux 8 1, DISA STIG Oracle Linux 9 1, DISA STIG Rhel 8 1, DISA STIG Rhel 9 1, DISA STIG Windows Server 2016 1, OWASP Web Top 10 (2025) 1
CWE-1390 · Weak Authentication · Full · 26 src · MITRE ATT&CK 11, OWASP ASVS 5.0 8, OWASP Web Top 10 (2025) 1, DISA STIG Rhel 7 1, DISA STIG Rhel 8 1, DISA STIG Ubuntu 22 04 1, DISA STIG Windows 10 1, DISA STIG Windows 11 1, DISA STIG Oracle Linux 8 1
CWE-522 · Insufficiently Protected Credentials · Full · 26 src · MITRE ATT&CK 12, CAPEC 12, OWASP ASVS 5.0 1, OWASP Web Top 10 (2025) 1
CWE-346 · Origin Validation Error · Full · 23 src · CAPEC 12, MITRE ATT&CK 7, DISA STIG Oracle Linux 8 3, OWASP Web Top 10 (2025) 1
CWE-300 · Channel Accessible by Non-Endpoint · Full · 22 src · CAPEC 9, MITRE ATT&CK 6, DISA STIG Oracle Linux 8 4, DISA STIG Oracle Linux 9 1, OWASP ASVS 5.0 1, OWASP Web Top 10 (2025) 1
CWE-114 · Process Control · Full · 19 src · MITRE ATT&CK 8, DISA STIG Oracle Linux 8 3, CAPEC 2, OWASP Web Top 10 (2025) 1, DISA STIG Windows 10 1, DISA STIG Windows 11 1, DISA STIG Windows Server 2016 1, DISA STIG Windows Server 2019 1, DISA STIG Windows Server 2022 1
CWE-668 · Exposure of Resource to Wrong Sphere · Full · 19 src · MITRE ATT&CK 10, DISA STIG Oracle Linux 8 2, OWASP Web Top 10 (2025) 1, DISA STIG Windows 11 1, DISA STIG Windows Server 2019 1, DISA STIG Rhel 7 1, DISA STIG Windows 10 1, DISA STIG Windows Server 2016 1, DISA STIG Windows Server 2022 1
CWE-77 · Improper Neutralization of Special Elements used in a Command ('Command Injection') · Full · 19 src · MITRE ATT&CK 8, CAPEC 6, OWASP ASVS 5.0 4, OWASP Web Top 10 (2025) 1
CWE-602 · Client-Side Enforcement of Server-Side Security · Full · 18 src · CAPEC 11, OWASP ASVS 5.0 5, OWASP Web Top 10 (2025) 1, MITRE ATT&CK 1
CWE-923 · Improper Restriction of Communication Channel to Intended Endpoints · Full · 18 src · MITRE ATT&CK 6, CAPEC 4, OWASP ASVS 5.0 3, DISA STIG Oracle Linux 8 2, DISA STIG Rhel 8 2, DISA STIG Rhel 7 1
CWE-327 · Use of a Broken or Risky Cryptographic Algorithm · Full · 17 src · CAPEC 7, MITRE ATT&CK 2, DISA STIG Windows 10 1, DISA STIG Windows Server 2019 1, DISA STIG Windows Server 2022 1, OWASP Web Top 10 (2025) 1, DISA STIG Oracle Linux 8 1, DISA STIG Windows 11 1, DISA STIG Windows Server 2016 1, NIST CSF 2.0 1
CWE-330 · Use of Insufficiently Random Values · Full · 16 src · MITRE ATT&CK 4, DISA STIG Oracle Linux 8 3, DISA STIG Rhel 8 3, CAPEC 3, OWASP Web Top 10 (2025) 1, DISA STIG Oracle Linux 9 1, DISA STIG Rhel 9 1
CWE-506 · Embedded Malicious Code · Full · 16 src · MITRE ATT&CK 10, CAPEC 3, DISA STIG Oracle Linux 9 1, DISA STIG Rhel 9 1, OWASP Web Top 10 (2025) 1
CWE-636 · Not Failing Securely ('Failing Open') · Full · 13 src · OWASP ASVS 5.0 12, OWASP Web Top 10 (2025) 1
CWE-653 · Improper Isolation or Compartmentalization · Full · 13 src · MITRE ATT&CK 6, DISA STIG Rhel 9 2, OWASP Web Top 10 (2025) 1, DISA STIG Oracle Linux 9 1, DISA STIG Windows 10 1, DISA STIG Windows 11 1, DISA STIG Windows Server 2016 1
