Common Weakness Enumeration

Differences between Version 4.17 and Version 4.18

Summary
Total weaknesses/chains/composites (Version 4.18) 944
Total weaknesses/chains/composites (Version 4.17) 943
Total new 3
Total deprecated 0
Total with major changes 323
Total with only minor changes 1
Total unchanged 1108

Summary of Entry Types

Type Version 4.17 Version 4.18
Weakness 943 944
Category 374 375
View 51 52
Deprecated 64 64
Total 1432 1435

Field Change Summary

Any change with respect to whitespace is ignored. "Minor" changes are text changes that only affect capitalization and punctuation. Most other changes are marked as "Major." Simple schema changes are treated as Minor, such as the change from AffectedResource to Affected_Resource in Draft 8, or the relationship name change from "IsRequiredBy" to "RequiredBy" in Version 1.0. For each mutual relationship between nodes A and B (such as ParentOf and ChildOf), a relationship change is noted for both A and B.

Field Major Minor
Name 1 0
Description 15 0
Diagram 14 0
Relationships 21 0
Common_Consequences 16 0
Applicable_Platforms 7 0
Modes_of_Introduction 3 0
Detection_Factors 47 0
Potential_Mitigations 27 1
Demonstrative_Examples 15 0
Observed_Examples 17 0
Related_Attack_Patterns 0 0
Weakness_Ordinalities 0 0
Time_of_Introduction 0 0
Likelihood_of_Exploit 0 0
References 225 1
Mapping_Notes 1 0
Terminology_Notes 0 0
Alternate_Terms 2 0
Relationship_Notes 0 0
Taxonomy_Mappings 0 0
Maintenance_Notes 1 0
Affected_Resources 63 0
Functional_Areas 82 0
Research_Gaps 0 0
Background_Details 1 0
Theoretical_Notes 0 0
Other_Notes 4 0
View_Type 0 0
View_Structure 0 0
View_Filter 0 0
View_Audience 0 0
Type 0 0
Source_Taxonomy 0 0

Form and Abstraction Changes

From To Total CWE IDs
Unchanged 1432

Status Changes

From To Total
Unchanged 1432

Relationship Changes

The "Version 4.18 Total" lists the total number of relationships in Version 4.18. The "Shared" value is the total number of relationships in entries that were in both Version 4.18 and Version 4.17. The "New" value is the total number of relationships involving entries that did not exist in Version 4.17. Thus, the total number of relationships in Version 4.18 would combine stats from Shared entries and New entries.

Relationship   Version 4.18 Total   Version 4.17 Total   Version 4.18 Shared   Unchanged   Added to Version 4.18   Removed from Version 4.17   Version 4.18 New
ALL                         12578                12534                 12534       12534                       -                           -                 44
ChildOf                      5303                 5295                  5295        5295                       -                           -                  8
ParentOf                     5303                 5295                  5295        5295                       -                           -                  8
MemberOf                      727                  715                   715         715                       -                           -                 12
HasMember                     727                  715                   715         715                       -                           -                 12
CanPrecede                    143                  142                   142         142                       -                           -                  1
CanFollow                     143                  142                   142         142                       -                           -                  1
StartsWith                      3                    3                     3           3                       -                           -                  -
Requires                       13                   13                    13          13                       -                           -                  -
RequiredBy                     13                   13                    13          13                       -                           -                  -
CanAlsoBe                      27                   27                    27          27                       -                           -                  -
PeerOf                        176                  174                   174         174                       -                           -                  2

Nodes Removed in Version 4.18

CWE-ID CWE Name
None.

Nodes Added to Version 4.18

CWE-ID CWE Name
1432 Weaknesses in the 2025 CWE Most Important Hardware Weaknesses List
1433 2025 MIHW Supplement: Expert Insights
1434 Insecure Setting of Generative AI/ML Model Inference Parameters

Nodes Deprecated in Version 4.18

CWE-ID CWE Name
None.

Important Changes

A node change is labeled "important" if it is a major field change and the field is critical to the meaning of the node. The critical fields are description, name, and relationships.

