CWE Coverage for Red Hat Customer Portal


Present CWE coverage for Red Hat Customer Portal

Update Oct 2022: This article has been updated with new coverage used for the Red Hat Customer Portal, based on CWE version 4.9.

Update 24th May 2022: This article has been updated with new coverage used for the Red Hat Customer Portal, based on CWE version 4.7.

Update 3rd November 2020: This article has been updated with new coverage used for the Red Hat Customer Portal, based on CWE version 4.2.

Update 17th March 2020: This article has been updated with the new coverage used for the Red Hat Customer Portal, based on CWE version 4.0.

Update 27th August 2019: This article has been updated with a new version of the coverage used for the Red Hat Customer Portal, based on CWE version 3.3.

Update 18th February 2015: This article has been updated to the new revision 2.8_1 of the coverage, which is now used for Red Hat Customer Portal.

Update 4th September 2014: This article has been updated to reflect that CWE list version 2.8 (updated from version 2.5) and a new revision of the coverage are now used for Red Hat Customer Portal.

Update 12th August 2013: This article has been updated to reflect that CWE list version 2.5 (updated from version 2.4) and a new revision of the coverage are now used for Red Hat Customer Portal.

Update 22nd March 2013: This article has been updated to make corrections to two of the entries in the CWE list.

Update 28th February 2013: This article has been updated to reflect that CWE list version 2.4 (updated from version 2.3) is now used for Red Hat Customer Portal.

Update 27th November 2012: This article has been updated to reflect that CWE list version 2.3 (updated from version 2.2) is now used for Red Hat Customer Portal.

For the elements in the CWE coverage for Red Hat Customer Portal, we carefully selected abstractions with enough relevant information for developers to detect and mitigate all their related weaknesses.

CWE identifiers are assigned to Red Hat vulnerabilities using the present CWE coverage at the time of the vulnerability assessment. Thus, references to vulnerabilities are divided into time slices based upon the date the vulnerability was assessed and the present CWE coverage at that time.

The following is the present CWE coverage for Red Hat Customer Portal and is based on CWE version 4.9.

