CWE

Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities

CWE VIEW: Weaknesses Related to AI/ML Products

View ID: 1448
Vulnerability Mapping: PROHIBITED (this CWE ID must not be used to map to real-world vulnerabilities)
Type: Graph
+ Objective
CWE entries in this view (graph) are unique to AI/ML products, or are commonly encountered in products that use or support AI/ML.
+ Audience
Stakeholder: Description
Software Developers: This view outlines the most important issues for developers who are using or adopting AI/ML.
Product Customers: This view outlines the most important issues that provide product customers with a way of asking their software development teams to follow minimum expectations for secure code.
Educators: Since AI/ML is a growing influence within industry, this view could provide educators and students with a focused set of weaknesses to learn about first.
Academic Researchers: Academic researchers could consult the "Research Gaps" notes to consider potential research opportunities for weakness-focused research.
+ Relationships
The following graph shows the tree-like relationships between weaknesses that exist at different levels of abstraction. At the highest level, categories and pillars exist to group weaknesses. Categories (which are not technically weaknesses) are special CWE entries used to group weaknesses that share a common characteristic. Pillars are weaknesses that are described in the most abstract fashion. Below these top-level entries are weaknesses at varying levels of abstraction. Classes are still very abstract, typically independent of any specific language or technology. Base level weaknesses are used to present a more specific type of weakness. A variant is a weakness that is described at a very low level of detail, typically limited to a specific language or technology. A chain is a set of weaknesses that must be reachable consecutively in order to produce an exploitable vulnerability. A composite is a set of weaknesses that must all be present simultaneously in order to produce an exploitable vulnerability.
1448 - Weaknesses Related to AI/ML Products
+ Category: Weaknesses That are Specific to AI/ML Technology - (1446)
(Category: a CWE entry that contains a set of other entries that share a common characteristic.)
This category identifies weaknesses that are uniquely applicable to AI/ML technology.
* Class: Inadequate Detection or Handling of Adversarial Input Perturbations in Automated Recognition Mechanism - (1039)
(Class: a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource.)
The product uses an automated mechanism such as machine learning to recognize complex data inputs (e.g. image or audio) as a particular concept or category, but it does not properly detect or handle inputs that have been modified or constructed in a way that causes the mechanism to detect a different, incorrect concept.
* Base: Improper Validation of Generative AI Output - (1426)
(Base: a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource.)
The product invokes a generative AI/ML component whose behaviors and outputs cannot be directly controlled, but the product does not validate or insufficiently validates the outputs to ensure that they align with the intended security, content, or privacy policy.
* Base: Improper Neutralization of Input Used for LLM Prompting - (1427)
The product uses externally-provided data to build prompts provided to large language models (LLMs), but the way these prompts are constructed causes the LLM to fail to distinguish between user-supplied inputs and developer provided system directives.
Alternate terms: prompt injection
* Base: Insecure Setting of Generative AI/ML Model Inference Parameters - (1434)
The product has a component that relies on a generative AI/ML model configured with inference parameters that produce an unacceptably high rate of erroneous or unexpected outputs.
+ Category: General Software Weaknesses that Appear in Products that Use or Support AI/ML Technology - (1447)
This category lists general software weaknesses that appear in software that insecurely uses AI/ML components, but that also frequently appear in many kinds of software products that do not use AI/ML.
* Base: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') - (22)
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Alternate terms: Path traversal; Directory traversal; Path transversal
* Class: Improper Neutralization of Special Elements used in a Command ('Command Injection') - (77)
The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Alternate terms: Command injection
* Base: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - (78)
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Alternate terms: Shell injection; Shell metacharacters; OS Command Injection
* Base: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - (79)
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Alternate terms: XSS; HTML Injection; Reflected XSS / Non-Persistent XSS / Type 1 XSS; Stored XSS / Persistent XSS / Type 2 XSS; DOM-Based XSS / Type 0 XSS; CSS
* Base: Improper Control of Generation of Code ('Code Injection') - (94)
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Alternate terms: Code Injection
* Variant: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') - (95)
(Variant: a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource.)
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").
* Class: Improper Encoding or Escaping of Output - (116)
The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved.
Alternate terms: Output Sanitization; Output Validation; Output Encoding
* Base: Execution with Unnecessary Privileges - (250)
The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.
Alternate terms: Excessive Agency
* Base: Unrestricted Upload of File with Dangerous Type - (434)
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Alternate terms: Unrestricted File Upload
* Base: Deserialization of Untrusted Data - (502)
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
Alternate terms: Marshaling/Marshalling, Unmarshaling/Unmarshalling; Pickling, Unpickling; PHP Object Injection
* Class: Missing Authorization - (862)
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Alternate terms: AuthZ
* Base: Server-Side Request Forgery (SSRF) - (918)
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
Alternate terms: XSPA; SSRF
* Base: Improper Neutralization of Special Elements Used in a Template Engine - (1336)
The product uses a template engine to insert or process externally-influenced input, but it does not neutralize or incorrectly neutralizes special elements or syntax that can be interpreted as template expressions or other code directives when processed by the engine.
Alternate terms: Server-Side Template Injection / SSTI; Client-Side Template Injection / CSTI
* Base: Improper Validation of Generative AI Output - (1426)
The product invokes a generative AI/ML component whose behaviors and outputs cannot be directly controlled, but the product does not validate or insufficiently validates the outputs to ensure that they align with the intended security, content, or privacy policy.
* Base: Improper Neutralization of Input Used for LLM Prompting - (1427)
The product uses externally-provided data to build prompts provided to large language models (LLMs), but the way these prompts are constructed causes the LLM to fail to distinguish between user-supplied inputs and developer provided system directives.
Alternate terms: prompt injection
* Base: Insecure Setting of Generative AI/ML Model Inference Parameters - (1434)
The product has a component that relies on a generative AI/ML model configured with inference parameters that produce an unacceptably high rate of erroneous or unexpected outputs.
+ Vulnerability Mapping Notes

Usage: PROHIBITED

(this CWE ID must not be used to map to real-world vulnerabilities)

Reason: View

Rationale:

This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities.

Comments:

Use this View or other Views to search and navigate for the appropriate weakness.
+ Notes

Research Gap

As of CWE 4.20, it is still difficult to distinguish common AI/ML related attacks from the underlying weaknesses. The CWE AI Working Group has had many discussions about this general topic. Much of the latest research has focused on the attacks, and/or characterizing the underlying design and implementation of AI/ML related systems. From a CWE perspective, the distinction between "control" and "data" is not necessarily as deep as currently considered within the AI/ML community, since most weaknesses are characterized in terms of potentially insecure "behavior", whether that behavior occurred due to design, insecure code, insecure configuration, or data-driven behaviors such as AI/ML. Since AI/ML is frequently derived from repositories of software that consume AI/ML components, many public reports of AI/ML vulnerabilities ultimately result from commonly-occurring weaknesses that appear in most kinds of software. There are several weakness-focused research efforts within the industry, but these efforts are still in the early stages.

Maintenance

This view is likely to be updated frequently in future versions. See Research Gaps.
+ View Metrics
CWEs in this view, out of total CWEs:
Weaknesses: 17 out of 944
Categories: 2 out of 387
Views: 0 out of 55
Total: 19 out of 1386
+ Content History
+ Submissions
Submission Date: 2026-04-27 (CWE 4.20, 2026-04-30)
Submitter: CWE Content Team
Organization: MITRE
Page Last Updated: April 30, 2026