---
type: "mapping-set"
title: "CWE weaknesses → #2 Exploiting Server"
description: "411 CWE weaknesses entries mapped to TLCTC #2 Exploiting Server."
resource: "tlctc:mapping:cwe:cluster-2"
tags:
  - "mapping"
  - "cwe"
  - "cluster-2"
---
# CWE weaknesses → #2 Exploiting Server

> Source: MITRE CWE → TLCTC mapping (`mappings/mitre-cwe/`). AI-generated, human-reviewed; experimental.

Mapped entries: **411**. Cluster: [#2 Exploiting Server](/clusters/cluster-2.md).

| CWE | Name | TLCTC | Verdict | Rationale |
|---|---|---|---|---|
| CWE-14 | Compiler Removal of Code to Clear Buffers | #2 \| #3 | Allowed | Compiler removes a memset/explicit-buffer-clear because it considers the buffer dead after the clear, leaving sensitive data in memory. Memory-safety code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-21 | Pathname Traversal and Equivalence Errors | #2 \| #3 | Discouraged | Parent class for path-traversal and path-equivalence errors. Specific cases classify at child CWEs (CWE-22 onward). Decision tree Q2 -> #2 \| #3 per R-ROLE. |
| CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | #2 \| #3 | Allowed | Generic path traversal — code implementation flaw in file-handling that fails to constrain user input to the intended directory. Decision tree Q2 -> server-role #2 (HTTP request reaches arbitrary file) or client-role #3 (e.g., archive extractors writing outside the target dir, 'Zip Slip') per R-ROLE. |
| CWE-23 | Relative Path Traversal | #2 \| #3 | Allowed | Path-traversal/equivalence variant — code implementation flaw in path canonicalization. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. See CWE-22 for the parent class discussion. |
| CWE-24 | Path Traversal: '../filedir' | #2 \| #3 | Allowed | Path-traversal/equivalence variant — code implementation flaw in path canonicalization. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. See CWE-22 for the parent class discussion. |
| CWE-25 | Path Traversal: '/../filedir' | #2 \| #3 | Allowed | Path-traversal/equivalence variant — code implementation flaw in path canonicalization. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. See CWE-22 for the parent class discussion. |
| CWE-26 | Path Traversal: '/dir/../filename' | #2 \| #3 | Allowed | Path-traversal/equivalence variant — code implementation flaw in path canonicalization. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. See CWE-22 for the parent class discussion. |
| CWE-27 | Path Traversal: 'dir/../../filename' | #2 \| #3 | Allowed | Path-traversal/equivalence variant — code implementation flaw in path canonicalization. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. See CWE-22 for the parent class discussion. |
| CWE-28 | Path Traversal: '..\filedir' | #2 \| #3 | Allowed | Path-traversal/equivalence variant — code implementation flaw in path canonicalization. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. See CWE-22 for the parent class discussion. |
| CWE-29 | Path Traversal: '\..\filename' | #2 \| #3 | Allowed | Path-traversal/equivalence variant — code implementation flaw in path canonicalization. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. See CWE-22 for the parent class discussion. |
| CWE-30 | Path Traversal: '\dir\..\filename' | #2 \| #3 | Allowed | Path-traversal/equivalence variant — code implementation flaw in path canonicalization. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. See CWE-22 for the parent class discussion. |
| CWE-31 | Path Traversal: 'dir\..\..\filename' | #2 \| #3 | Allowed | Path-traversal/equivalence variant — code implementation flaw in path canonicalization. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. See CWE-22 for the parent class discussion. |
| CWE-32 | Path Traversal: '...' (Triple Dot) | #2 \| #3 | Allowed | Path-traversal/equivalence variant — code implementation flaw in path canonicalization. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. See CWE-22 for the parent class discussion. |
| CWE-33 | Path Traversal: '....' (Multiple Dot) | #2 \| #3 | Allowed | Path-traversal/equivalence variant — code implementation flaw in path canonicalization. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. See CWE-22 for the parent class discussion. |
| CWE-34 | Path Traversal: '....//' | #2 \| #3 | Allowed | Path-traversal/equivalence variant — code implementation flaw in path canonicalization. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. See CWE-22 for the parent class discussion. |
| CWE-35 | Path Traversal: '.../...//' | #2 \| #3 | Allowed | Path-traversal/equivalence variant — code implementation flaw in path canonicalization. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. See CWE-22 for the parent class discussion. |
| CWE-36 | Absolute Path Traversal | #2 \| #3 | Allowed | Path-traversal/equivalence variant — code implementation flaw in path canonicalization. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. See CWE-22 for the parent class discussion. |
| CWE-37 | Path Traversal: '/absolute/pathname/here' | #2 \| #3 | Allowed | Path-traversal/equivalence variant — code implementation flaw in path canonicalization. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. See CWE-22 for the parent class discussion. |
| CWE-38 | Path Traversal: '\absolute\pathname\here' | #2 \| #3 | Allowed | Path-traversal/equivalence variant — code implementation flaw in path canonicalization. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. See CWE-22 for the parent class discussion. |
| CWE-39 | Path Traversal: 'C:dirname' | #2 \| #3 | Allowed | Path-traversal/equivalence variant — code implementation flaw in path canonicalization. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. See CWE-22 for the parent class discussion. |