CWE-5: J2EE Misconfiguration: Data Transmission Without Encryption
CWE-6: J2EE Misconfiguration: Insufficient Session-ID Length
CWE-7: J2EE Misconfiguration: Missing Custom Error Page
CWE-8: J2EE Misconfiguration: Entity Bean Declared Remote
CWE-9: J2EE Misconfiguration: Weak Access Permissions for EJB Methods
CWE-11: ASP.NET Misconfiguration: Creating Debug Binary
CWE-12: ASP.NET Misconfiguration: Missing Custom Error Page
CWE-13: ASP.NET Misconfiguration: Password in Configuration File
CWE-14: Compiler Removal of Code to Clear Buffers
CWE-15: External Control of System or Configuration Setting
CWE-20: Improper Input Validation
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-23: Relative Path Traversal
CWE-24: Path Traversal: '../filedir'
CWE-25: Path Traversal: '/../filedir'
CWE-26: Path Traversal: '/dir/../filename'
CWE-27: Path Traversal: 'dir/../../filename'
CWE-28: Path Traversal: '..\filedir'
CWE-29: Path Traversal: '\..\filename'
CWE-30: Path Traversal: '\dir\..\filename'
CWE-31: Path Traversal: 'dir\..\..\filename'
CWE-32: Path Traversal: '...' (Triple Dot)
CWE-33: Path Traversal: '....' (Multiple Dot)
CWE-34: Path Traversal: '....//'
CWE-35: Path Traversal: '.../...//'
CWE-36: Absolute Path Traversal
CWE-37: Path Traversal: '/absolute/pathname/here'
CWE-38: Path Traversal: '\absolute\pathname\here'
CWE-39: Path Traversal: 'C:dirname'
CWE-40: Path Traversal: '\\UNC\share\name\' (Windows UNC Share)
CWE-41: Improper Resolution of Path Equivalence
CWE-42: Path Equivalence: 'filename.' (Trailing Dot)
CWE-43: Path Equivalence: 'filename....' (Multiple Trailing Dot)
CWE-44: Path Equivalence: 'file.name' (Internal Dot)
CWE-45: Path Equivalence: 'file...name' (Multiple Internal Dot)
CWE-46: Path Equivalence: 'filename ' (Trailing Space)
CWE-47: Path Equivalence: ' filename' (Leading Space)
CWE-48: Path Equivalence: 'file name' (Internal Whitespace)
CWE-49: Path Equivalence: 'filename/' (Trailing Slash)
CWE-50: Path Equivalence: '//multiple/leading/slash'
CWE-51: Path Equivalence: '/multiple//internal/slash'
CWE-52: Path Equivalence: '/multiple/trailing/slash//'
CWE-53: Path Equivalence: '\multiple\\internal\backslash'
CWE-54: Path Equivalence: 'filedir\' (Trailing Backslash)
CWE-55: Path Equivalence: '/./' (Single Dot Directory)
CWE-56: Path Equivalence: 'filedir*' (Wildcard)
CWE-57: Path Equivalence: 'fakedir/../realdir/filename'
CWE-58: Path Equivalence: Windows 8.3 Filename
CWE-59: Improper Link Resolution Before File Access ('Link Following')
CWE-61: UNIX Symbolic Link (Symlink) Following
CWE-62: UNIX Hard Link
CWE-64: Windows Shortcut Following (.LNK)
CWE-65: Windows Hard Link
CWE-66: Improper Handling of File Names that Identify Virtual Resources
CWE-67: Improper Handling of Windows Device Names
CWE-69: Improper Handling of Windows ::DATA Alternate Data Stream
CWE-71: DEPRECATED: Apple '.DS_Store'
CWE-72: Improper Handling of Apple HFS+ Alternate Data Stream Path
CWE-73: External Control of File Name or Path
CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-75: Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
CWE-76: Improper Neutralization of Equivalent Special Elements
CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CWE-81: Improper Neutralization of Script in an Error Message Web Page
CWE-82: Improper Neutralization of Script in Attributes of IMG Tags in a Web Page
CWE-83: Improper Neutralization of Script in Attributes in a Web Page
CWE-84: Improper Neutralization of Encoded URI Schemes in a Web Page
CWE-85: Doubled Character XSS Manipulations
CWE-86: Improper Neutralization of Invalid Characters in Identifiers in Web Pages
CWE-87: Improper Neutralization of Alternate XSS Syntax
CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
CWE-91: XML Injection (aka Blind XPath Injection)
CWE-92: DEPRECATED: Improper Sanitization of Custom Special Characters
CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')
CWE-94: Improper Control of Generation of Code ('Code Injection')
CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
CWE-96: Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
CWE-97: Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
CWE-99: Improper Control of Resource Identifiers ('Resource Injection')
CWE-102: Struts: Duplicate Validation Forms
CWE-103: Struts: Incomplete validate() Method Definition
CWE-104: Struts: Form Bean Does Not Extend Validation Class
CWE-105: Struts: Form Field Without Validator
CWE-106: Struts: Plug-in Framework not in Use
CWE-107: Struts: Unused Validation Form
CWE-108: Struts: Unvalidated Action Form
CWE-109: Struts: Validator Turned Off
CWE-110: Struts: Validator Without Form Field
CWE-111: Direct Use of Unsafe JNI
CWE-112: Missing XML Validation
CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
CWE-114: Process Control
CWE-115: Misinterpretation of Input
CWE-116: Improper Encoding or Escaping of Output
CWE-117: Improper Output Neutralization for Logs
CWE-118: Incorrect Access of Indexable Resource ('Range Error')
CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CWE-121: Stack-based Buffer Overflow
CWE-122: Heap-based Buffer Overflow
CWE-123: Write-what-where Condition
CWE-124: Buffer Underwrite ('Buffer Underflow')
CWE-125: Out-of-bounds Read
CWE-126: Buffer Over-read
CWE-127: Buffer Under-read
CWE-128: Wrap-around Error
CWE-129: Improper Validation of Array Index
CWE-130: Improper Handling of Length Parameter Inconsistency
CWE-131: Incorrect Calculation of Buffer Size
CWE-132: DEPRECATED: Miscalculated Null Termination
CWE-134: Use of Externally-Controlled Format String
CWE-135: Incorrect Calculation of Multi-Byte String Length
CWE-138: Improper Neutralization of Special Elements
CWE-140: Improper Neutralization of Delimiters
CWE-141: Improper Neutralization of Parameter/Argument Delimiters
CWE-142: Improper Neutralization of Value Delimiters
CWE-143: Improper Neutralization of Record Delimiters
CWE-144: Improper Neutralization of Line Delimiters
CWE-145: Improper Neutralization of Section Delimiters
CWE-146: Improper Neutralization of Expression/Command Delimiters
CWE-147: Improper Neutralization of Input Terminators
CWE-148: Improper Neutralization of Input Leaders
CWE-149: Improper Neutralization of Quoting Syntax
CWE-150: Improper Neutralization of Escape, Meta, or Control Sequences
CWE-151: Improper Neutralization of Comment Delimiters
CWE-152: Improper Neutralization of Macro Symbols
CWE-153: Improper Neutralization of Substitution Characters
CWE-154: Improper Neutralization of Variable Name Delimiters
CWE-155: Improper Neutralization of Wildcards or Matching Symbols
CWE-156: Improper Neutralization of Whitespace
CWE-157: Failure to Sanitize Paired Delimiters
CWE-158: Improper Neutralization of Null Byte or NUL Character
CWE-159: Improper Handling of Invalid Use of Special Elements
CWE-160: Improper Neutralization of Leading Special Elements
CWE-161: Improper Neutralization of Multiple Leading Special Elements
CWE-162: Improper Neutralization of Trailing Special Elements
CWE-163: Improper Neutralization of Multiple Trailing Special Elements
CWE-164: Improper Neutralization of Internal Special Elements
CWE-165: Improper Neutralization of Multiple Internal Special Elements
CWE-166: Improper Handling of Missing Special Element
CWE-167: Improper Handling of Additional Special Element