Key
D Description
N Name
R Relationships

D 23 Relative Path Traversal
D 80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
D 120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
D 209 Generation of Error Message Containing Sensitive Information
R 226 Sensitive Information in Resource Not Removed Before Reuse
D 250 Execution with Unnecessary Privileges
D 256 Plaintext Storage of a Password
D 295 Improper Certificate Validation
D 330 Use of Insufficiently Random Values
D 367 Time-of-check Time-of-use (TOCTOU) Race Condition
R 440 Expected Behavior Violation
D 489 Active Debug Code
D 614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
R 665 Improper Initialization
R 684 Incorrect Provision of Specified Functionality
R 691 Insufficient Control Flow Management
D 770 Allocation of Resources Without Limits or Throttling
D 772 Missing Release of Resource after Effective Lifetime
DN 942 Permissive Cross-domain Security Policy with Untrusted Domains
R 1189 Improper Isolation of Shared Resources on System-on-a-Chip (SoC)
R 1191 On-Chip Debug and Test Interface With Improper Access Control
R 1231 Improper Prevention of Lock Bit Modification
R 1233 Security-Sensitive Hardware Controls with Missing Lock Bit Protection
R 1234 Hardware Internal or Debug Modes Allow Override of Locks
R 1244 Internal Asset Exposed to Unsafe Debug Access Level or State
R 1247 Improper Protection Against Voltage and Clock Glitches
R 1256 Improper Restriction of Software Interfaces to Hardware Features
R 1260 Improper Handling of Overlap Between Protected Memory Ranges
R 1262 Improper Access Control for Register Interface
R 1272 Sensitive Information Uncleared Before Debug/Power State Transition
R 1300 Improper Protection of Physical Side Channels
D 1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
R 1412 Comprehensive Categorization: Poor Coding Practices
R 1421 Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution
R 1423 Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution
R 1431 Driving Intermediate Cryptographic State/Results to Hardware Module Outputs

Detailed Difference Report

12 ASP.NET Misconfiguration: Missing Custom Error Page
Major References
Minor None
14 Compiler Removal of Code to Clear Buffers
Major References
Minor None
20 Improper Input Validation
Major Detection_Factors, References
Minor None
22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Major Applicable_Platforms, Detection_Factors, Observed_Examples, Potential_Mitigations, References
Minor None
23 Relative Path Traversal
Major Affected_Resources, Applicable_Platforms, Common_Consequences, Description, Diagram, Functional_Areas, Observed_Examples, Potential_Mitigations, References
Minor None
24 Path Traversal: '../filedir'
Major Affected_Resources, Functional_Areas
Minor None
25 Path Traversal: '/../filedir'
Major Affected_Resources, Functional_Areas
Minor None
26 Path Traversal: '/dir/../filename'
Major Affected_Resources, Functional_Areas
Minor None
27 Path Traversal: 'dir/../../filename'
Major Affected_Resources, Functional_Areas
Minor None
28 Path Traversal: '..\filedir'
Major Affected_Resources, Functional_Areas
Minor None
29 Path Traversal: '\..\filename'
Major Affected_Resources, Functional_Areas
Minor None
30 Path Traversal: '\dir\..\filename'
Major Affected_Resources, Functional_Areas
Minor None
31 Path Traversal: 'dir\..\..\filename'
Major Affected_Resources, Functional_Areas
Minor None
32 Path Traversal: '...' (Triple Dot)
Major Affected_Resources, Functional_Areas
Minor None
33 Path Traversal: '....' (Multiple Dot)
Major Affected_Resources, Functional_Areas
Minor None
34 Path Traversal: '....//'
Major Affected_Resources, Detection_Factors, Functional_Areas, References
Minor None
35 Path Traversal: '.../...//'
Major Affected_Resources, Functional_Areas
Minor None
36 Absolute Path Traversal
Major Affected_Resources, Applicable_Platforms, Functional_Areas, Observed_Examples, Potential_Mitigations, References
Minor None
37 Path Traversal: '/absolute/pathname/here'
Major Affected_Resources, Functional_Areas
Minor None
38 Path Traversal: '\absolute\pathname\here'
Major Affected_Resources, Functional_Areas
Minor None
39 Path Traversal: 'C:dirname'
Major Affected_Resources, Functional_Areas
Minor None
40 Path Traversal: '\\UNC\share\name\' (Windows UNC Share)
Major Affected_Resources, Functional_Areas
Minor None
41 Improper Resolution of Path Equivalence
Major Detection_Factors, Functional_Areas, References
Minor None
42 Path Equivalence: 'filename.' (Trailing Dot)
Major Affected_Resources, Functional_Areas
Minor None
43 Path Equivalence: 'filename....' (Multiple Trailing Dot)
Major Affected_Resources, Functional_Areas
Minor None
44 Path Equivalence: 'file.name' (Internal Dot)
Major Affected_Resources, Functional_Areas
Minor None
45 Path Equivalence: 'file...name' (Multiple Internal Dot)
Major Affected_Resources, Functional_Areas
Minor None
46 Path Equivalence: 'filename ' (Trailing Space)
Major Affected_Resources, Functional_Areas
Minor None
47 Path Equivalence: ' filename' (Leading Space)
Major Affected_Resources, Functional_Areas
Minor None
48 Path Equivalence: 'file name' (Internal Whitespace)
Major Affected_Resources, Functional_Areas
Minor None
49 Path Equivalence: 'filename/' (Trailing Slash)
Major Affected_Resources, Functional_Areas
Minor None
50 Path Equivalence: '//multiple/leading/slash'
Major Affected_Resources, Functional_Areas
Minor None
51 Path Equivalence: '/multiple//internal/slash'
Major Affected_Resources, Functional_Areas
Minor None
52 Path Equivalence: '/multiple/trailing/slash//'
Major Affected_Resources, Functional_Areas
Minor None
53 Path Equivalence: '\multiple\\internal\backslash'
Major Affected_Resources, Functional_Areas
Minor None
54 Path Equivalence: 'filedir\' (Trailing Backslash)
Major Affected_Resources, Functional_Areas
Minor None
55 Path Equivalence: '/./' (Single Dot Directory)
Major Affected_Resources, Functional_Areas
Minor None
56 Path Equivalence: 'filedir*' (Wildcard)
Major Affected_Resources, Functional_Areas
Minor None
57 Path Equivalence: 'fakedir/../realdir/filename'
Major Affected_Resources, Functional_Areas
Minor None
58 Path Equivalence: Windows 8.3 Filename
Major Affected_Resources
Minor None
59 Improper Link Resolution Before File Access ('Link Following')
Major Detection_Factors, References
Minor None
61 UNIX Symbolic Link (Symlink) Following
Major Affected_Resources, Functional_Areas, References
Minor None
62 UNIX Hard Link
Major Affected_Resources, Functional_Areas
Minor None
64 Windows Shortcut Following (.LNK)
Major Affected_Resources, Functional_Areas
Minor None
65 Windows Hard Link
Major Affected_Resources, Functional_Areas
Minor None
66 Improper Handling of File Names that Identify Virtual Resources
Major Detection_Factors, References
Minor None
67 Improper Handling of Windows Device Names
Major Functional_Areas
Minor None
69 Improper Handling of Windows ::DATA Alternate Data Stream
Major Affected_Resources, Functional_Areas
Minor None
72 Improper Handling of Apple HFS+ Alternate Data Stream Path
Major Affected_Resources, Functional_Areas
Minor None
73 External Control of File Name or Path
