CWE is a community-developed list of common software and hardware weakness
types that have security ramifications. A “weakness” is a condition in a software, firmware, hardware, or
service component that, under certain circumstances, could contribute to the introduction of
vulnerabilities. The CWE List and associated classification taxonomy serve as a language that can be used to
identify and describe these weaknesses in terms of CWEs.

| CWE Number | Name |
|---|---|
| CWE-1106 | Insufficient Use of Symbolic Constants |
| CWE-1107 | Insufficient Isolation of Symbolic Constant Definitions |
| CWE-1108 | Excessive Reliance on Global Variables |
| CWE-1109 | Use of Same Variable for Multiple Purposes |
| CWE-1110 | Incomplete Design Documentation |
| CWE-1111 | Incomplete I/O Documentation |
| CWE-1112 | Incomplete Documentation of Program Execution |
| CWE-1113 | Inappropriate Comment Style |
| CWE-1114 | Inappropriate Whitespace Style |
| CWE-1115 | Source Code Element without Standard Prologue |
| CWE-1116 | Inaccurate Comments |
| CWE-1117 | Callable with Insufficient Behavioral Summary |
| CWE-1118 | Insufficient Documentation of Error Handling Techniques |
| CWE-1119 | Excessive Use of Unconditional Branching |
| CWE-1120 | Excessive Code Complexity |
| CWE-1121 | Excessive McCabe Cyclomatic Complexity |
| CWE-1122 | Excessive Halstead Complexity |
| CWE-1123 | Excessive Use of Self-Modifying Code |
| CWE-1124 | Excessively Deep Nesting |
| CWE-1125 | Excessive Attack Surface |
| CWE-1126 | Declaration of Variable with Unnecessarily Wide Scope |
| CWE-1127 | Compilation with Insufficient Warnings or Errors |
| CWE-1164 | Irrelevant Code |
| CWE-1173 | Improper Use of Validation Framework |
| CWE-1174 | ASP.NET Misconfiguration: Improper Model Validation |
| CWE-1176 | Inefficient CPU Computation |
| CWE-1177 | Use of Prohibited Code |
| CWE-1187 | DEPRECATED: Use of Uninitialized Resource |
| CWE-1188 | Initialization of a Resource with an Insecure Default |
| CWE-1189 | Improper Isolation of Shared Resources on System-on-a-Chip (SoC) |
| CWE-1190 | DMA Device Enabled Too Early in Boot Phase |
| CWE-1191 | On-Chip Debug and Test Interface With Improper Access Control |
| CWE-1192 | System-on-Chip (SoC) Using Components without Unique, Immutable Identifiers |
| CWE-1193 | Power-On of Untrusted Execution Core Before Enabling Fabric Access Control |
| CWE-1204 | Generation of Weak Initialization Vector (IV) |
| CWE-1209 | Failure to Disable Reserved Bits |
| CWE-1220 | Insufficient Granularity of Access Control |
| CWE-1221 | Incorrect Register Defaults or Module Parameters |
| CWE-1222 | Insufficient Granularity of Address Regions Protected by Register Locks |
| CWE-1223 | Race Condition for Write-Once Attributes |
| CWE-1224 | Improper Restriction of Write-Once Bit Fields |
| CWE-1229 | Creation of Emergent Resource |
| CWE-1230 | Exposure of Sensitive Information Through Metadata |
| CWE-1231 | Improper Prevention of Lock Bit Modification |
| CWE-1232 | Improper Lock Behavior After Power State Transition |
| CWE-1233 | Security-Sensitive Hardware Controls with Missing Lock Bit Protection |
| CWE-1234 | Hardware Internal or Debug Modes Allow Override of Locks |
| CWE-1235 | Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations |
| CWE-1236 | Improper Neutralization of Formula Elements in a CSV File |