| CWE-40 | Path Traversal: '\\UNC\share\name\' | #2 \| #3 | Allowed | Path-traversal/equivalence variant — code implementation flaw in path canonicalization. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. See CWE-22 for the parent class discussion. |
| CWE-41 | Improper Resolution of Path Equivalence | #2 \| #3 | Allowed | Path-equivalence canonicalization flaw — file-handling code resolves variant forms (./, %2e%2e, trailing dots, alternate slashes) to the same path inconsistently between security check and access. Path-traversal/equivalence variant — code implementation flaw in path canonicalization. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. See CWE-22 for the parent class discussion. |
| CWE-42 | Path Equivalence: 'filename.' (Trailing Dot) | #2 \| #3 | Allowed | Path-traversal/equivalence variant — code implementation flaw in path canonicalization. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. See CWE-22 for the parent class discussion. |
| CWE-43 | Path Equivalence: 'filename....' (Multiple Trailing Dot) | #2 \| #3 | Allowed | Path-traversal/equivalence variant — code implementation flaw in path canonicalization. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. See CWE-22 for the parent class discussion. |
| CWE-44 | Path Equivalence: 'file.name' (Internal Dot) | #2 \| #3 | Allowed | Path-traversal/equivalence variant — code implementation flaw in path canonicalization. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. See CWE-22 for the parent class discussion. |
| CWE-45 | Path Equivalence: 'file...name' (Multiple Internal Dot) | #2 \| #3 | Allowed | Path-traversal/equivalence variant — code implementation flaw in path canonicalization. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. See CWE-22 for the parent class discussion. |
| CWE-46 | Path Equivalence: 'filename ' (Trailing Space) | #2 \| #3 | Allowed | Path-traversal/equivalence variant — code implementation flaw in path canonicalization. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. See CWE-22 for the parent class discussion. |
| CWE-47 | Path Equivalence: ' filename' (Leading Space) | #2 \| #3 | Allowed | Path-traversal/equivalence variant — code implementation flaw in path canonicalization. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. See CWE-22 for the parent class discussion. |
| CWE-48 | Path Equivalence: 'file name' (Internal Whitespace) | #2 \| #3 | Allowed | Path-traversal/equivalence variant — code implementation flaw in path canonicalization. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. See CWE-22 for the parent class discussion. |
| CWE-49 | Path Equivalence: 'filename/' (Trailing Slash) | #2 \| #3 | Allowed | Path-traversal/equivalence variant — code implementation flaw in path canonicalization. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. See CWE-22 for the parent class discussion. |
| CWE-50 | Path Equivalence: '//multiple/leading/slash' | #2 \| #3 | Allowed | Path-traversal/equivalence variant — code implementation flaw in path canonicalization. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. See CWE-22 for the parent class discussion. |
| CWE-51 | Path Equivalence: '/multiple//internal/slash' | #2 \| #3 | Allowed | Path-traversal/equivalence variant — code implementation flaw in path canonicalization. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. See CWE-22 for the parent class discussion. |
| CWE-52 | Path Equivalence: '/multiple/trailing/slash//' | #2 \| #3 | Allowed | Path-traversal/equivalence variant — code implementation flaw in path canonicalization. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. See CWE-22 for the parent class discussion. |
| CWE-53 | Path Equivalence: '\multiple\\internal\backslash' | #2 \| #3 | Allowed | Path-traversal/equivalence variant — code implementation flaw in path canonicalization. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. See CWE-22 for the parent class discussion. |
| CWE-54 | Path Equivalence: 'filedir\' (Trailing Backslash) | #2 \| #3 | Allowed | Path-traversal/equivalence variant — code implementation flaw in path canonicalization. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. See CWE-22 for the parent class discussion. |
| CWE-55 | Path Equivalence: '/./' (Single Dot Directory) | #2 \| #3 | Allowed | Path-traversal/equivalence variant — code implementation flaw in path canonicalization. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. See CWE-22 for the parent class discussion. |
| CWE-56 | Path Equivalence: 'filedir*' (Wildcard) | #2 \| #3 | Allowed | Path-traversal/equivalence variant — code implementation flaw in path canonicalization. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. See CWE-22 for the parent class discussion. |
| CWE-57 | Path Equivalence: 'fakedir/../realdir/filename' | #2 \| #3 | Allowed | Path-traversal/equivalence variant — code implementation flaw in path canonicalization. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. See CWE-22 for the parent class discussion. |
| CWE-58 | Path Equivalence: Windows 8.3 Filename | #2 \| #3 | Allowed | Path-traversal/equivalence variant — code implementation flaw in path canonicalization. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. See CWE-22 for the parent class discussion. |
| CWE-59 | Improper Link Resolution Before File Access ('Link Following') | #2 \| #3 | Allowed | Symlink/hardlink-following flaw — file-handling code follows the link without verifying its target, often combined with TOCTOU races. Path-traversal/equivalence variant — code implementation flaw in path canonicalization. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. See CWE-22 for the parent class discussion. |