Major References
Minor None
74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Major Demonstrative_Examples
Minor None
78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Major Applicable_Platforms, Detection_Factors, Observed_Examples, Potential_Mitigations, References
Minor None
79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Major Applicable_Platforms, Observed_Examples, Potential_Mitigations, References
Minor None
80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
Major Common_Consequences, Description, Diagram, Other_Notes
Minor None
88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Major Functional_Areas
Minor None
89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Major Detection_Factors, Potential_Mitigations, References
Minor None
98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
Major Potential_Mitigations, References
Minor None
114 Process Control
Major Functional_Areas
Minor None
116 Improper Encoding or Escaping of Output
Major References
Minor None
119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Major Demonstrative_Examples, Detection_Factors, Functional_Areas, References
Minor None
120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Major Description, Detection_Factors, Diagram, Other_Notes, References
Minor None
121 Stack-based Buffer Overflow
Major Affected_Resources, Functional_Areas, References
Minor None
122 Heap-based Buffer Overflow
Major Functional_Areas, References
Minor None
123 Write-what-where Condition
Major Affected_Resources, Functional_Areas, Observed_Examples
Minor None
124 Buffer Underwrite ('Buffer Underflow')
Major Affected_Resources, Functional_Areas
Minor None
125 Out-of-bounds Read
Major Affected_Resources, Demonstrative_Examples, Functional_Areas
Minor None
126 Buffer Over-read
Major Affected_Resources, Common_Consequences, Demonstrative_Examples, Functional_Areas
Minor None
127 Buffer Under-read
Major Affected_Resources, Common_Consequences, Demonstrative_Examples, Functional_Areas
Minor None
129 Improper Validation of Array Index
Major Demonstrative_Examples, Functional_Areas
Minor None
130 Improper Handling of Length Parameter Inconsistency
Major Demonstrative_Examples
Minor None
131 Incorrect Calculation of Buffer Size
Major Affected_Resources, Detection_Factors, Functional_Areas, Potential_Mitigations, References
Minor None
134 Use of Externally-Controlled Format String
Major Detection_Factors, Functional_Areas, References
Minor None
188 Reliance on Data/Memory Layout
Major Affected_Resources, Functional_Areas
Minor None
190 Integer Overflow or Wraparound
Major Detection_Factors, Observed_Examples, Potential_Mitigations, References
Minor None
193 Off-by-one Error
Major References
Minor None
198 Use of Incorrect Byte Ordering
Major Affected_Resources, Functional_Areas
Minor None
200 Exposure of Sensitive Information to an Unauthorized Actor
Major Detection_Factors, References
Minor None
209 Generation of Error Message Containing Sensitive Information
Major Common_Consequences, Description, Diagram, Other_Notes, References
Minor None
214 Invocation of Process Using Visible Sensitive Information
Major Functional_Areas
Minor None
226 Sensitive Information in Resource Not Removed Before Reuse
Major Relationships
Minor None
240 Improper Handling of Inconsistent Structural Elements
Major Demonstrative_Examples
Minor None
244 Improper Clearing of Heap Memory Before Release ('Heap Inspection')
Major Functional_Areas
Minor None
250 Execution with Unnecessary Privileges
Major Common_Consequences, Description, Detection_Factors, Diagram, Other_Notes, References
Minor None
252 Unchecked Return Value
Major Potential_Mitigations, References
Minor None
256 Plaintext Storage of a Password
Major Common_Consequences, Description, Diagram
Minor None
262 Not Using Password Aging
Major References
Minor None
263 Password Aging with Long Expiration
Major Maintenance_Notes, Mapping_Notes, Potential_Mitigations, References
Minor None
272 Least Privilege Violation
Major Detection_Factors, References
Minor None
276 Incorrect Default Permissions
Major Detection_Factors, References
Minor None
285 Improper Authorization
Major Detection_Factors, References
Minor None
287 Improper Authentication
Major Demonstrative_Examples, Detection_Factors, References
Minor None
295 Improper Certificate Validation
Major Common_Consequences, Description, Detection_Factors, Diagram, References
Minor None
296 Improper Following of a Certificate's Chain of Trust
Major References
Minor None
297 Improper Validation of Certificate with Host Mismatch
Major References
Minor None
300 Channel Accessible by Non-Endpoint
Major Alternate_Terms, Detection_Factors
Minor None
306 Missing Authentication for Critical Function
Major Detection_Factors, References
Minor None
307 Improper Restriction of Excessive Authentication Attempts
Major Demonstrative_Examples, Detection_Factors, Potential_Mitigations, References
Minor None
311 Missing Encryption of Sensitive Data
Major Detection_Factors, References
Minor None
319 Cleartext Transmission of Sensitive Information