CWE-863 · Incorrect Authorization · Full · 13 src · MITRE ATT&CK 8, DISA STIG Oracle Linux 8 2, OWASP Web Top 10 (2025) 1, DISA STIG Rhel 7 1, DISA STIG Rhel 8 1
CWE-326 · Inadequate Encryption Strength · Full · 12 src · CAPEC 3, OWASP ASVS 5.0 2, MITRE ATT&CK 2, OWASP Web Top 10 (2025) 1, DISA STIG Oracle Linux 9 1, DISA STIG Rhel 8 1, DISA STIG Rhel 9 1, DISA STIG Windows Server 2016 1
CWE-405 · Asymmetric Resource Consumption (Amplification) · Full · 12 src · MITRE ATT&CK 6, DISA STIG Oracle Linux 8 2, DISA STIG Oracle Linux 9 2, DISA STIG Rhel 8 2
CWE-116 · Improper Encoding or Escaping of Output · Full · 11 src · MITRE ATT&CK 4, OWASP ASVS 5.0 3, CAPEC 3, OWASP Web Top 10 (2025) 1
CWE-799 · Improper Control of Interaction Frequency · Full · 11 src · MITRE ATT&CK 10, OWASP Web Top 10 (2025) 1
CWE-862 · Missing Authorization · Full · 11 src · MITRE ATT&CK 5, DISA STIG Rhel 7 2, DISA STIG Oracle Linux 8 2, OWASP Web Top 10 (2025) 1, CAPEC 1
CWE-410 · Insufficient Resource Pool · Full · 10 src · MITRE ATT&CK 3, OWASP ASVS 5.0 2, DISA STIG Oracle Linux 9 2, DISA STIG Rhel 8 2, DISA STIG Oracle Linux 8 1
CWE-362 · Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') · Full · 9 src · OWASP ASVS 5.0 5, CAPEC 2, OWASP Web Top 10 (2025) 1, MITRE ATT&CK 1
CWE-657 · Violation of Secure Design Principles · Full · 9 src · DISA STIG Windows Server 2016 2, DISA STIG Windows Server 2019 2, DISA STIG Windows Server 2022 2, OWASP Web Top 10 (2025) 1, DISA STIG Ubuntu 24 04 1, DISA STIG Ubuntu 22 04 1
CWE-754 · Improper Check for Unusual or Exceptional Conditions · Full · 6 src · DISA STIG Oracle Linux 8 2, MITRE ATT&CK 2, OWASP Web Top 10 (2025) 1, DISA STIG Oracle Linux 9 1
CWE-1395 · Dependency on Vulnerable Third-Party Component · Full · 5 src · NIST CSF 2.0 2, OWASP ASVS 5.0 2, OWASP Web Top 10 (2025) 1
CWE-200 · Exposure of Sensitive Information to an Unauthorized Actor · Mostly · 101 src · CAPEC 43, MITRE ATT&CK 31, NIST CSF 2.0 15, OWASP ASVS 5.0 4, DISA STIG Ubuntu 24 04 2, DISA STIG Windows Server 2016 1, DISA STIG Windows Server 2019 1, DISA STIG Windows Server 2022 1, OWASP Web Top 10 (2025) 1, DISA STIG Ubuntu 22 04 1, DISA STIG Windows 10 1
CWE-345 · Insufficient Verification of Data Authenticity · Mostly · 39 src · MITRE ATT&CK 16, CAPEC 12, DISA STIG Oracle Linux 8 2, DISA STIG Rhel 7 2, DISA STIG Rhel 8 2, NIST CSF 2.0 1, OWASP ASVS 5.0 1, DISA STIG Oracle Linux 9 1, DISA STIG Rhel 9 1, OWASP Web Top 10 (2025) 1
CWE-1357 · Reliance on Insufficiently Trustworthy Component · Mostly · 36 src · NIST CSF 2.0 18, OWASP ASVS 5.0 5, MITRE ATT&CK 4, DISA STIG Oracle Linux 9 3, DISA STIG Oracle Linux 8 2, DISA STIG Rhel 7 2, DISA STIG Rhel 8 1, OWASP Web Top 10 (2025) 1
CWE-1391 · Use of Weak Credentials · Mostly · 23 src · MITRE ATT&CK 7, NIST CSF 2.0 6, OWASP ASVS 5.0 4, DISA STIG Oracle Linux 8 3, OWASP Web Top 10 (2025) 1, DISA STIG Rhel 7 1, DISA STIG Rhel 8 1