| CWE-61 | UNIX Symbolic Link (Symlink) Following | #2 \| #3 | Allowed | Path-traversal/equivalence variant — code implementation flaw in path canonicalization. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. See CWE-22 for the parent class discussion. |
| CWE-62 | UNIX Hard Link | #2 \| #3 | Allowed | Path-traversal/equivalence variant — code implementation flaw in path canonicalization. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. See CWE-22 for the parent class discussion. |
| CWE-65 | Windows Hard Link | #2 \| #3 | Allowed | Path-traversal/equivalence variant — code implementation flaw in path canonicalization. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. See CWE-22 for the parent class discussion. |
| CWE-66 | Improper Handling of File Names that Identify Virtual Resources | #2 \| #3 | Allowed | Path-traversal/equivalence variant — code implementation flaw in path canonicalization. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. See CWE-22 for the parent class discussion. |
| CWE-67 | Improper Handling of Windows Device Names | #2 \| #3 | Allowed | Windows reserved device names (CON, PRN, AUX, NUL) handled as ordinary files — implementation flaw in path validation. Path-traversal/equivalence variant — code implementation flaw in path canonicalization. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. See CWE-22 for the parent class discussion. |
| CWE-69 | Improper Handling of Windows ::DATA Alternate Data Stream | #2 \| #3 | Allowed | Windows ::DATA alternate-data-stream suffix bypasses extension-based filters. Path-traversal/equivalence variant — code implementation flaw in path canonicalization. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. See CWE-22 for the parent class discussion. |
| CWE-72 | Improper Handling of Apple HFS+ Alternate Data Stream Path | #2 \| #3 | Allowed | Apple HFS+ alternate data stream suffix bypasses extension-based filters. Path-traversal/equivalence variant — code implementation flaw in path canonicalization. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. See CWE-22 for the parent class discussion. |
| CWE-76 | Improper Neutralization of Equivalent Special Elements | #2 \| #3 | Allowed | Implementation flaw in sanitization logic — certain special elements are neutralized but equivalent forms of them are not. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') | #2 → #7 | Allowed | Server-side sanitization flaw allowing attacker data to be interpreted as commands (#2). Per R-EXEC, command execution moves the attacker's foreign code into the target's execution context — append → #7. |
| CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | #2 → #7 | Allowed | Server-side sanitization flaw causing data→code transition into the OS shell (#2). Per R-EXEC, OS command execution executes attacker-controlled foreign code — append → #7. |
| CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | #2 → #7 \| #3 | Allowed | Reflected/Stored XSS exploits a server-side coding flaw (#2) to deliver a script that the browser executes (#7). DOM-based XSS exploits a client-side coding flaw (#3). |
| CWE-80 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | #2 → #7 \| #3 | Allowed | XSS variant. #2 -> #7 if server-side injection, #3 if client-side DOM. |
| CWE-81 | Improper Neutralization of Script in an Error Message Web Page | #2 → #7 | Allowed | Reflected XSS via error page. Server flaw (#2) delivers script (#7). |
| CWE-82 | Improper Neutralization of Script in Attributes of IMG Tags in a Web Page | #2 → #7 \| #3 | Allowed | XSS variant — script payload in IMG attribute (e.g., onerror). Mapping inherited from CWE-79 parent: server-role injection delivering script for browser execution (#2 -> #7) or client-role DOM manipulation (#3) per R-ROLE. |
| CWE-83 | Improper Neutralization of Script in Attributes in a Web Page | #2 → #7 \| #3 | Allowed | XSS variant — script in arbitrary tag attributes (onclick, onmouseover, etc.). Mapping inherited from CWE-79 parent: server-role injection delivering script for browser execution (#2 -> #7) or client-role DOM manipulation (#3) per R-ROLE. |
| CWE-84 | Improper Neutralization of Encoded URI Schemes in a Web Page | #2 → #7 \| #3 | Allowed | XSS variant — encoded URI scheme bypass (e.g., javascript: URI in href). Mapping inherited from CWE-79 parent: server-role injection delivering script for browser execution (#2 -> #7) or client-role DOM manipulation (#3) per R-ROLE. |
| CWE-85 | Doubled Character XSS Manipulations | #2 → #7 \| #3 | Allowed | XSS variant — doubled-character bypass (e.g., '<<script' becoming '<script' after partial filtering). Mapping inherited from CWE-79 parent: server-role injection delivering script for browser execution (#2 -> #7) or client-role DOM manipulation (#3) per R-ROLE. |
| CWE-86 | Improper Neutralization of Invalid Characters in Identifiers in Web Pages | #2 → #7 \| #3 | Allowed | XSS variant — invalid characters in script tag identifier (e.g., '<scrIpt>'). Mapping inherited from CWE-79 parent: server-role injection delivering script for browser execution (#2 -> #7) or client-role DOM manipulation (#3) per R-ROLE. |
| CWE-87 | Improper Neutralization of Alternate XSS Syntax | #2 → #7 \| #3 | Allowed | XSS variant — alternate XSS syntax (event handlers, data: URIs, malformed markup). Mapping inherited from CWE-79 parent: server-role injection delivering script for browser execution (#2 -> #7) or client-role DOM manipulation (#3) per R-ROLE. |
| CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | #2 | Allowed | Server-side coding flaw allowing data->code transition in DB query (SQL is code). Explicitly #2 in Whitepaper. |
| CWE-90 | Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') | #2 | Allowed | Server-side LDAP query construction with attacker-controlled input — LDAP injection (sibling of CWE-89 SQLi). Decision tree Q2 -> #2. |
| CWE-91 | XML Injection (aka Blind XPath Injection) | #2 \| #3 | Allowed | XML/XPath injection — implementation flaw where attacker input modifies the structure of an XML document or XPath expression interpreted server- or client-side. Input-validation code implementation flaw at the parser/validator boundary. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-93 | Improper Neutralization of CRLF Sequences ('CRLF Injection') | #2 \| #3 | Allowed | CRLF injection — unsanitized newline in output enables HTTP response splitting (server #2) or log injection (client/server #3). Input-validation code implementation flaw at the parser/validator boundary. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-94 | Improper Control of Generation of Code ('Code Injection') | #2 → #7 \| #3 → #7 | Allowed | Implementation flaw enabling direct data→code transition (unsafe code generation/evaluation). Server-role (#2) or client-role (#3) per R-ROLE. Per R-EXEC, code injection definitionally executes foreign code — append → #7 in both branches. |
| CWE-95 | Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') | #2 → #7 \| #3 → #7 | Allowed | Implementation flaw passing untrusted input to a code-evaluation primitive (eval/exec). Server-role (#2) or client-role (#3) per R-ROLE. Per R-EXEC, eval of attacker-controlled input executes foreign code — append → #7. |
| CWE-96 | Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') | #2 → #7 \| #3 → #7 | Allowed | Implementation flaw where attacker data is persisted into an interpreted code file (e.g., .php, .jsp). Server-role (#2) or client-role (#3) per R-ROLE. Per R-EXEC, the persisted code executes when the file is later loaded — append → #7. |
| CWE-97 | Improper Neutralization of Server-Side Includes (SSI) Within a Web Page | #2 → #7 | Allowed | Server-side sanitization flaw allowing attacker input to be evaluated as SSI directives. Per R-EXEC, SSI directives execute arbitrary commands on the server — append → #7. |
| CWE-98 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') | #2 → #7 | Allowed | Server-side implementation flaw passing attacker-controlled paths to include/require, which loads and executes the referenced PHP. Per R-EXEC, RFI is foreign code execution by definition — append → #7. |
| CWE-102 | Struts: Duplicate Validation Forms | #2 | Allowed | Implementation flaw in server-side framework configuration leading to potential validation-logic bypass. Decision tree Q2 -> #2. |
| CWE-103 | Struts: Incomplete validate() Method Definition | #2 | Allowed | Struts validate() method incomplete — server-side validation logic does not cover all fields. Decision tree Q2 -> #2 (server-role validation flaw). |
| CWE-104 | Struts: Form Bean Does Not Extend Validation Class | #2 | Allowed | Struts form bean does not extend the validation framework class — validation never runs on its inputs. Decision tree Q2 -> #2. |
| CWE-105 | Struts: Form Field Without Validator | #2 | Allowed | Struts form field has no validator declared — server-side validation is silently skipped for that field. Decision tree Q2 -> #2. |
| CWE-108 | Struts: Unvalidated Action Form | #2 | Allowed | Struts ActionForm not validated — server-side request inputs reach business logic without sanitization. Decision tree Q2 -> #2. |
| CWE-109 | Struts: Validator Turned Off | #2 | Allowed | Struts validation framework explicitly disabled in configuration — server-side input checks bypassed by design. Decision tree Q2 -> #2. |
| CWE-111 | Direct Use of Unsafe JNI | #2 | Allowed | Direct use of unsafe JNI calls — Java code invokes native libraries that bypass the JVM's memory-safety guarantees, opening the door to native-code memory corruption. Decision tree Q2 -> #2. |
| CWE-112 | Missing XML Validation | #2 \| #3 | Allowed | Missing XML schema/DTD validation — implementation flaw in the parser-consumer handoff. Input-validation code implementation flaw at the parser/validator boundary. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-113 | Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') | #2 | Allowed | Implementation flaw. While the flaw is on the server (#2), the consequence is often client-side XSS or cache poisoning (#3). |
| CWE-115 | Misinterpretation of Input | #2 \| #3 | Allowed | Misinterpretation of input — same input parsed differently in different contexts (similar to CWE-436 interpretation conflict). Input-validation code implementation flaw at the parser/validator boundary. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-116 | Improper Encoding or Escaping of Output | #2 \| #3 | Allowed-with-Review | Parent class for output-encoding flaws (XSS, log injection, command injection downstream of unencoded output). Specific cases classify at child CWEs. Per R-EXEC, where the flaw enables execution append → #7 (e.g., CWE-79, CWE-77). |
| CWE-117 | Improper Output Neutralization for Logs | #2 | Allowed | Server-side log injection — unsanitized newline/control characters in log output let an attacker forge log entries or inject terminal-escape sequences for log-viewer exploitation. Decision tree Q2 -> #2. |