CWE-168: Improper Handling of Inconsistent Special Elements
CWE-170: Improper Null Termination
CWE-172: Encoding Error
CWE-173: Improper Handling of Alternate Encoding
CWE-174: Double Decoding of the Same Data
CWE-175: Improper Handling of Mixed Encoding
CWE-176: Improper Handling of Unicode Encoding
CWE-177: Improper Handling of URL Encoding (Hex Encoding)
CWE-178: Improper Handling of Case Sensitivity
CWE-179: Incorrect Behavior Order: Early Validation
CWE-180: Incorrect Behavior Order: Validate Before Canonicalize
CWE-181: Incorrect Behavior Order: Validate Before Filter
CWE-182: Collapse of Data into Unsafe Value
CWE-183: Permissive List of Allowed Inputs
CWE-184: Incomplete List of Disallowed Inputs
CWE-185: Incorrect Regular Expression
CWE-186: Overly Restrictive Regular Expression
CWE-187: Partial String Comparison
CWE-188: Reliance on Data/Memory Layout
CWE-190: Integer Overflow or Wraparound
CWE-191: Integer Underflow (Wrap or Wraparound)
CWE-192: Integer Coercion Error
CWE-193: Off-by-one Error
CWE-194: Unexpected Sign Extension
CWE-195: Signed to Unsigned Conversion Error
CWE-196: Unsigned to Signed Conversion Error
CWE-197: Numeric Truncation Error
CWE-198: Use of Incorrect Byte Ordering
CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CWE-201: Insertion of Sensitive Information Into Sent Data
CWE-202: Exposure of Sensitive Information Through Data Queries
CWE-203: Observable Discrepancy
CWE-204: Observable Response Discrepancy
CWE-205: Observable Behavioral Discrepancy
CWE-206: Observable Internal Behavioral Discrepancy
CWE-207: Observable Behavioral Discrepancy With Equivalent Products
CWE-208: Observable Timing Discrepancy
CWE-209: Generation of Error Message Containing Sensitive Information
CWE-210: Self-generated Error Message Containing Sensitive Information
CWE-211: Externally-Generated Error Message Containing Sensitive Information
CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer
CWE-213: Exposure of Sensitive Information Due to Incompatible Policies
CWE-214: Invocation of Process Using Visible Sensitive Information
CWE-215: Insertion of Sensitive Information Into Debugging Code
CWE-216: DEPRECATED: Containment Errors (Container Errors)
CWE-217: DEPRECATED: Failure to Protect Stored Data from Modification
CWE-218: DEPRECATED: Failure to provide confidentiality for stored data
CWE-219: Storage of File with Sensitive Data Under Web Root
CWE-220: Storage of File With Sensitive Data Under FTP Root
CWE-221: Information Loss or Omission
CWE-222: Truncation of Security-relevant Information
CWE-223: Omission of Security-relevant Information
CWE-224: Obscured Security-relevant Information by Alternate Name
CWE-225: DEPRECATED: General Information Management Problems
CWE-226: Sensitive Information in Resource Not Removed Before Reuse
CWE-228: Improper Handling of Syntactically Invalid Structure
CWE-229: Improper Handling of Values
CWE-230: Improper Handling of Missing Values
CWE-231: Improper Handling of Extra Values
CWE-232: Improper Handling of Undefined Values
CWE-233: Improper Handling of Parameters
CWE-234: Failure to Handle Missing Parameter
CWE-235: Improper Handling of Extra Parameters
CWE-236: Improper Handling of Undefined Parameters
CWE-237: Improper Handling of Structural Elements
CWE-238: Improper Handling of Incomplete Structural Elements
CWE-239: Failure to Handle Incomplete Element
CWE-240: Improper Handling of Inconsistent Structural Elements
CWE-241: Improper Handling of Unexpected Data Type
CWE-242: Use of Inherently Dangerous Function
CWE-243: Creation of chroot Jail Without Changing Working Directory
CWE-244: Improper Clearing of Heap Memory Before Release ('Heap Inspection')
CWE-245: J2EE Bad Practices: Direct Management of Connections
CWE-246: J2EE Bad Practices: Direct Use of Sockets
CWE-247: DEPRECATED: Reliance on DNS Lookups in a Security Decision
CWE-248: Uncaught Exception
CWE-249: DEPRECATED: Often Misused: Path Manipulation
CWE-250: Execution with Unnecessary Privileges
CWE-252: Unchecked Return Value
CWE-253: Incorrect Check of Function Return Value
CWE-256: Plaintext Storage of a Password
CWE-257: Storing Passwords in a Recoverable Format
CWE-258: Empty Password in Configuration File
CWE-259: Use of Hard-coded Password
CWE-260: Password in Configuration File
CWE-261: Weak Encoding for Password
CWE-262: Not Using Password Aging
CWE-263: Password Aging with Long Expiration
CWE-266: Incorrect Privilege Assignment
CWE-267: Privilege Defined With Unsafe Actions
CWE-268: Privilege Chaining
CWE-269: Improper Privilege Management
CWE-270: Privilege Context Switching Error
CWE-271: Privilege Dropping / Lowering Errors
CWE-272: Least Privilege Violation
CWE-273: Improper Check for Dropped Privileges
CWE-274: Improper Handling of Insufficient Privileges
CWE-276: Incorrect Default Permissions
CWE-277: Insecure Inherited Permissions
CWE-278: Insecure Preserved Inherited Permissions
CWE-279: Incorrect Execution-Assigned Permissions
CWE-280: Improper Handling of Insufficient Permissions or Privileges 
CWE-281: Improper Preservation of Permissions
CWE-282: Improper Ownership Management
CWE-283: Unverified Ownership
CWE-284: Improper Access Control
CWE-285: Improper Authorization
CWE-286: Incorrect User Management
CWE-287: Improper Authentication
CWE-288: Authentication Bypass Using an Alternate Path or Channel
CWE-289: Authentication Bypass by Alternate Name
CWE-290: Authentication Bypass by Spoofing
CWE-291: Reliance on IP Address for Authentication
CWE-292: DEPRECATED: Trusting Self-reported DNS Name
CWE-293: Using Referer Field for Authentication
CWE-294: Authentication Bypass by Capture-replay
CWE-295: Improper Certificate Validation
CWE-296: Improper Following of a Certificate's Chain of Trust
CWE-297: Improper Validation of Certificate with Host Mismatch
CWE-298: Improper Validation of Certificate Expiration
CWE-299: Improper Check for Certificate Revocation
CWE-300: Channel Accessible by Non-Endpoint
CWE-301: Reflection Attack in an Authentication Protocol
CWE-302: Authentication Bypass by Assumed-Immutable Data
CWE-303: Incorrect Implementation of Authentication Algorithm
CWE-304: Missing Critical Step in Authentication
CWE-305: Authentication Bypass by Primary Weakness
CWE-306: Missing Authentication for Critical Function
CWE-307: Improper Restriction of Excessive Authentication Attempts
CWE-308: Use of Single-factor Authentication
CWE-309: Use of Password System for Primary Authentication
CWE-311: Missing Encryption of Sensitive Data
CWE-312: Cleartext Storage of Sensitive Information
CWE-313: Cleartext Storage in a File or on Disk
CWE-314: Cleartext Storage in the Registry
CWE-315: Cleartext Storage of Sensitive Information in a Cookie
CWE-316: Cleartext Storage of Sensitive Information in Memory
CWE-317: Cleartext Storage of Sensitive Information in GUI
CWE-318: Cleartext Storage of Sensitive Information in Executable
CWE-319: Cleartext Transmission of Sensitive Information
CWE-321: Use of Hard-coded Cryptographic Key
CWE-322: Key Exchange without Entity Authentication
CWE-323: Reusing a Nonce, Key Pair in Encryption
CWE-324: Use of a Key Past its Expiration Date
CWE-325: Missing Cryptographic Step
CWE-326: Inadequate Encryption Strength
CWE-327: Use of a Broken or Risky Cryptographic Algorithm