CWE-269 · Improper Privilege Management · Mostly · 20 src · MITRE ATT&CK 7, NIST CSF 2.0 4, CAPEC 3, DISA STIG Windows 10 1, DISA STIG Windows 11 1, DISA STIG Windows Server 2016 1, DISA STIG Windows Server 2019 1, DISA STIG Windows Server 2022 1, OWASP Web Top 10 (2025) 1
CWE-119 · Improper Restriction of Operations within the Bounds of a Memory Buffer · Mostly · 19 src · CAPEC 12, MITRE ATT&CK 6, OWASP ASVS 5.0 1
CWE-642 · External Control of Critical State Data · Mostly · 16 src · MITRE ATT&CK 9, DISA STIG Oracle Linux 9 2, CAPEC 2, DISA STIG Oracle Linux 8 1, OWASP Web Top 10 (2025) 1, DISA STIG Rhel 7 1
CWE-451 · User Interface (UI) Misrepresentation of Critical Information · Mostly · 15 src · MITRE ATT&CK 9, CAPEC 5, OWASP Web Top 10 (2025) 1
CWE-286 · Incorrect User Management · Mostly · 13 src · MITRE ATT&CK 10, DISA STIG Oracle Linux 9 1, DISA STIG Rhel 9 1, OWASP Web Top 10 (2025) 1
CWE-282 · Improper Ownership Management · Mostly · 10 src · MITRE ATT&CK 7, OWASP Web Top 10 (2025) 1, CAPEC 1, DISA STIG Windows Server 2016 1
CWE-1263 · Improper Physical Access Control · Mostly · 9 src · MITRE ATT&CK 4, DISA STIG Oracle Linux 8 2, DISA STIG Rhel 7 2, CAPEC 1
CWE-340 · Generation of Predictable Numbers or Identifiers · Mostly · 9 src · MITRE ATT&CK 3, DISA STIG Oracle Linux 8 2, DISA STIG Rhel 7 1, OWASP ASVS 5.0 1, DISA STIG Rhel 8 1, OWASP Web Top 10 (2025) 1
CWE-913 · Improper Control of Dynamically-Managed Code Resources · Mostly · 9 src · MITRE ATT&CK 7, DISA STIG Windows 10 1, DISA STIG Windows 11 1
CWE-922 · Insecure Storage of Sensitive Information · Mostly · 9 src · MITRE ATT&CK 5, DISA STIG Windows Server 2016 2, OWASP Web Top 10 (2025) 1, DISA STIG Windows Server 2019 1
CWE-402 · Transmission of Private Resources into a New Sphere ('Resource Leak') · Mostly · 8 src · MITRE ATT&CK 4, OWASP ASVS 5.0 1, DISA STIG Oracle Linux 8 1, OWASP Web Top 10 (2025) 1, DISA STIG Oracle Linux 9 1
CWE-424 · Improper Protection of Alternate Path · Mostly · 8 src · CAPEC 2, OWASP Web Top 10 (2025) 1, DISA STIG Oracle Linux 9 1, DISA STIG Rhel 9 1, DISA STIG Ubuntu 22 04 1, DISA STIG Ubuntu 24 04 1, MITRE ATT&CK 1
CWE-441 · Unintended Proxy or Intermediary ('Confused Deputy') · Mostly · 8 src · OWASP ASVS 5.0 3, CAPEC 2, MITRE ATT&CK 2, OWASP Web Top 10 (2025) 1
CWE-656 · Reliance on Security Through Obscurity · Mostly · 5 src · MITRE ATT&CK 3, OWASP Web Top 10 (2025) 1, OWASP ASVS 5.0 1
CWE-75 · Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) · Mostly · 5 src · MITRE ATT&CK 3, CAPEC 2
CWE-841 · Improper Enforcement of Behavioral Workflow · Mostly · 4 src · MITRE ATT&CK 2, OWASP Web Top 10 (2025) 1, OWASP ASVS 5.0 1
CWE-755 · Improper Handling of Exceptional Conditions · Mostly · 3 src · MITRE ATT&CK 2, OWASP Web Top 10 (2025) 1
CWE-406 · Insufficient Control of Network Message Volume (Network Amplification) · Mostly · 2 src · MITRE ATT&CK 2