| CWE-118 | Incorrect Access of Indexable Resource ('Range Error') | #2 \| #3 | Discouraged | Parent class for indexable-resource access errors (out-of-bounds read/write/index). Specific cases at child CWEs (CWE-119, 125, 787, 129). Memory-safety code flaw -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | #2 \| #3 | Discouraged | Parent class for buffer-bounds violations. Specific cases classify at child CWEs (CWE-120, 121, 122, 124-127). Memory-safety code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | #2 \| #3 | Allowed | Classic stack/heap buffer overflow from missing size checks. Decision tree Q2 (code implementation flaw) -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-121 | Stack-based Buffer Overflow | #2 \| #3 | Allowed | Stack-based buffer overflow — write past the end of a stack buffer overwrites adjacent stack frames (return address, saved registers). Memory-safety code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-122 | Heap-based Buffer Overflow | #2 \| #3 | Allowed | Heap-based buffer overflow — write past the end of a heap allocation corrupts adjacent allocator metadata or neighboring objects. Memory-safety code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-123 | Write-what-where Condition | #2 \| #3 | Allowed | Write-what-where primitive — attacker controls both the value and the destination of a write. Memory-safety code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-124 | Buffer Underwrite ('Buffer Underflow') | #2 \| #3 | Allowed | Buffer underwrite — write to memory before the start of an allocation. Memory-safety code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-125 | Out-of-bounds Read | #2 \| #3 | Allowed | Out-of-bounds read — reads memory past allocation boundary, often leaking adjacent secrets (cf. Heartbleed). Memory-safety code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-126 | Buffer Over-read | #2 \| #3 | Allowed | Buffer over-read — reads past the end of an allocation. Memory-safety code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-127 | Buffer Under-read | #2 \| #3 | Allowed | Buffer under-read — reads memory before the start of an allocation. Memory-safety code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-128 | Wrap-around Error | #2 \| #3 | Allowed | Integer wrap-around — arithmetic/numeric code implementation flaw (overflow, underflow, sign issue, precision). Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-129 | Improper Validation of Array Index | #2 \| #3 | Allowed | Improper validation of array index — out-of-bounds access via attacker-controlled index. Memory-safety code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-130 | Improper Handling of Length Parameter Inconsistency | #2 \| #3 | Allowed | Length-parameter inconsistency — declared length disagrees with actual buffer size, driving over-read or over-write. Memory-safety code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-131 | Incorrect Calculation of Buffer Size | #2 \| #3 | Allowed | Buffer-size calculation error (off-by-one, integer overflow in size math) leads to under-allocated buffers. Memory-safety code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-134 | Use of Externally-Controlled Format String | #2 \| #3 | Allowed | Format-string vulnerability — attacker-controlled format string is passed to printf-family, enabling memory read/write via %n and friends. Memory-safety code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-135 | Incorrect Calculation of Multi-Byte String Length | #2 \| #3 | Allowed | Multi-byte string length miscalculation (UTF-8 byte count vs. code-point count) leads to incorrect buffer sizing. Memory-safety code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-138 | Improper Neutralization of Special Elements | #2 \| #3 | Discouraged | Parent class for neutralization failures. Specific cases classify at child CWEs. Depending on the context (SQL vs DOM), this leads to #2 (server) or #3 (client). |
| CWE-140 | Improper Neutralization of Delimiters | #2 | Allowed | Server-side sanitization-failure variant — failure to neutralize generic delimiter characters in input that flows into a downstream interpreter (shell, SQL, log, query, parser). Decision tree Q2 -> #2. See CWE-138 (Improper Neutralization of Special Elements) parent for the umbrella discussion. |
| CWE-141 | Improper Neutralization of Parameter/Argument Delimiters | #2 | Allowed | Server-side sanitization-failure variant — failure to neutralize parameter/argument delimiters in input that flows into a downstream interpreter (shell, SQL, log, query, parser). Decision tree Q2 -> #2. See CWE-138 (Improper Neutralization of Special Elements) parent for the umbrella discussion. |
| CWE-142 | Improper Neutralization of Value Delimiters | #2 | Allowed | Server-side sanitization-failure variant — failure to neutralize value delimiters (e.g., '=' in key/value pairs) in input that flows into a downstream interpreter (shell, SQL, log, query, parser). Decision tree Q2 -> #2. See CWE-138 (Improper Neutralization of Special Elements) parent for the umbrella discussion. |
| CWE-143 | Improper Neutralization of Record Delimiters | #2 | Allowed | Server-side sanitization-failure variant — failure to neutralize record delimiters (e.g., newlines in CSV) in input that flows into a downstream interpreter (shell, SQL, log, query, parser). Decision tree Q2 -> #2. See CWE-138 (Improper Neutralization of Special Elements) parent for the umbrella discussion. |
| CWE-144 | Improper Neutralization of Line Delimiters | #2 | Allowed | Server-side sanitization-failure variant — failure to neutralize line delimiters (CR/LF) in input that flows into a downstream interpreter (shell, SQL, log, query, parser). Decision tree Q2 -> #2. See CWE-138 (Improper Neutralization of Special Elements) parent for the umbrella discussion. |