Major References
Minor None
327 Use of a Broken or Risky Cryptographic Algorithm
Major Detection_Factors, Potential_Mitigations, References
Minor None
328 Use of Weak Hash
Major References
Minor None
330 Use of Insufficiently Random Values
Major Description, Detection_Factors, Diagram, References
Minor None
332 Insufficient Entropy in PRNG
Major References
Minor None
334 Small Space of Random Values
Major References
Minor None
336 Same Seed in Pseudo-Random Number Generator (PRNG)
Major References
Minor None
337 Predictable Seed in Pseudo-Random Number Generator (PRNG)
Major References
Minor None
339 Small Seed Space in PRNG
Major References
Minor None
341 Predictable from Observable State
Major References
Minor None
342 Predictable Exact Value from Previous Values
Major References
Minor None
343 Predictable Value Range from Previous Values
Major References
Minor None
344 Use of Invariant Value in Dynamically Changing Context
Major References
Minor None
346 Origin Validation Error
Major Observed_Examples
Minor None
352 Cross-Site Request Forgery (CSRF)
Major Detection_Factors, Potential_Mitigations, References
Minor None
359 Exposure of Private Personal Information to an Unauthorized Actor
Major References
Minor None
362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
Major Detection_Factors, References
Minor None
367 Time-of-check Time-of-use (TOCTOU) Race Condition
Major Common_Consequences, Description, Diagram, Modes_of_Introduction
Minor None
384 Session Fixation
Major Potential_Mitigations, References
Minor None
392 Missing Report of Error Condition
Major References
Minor None
395 Use of NullPointerException Catch to Detect NULL Pointer Dereference
Major Detection_Factors, References
Minor None
400 Uncontrolled Resource Consumption
Major Observed_Examples, References
Minor None
403 Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')
Major Functional_Areas
Minor None
415 Double Free
Major Functional_Areas
Minor None
416 Use After Free
Major Functional_Areas
Minor None
421 Race Condition During Access to Alternate Channel
Major Functional_Areas
Minor None
427 Uncontrolled Search Path Element
Major Affected_Resources, Functional_Areas, References
Minor None
434 Unrestricted Upload of File with Dangerous Type
Major Detection_Factors, References
Minor None
436 Interpretation Conflict
Major References
Minor None
440 Expected Behavior Violation
Major Relationships
Minor None
444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
Major References
Minor None
451 User Interface (UI) Misrepresentation of Critical Information
Major References
Minor None
456 Missing Initialization of a Variable
Major Potential_Mitigations, References
Minor None
457 Use of Uninitialized Variable
Major Potential_Mitigations, References
Minor None
466 Return of Pointer Value Outside of Expected Range
Major Affected_Resources, Functional_Areas
Minor None
476 NULL Pointer Dereference
Major Potential_Mitigations, References
Minor None
477 Use of Obsolete Function
Major Detection_Factors, References
Minor None
489 Active Debug Code
Major Common_Consequences, Description, Diagram, Modes_of_Introduction
Minor None
494 Download of Code Without Integrity Check
Major Potential_Mitigations, References
Minor None
502 Deserialization of Untrusted Data
Major Observed_Examples, Potential_Mitigations, References
Minor None
506 Embedded Malicious Code
Major Detection_Factors, References
Minor None
510 Trapdoor
Major Detection_Factors, References
Minor None
514 Covert Channel
Major Detection_Factors, References
Minor None
521 Weak Password Requirements
Major Potential_Mitigations, References
Minor None
543 Use of Singleton Pattern Without Synchronization in a Multithreaded Context
Major References
Minor None
561 Dead Code
Major Detection_Factors, References
Minor None
562 Return of Stack Variable Address
Major Affected_Resources, Functional_Areas
Minor None
587 Assignment of a Fixed Address to a Pointer
Major Affected_Resources, Functional_Areas
Minor None
590 Free of Memory not on the Heap
Major Functional_Areas, References
Minor None
595 Comparison of Object References Instead of Object Contents
Major References
Minor None
601 URL Redirection to Untrusted Site ('Open Redirect')
Major Alternate_Terms, Common_Consequences, Detection_Factors, Potential_Mitigations, References
Minor None
606 Unchecked Input for Loop Condition
Major Demonstrative_Examples
Minor None
611 Improper Restriction of XML External Entity Reference
Major References
Minor None
614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
Major Common_Consequences, Description, Diagram, Potential_Mitigations
Minor None
626 Null Byte Interaction Error (Poison Null Byte)
Major References
Minor None
635 Weaknesses Originally Used by NVD from 2008 to 2016
Major References
Minor None
642 External Control of Critical State Data
Major Potential_Mitigations, References
Minor None
653 Improper Isolation or Compartmentalization
Major References
Minor None
656 Reliance on Security Through Obscurity
Major Demonstrative_Examples, References
Minor None
657 Violation of Secure Design Principles