CWE-671 · Lack of Administrator Control over Security · Mostly · 2 src · OWASP Web Top 10 (2025) 1, OWASP ASVS 5.0 1
CWE-943 · Improper Neutralization of Special Elements in Data Query Logic · Mostly · 2 src · MITRE ATT&CK 1, CAPEC 1
CWE-20 · Improper Input Validation · Partial · 57 src · CAPEC 50, MITRE ATT&CK 5, DISA STIG Rhel 8 1, OWASP Web Top 10 (2025) 1
CWE-118 · Incorrect Access of Indexable Resource ('Range Error') · Partial · 14 src · CAPEC 8, MITRE ATT&CK 6
CWE-99 · Improper Control of Resource Identifiers ('Resource Injection') · Partial · 7 src · OWASP ASVS 5.0 4, CAPEC 1, OWASP Web Top 10 (2025) 1, MITRE ATT&CK 1
CWE-758 · Reliance on Undefined, Unspecified, or Implementation-Defined Behavior · Partial · 6 src · MITRE ATT&CK 6
CWE-159 · Improper Handling of Invalid Use of Special Elements · Partial · 5 src · MITRE ATT&CK 4, OWASP Web Top 10 (2025) 1
CWE-610 · Externally Controlled Reference to a Resource in Another Sphere · Partial · 4 src · MITRE ATT&CK 2, CAPEC 1, DISA STIG Oracle Linux 8 1
Pillar 9/10 · 9 covered
CWE-284 · Improper Access Control · Full · 71 src · MITRE ATT&CK 34, CAPEC 17, NIST CSF 2.0 10, DISA STIG Oracle Linux 9 2, DISA STIG Oracle Linux 8 2, DISA STIG Rhel 7 2, DISA STIG Rhel 8 2, OWASP Web Top 10 (2025) 1, OWASP ASVS 5.0 1
CWE-693 · Protection Mechanism Failure · Full · 56 src · MITRE ATT&CK 27, CAPEC 17, OWASP ASVS 5.0 3, DISA STIG Windows 10 2, DISA STIG Oracle Linux 8 2, DISA STIG Windows Server 2016 1, DISA STIG Windows Server 2019 1, DISA STIG Windows Server 2022 1, DISA STIG Windows 11 1, OWASP Web Top 10 (2025) 1
CWE-703 · Improper Check or Handling of Exceptional Conditions · Full · 7 src · MITRE ATT&CK 6, OWASP Web Top 10 (2025) 1
CWE-664 · Improper Control of a Resource Through its Lifetime · Mostly · 21 src · MITRE ATT&CK 13, CAPEC 5, DISA STIG Windows Server 2016 2, DISA STIG Windows Server 2019 1
CWE-707 · Improper Neutralization · Mostly · 21 src · CAPEC 16, MITRE ATT&CK 3, OWASP ASVS 5.0 1, DISA STIG Oracle Linux 9 1
CWE-691 · Insufficient Control Flow Management · Mostly · 19 src · MITRE ATT&CK 16, CAPEC 1, DISA STIG Windows 10 1, DISA STIG Windows 11 1
CWE-435 · Improper Interaction Between Multiple Correctly-Behaving Entities · Mostly · 5 src · OWASP ASVS 5.0 5
Compound 7/7 · 7 covered
CWE-384 · Session Fixation · Full · 10 src · CAPEC 6, OWASP ASVS 5.0 2, OWASP Web Top 10 (2025) 1, MITRE ATT&CK 1
CWE-352 · Cross-Site Request Forgery (CSRF) · Full · 7 src · OWASP ASVS 5.0 3, CAPEC 3, OWASP Web Top 10 (2025) 1
CWE-61 · UNIX Symbolic Link (Symlink) Following · Mostly · 5 src · DISA STIG Oracle Linux 8 1, OWASP Web Top 10 (2025) 1, CAPEC 1, OWASP ASVS 5.0 1, MITRE ATT&CK 1
"Cumulative" here means breadth of corroboration, not summed coverage: overlapping partial mappings are NOT added up into "full". The headline per control is the best-attested single mapping, shown alongside the count and source frameworks behind it.