| CWE-145 | Improper Neutralization of Section Delimiters | #2 | Allowed | Server-side sanitization-failure variant — failure to neutralize section delimiters (e.g., header/body separators) in input that flows into a downstream interpreter (shell, SQL, log, query, parser). Decision tree Q2 -> #2. See CWE-138 (Improper Neutralization of Special Elements) parent for the umbrella discussion. |
| CWE-146 | Improper Neutralization of Expression/Command Delimiters | #2 | Allowed | Server-side sanitization-failure variant — failure to neutralize expression/command delimiters in input that flows into a downstream interpreter (shell, SQL, log, query, parser). Decision tree Q2 -> #2. See CWE-138 (Improper Neutralization of Special Elements) parent for the umbrella discussion. |
| CWE-147 | Improper Neutralization of Input Terminators | #2 | Allowed | Server-side sanitization-failure variant — failure to neutralize input terminators (e.g., null, EOF) in input that flows into a downstream interpreter (shell, SQL, log, query, parser). Decision tree Q2 -> #2. See CWE-138 (Improper Neutralization of Special Elements) parent for the umbrella discussion. |
| CWE-148 | Improper Neutralization of Input Leaders | #2 | Allowed | Server-side sanitization-failure variant — failure to neutralize input leaders (prefix characters) in input that flows into a downstream interpreter (shell, SQL, log, query, parser). Decision tree Q2 -> #2. See CWE-138 (Improper Neutralization of Special Elements) parent for the umbrella discussion. |
| CWE-149 | Improper Neutralization of Quoting Syntax | #2 | Allowed | Server-side sanitization-failure variant — failure to neutralize quoting syntax (single/double quotes, backticks) in input that flows into a downstream interpreter (shell, SQL, log, query, parser). Decision tree Q2 -> #2. See CWE-138 (Improper Neutralization of Special Elements) parent for the umbrella discussion. |
| CWE-150 | Improper Neutralization of Escape, Meta, or Control Sequences | #2 \| #3 | Allowed | Sanitization fails to neutralize escape/meta/control sequences (log injection, terminal escape sequence injection, CSV formula injection). Sanitization/filtering bypass — code implementation flaw where the filter fails to neutralize attacker inputs. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-151 | Improper Neutralization of Comment Delimiters | #2 | Allowed | Server-side sanitization-failure variant — failure to neutralize comment delimiters in input that flows into a downstream interpreter (shell, SQL, log, query, parser). Decision tree Q2 -> #2. See CWE-138 (Improper Neutralization of Special Elements) parent for the umbrella discussion. |
| CWE-152 | Improper Neutralization of Macro Symbols | #2 | Allowed | Server-side sanitization-failure variant — failure to neutralize macro symbols (e.g., $, %) in input that flows into a downstream interpreter (shell, SQL, log, query, parser). Decision tree Q2 -> #2. See CWE-138 (Improper Neutralization of Special Elements) parent for the umbrella discussion. |
| CWE-153 | Improper Neutralization of Substitution Characters | #2 | Allowed | Server-side sanitization-failure variant — failure to neutralize substitution characters (e.g., $, ${...}) in input that flows into a downstream interpreter (shell, SQL, log, query, parser). Decision tree Q2 -> #2. See CWE-138 (Improper Neutralization of Special Elements) parent for the umbrella discussion. |
| CWE-154 | Improper Neutralization of Variable Name Delimiters | #2 | Allowed | Server-side sanitization-failure variant — failure to neutralize variable name delimiters in input that flows into a downstream interpreter (shell, SQL, log, query, parser). Decision tree Q2 -> #2. See CWE-138 (Improper Neutralization of Special Elements) parent for the umbrella discussion. |
| CWE-155 | Improper Neutralization of Wildcards or Matching Symbols | #2 | Allowed | Server-side sanitization-failure variant — failure to neutralize wildcards or matching symbols (?, *, [...]) in input that flows into a downstream interpreter (shell, SQL, log, query, parser). Decision tree Q2 -> #2. See CWE-138 (Improper Neutralization of Special Elements) parent for the umbrella discussion. |
| CWE-156 | Improper Neutralization of Whitespace | #2 | Allowed | Server-side sanitization-failure variant — failure to neutralize whitespace (used as delimiter or to split tokens) in input that flows into a downstream interpreter (shell, SQL, log, query, parser). Decision tree Q2 -> #2. See CWE-138 (Improper Neutralization of Special Elements) parent for the umbrella discussion. |
| CWE-157 | Failure to Sanitize Paired Delimiters | #2 | Allowed | Server-side sanitization-failure variant — failure to neutralize paired delimiters (matched brackets/quotes) in input that flows into a downstream interpreter (shell, SQL, log, query, parser). Decision tree Q2 -> #2. See CWE-138 (Improper Neutralization of Special Elements) parent for the umbrella discussion. |
| CWE-158 | Improper Neutralization of Null Byte or NUL Character | #2 | Allowed | Server-side sanitization-failure variant — failure to neutralize null bytes / NUL characters (truncation in C-string consumers) in input that flows into a downstream interpreter (shell, SQL, log, query, parser). Decision tree Q2 -> #2. See CWE-138 (Improper Neutralization of Special Elements) parent for the umbrella discussion. |
| CWE-159 | Improper Handling of Invalid Use of Special Elements | #2 \| #3 | Allowed | Parent of multiple injection-style flaws (markup, command, special-char). Server-role (#2) or client-role (#3) per R-ROLE. |