Major Demonstrative_Examples, References
Minor None
664 Improper Control of a Resource Through its Lifetime
Major Observed_Examples
Minor None
665 Improper Initialization
Major References, Relationships
Minor None
676 Use of Potentially Dangerous Function
Major Detection_Factors, References
Minor None
680 Integer Overflow to Buffer Overflow
Major Affected_Resources, Functional_Areas
Minor None
682 Incorrect Calculation
Major References
Minor None
684 Incorrect Provision of Specified Functionality
Major Relationships
Minor None
691 Insufficient Control Flow Management
Major Relationships
Minor None
698 Execution After Redirect (EAR)
Major References
Minor None
703 Improper Check or Handling of Exceptional Conditions
Major Detection_Factors, References
Minor None
712 OWASP Top Ten 2007 Category A1 - Cross Site Scripting (XSS)
Major References
Minor None
715 OWASP Top Ten 2007 Category A4 - Insecure Direct Object Reference
Major References
Minor None
716 OWASP Top Ten 2007 Category A5 - Cross Site Request Forgery (CSRF)
Major References
Minor None
717 OWASP Top Ten 2007 Category A6 - Information Leakage and Improper Error Handling
Major References
Minor None
718 OWASP Top Ten 2007 Category A7 - Broken Authentication and Session Management
Major References
Minor None
719 OWASP Top Ten 2007 Category A8 - Insecure Cryptographic Storage
Major References
Minor None
720 OWASP Top Ten 2007 Category A9 - Insecure Communications
Major References
Minor None
721 OWASP Top Ten 2007 Category A10 - Failure to Restrict URL Access
Major References
Minor None
722 OWASP Top Ten 2004 Category A1 - Unvalidated Input
Major References
Minor None
723 OWASP Top Ten 2004 Category A2 - Broken Access Control
Major References
Minor None
724 OWASP Top Ten 2004 Category A3 - Broken Authentication and Session Management
Major References
Minor None
725 OWASP Top Ten 2004 Category A4 - Cross-Site Scripting (XSS) Flaws
Major References
Minor None
726 OWASP Top Ten 2004 Category A5 - Buffer Overflows
Major References
Minor None
727 OWASP Top Ten 2004 Category A6 - Injection Flaws
Major References
Minor None
728 OWASP Top Ten 2004 Category A7 - Improper Error Handling
Major References
Minor None
729 OWASP Top Ten 2004 Category A8 - Insecure Storage
Major References
Minor None
730 OWASP Top Ten 2004 Category A9 - Denial of Service
Major References
Minor None
731 OWASP Top Ten 2004 Category A10 - Insecure Configuration Management
Major References
Minor None
732 Incorrect Permission Assignment for Critical Resource
Major Detection_Factors, References
Minor None
755 Improper Handling of Exceptional Conditions
Major References
Minor None
759 Use of a One-Way Hash without a Salt
Major Detection_Factors, References
Minor None
760 Use of a One-Way Hash with a Predictable Salt
Major References
Minor None
761 Free of Pointer not at Start of Buffer
Major Functional_Areas, References
Minor None
762 Mismatched Memory Management Routines
Major Functional_Areas, References
Minor None
763 Release of Invalid Pointer or Reference
Major Functional_Areas, References
Minor None
770 Allocation of Resources Without Limits or Throttling
Major Common_Consequences, Description, Diagram, Observed_Examples, Potential_Mitigations, References
Minor None
772 Missing Release of Resource after Effective Lifetime
Major Common_Consequences, Description, Diagram
Minor None
780 Use of RSA Algorithm without OAEP
Major References
Minor None
786 Access of Memory Location Before Start of Buffer
Major Affected_Resources, Functional_Areas
Minor None
787 Out-of-bounds Write
Major Affected_Resources, Functional_Areas, References
Minor None
788 Access of Memory Location After End of Buffer
Major Affected_Resources, Demonstrative_Examples, Functional_Areas
Minor None
789 Memory Allocation with Excessive Size Value
Major Affected_Resources, Functional_Areas, Observed_Examples
Minor None
798 Use of Hard-coded Credentials
Major Detection_Factors, References
Minor None
805 Buffer Access with Incorrect Length Value
Major Functional_Areas
Minor None
806 Buffer Access Using Size of Source Buffer
Major Functional_Areas
Minor None
807 Reliance on Untrusted Inputs in a Security Decision
Major Detection_Factors, References
Minor None
809 Weaknesses in OWASP Top Ten (2010)
Major References
Minor None
810 OWASP Top Ten 2010 Category A1 - Injection
Major References
Minor None
811 OWASP Top Ten 2010 Category A2 - Cross-Site Scripting (XSS)
Major References
Minor None
812 OWASP Top Ten 2010 Category A3 - Broken Authentication and Session Management
Major References
Minor None
813 OWASP Top Ten 2010 Category A4 - Insecure Direct Object References
Major References
Minor None
814 OWASP Top Ten 2010 Category A5 - Cross-Site Request Forgery(CSRF)
Major References
Minor None
815 OWASP Top Ten 2010 Category A6 - Security Misconfiguration
Major References
Minor None
816 OWASP Top Ten 2010 Category A7 - Insecure Cryptographic Storage
Major References
Minor None
817 OWASP Top Ten 2010 Category A8 - Failure to Restrict URL Access
Major References
Minor None