CWE-328: Use of Weak Hash
CWE-329: Generation of Predictable IV with CBC Mode
CWE-330: Use of Insufficiently Random Values
CWE-331: Insufficient Entropy
CWE-332: Insufficient Entropy in PRNG
CWE-333: Improper Handling of Insufficient Entropy in TRNG
CWE-334: Small Space of Random Values
CWE-335: Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)
CWE-336: Same Seed in Pseudo-Random Number Generator (PRNG)
CWE-337: Predictable Seed in Pseudo-Random Number Generator (PRNG)
CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
CWE-339: Small Seed Space in PRNG
CWE-340: Generation of Predictable Numbers or Identifiers
CWE-341: Predictable from Observable State
CWE-342: Predictable Exact Value from Previous Values
CWE-343: Predictable Value Range from Previous Values
CWE-344: Use of Invariant Value in Dynamically Changing Context
CWE-345: Insufficient Verification of Data Authenticity
CWE-346: Origin Validation Error
CWE-347: Improper Verification of Cryptographic Signature
CWE-348: Use of Less Trusted Source
CWE-349: Acceptance of Extraneous Untrusted Data With Trusted Data
CWE-350: Reliance on Reverse DNS Resolution for a Security-Critical Action
CWE-351: Insufficient Type Distinction
CWE-352: Cross-Site Request Forgery (CSRF)
CWE-353: Missing Support for Integrity Check
CWE-354: Improper Validation of Integrity Check Value
CWE-356: Product UI does not Warn User of Unsafe Actions
CWE-357: Insufficient UI Warning of Dangerous Operations
CWE-358: Improperly Implemented Security Check for Standard
CWE-359: Exposure of Private Personal Information to an Unauthorized Actor
CWE-360: Trust of System Event Data
CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CWE-363: Race Condition Enabling Link Following
CWE-364: Signal Handler Race Condition
CWE-365: DEPRECATED: Race Condition in Switch
CWE-366: Race Condition within a Thread
CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
CWE-368: Context Switching Race Condition
CWE-369: Divide By Zero
CWE-370: Missing Check for Certificate Revocation after Initial Check
CWE-372: Incomplete Internal State Distinction
CWE-373: DEPRECATED: State Synchronization Error
CWE-374: Passing Mutable Objects to an Untrusted Method
CWE-375: Returning a Mutable Object to an Untrusted Caller
CWE-377: Insecure Temporary File
CWE-378: Creation of Temporary File With Insecure Permissions
CWE-379: Creation of Temporary File in Directory with Insecure Permissions
CWE-382: J2EE Bad Practices: Use of System.exit()
CWE-383: J2EE Bad Practices: Direct Use of Threads
CWE-384: Session Fixation
CWE-385: Covert Timing Channel
CWE-386: Symbolic Name not Mapping to Correct Object
CWE-390: Detection of Error Condition Without Action
CWE-391: Unchecked Error Condition
CWE-392: Missing Report of Error Condition
CWE-393: Return of Wrong Status Code
CWE-394: Unexpected Status Code or Return Value
CWE-395: Use of NullPointerException Catch to Detect NULL Pointer Dereference
CWE-396: Declaration of Catch for Generic Exception
CWE-397: Declaration of Throws for Generic Exception
CWE-400: Uncontrolled Resource Consumption
CWE-401: Missing Release of Memory after Effective Lifetime
CWE-402: Transmission of Private Resources into a New Sphere ('Resource Leak')
CWE-403: Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')
CWE-404: Improper Resource Shutdown or Release
CWE-405: Asymmetric Resource Consumption (Amplification)
CWE-406: Insufficient Control of Network Message Volume (Network Amplification)
CWE-407: Inefficient Algorithmic Complexity
CWE-408: Incorrect Behavior Order: Early Amplification
CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)
CWE-410: Insufficient Resource Pool
CWE-412: Unrestricted Externally Accessible Lock
CWE-413: Improper Resource Locking
CWE-414: Missing Lock Check
CWE-415: Double Free
CWE-416: Use After Free
CWE-419: Unprotected Primary Channel
CWE-420: Unprotected Alternate Channel
CWE-421: Race Condition During Access to Alternate Channel
CWE-422: Unprotected Windows Messaging Channel ('Shatter')
CWE-423: DEPRECATED: Proxied Trusted Channel
CWE-424: Improper Protection of Alternate Path
CWE-425: Direct Request ('Forced Browsing')
CWE-426: Untrusted Search Path
CWE-427: Uncontrolled Search Path Element
CWE-428: Unquoted Search Path or Element
CWE-430: Deployment of Wrong Handler
CWE-431: Missing Handler
CWE-432: Dangerous Signal Handler not Disabled During Sensitive Operations
CWE-433: Unparsed Raw Web Content Delivery
CWE-434: Unrestricted Upload of File with Dangerous Type
CWE-435: Improper Interaction Between Multiple Correctly-Behaving Entities
CWE-436: Interpretation Conflict
CWE-437: Incomplete Model of Endpoint Features
CWE-439: Behavioral Change in New Version or Environment
CWE-440: Expected Behavior Violation
CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')
CWE-443: DEPRECATED: HTTP response splitting
CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CWE-446: UI Discrepancy for Security Feature
CWE-447: Unimplemented or Unsupported Feature in UI
CWE-448: Obsolete Feature in UI
CWE-449: The UI Performs the Wrong Action
CWE-450: Multiple Interpretations of UI Input
CWE-451: User Interface (UI) Misrepresentation of Critical Information
CWE-453: Insecure Default Variable Initialization
CWE-454: External Initialization of Trusted Variables or Data Stores
CWE-455: Non-exit on Failed Initialization
CWE-456: Missing Initialization of a Variable
CWE-457: Use of Uninitialized Variable
CWE-458: DEPRECATED: Incorrect Initialization
CWE-459: Incomplete Cleanup
CWE-460: Improper Cleanup on Thrown Exception
CWE-462: Duplicate Key in Associative List (Alist)
CWE-463: Deletion of Data Structure Sentinel
CWE-464: Addition of Data Structure Sentinel
CWE-466: Return of Pointer Value Outside of Expected Range
CWE-467: Use of sizeof() on a Pointer Type
CWE-468: Incorrect Pointer Scaling
CWE-469: Use of Pointer Subtraction to Determine Size
CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
CWE-471: Modification of Assumed-Immutable Data (MAID)
CWE-472: External Control of Assumed-Immutable Web Parameter
CWE-473: PHP External Variable Modification
CWE-474: Use of Function with Inconsistent Implementations
CWE-475: Undefined Behavior for Input to API
CWE-476: NULL Pointer Dereference
CWE-477: Use of Obsolete Function
CWE-478: Missing Default Case in Multiple Condition Expression
CWE-479: Signal Handler Use of a Non-reentrant Function
CWE-480: Use of Incorrect Operator
CWE-481: Assigning instead of Comparing
CWE-482: Comparing instead of Assigning
CWE-483: Incorrect Block Delimitation
CWE-484: Omitted Break Statement in Switch
CWE-486: Comparison of Classes by Name
CWE-487: Reliance on Package-level Scope
CWE-488: Exposure of Data Element to Wrong Session
CWE-489: Active Debug Code
CWE-491: Public cloneable() Method Without Final ('Object Hijack')
CWE-492: Use of Inner Class Containing Sensitive Data
CWE-493: Critical Public Variable Without Final Modifier
CWE-494: Download of Code Without Integrity Check
CWE-495: Private Data Structure Returned From A Public Method
CWE-496: Public Data Assigned to Private Array-Typed Field
CWE-497: Exposure of Sensitive System Information to an Unauthorized Control Sphere
CWE-498: Cloneable Class Containing Sensitive Information
CWE-499: Serializable Class Containing Sensitive Data