| CWE-160 | Improper Neutralization of Leading Special Elements | #2 | Allowed | Server-side sanitization-failure variant — failure to neutralize leading special elements in input that flows into a downstream interpreter (shell, SQL, log, query, parser). Decision tree Q2 -> #2. See CWE-138 (Improper Neutralization of Special Elements) parent for the umbrella discussion. |
| CWE-161 | Improper Neutralization of Multiple Leading Special Elements | #2 | Allowed | Server-side sanitization-failure variant — failure to neutralize multiple leading special elements in input that flows into a downstream interpreter (shell, SQL, log, query, parser). Decision tree Q2 -> #2. See CWE-138 (Improper Neutralization of Special Elements) parent for the umbrella discussion. |
| CWE-162 | Improper Neutralization of Trailing Special Elements | #2 | Allowed | Server-side sanitization-failure variant — failure to neutralize trailing special elements in input that flows into a downstream interpreter (shell, SQL, log, query, parser). Decision tree Q2 -> #2. See CWE-138 (Improper Neutralization of Special Elements) parent for the umbrella discussion. |
| CWE-163 | Improper Neutralization of Multiple Trailing Special Elements | #2 | Allowed | Server-side sanitization-failure variant — failure to neutralize multiple trailing special elements in input that flows into a downstream interpreter (shell, SQL, log, query, parser). Decision tree Q2 -> #2. See CWE-138 (Improper Neutralization of Special Elements) parent for the umbrella discussion. |
| CWE-164 | Improper Neutralization of Internal Special Elements | #2 | Allowed | Server-side sanitization-failure variant — failure to neutralize internal special elements in input that flows into a downstream interpreter (shell, SQL, log, query, parser). Decision tree Q2 -> #2. See CWE-138 (Improper Neutralization of Special Elements) parent for the umbrella discussion. |
| CWE-165 | Improper Neutralization of Multiple Internal Special Elements | #2 | Allowed | Server-side sanitization-failure variant — failure to neutralize multiple internal special elements in input that flows into a downstream interpreter (shell, SQL, log, query, parser). Decision tree Q2 -> #2. See CWE-138 (Improper Neutralization of Special Elements) parent for the umbrella discussion. |
| CWE-166 | Improper Handling of Missing Special Element | #2 | Allowed | Server-side parser flaw — missing required special element (e.g., absent close-tag, missing terminator) puts the parser in unintended state. Decision tree Q2 -> #2. |
| CWE-167 | Improper Handling of Additional Special Element | #2 | Allowed | Server-side parser flaw — an additional special element appears where the grammar expects none, and the parser does not handle it. Decision tree Q2 -> #2. |
| CWE-168 | Improper Handling of Inconsistent Special Elements | #2 | Allowed | Server-side parser flaw — inconsistent special elements (mismatched delimiters, conflicting markers). Decision tree Q2 -> #2. |
| CWE-170 | Improper Null Termination | #2 \| #3 | Allowed | Improper null-termination of C strings — string operations read or write past intended boundary. Memory-safety code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-172 | Encoding Error | #2 \| #3 | Allowed | Encoding-handling bugs (charset confusion, UTF-7/UTF-8 normalization) cause sanitizer/parser bypass. Server-role (#2) or client-role (#3) per R-ROLE. |
| CWE-173 | Improper Handling of Alternate Encoding | #2 | Allowed | Server-side parser flaw — alternate input encoding (UTF-7, IDN, percent-encoded) bypasses sanitization that operated on the canonical form. Decision tree Q2 -> #2. |
| CWE-174 | Double Decoding of the Same Data | #2 | Allowed | Double-decoding bug — input decoded twice (e.g., URL-decoded then HTML-decoded) reintroduces special characters that were neutralized in the first pass. Decision tree Q2 -> #2. |
| CWE-175 | Improper Handling of Mixed Encoding | #2 | Allowed | Server-side parser flaw — mixed encodings in a single input stream (UTF-8 + Windows-1252 fragments) cause sanitizer/consumer to interpret bytes differently. Decision tree Q2 -> #2. |
| CWE-176 | Improper Handling of Unicode Encoding | #2 | Allowed | Improper Unicode handling — surrogate pairs, normalization forms, or homoglyphs bypass sanitizers that operated on a different normalization. Decision tree Q2 -> #2. |
| CWE-177 | Improper Handling of URL Encoding (Hex Encoding) | #2 | Allowed | URL/percent-encoding handling flaw — case variation, double-encoding, or partial decoding lets attacker payloads slip past validators. Decision tree Q2 -> #2. |
| CWE-179 | Incorrect Behavior Order: Early Validation | #2 | Allowed | Validation runs at the wrong stage of input processing (e.g., before canonicalization), so post-canonicalization the value is no longer what was validated. Decision tree Q2 -> #2 (server-role validation logic flaw). |
| CWE-180 | Incorrect Behavior Order: Validate Before Canonicalize | #2 | Allowed | Validation precedes canonicalization — validator sees the raw form while the consumer sees the canonical form. Decision tree Q2 -> #2. |
| CWE-181 | Incorrect Behavior Order: Validate Before Filter | #2 | Allowed | Validation precedes filtering — filter modifies the value after validation already approved it. Decision tree Q2 -> #2. |
| CWE-182 | Collapse of Data into Unsafe Value | #2 | Allowed | Sanitization step collapses multi-character sequences into a single character, allowing inputs that pass validation to expand into payloads downstream. Decision tree Q2 -> #2. |
