Common Weakness Enumeration (CWE) is a community-developed list of common software and hardware weakness types that have security ramifications. A "weakness" is a condition in a software, firmware, hardware, or service component that, under certain circumstances, could contribute to the introduction of vulnerabilities. The CWE List and its associated classification taxonomy serve as a common language for identifying and describing these weaknesses in terms of CWE identifiers. The entries below are the contiguous block CWE-393 through CWE-451; gaps in the numbering (for example CWE-398, 399, 411, 417, 418, 429, 438, 442, 445) are identifiers that are not part of this page, and entries marked DEPRECATED are retained by CWE only for historical reference.
CWE Number   Name
CWE-393      Return of Wrong Status Code
CWE-394      Unexpected Status Code or Return Value
CWE-395      Use of NullPointerException Catch to Detect NULL Pointer Dereference
CWE-396      Declaration of Catch for Generic Exception
CWE-397      Declaration of Throws for Generic Exception
CWE-400      Uncontrolled Resource Consumption
CWE-401      Missing Release of Memory after Effective Lifetime
CWE-402      Transmission of Private Resources into a New Sphere ('Resource Leak')
CWE-403      Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')
CWE-404      Improper Resource Shutdown or Release
CWE-405      Asymmetric Resource Consumption (Amplification)
CWE-406      Insufficient Control of Network Message Volume (Network Amplification)
CWE-407      Inefficient Algorithmic Complexity
CWE-408      Incorrect Behavior Order: Early Amplification
CWE-409      Improper Handling of Highly Compressed Data (Data Amplification)
CWE-410      Insufficient Resource Pool
CWE-412      Unrestricted Externally Accessible Lock
CWE-413      Improper Resource Locking
CWE-414      Missing Lock Check
CWE-415      Double Free
CWE-416      Use After Free
CWE-419      Unprotected Primary Channel
CWE-420      Unprotected Alternate Channel
CWE-421      Race Condition During Access to Alternate Channel
CWE-422      Unprotected Windows Messaging Channel ('Shatter')
CWE-423      DEPRECATED: Proxied Trusted Channel
CWE-424      Improper Protection of Alternate Path
CWE-425      Direct Request ('Forced Browsing')
CWE-426      Untrusted Search Path
CWE-427      Uncontrolled Search Path Element
CWE-428      Unquoted Search Path or Element
CWE-430      Deployment of Wrong Handler
CWE-431      Missing Handler
CWE-432      Dangerous Signal Handler not Disabled During Sensitive Operations
CWE-433      Unparsed Raw Web Content Delivery
CWE-434      Unrestricted Upload of File with Dangerous Type
CWE-435      Improper Interaction Between Multiple Correctly-Behaving Entities
CWE-436      Interpretation Conflict
CWE-437      Incomplete Model of Endpoint Features
CWE-439      Behavioral Change in New Version or Environment
CWE-440      Expected Behavior Violation
CWE-441      Unintended Proxy or Intermediary ('Confused Deputy')
CWE-443      DEPRECATED: HTTP response splitting
CWE-444      Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CWE-446      UI Discrepancy for Security Feature
CWE-447      Unimplemented or Unsupported Feature in UI
CWE-448      Obsolete Feature in UI
CWE-449      The UI Performs the Wrong Action
CWE-450      Multiple Interpretations of UI Input
CWE-451      User Interface (UI) Misrepresentation of Critical Information
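Several entries in the table above are amplification weaknesses (CWE-400, CWE-405, CWE-409), and CWE-409, Improper Handling of Highly Compressed Data, is the one most often met in application code: a decompressor that inflates whatever it is handed lets a few kilobytes of input expand into gigabytes of memory or disk. The following is an added example, not code from the CWE page or from MITRE, showing the vulnerable pattern next to a bounded decompressor. The function and class names (safe_decompress, DecompressionBombError, rejects), the budgets, and the sample payloads are all this example's own assumptions; the payloads are constructed in place with zlib so the script runs offline.

```python
"""Bounding a zlib/deflate decompressor against data amplification (CWE-409).

Added example, not taken from the CWE List. Names and payloads are assumed
for illustration; nothing here is a MITRE-provided API.
"""
import zlib


class DecompressionBombError(ValueError):
    """Raised when decompressed output would exceed the caller's budget."""


def naive_decompress(data: bytes) -> bytes:
    # Vulnerable pattern (CWE-409): the output size is entirely controlled by
    # whoever crafted the compressed stream.
    return zlib.decompress(data)


def safe_decompress(data: bytes, max_output: int, max_ratio: float = 100.0) -> bytes:
    """Decompress `data` but never materialise more than `max_output` bytes,
    and reject streams whose output:input ratio exceeds `max_ratio`."""
    d = zlib.decompressobj()
    out = bytearray()
    pending = data
    while pending:
        # Ask zlib for at most (remaining budget + 1) bytes so an over-budget
        # stream is detected one byte past the limit instead of after the
        # whole thing has been inflated.
        budget = max_output - len(out) + 1
        out += d.decompress(pending, budget)
        if len(out) > max_output:
            consumed = len(data) - len(d.unconsumed_tail)
            raise DecompressionBombError(
                f"output exceeds {max_output} bytes after {consumed} input bytes")
        if d.eof:
            break
        # Input that zlib could not consume because of the output cap.
        pending = d.unconsumed_tail
    out += d.flush()
    if len(out) > max_output:
        raise DecompressionBombError(f"output exceeds {max_output} bytes")
    if data and len(out) / len(data) > max_ratio:
        raise DecompressionBombError(
            f"amplification {len(out) / len(data):.0f}:1 exceeds {max_ratio:.0f}:1")
    return bytes(out)


def rejects(data: bytes, max_output: int) -> bool:
    """True if safe_decompress refuses `data` under the given output budget."""
    try:
        safe_decompress(data, max_output)
    except DecompressionBombError:
        return True
    return False


# Constructed inputs (assumed, not from the page). Deflate's ceiling is roughly
# 1032:1, so 16 MiB of zero bytes packs into about 16 KiB; a 100 KB run of
# zeros stays small in absolute terms but still has a ~900:1 ratio; the
# benign payload is 1 KiB of mostly distinct bytes and barely compresses.
BOMB_SIZE = 16 * 1024 * 1024
BOMB = zlib.compress(b"\x00" * BOMB_SIZE, 9)
SMALL_BOMB = zlib.compress(b"\x00" * 100_000, 9)
BENIGN_PLAIN = bytes(range(256)) * 4
BENIGN = zlib.compress(BENIGN_PLAIN)


if __name__ == "__main__":
    print(f"bomb: {len(BOMB)} compressed bytes -> "
          f"{len(naive_decompress(BOMB))} bytes via naive_decompress")
    print("safe_decompress(BOMB, 1 MiB) rejected:", rejects(BOMB, 1024 * 1024))
    print("safe_decompress(SMALL_BOMB, 1 MiB) rejected (ratio):",
          rejects(SMALL_BOMB, 1024 * 1024))
    print("safe_decompress(BENIGN, 4 KiB) rejected:", rejects(BENIGN, 4096))
```

The two checks catch different shapes of attack: the absolute cap stops a stream that is simply too large for the consumer regardless of ratio, while the ratio cap flags a payload that fits the budget but is still wildly amplified, which is usually a sign of hostile input rather than real data. Pick max_output from what the downstream parser can actually hold, not from what the machine has free, and apply the same discipline to nested archives (a zip inside a zip) where each layer multiplies the ratio.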