CWE-500: Public Static Field Not Marked Final
CWE-501: Trust Boundary Violation
CWE-502: Deserialization of Untrusted Data
CWE-506: Embedded Malicious Code
CWE-507: Trojan Horse
CWE-508: Non-Replicating Malicious Code
CWE-509: Replicating Malicious Code (Virus or Worm)
CWE-510: Trapdoor
CWE-511: Logic/Time Bomb
CWE-512: Spyware
CWE-514: Covert Channel
CWE-515: Covert Storage Channel
CWE-516: DEPRECATED: Covert Timing Channel
CWE-520: .NET Misconfiguration: Use of Impersonation
CWE-521: Weak Password Requirements
CWE-522: Insufficiently Protected Credentials
CWE-523: Unprotected Transport of Credentials
CWE-524: Use of Cache Containing Sensitive Information
CWE-525: Use of Web Browser Cache Containing Sensitive Information
CWE-526: Exposure of Sensitive Information Through Environmental Variables
CWE-527: Exposure of Version-Control Repository to an Unauthorized Control Sphere
CWE-528: Exposure of Core Dump File to an Unauthorized Control Sphere
CWE-529: Exposure of Access Control List Files to an Unauthorized Control Sphere
CWE-530: Exposure of Backup File to an Unauthorized Control Sphere
CWE-531: Inclusion of Sensitive Information in Test Code
CWE-532: Insertion of Sensitive Information into Log File
CWE-533: DEPRECATED: Information Exposure Through Server Log Files
CWE-534: DEPRECATED: Information Exposure Through Debug Log Files
CWE-535: Exposure of Information Through Shell Error Message
CWE-536: Servlet Runtime Error Message Containing Sensitive Information
CWE-537: Java Runtime Error Message Containing Sensitive Information
CWE-538: Insertion of Sensitive Information into Externally-Accessible File or Directory
CWE-539: Use of Persistent Cookies Containing Sensitive Information
CWE-540: Inclusion of Sensitive Information in Source Code
CWE-541: Inclusion of Sensitive Information in an Include File
CWE-542: DEPRECATED: Information Exposure Through Cleanup Log Files
CWE-543: Use of Singleton Pattern Without Synchronization in a Multithreaded Context
CWE-544: Missing Standardized Error Handling Mechanism
CWE-545: DEPRECATED: Use of Dynamic Class Loading
CWE-546: Suspicious Comment
CWE-547: Use of Hard-coded, Security-relevant Constants
CWE-548: Exposure of Information Through Directory Listing
CWE-549: Missing Password Field Masking
CWE-550: Server-generated Error Message Containing Sensitive Information
CWE-551: Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
CWE-552: Files or Directories Accessible to External Parties
CWE-553: Command Shell in Externally Accessible Directory
CWE-554: ASP.NET Misconfiguration: Not Using Input Validation Framework
CWE-555: J2EE Misconfiguration: Plaintext Password in Configuration File
CWE-556: ASP.NET Misconfiguration: Use of Identity Impersonation
CWE-558: Use of getlogin() in Multithreaded Application
CWE-560: Use of umask() with chmod-style Argument
CWE-561: Dead Code
CWE-562: Return of Stack Variable Address
CWE-563: Assignment to Variable without Use
CWE-564: SQL Injection: Hibernate
CWE-565: Reliance on Cookies without Validation and Integrity Checking
CWE-566: Authorization Bypass Through User-Controlled SQL Primary Key
CWE-567: Unsynchronized Access to Shared Data in a Multithreaded Context
CWE-568: finalize() Method Without super.finalize()
CWE-570: Expression is Always False
CWE-571: Expression is Always True
CWE-572: Call to Thread run() instead of start()
CWE-573: Improper Following of Specification by Caller
CWE-574: EJB Bad Practices: Use of Synchronization Primitives
CWE-575: EJB Bad Practices: Use of AWT Swing
CWE-576: EJB Bad Practices: Use of Java I/O
CWE-577: EJB Bad Practices: Use of Sockets
CWE-578: EJB Bad Practices: Use of Class Loader
CWE-579: J2EE Bad Practices: Non-serializable Object Stored in Session
CWE-580: clone() Method Without super.clone()
CWE-581: Object Model Violation: Just One of Equals and Hashcode Defined
CWE-582: Array Declared Public, Final, and Static
CWE-583: finalize() Method Declared Public
CWE-584: Return Inside Finally Block
CWE-585: Empty Synchronized Block
CWE-586: Explicit Call to Finalize()
CWE-587: Assignment of a Fixed Address to a Pointer
CWE-588: Attempt to Access Child of a Non-structure Pointer
CWE-589: Call to Non-ubiquitous API
CWE-590: Free of Memory not on the Heap
CWE-591: Sensitive Data Storage in Improperly Locked Memory
CWE-592: DEPRECATED: Authentication Bypass Issues
CWE-593: Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created
CWE-594: J2EE Framework: Saving Unserializable Objects to Disk
CWE-595: Comparison of Object References Instead of Object Contents
CWE-596: DEPRECATED: Incorrect Semantic Object Comparison
CWE-597: Use of Wrong Operator in String Comparison
CWE-598: Use of GET Request Method With Sensitive Query Strings
CWE-599: Missing Validation of OpenSSL Certificate
CWE-600: Uncaught Exception in Servlet 
CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
CWE-602: Client-Side Enforcement of Server-Side Security
CWE-603: Use of Client-Side Authentication
CWE-605: Multiple Binds to the Same Port
CWE-606: Unchecked Input for Loop Condition
CWE-607: Public Static Final Field References Mutable Object
CWE-608: Struts: Non-private Field in ActionForm Class
CWE-609: Double-Checked Locking
CWE-610: Externally Controlled Reference to a Resource in Another Sphere
CWE-611: Improper Restriction of XML External Entity Reference
CWE-612: Improper Authorization of Index Containing Sensitive Information
CWE-613: Insufficient Session Expiration
CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
CWE-615: Inclusion of Sensitive Information in Source Code Comments
CWE-616: Incomplete Identification of Uploaded File Variables (PHP)
CWE-617: Reachable Assertion
CWE-618: Exposed Unsafe ActiveX Method
CWE-619: Dangling Database Cursor ('Cursor Injection')
CWE-620: Unverified Password Change
CWE-621: Variable Extraction Error
CWE-622: Improper Validation of Function Hook Arguments
CWE-623: Unsafe ActiveX Control Marked Safe For Scripting
CWE-624: Executable Regular Expression Error
CWE-625: Permissive Regular Expression
CWE-626: Null Byte Interaction Error (Poison Null Byte)
CWE-627: Dynamic Variable Evaluation
CWE-628: Function Call with Incorrectly Specified Arguments
CWE-636: Not Failing Securely ('Failing Open')
CWE-637: Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')
CWE-638: Not Using Complete Mediation
CWE-639: Authorization Bypass Through User-Controlled Key
CWE-640: Weak Password Recovery Mechanism for Forgotten Password
CWE-641: Improper Restriction of Names for Files and Other Resources
CWE-642: External Control of Critical State Data
CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')
CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax
CWE-645: Overly Restrictive Account Lockout Mechanism
CWE-646: Reliance on File Name or Extension of Externally-Supplied File
CWE-647: Use of Non-Canonical URL Paths for Authorization Decisions
CWE-648: Incorrect Use of Privileged APIs
CWE-649: Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking
CWE-650: Trusting HTTP Permission Methods on the Server Side
CWE-651: Exposure of WSDL File Containing Sensitive Information
CWE-652: Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')
CWE-653: Improper Isolation or Compartmentalization
CWE-654: Reliance on a Single Factor in a Security Decision
