CWE is a community-developed list of common software and hardware weakness types that have security ramifications. A “weakness” is a condition in a software, firmware, hardware, or service component that, under certain circumstances, could contribute to the introduction of vulnerabilities. The CWE List and associated classification taxonomy serve as a language that can be used to identify and describe these weaknesses in terms of CWEs.
CWE Number   Name
CWE-862      Missing Authorization
CWE-863      Incorrect Authorization
CWE-908      Use of Uninitialized Resource
CWE-909      Missing Initialization of Resource
CWE-910      Use of Expired File Descriptor
CWE-911      Improper Update of Reference Count
CWE-912      Hidden Functionality
CWE-913      Improper Control of Dynamically-Managed Code Resources
CWE-914      Improper Control of Dynamically-Identified Variables
CWE-915      Improperly Controlled Modification of Dynamically-Determined Object Attributes
CWE-916      Use of Password Hash With Insufficient Computational Effort
CWE-917      Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
CWE-918      Server-Side Request Forgery (SSRF)
CWE-920      Improper Restriction of Power Consumption
CWE-921      Storage of Sensitive Data in a Mechanism without Access Control
CWE-922      Insecure Storage of Sensitive Information
CWE-923      Improper Restriction of Communication Channel to Intended Endpoints
CWE-924      Improper Enforcement of Message Integrity During Transmission in a Communication Channel
CWE-925      Improper Verification of Intent by Broadcast Receiver
CWE-926      Improper Export of Android Application Components
CWE-927      Use of Implicit Intent for Sensitive Communication
CWE-939      Improper Authorization in Handler for Custom URL Scheme
CWE-940      Improper Verification of Source of a Communication Channel
CWE-941      Incorrectly Specified Destination in a Communication Channel
CWE-942      Permissive Cross-domain Policy with Untrusted Domains
CWE-943      Improper Neutralization of Special Elements in Data Query Logic
CWE-1004     Sensitive Cookie Without 'HttpOnly' Flag
CWE-1007     Insufficient Visual Distinction of Homoglyphs Presented to User
CWE-1021     Improper Restriction of Rendered UI Layers or Frames
CWE-1022     Use of Web Link to Untrusted Target with window.opener Access
CWE-1023     Incomplete Comparison with Missing Factors
CWE-1024     Comparison of Incompatible Types
CWE-1025     Comparison Using Wrong Factors
CWE-1037     Processor Optimization Removal or Modification of Security-critical Code
CWE-1038     Insecure Automated Optimizations
CWE-1039     Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations
CWE-1041     Use of Redundant Code
CWE-1042     Static Member Data Element outside of a Singleton Class Element
CWE-1043     Data Element Aggregating an Excessively Large Number of Non-Primitive Elements
CWE-1044     Architecture with Number of Horizontal Layers Outside of Expected Range
CWE-1045     Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor
CWE-1046     Creation of Immutable Text Using String Concatenation
CWE-1047     Modules with Circular Dependencies
CWE-1048     Invokable Control Element with Large Number of Outward Calls
CWE-1049     Excessive Data Query Operations in a Large Data Table
CWE-1050     Excessive Platform Resource Consumption within a Loop
CWE-1051     Initialization with Hard-Coded Network Resource Configuration Data
CWE-1052     Excessive Use of Hard-Coded Literals in Initialization
CWE-1053     Missing Documentation for Design
CWE-1054     Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer