CWE is a community-developed list of common software and hardware weakness
types that have security ramifications. A “weakness” is a condition in a software, firmware, hardware, or
service component that, under certain circumstances, could contribute to the introduction of
vulnerabilities. The CWE List and associated classification taxonomy serve as a language that can be used to
identify and describe these weaknesses in terms of CWEs.
CWE Number   Name
CWE-453      Insecure Default Variable Initialization
CWE-454      External Initialization of Trusted Variables or Data Stores
CWE-455      Non-exit on Failed Initialization
CWE-456      Missing Initialization of a Variable
CWE-457      Use of Uninitialized Variable
CWE-458      DEPRECATED: Incorrect Initialization
CWE-459      Incomplete Cleanup
CWE-460      Improper Cleanup on Thrown Exception
CWE-462      Duplicate Key in Associative List (Alist)
CWE-463      Deletion of Data Structure Sentinel
CWE-464      Addition of Data Structure Sentinel
CWE-466      Return of Pointer Value Outside of Expected Range
CWE-467      Use of sizeof() on a Pointer Type
CWE-468      Incorrect Pointer Scaling
CWE-469      Use of Pointer Subtraction to Determine Size
CWE-470      Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
CWE-471      Modification of Assumed-Immutable Data (MAID)
CWE-472      External Control of Assumed-Immutable Web Parameter
CWE-473      PHP External Variable Modification
CWE-474      Use of Function with Inconsistent Implementations
CWE-475      Undefined Behavior for Input to API
CWE-476      NULL Pointer Dereference
CWE-477      Use of Obsolete Function
CWE-478      Missing Default Case in Multiple Condition Expression
CWE-479      Signal Handler Use of a Non-reentrant Function
CWE-480      Use of Incorrect Operator
CWE-481      Assigning instead of Comparing
CWE-482      Comparing instead of Assigning
CWE-483      Incorrect Block Delimitation
CWE-484      Omitted Break Statement in Switch
CWE-486      Comparison of Classes by Name
CWE-487      Reliance on Package-level Scope
CWE-488      Exposure of Data Element to Wrong Session
CWE-489      Active Debug Code
CWE-491      Public cloneable() Method Without Final ('Object Hijack')
CWE-492      Use of Inner Class Containing Sensitive Data
CWE-493      Critical Public Variable Without Final Modifier
CWE-494      Download of Code Without Integrity Check
CWE-495      Private Data Structure Returned From A Public Method
CWE-496      Public Data Assigned to Private Array-Typed Field
CWE-497      Exposure of Sensitive System Information to an Unauthorized Control Sphere