CWE-655: Insufficient Psychological Acceptability
CWE-656: Reliance on Security Through Obscurity
CWE-657: Violation of Secure Design Principles
CWE-662: Improper Synchronization
CWE-663: Use of a Non-reentrant Function in a Concurrent Context
CWE-664: Improper Control of a Resource Through its Lifetime
CWE-665: Improper Initialization
CWE-666: Operation on Resource in Wrong Phase of Lifetime
CWE-667: Improper Locking
CWE-668: Exposure of Resource to Wrong Sphere
CWE-669: Incorrect Resource Transfer Between Spheres
CWE-670: Always-Incorrect Control Flow Implementation
CWE-671: Lack of Administrator Control over Security
CWE-672: Operation on a Resource after Expiration or Release
CWE-673: External Influence of Sphere Definition
CWE-674: Uncontrolled Recursion
CWE-675: Multiple Operations on Resource in Single-Operation Context
CWE-676: Use of Potentially Dangerous Function
CWE-680: Integer Overflow to Buffer Overflow
CWE-681: Incorrect Conversion between Numeric Types
CWE-682: Incorrect Calculation
CWE-683: Function Call With Incorrect Order of Arguments
CWE-684: Incorrect Provision of Specified Functionality
CWE-685: Function Call With Incorrect Number of Arguments
CWE-686: Function Call With Incorrect Argument Type
CWE-687: Function Call With Incorrectly Specified Argument Value
CWE-688: Function Call With Incorrect Variable or Reference as Argument
CWE-689: Permission Race Condition During Resource Copy
CWE-690: Unchecked Return Value to NULL Pointer Dereference
CWE-691: Insufficient Control Flow Management
CWE-692: Incomplete Denylist to Cross-Site Scripting
CWE-693: Protection Mechanism Failure
CWE-694: Use of Multiple Resources with Duplicate Identifier
CWE-695: Use of Low-Level Functionality
CWE-696: Incorrect Behavior Order
CWE-697: Incorrect Comparison
CWE-698: Execution After Redirect (EAR)
CWE-703: Improper Check or Handling of Exceptional Conditions
CWE-704: Incorrect Type Conversion or Cast
CWE-705: Incorrect Control Flow Scoping
CWE-706: Use of Incorrectly-Resolved Name or Reference
CWE-707: Improper Neutralization
CWE-708: Incorrect Ownership Assignment
CWE-710: Improper Adherence to Coding Standards
CWE-732: Incorrect Permission Assignment for Critical Resource
CWE-733: Compiler Optimization Removal or Modification of Security-critical Code
CWE-749: Exposed Dangerous Method or Function
CWE-754: Improper Check for Unusual or Exceptional Conditions
CWE-755: Improper Handling of Exceptional Conditions
CWE-756: Missing Custom Error Page
CWE-757: Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
CWE-758: Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
CWE-759: Use of a One-Way Hash without a Salt
CWE-760: Use of a One-Way Hash with a Predictable Salt
CWE-761: Free of Pointer not at Start of Buffer
CWE-762: Mismatched Memory Management Routines
CWE-763: Release of Invalid Pointer or Reference
CWE-764: Multiple Locks of a Critical Resource
CWE-765: Multiple Unlocks of a Critical Resource
CWE-766: Critical Data Element Declared Public
CWE-767: Access to Critical Private Variable via Public Method
CWE-768: Incorrect Short Circuit Evaluation
CWE-769: DEPRECATED: Uncontrolled File Descriptor Consumption
CWE-770: Allocation of Resources Without Limits or Throttling
CWE-771: Missing Reference to Active Allocated Resource
CWE-772: Missing Release of Resource after Effective Lifetime
CWE-773: Missing Reference to Active File Descriptor or Handle
CWE-774: Allocation of File Descriptors or Handles Without Limits or Throttling
CWE-775: Missing Release of File Descriptor or Handle after Effective Lifetime
CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
CWE-777: Regular Expression without Anchors
CWE-778: Insufficient Logging
CWE-779: Logging of Excessive Data
CWE-780: Use of RSA Algorithm without OAEP
CWE-781: Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code
CWE-782: Exposed IOCTL with Insufficient Access Control
CWE-783: Operator Precedence Logic Error
CWE-784: Reliance on Cookies without Validation and Integrity Checking in a Security Decision
CWE-785: Use of Path Manipulation Function without Maximum-sized Buffer
CWE-786: Access of Memory Location Before Start of Buffer
CWE-787: Out-of-bounds Write
CWE-788: Access of Memory Location After End of Buffer
CWE-789: Memory Allocation with Excessive Size Value
CWE-790: Improper Filtering of Special Elements
CWE-791: Incomplete Filtering of Special Elements
CWE-792: Incomplete Filtering of One or More Instances of Special Elements
CWE-793: Only Filtering One Instance of a Special Element
CWE-794: Incomplete Filtering of Multiple Instances of Special Elements
CWE-795: Only Filtering Special Elements at a Specified Location
CWE-796: Only Filtering Special Elements Relative to a Marker
CWE-797: Only Filtering Special Elements at an Absolute Position
CWE-798: Use of Hard-coded Credentials
CWE-799: Improper Control of Interaction Frequency
CWE-804: Guessable CAPTCHA
CWE-805: Buffer Access with Incorrect Length Value
CWE-806: Buffer Access Using Size of Source Buffer
CWE-807: Reliance on Untrusted Inputs in a Security Decision
CWE-820: Missing Synchronization
CWE-821: Incorrect Synchronization
CWE-822: Untrusted Pointer Dereference
CWE-823: Use of Out-of-range Pointer Offset
CWE-824: Access of Uninitialized Pointer
CWE-825: Expired Pointer Dereference
CWE-826: Premature Release of Resource During Expected Lifetime
CWE-827: Improper Control of Document Type Definition
CWE-828: Signal Handler with Functionality that is not Asynchronous-Safe
CWE-829: Inclusion of Functionality from Untrusted Control Sphere
CWE-830: Inclusion of Web Functionality from an Untrusted Source
CWE-831: Signal Handler Function Associated with Multiple Signals
CWE-832: Unlock of a Resource that is not Locked
CWE-833: Deadlock
CWE-834: Excessive Iteration
CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')
CWE-836: Use of Password Hash Instead of Password for Authentication
CWE-837: Improper Enforcement of a Single, Unique Action
CWE-838: Inappropriate Encoding for Output Context
CWE-839: Numeric Range Comparison Without Minimum Check
CWE-841: Improper Enforcement of Behavioral Workflow
CWE-842: Placement of User into Incorrect Group
CWE-843: Access of Resource Using Incompatible Type ('Type Confusion')
CWE-862: Missing Authorization
CWE-863: Incorrect Authorization
CWE-908: Use of Uninitialized Resource
CWE-909: Missing Initialization of Resource
CWE-910: Use of Expired File Descriptor
CWE-911: Improper Update of Reference Count
CWE-912: Hidden Functionality
CWE-913: Improper Control of Dynamically-Managed Code Resources
CWE-914: Improper Control of Dynamically-Identified Variables
CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
CWE-916: Use of Password Hash With Insufficient Computational Effort
CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
CWE-918: Server-Side Request Forgery (SSRF)
CWE-920: Improper Restriction of Power Consumption
CWE-921: Storage of Sensitive Data in a Mechanism without Access Control
CWE-922: Insecure Storage of Sensitive Information
CWE-923: Improper Restriction of Communication Channel to Intended Endpoints
CWE-924: Improper Enforcement of Message Integrity During Transmission in a Communication Channel
CWE-925: Improper Verification of Intent by Broadcast Receiver