818 OWASP Top Ten 2010 Category A9 - Insufficient Transport Layer Protection
Major References
Minor None
819 OWASP Top Ten 2010 Category A10 - Unvalidated Redirects and Forwards
Major References
Minor None
822 Untrusted Pointer Dereference
Major Affected_Resources, Functional_Areas
Minor None
823 Use of Out-of-range Pointer Offset
Major Affected_Resources, Functional_Areas
Minor None
824 Access of Uninitialized Pointer
Major Affected_Resources, Functional_Areas
Minor None
825 Expired Pointer Dereference
Major Affected_Resources, Functional_Areas
Minor None
829 Inclusion of Functionality from Untrusted Control Sphere
Major Detection_Factors, Potential_Mitigations, References
Minor None
834 Excessive Iteration
Major Detection_Factors, References
Minor None
838 Inappropriate Encoding for Output Context
Major References
Minor None
839 Numeric Range Comparison Without Minimum Check
Major Demonstrative_Examples
Minor None
862 Missing Authorization
Major Applicable_Platforms, Detection_Factors, Observed_Examples, References
Minor None
863 Incorrect Authorization
Major Detection_Factors, Observed_Examples, References
Minor None
888 Software Fault Pattern (SFP) Clusters
Major References
Minor None
908 Use of Uninitialized Resource
Major References
Minor None
916 Use of Password Hash With Insufficient Computational Effort
Major Detection_Factors, References
Minor None
918 Server-Side Request Forgery (SSRF)
Major Applicable_Platforms, Observed_Examples, References
Minor None
928 Weaknesses in OWASP Top Ten (2013)
Major References
Minor None
929 OWASP Top Ten 2013 Category A1 - Injection
Major References
Minor None
930 OWASP Top Ten 2013 Category A2 - Broken Authentication and Session Management
Major References
Minor None
931 OWASP Top Ten 2013 Category A3 - Cross-Site Scripting (XSS)
Major References
Minor None
932 OWASP Top Ten 2013 Category A4 - Insecure Direct Object References
Major References
Minor None
933 OWASP Top Ten 2013 Category A5 - Security Misconfiguration
Major References
Minor None
934 OWASP Top Ten 2013 Category A6 - Sensitive Data Exposure
Major References
Minor None
936 OWASP Top Ten 2013 Category A8 - Cross-Site Request Forgery (CSRF)
Major References
Minor None
937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
Major References
Minor None
938 OWASP Top Ten 2013 Category A10 - Unvalidated Redirects and Forwards
Major References
Minor None
941 Incorrectly Specified Destination in a Communication Channel
Major References
Minor None
942 Permissive Cross-domain Security Policy with Untrusted Domains
Major Background_Details, Common_Consequences, Description, Name, Potential_Mitigations, References
Minor None
1003 Weaknesses for Simplified Mapping of Published Vulnerabilities
Major References
Minor None
1007 Insufficient Visual Distinction of Homoglyphs Presented to User
Major References
Minor None
1026 Weaknesses in OWASP Top Ten (2017)
Major References
Minor None
1027 OWASP Top Ten 2017 Category A1 - Injection
Major References
Minor None
1028 OWASP Top Ten 2017 Category A2 - Broken Authentication
Major References
Minor None
1029 OWASP Top Ten 2017 Category A3 - Sensitive Data Exposure
Major References
Minor None
1030 OWASP Top Ten 2017 Category A4 - XML External Entities (XXE)
Major References
Minor None
1031 OWASP Top Ten 2017 Category A5 - Broken Access Control
Major References
Minor None
1032 OWASP Top Ten 2017 Category A6 - Security Misconfiguration
Major References
Minor None
1033 OWASP Top Ten 2017 Category A7 - Cross-Site Scripting (XSS)
Major References
Minor None
1034 OWASP Top Ten 2017 Category A8 - Insecure Deserialization
Major References
Minor None
1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
Major References
Minor None
1036 OWASP Top Ten 2017 Category A10 - Insufficient Logging & Monitoring
Major References
Minor None
1039 Inadequate Detection or Handling of Adversarial Input Perturbations in Automated Recognition Mechanism
Major References
Minor None
1059 Insufficient Technical Documentation
Major References
Minor None
1128 CISQ Quality Measures (2016)
Major References
Minor None
1129 CISQ Quality Measures (2016) - Reliability
Major References
Minor None
1130 CISQ Quality Measures (2016) - Maintainability
Major References
Minor None
1131 CISQ Quality Measures (2016) - Security
Major References
Minor None
1132 CISQ Quality Measures (2016) - Performance Efficiency
Major References
Minor None
1189 Improper Isolation of Shared Resources on System-on-a-Chip (SoC)
Major Relationships
Minor None
1191 On-Chip Debug and Test Interface With Improper Access Control
Major References, Relationships
Minor None
1231 Improper Prevention of Lock Bit Modification
Major Relationships
Minor None
1233 Security-Sensitive Hardware Controls with Missing Lock Bit Protection
Major Relationships
Minor None
1234 Hardware Internal or Debug Modes Allow Override of Locks
Major Relationships
Minor None
1236 Improper Neutralization of Formula Elements in a CSV File
Major References
Minor None
1239 Improper Zeroization of Hardware Register
Major References
Minor None
1240 Use of a Cryptographic Primitive with a Risky Implementation
Major References
Minor Potential_Mitigations
1244 Internal Asset Exposed to Unsafe Debug Access Level or State
Major References, Relationships
Minor None
1246 Improper Write Handling in Limited-write Non-Volatile Memories
Major References
Minor None
1247 Improper Protection Against Voltage and Clock Glitches
Major Relationships
Minor None
1256 Improper Restriction of Software Interfaces to Hardware Features
Major Relationships
Minor None
1260 Improper Handling of Overlap Between Protected Memory Ranges
Major Relationships
Minor None
1262 Improper Access Control for Register Interface
Major Relationships
Minor None
1272 Sensitive Information Uncleared Before Debug/Power State Transition
Major References, Relationships
Minor None
1275 Sensitive Cookie with Improper SameSite Attribute
Major References
Minor None
1284 Improper Validation of Specified Quantity in Input
Major Observed_Examples
Minor None
1293 Missing Source Correlation of Multiple Independent Data
Major References
Minor None
1295 Debug Messages Revealing Unnecessary Information
Major References
Minor None
1300 Improper Protection of Physical Side Channels
Major References, Relationships
Minor None
1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
Major Common_Consequences, Description, Diagram, Modes_of_Introduction
Minor None
1327 Binding to an Unrestricted IP Address
Major References
Minor None
1340 CISQ Data Protection Measures
Major References
Minor None
1343 Weaknesses in the 2021 CWE Most Important Hardware Weaknesses List
Major References
Minor None
1357 Reliance on Insufficiently Trustworthy Component
Major References
Minor None
1358 Weaknesses in SEI ETF Categories of Security Vulnerabilities in ICS
Major References
Minor None
1359 ICS Communications
Major References
Minor None
1360 ICS Dependencies (& Architecture)
Major References
Minor None
1361 ICS Supply Chain
Major References
Minor None
1362 ICS Engineering (Constructions/Deployment)
Major References
Minor None
1363 ICS Operations (& Maintenance)
Major References
Minor None
1364 ICS Communications: Zone Boundary Failures
Major References
Minor None
1365 ICS Communications: Unreliability
Major References
Minor None
1366 ICS Communications: Frail Security in Protocols
Major References
Minor None
1367 ICS Dependencies (& Architecture): External Physical Systems
Major References
Minor None
1368 ICS Dependencies (& Architecture): External Digital Systems
Major References
Minor None
1369 ICS Supply Chain: IT/OT Convergence/Expansion
Major References
Minor None
1370 ICS Supply Chain: Common Mode Frailties
Major References
Minor None
1371 ICS Supply Chain: Poorly Documented or Undocumented Features
Major References
Minor None
1372 ICS Supply Chain: OT Counterfeit and Malicious Corruption
Major References
Minor None
1373 ICS Engineering (Construction/Deployment): Trust Model Problems
Major References
Minor None
1374 ICS Engineering (Construction/Deployment): Maker Breaker Blindness
Major References
Minor None
1375 ICS Engineering (Construction/Deployment): Gaps in Details/Data
Major References
Minor None
1376 ICS Engineering (Construction/Deployment): Security Gaps in Commissioning
Major References
Minor None
1377 ICS Engineering (Construction/Deployment): Inherent Predictability in Design
Major References
Minor None
1378 ICS Operations (& Maintenance): Gaps in obligations and training
Major References
Minor None
1379 ICS Operations (& Maintenance): Human factors in ICS environments
Major References
Minor None
1380 ICS Operations (& Maintenance): Post-analysis changes
Major References
Minor None
1381 ICS Operations (& Maintenance): Exploitable Standard Operational Procedures
Major References
Minor None
1382 ICS Operations (& Maintenance): Emerging Energy Technologies
Major References
Minor None
1383 ICS Operations (& Maintenance): Compliance/Conformance with Regulatory Requirements
Major References
Minor None
1384 Improper Handling of Physical or Environmental Conditions
Major References
Minor None
1385 Missing Origin Validation in WebSockets
Major References
Minor None
1391 Use of Weak Credentials
Major References
Minor None
1393 Use of Default Password
Major References
Minor None
1395 Dependency on Vulnerable Third-Party Component
Major References
Minor None
1412 Comprehensive Categorization: Poor Coding Practices
Major Relationships
Minor None
1420 Exposure of Sensitive Information during Transient Execution
Major References
Minor None
1421 Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution
Major References, Relationships
Minor None
1423 Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution
Major Relationships
Minor None
1427 Improper Neutralization of Input Used for LLM Prompting
Major References
Minor None
1428 Reliance on HTTP instead of HTTPS
Major References
Minor None
1430 Weaknesses in the 2024 CWE Top 25 Most Dangerous Software Weaknesses
Major None
Minor References
1431 Driving Intermediate Cryptographic State/Results to Hardware Module Outputs
Major Relationships
Minor None
Page Last Updated: September 09, 2025