CWE is a community-developed list of common software and hardware weakness types that have security ramifications. A "weakness" is a condition in a software, firmware, hardware, or service component that, under certain circumstances, could contribute to the introduction of vulnerabilities. The CWE List and associated classification taxonomy serve as a language that can be used to identify and describe these weaknesses in terms of CWEs.
CWE Number   Name
CWE-618      Exposed Unsafe ActiveX Method
CWE-619      Dangling Database Cursor ('Cursor Injection')
CWE-620      Unverified Password Change
CWE-621      Variable Extraction Error
CWE-622      Improper Validation of Function Hook Arguments
CWE-623      Unsafe ActiveX Control Marked Safe For Scripting
CWE-624      Executable Regular Expression Error
CWE-625      Permissive Regular Expression
CWE-626      Null Byte Interaction Error (Poison Null Byte)
CWE-627      Dynamic Variable Evaluation
CWE-628      Function Call with Incorrectly Specified Arguments
CWE-636      Not Failing Securely ('Failing Open')
CWE-637      Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')
CWE-638      Not Using Complete Mediation
CWE-639      Authorization Bypass Through User-Controlled Key
CWE-640      Weak Password Recovery Mechanism for Forgotten Password
CWE-641      Improper Restriction of Names for Files and Other Resources
CWE-642      External Control of Critical State Data
CWE-643      Improper Neutralization of Data within XPath Expressions ('XPath Injection')
CWE-644      Improper Neutralization of HTTP Headers for Scripting Syntax
CWE-645      Overly Restrictive Account Lockout Mechanism
CWE-646      Reliance on File Name or Extension of Externally-Supplied File
CWE-647      Use of Non-Canonical URL Paths for Authorization Decisions
CWE-648      Incorrect Use of Privileged APIs
CWE-649      Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking
CWE-650      Trusting HTTP Permission Methods on the Server Side
CWE-651      Exposure of WSDL File Containing Sensitive Information
CWE-652      Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')
CWE-653      Improper Isolation or Compartmentalization
CWE-654      Reliance on a Single Factor in a Security Decision
CWE-655      Insufficient Psychological Acceptability
CWE-656      Reliance on Security Through Obscurity
CWE-657      Violation of Secure Design Principles
CWE-662      Improper Synchronization
CWE-663      Use of a Non-reentrant Function in a Concurrent Context
CWE-664      Improper Control of a Resource Through its Lifetime
CWE-665      Improper Initialization
CWE-666      Operation on Resource in Wrong Phase of Lifetime
CWE-667      Improper Locking
CWE-668      Exposure of Resource to Wrong Sphere
CWE-669      Incorrect Resource Transfer Between Spheres
CWE-670      Always-Incorrect Control Flow Implementation
CWE-671      Lack of Administrator Control over Security
CWE-672      Operation on a Resource after Expiration or Release
CWE-673      External Influence of Sphere Definition
CWE-674      Uncontrolled Recursion
CWE-675      Multiple Operations on Resource in Single-Operation Context