CWE-926: Improper Export of Android Application Components
CWE-927: Use of Implicit Intent for Sensitive Communication
CWE-939: Improper Authorization in Handler for Custom URL Scheme
CWE-940: Improper Verification of Source of a Communication Channel
CWE-941: Incorrectly Specified Destination in a Communication Channel
CWE-942: Permissive Cross-domain Policy with Untrusted Domains
CWE-943: Improper Neutralization of Special Elements in Data Query Logic
CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag
CWE-1007: Insufficient Visual Distinction of Homoglyphs Presented to User
CWE-1021: Improper Restriction of Rendered UI Layers or Frames
CWE-1022: Use of Web Link to Untrusted Target with window.opener Access
CWE-1023: Incomplete Comparison with Missing Factors
CWE-1024: Comparison of Incompatible Types
CWE-1025: Comparison Using Wrong Factors
CWE-1037: Processor Optimization Removal or Modification of Security-critical Code
CWE-1038: Insecure Automated Optimizations
CWE-1039: Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations
CWE-1041: Use of Redundant Code
CWE-1042: Static Member Data Element outside of a Singleton Class Element
CWE-1043: Data Element Aggregating an Excessively Large Number of Non-Primitive Elements
CWE-1044: Architecture with Number of Horizontal Layers Outside of Expected Range
CWE-1045: Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor
CWE-1046: Creation of Immutable Text Using String Concatenation
CWE-1047: Modules with Circular Dependencies
CWE-1048: Invokable Control Element with Large Number of Outward Calls
CWE-1049: Excessive Data Query Operations in a Large Data Table
CWE-1050: Excessive Platform Resource Consumption within a Loop
CWE-1051: Initialization with Hard-Coded Network Resource Configuration Data
CWE-1052: Excessive Use of Hard-Coded Literals in Initialization
CWE-1053: Missing Documentation for Design
CWE-1054: Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer
CWE-1055: Multiple Inheritance from Concrete Classes
CWE-1056: Invokable Control Element with Variadic Parameters
CWE-1057: Data Access Operations Outside of Expected Data Manager Component
CWE-1058: Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element
CWE-1059: Insufficient Technical Documentation
CWE-1060: Excessive Number of Inefficient Server-Side Data Accesses
CWE-1061: Insufficient Encapsulation
CWE-1062: Parent Class with References to Child Class
CWE-1063: Creation of Class Instance within a Static Code Block
CWE-1064: Invokable Control Element with Signature Containing an Excessive Number of Parameters
CWE-1065: Runtime Resource Management Control Element in a Component Built to Run on Application Servers
CWE-1066: Missing Serialization Control Element
CWE-1067: Excessive Execution of Sequential Searches of Data Resource
CWE-1068: Inconsistency Between Implementation and Documented Design
CWE-1069: Empty Exception Block
CWE-1070: Serializable Data Element Containing non-Serializable Item Elements
CWE-1071: Empty Code Block
CWE-1072: Data Resource Access without Use of Connection Pooling
CWE-1073: Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses
CWE-1074: Class with Excessively Deep Inheritance
CWE-1075: Unconditional Control Flow Transfer outside of Switch Block
CWE-1076: Insufficient Adherence to Expected Conventions
CWE-1077: Floating Point Comparison with Incorrect Operator
CWE-1078: Inappropriate Source Code Style or Formatting
CWE-1079: Parent Class without Virtual Destructor Method
CWE-1080: Source Code File with Excessive Number of Lines of Code
CWE-1082: Class Instance Self Destruction Control Element
CWE-1083: Data Access from Outside Expected Data Manager Component
CWE-1084: Invokable Control Element with Excessive File or Data Access Operations
CWE-1085: Invokable Control Element with Excessive Volume of Commented-out Code
CWE-1086: Class with Excessive Number of Child Classes
CWE-1087: Class with Virtual Method without a Virtual Destructor
CWE-1088: Synchronous Access of Remote Resource without Timeout
CWE-1089: Large Data Table with Excessive Number of Indices
CWE-1090: Method Containing Access of a Member Element from Another Class
CWE-1091: Use of Object without Invoking Destructor Method
CWE-1092: Use of Same Invokable Control Element in Multiple Architectural Layers
CWE-1093: Excessively Complex Data Representation
CWE-1094: Excessive Index Range Scan for a Data Resource
CWE-1095: Loop Condition Value Update within the Loop
CWE-1096: Singleton Class Instance Creation without Proper Locking or Synchronization
CWE-1097: Persistent Storable Data Element without Associated Comparison Control Element
CWE-1098: Data Element containing Pointer Item without Proper Copy Control Element
CWE-1099: Inconsistent Naming Conventions for Identifiers
CWE-1100: Insufficient Isolation of System-Dependent Functions
CWE-1101: Reliance on Runtime Component in Generated Code
CWE-1102: Reliance on Machine-Dependent Data Representation
CWE-1103: Use of Platform-Dependent Third Party Components
CWE-1104: Use of Unmaintained Third Party Components
CWE-1105: Insufficient Encapsulation of Machine-Dependent Functionality
CWE-1106: Insufficient Use of Symbolic Constants
CWE-1107: Insufficient Isolation of Symbolic Constant Definitions
CWE-1108: Excessive Reliance on Global Variables
CWE-1109: Use of Same Variable for Multiple Purposes
CWE-1110: Incomplete Design Documentation
CWE-1111: Incomplete I/O Documentation
CWE-1112: Incomplete Documentation of Program Execution
CWE-1113: Inappropriate Comment Style
CWE-1114: Inappropriate Whitespace Style
CWE-1115: Source Code Element without Standard Prologue
CWE-1116: Inaccurate Comments
CWE-1117: Callable with Insufficient Behavioral Summary
CWE-1118: Insufficient Documentation of Error Handling Techniques
CWE-1119: Excessive Use of Unconditional Branching
CWE-1120: Excessive Code Complexity
CWE-1121: Excessive McCabe Cyclomatic Complexity
CWE-1122: Excessive Halstead Complexity
CWE-1123: Excessive Use of Self-Modifying Code
CWE-1124: Excessively Deep Nesting
CWE-1125: Excessive Attack Surface
CWE-1126: Declaration of Variable with Unnecessarily Wide Scope
CWE-1127: Compilation with Insufficient Warnings or Errors
CWE-1164: Irrelevant Code
CWE-1173: Improper Use of Validation Framework
CWE-1174: ASP.NET Misconfiguration: Improper Model Validation
CWE-1176: Inefficient CPU Computation
CWE-1177: Use of Prohibited Code
CWE-1187: DEPRECATED: Use of Uninitialized Resource
CWE-1188: Insecure Default Initialization of Resource
CWE-1189: Improper Isolation of Shared Resources on System-on-a-Chip (SoC)
CWE-1190: DMA Device Enabled Too Early in Boot Phase
CWE-1191: On-Chip Debug and Test Interface With Improper Access Control
CWE-1192: System-on-Chip (SoC) Using Components without Unique, Immutable Identifiers
CWE-1193: Power-On of Untrusted Execution Core Before Enabling Fabric Access Control
CWE-1204: Generation of Weak Initialization Vector (IV)
CWE-1209: Failure to Disable Reserved Bits
CWE-1220: Insufficient Granularity of Access Control
CWE-1221: Incorrect Register Defaults or Module Parameters
CWE-1222: Insufficient Granularity of Address Regions Protected by Register Locks
CWE-1223: Race Condition for Write-Once Attributes
CWE-1224: Improper Restriction of Write-Once Bit Fields
CWE-1229: Creation of Emergent Resource
CWE-1230: Exposure of Sensitive Information Through Metadata
CWE-1231: Improper Prevention of Lock Bit Modification
CWE-1232: Improper Lock Behavior After Power State Transition
CWE-1233: Security-Sensitive Hardware Controls with Missing Lock Bit Protection
CWE-1234: Hardware Internal or Debug Modes Allow Override of Locks
CWE-1235: Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations
CWE-1236: Improper Neutralization of Formula Elements in a CSV File
CWE-1239: Improper Zeroization of Hardware Register
CWE-1240: Use of a Cryptographic Primitive with a Risky Implementation
CWE-1241: Use of Predictable Algorithm in Random Number Generator
CWE-1242: Inclusion of Undocumented Features or Chicken Bits
CWE-1243: Sensitive Non-Volatile Information Not Protected During Debug
CWE-1244: Internal Asset Exposed to Unsafe Debug Access Level or State
CWE-1245: Improper Finite State Machines (FSMs) in Hardware Logic
CWE-1246: Improper Write Handling in Limited-write Non-Volatile Memories
CWE-1247: Improper Protection Against Voltage and Clock Glitches
CWE-1248: Semiconductor Defects in Hardware Logic with Security-Sensitive Implications
CWE-1249: Application-Level Admin Tool with Inconsistent View of Underlying Operating System
CWE-1250: Improper Preservation of Consistency Between Independent Representations of Shared State
CWE-1251: Mirrored Regions with Different Values
CWE-1252: CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations
CWE-1253: Incorrect Selection of Fuse Values
CWE-1254: Incorrect Comparison Logic Granularity
CWE-1255: Comparison Logic is Vulnerable to Power Side-Channel Attacks
CWE-1256: Improper Restriction of Software Interfaces to Hardware Features
CWE-1257: Improper Access Control Applied to Mirrored or Aliased Memory Regions
CWE-1258: Exposure of Sensitive System Information Due to Uncleared Debug Information
CWE-1259: Improper Restriction of Security Token Assignment
CWE-1260: Improper Handling of Overlap Between Protected Memory Ranges
CWE-1261: Improper Handling of Single Event Upsets
CWE-1262: Improper Access Control for Register Interface
CWE-1263: Improper Physical Access Control
CWE-1264: Hardware Logic with Insecure De-Synchronization between Control and Data Channels
CWE-1265: Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls
CWE-1266: Improper Scrubbing of Sensitive Data from Decommissioned Device
CWE-1267: Policy Uses Obsolete Encoding
CWE-1268: Policy Privileges are not Assigned Consistently Between Control and Data Agents
CWE-1269: Product Released in Non-Release Configuration
CWE-1270: Generation of Incorrect Security Tokens
CWE-1271: Uninitialized Value on Reset for Registers Holding Security Settings
CWE-1272: Sensitive Information Uncleared Before Debug/Power State Transition
CWE-1273: Device Unlock Credential Sharing
CWE-1274: Improper Access Control for Volatile Memory Containing Boot Code
CWE-1275: Sensitive Cookie with Improper SameSite Attribute
CWE-1276: Hardware Child Block Incorrectly Connected to Parent System
CWE-1277: Firmware Not Updateable
CWE-1278: Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques
CWE-1279: Cryptographic Operations are run Before Supporting Units are Ready
CWE-1280: Access Control Check Implemented After Asset is Accessed
CWE-1281: Sequence of Processor Instructions Leads to Unexpected Behavior
CWE-1282: Assumed-Immutable Data is Stored in Writable Memory
CWE-1283: Mutable Attestation or Measurement Reporting Data
CWE-1284: Improper Validation of Specified Quantity in Input
CWE-1285: Improper Validation of Specified Index, Position, or Offset in Input
CWE-1286: Improper Validation of Syntactic Correctness of Input
CWE-1287: Improper Validation of Specified Type of Input
CWE-1288: Improper Validation of Consistency within Input
CWE-1289: Improper Validation of Unsafe Equivalence in Input
CWE-1290: Incorrect Decoding of Security Identifiers
CWE-1291: Public Key Re-Use for Signing both Debug and Production Code
CWE-1292: Incorrect Conversion of Security Identifiers
CWE-1293: Missing Source Correlation of Multiple Independent Data
CWE-1294: Insecure Security Identifier Mechanism
CWE-1295: Debug Messages Revealing Unnecessary Information
CWE-1296: Incorrect Chaining or Granularity of Debug Components
CWE-1297: Unprotected Confidential Information on Device is Accessible by OSAT Vendors
CWE-1298: Hardware Logic Contains Race Conditions
CWE-1299: Missing Protection Mechanism for Alternate Hardware Interface
CWE-1300: Improper Protection of Physical Side Channels
CWE-1301: Insufficient or Incomplete Data Removal within Hardware Component
CWE-1302: Missing Security Identifier
CWE-1303: Non-Transparent Sharing of Microarchitectural Resources
CWE-1304: Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation
CWE-1310: Missing Ability to Patch ROM Code
CWE-1311: Improper Translation of Security Attributes by Fabric Bridge
CWE-1312: Missing Protection for Mirrored Regions in On-Chip Fabric Firewall
CWE-1313: Hardware Allows Activation of Test or Debug Logic at Runtime
CWE-1314: Missing Write Protection for Parametric Data Values
CWE-1315: Improper Setting of Bus Controlling Capability in Fabric End-point
CWE-1316: Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges
CWE-1317: Improper Access Control in Fabric Bridge
CWE-1318: Missing Support for Security Features in On-chip Fabrics or Buses
CWE-1319: Improper Protection against Electromagnetic Fault Injection (EM-FI)
CWE-1320: Improper Protection for Outbound Error Messages and Alert Signals
CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CWE-1322: Use of Blocking Code in Single-threaded, Non-blocking Context
CWE-1323: Improper Management of Sensitive Trace Data
CWE-1324: Sensitive Information Accessible by Physical Probing of JTAG Interface
CWE-1325: Improperly Controlled Sequential Memory Allocation
CWE-1326: Missing Immutable Root of Trust in Hardware
CWE-1327: Binding to an Unrestricted IP Address
CWE-1328: Security Version Number Mutable to Older Versions
CWE-1329: Reliance on Component That is Not Updateable
CWE-1330: Remanent Data Readable after Memory Erase
CWE-1331: Improper Isolation of Shared Resources in Network On Chip (NoC)
CWE-1332: Improper Handling of Faults that Lead to Instruction Skips
CWE-1333: Inefficient Regular Expression Complexity
CWE-1334: Unauthorized Error Injection Can Degrade Hardware Redundancy
CWE-1335: Incorrect Bitwise Shift of Integer
CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine
CWE-1338: Improper Protections Against Hardware Overheating
CWE-1339: Insufficient Precision or Accuracy of a Real Number
CWE-1341: Multiple Releases of Same Resource or Handle
CWE-1342: Information Exposure through Microarchitectural State after Transient Execution
CWE-1351: Improper Handling of Hardware Behavior in Exceptionally Cold Environments
CWE-1357: Reliance on Uncontrolled Component
CWE-1384: Improper Handling of Physical or Environmental Conditions
CWE-1385: Missing Origin Validation in WebSockets
CWE-1386: Insecure Operation on Windows Junction / Mount Point
CWE-1389: Incorrect Parsing of Numbers with Different Radices
CWE-1390: Weak Authentication
CWE-1391: Use of Weak Credentials
CWE-1392: Use of Default Credentials
CWE-1393: Use of Default Password
CWE-1394: Use of Default Cryptographic Key