| CWE-183 | Permissive List of Allowed Inputs | #2 \| #3 | Allowed-with-Review | Allowlist that admits unsafe inputs becomes the validation flaw enabling injection-style exploits in server-role (#2) or client-role (#3) code per R-ROLE. |
| CWE-184 | Incomplete List of Disallowed Inputs | #2 \| #3 | Allowed-with-Review | Incomplete denylist leaves residual unsafe inputs that drive injection/exploit attempts in server-role (#2) or client-role (#3) code per R-ROLE. |
| CWE-185 | Incorrect Regular Expression | #2 \| #3 | Allowed | Implementation flaw. Regular expressions are used heavily in both Server (#2) and Client (#3) logic. |
| CWE-188 | Reliance on Data/Memory Layout | #2 \| #3 | Allowed | Reliance on data/memory layout (struct alignment, register packing) — when assumptions break, memory corruption follows. Memory-safety code implementation flaw. Server-role (#2) or client-role (#3) per R-ROLE. |
| CWE-191 | Integer Underflow (Wrap or Wraparound) | #2 \| #3 | Allowed | Arithmetic/numeric code implementation flaw (overflow, underflow, sign issue, precision). Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-192 | Integer Coercion Error | #2 \| #3 | Allowed | Integer-coercion error (implicit conversion changes value across types). Arithmetic/numeric code implementation flaw. Server-role (#2) or client-role (#3) per R-ROLE. |
| CWE-193 | Off-by-one Error | #2 \| #3 | Allowed | Off-by-one in loop bounds, buffer sizing, or index arithmetic. Memory-safety code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-194 | Unexpected Sign Extension | #2 \| #3 | Allowed | Unexpected sign extension (signed-to-larger-unsigned promotion sign-extends, producing a huge positive). Arithmetic/numeric code implementation flaw. Server-role (#2) or client-role (#3) per R-ROLE. |
| CWE-195 | Signed to Unsigned Conversion Error | #2 \| #3 | Allowed | Signed-to-unsigned conversion error — negative becomes a very large positive, often used as size. Arithmetic/numeric code implementation flaw. Server-role (#2) or client-role (#3) per R-ROLE. |
| CWE-196 | Unsigned to Signed Conversion Error | #2 \| #3 | Allowed | Unsigned-to-signed conversion error — large positive becomes negative, breaking sign-dependent logic. Arithmetic/numeric code implementation flaw. Server-role (#2) or client-role (#3) per R-ROLE. |
| CWE-197 | Numeric Truncation Error | #2 \| #3 | Allowed | Numeric truncation error (assigning into a smaller integer type drops the high bits). Arithmetic/numeric code implementation flaw. Server-role (#2) or client-role (#3) per R-ROLE. |
| CWE-198 | Use of Incorrect Byte Ordering | #2 \| #3 | Allowed | Use of incorrect byte ordering (host vs. network endianness mishandled) yields wrong values in protocol/file parsing. Arithmetic/numeric code implementation flaw. Server-role (#2) or client-role (#3) per R-ROLE. |
| CWE-201 | Insertion of Sensitive Information Into Sent Data | #2 \| #3 | Allowed | Sensitive information inserted into sent data (response body, telemetry, error reply). Implementation flaw in the data-emission function. Input-validation code implementation flaw at the parser/validator boundary. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-203 | Observable Discrepancy | #2 \| #3 | Allowed | Observable discrepancy (timing, error-message difference, behavior change) leaks information through side channel. Input-validation code implementation flaw at the parser/validator boundary. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-204 | Observable Response Discrepancy | #2 \| #3 | Allowed | Observable side-channel discrepancy — code implementation flaw that leaks information through a measurable difference. Server-role (#2, e.g., timing-attack on auth) or client-role (#3, e.g., cache-timing in browser) per R-ROLE. |
| CWE-205 | Observable Behavioral Discrepancy | #2 \| #3 | Allowed | Observable side-channel discrepancy — code implementation flaw that leaks information through a measurable difference. Server-role (#2, e.g., timing-attack on auth) or client-role (#3, e.g., cache-timing in browser) per R-ROLE. |
| CWE-206 | Observable Internal Behavioral Discrepancy | #2 \| #3 | Allowed | Observable side-channel discrepancy — code implementation flaw that leaks information through a measurable difference. Server-role (#2, e.g., timing-attack on auth) or client-role (#3, e.g., cache-timing in browser) per R-ROLE. |
| CWE-207 | Observable Behavioral Discrepancy With Equivalent Products | #2 \| #3 | Allowed | Observable behavioral discrepancy with equivalent products — version-fingerprinting via differential responses. Observable side-channel discrepancy — code implementation flaw that leaks information through a measurable difference. Server-role (#2, e.g., timing-attack on auth) or client-role (#3, e.g., cache-timing in browser) per R-ROLE. |
| CWE-208 | Observable Timing Discrepancy | #2 \| #3 | Allowed | Observable timing discrepancy (timing oracle) — used for credential brute-force, padding-oracle, side-channel decryption. Observable side-channel discrepancy — code implementation flaw that leaks information through a measurable difference. Server-role (#2, e.g., timing-attack on auth) or client-role (#3, e.g., cache-timing in browser) per R-ROLE. |
| CWE-212 | Improper Removal of Sensitive Information Before Storage or Transfer | #2 \| #3 | Allowed | Improper removal of sensitive information before storage/transfer (e.g., not stripping metadata, leaving redaction reversible). Input-validation code implementation flaw at the parser/validator boundary. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-214 | Invocation of Process Using Visible Sensitive Information | #2 \| #3 | Allowed | Process invocation that exposes sensitive arguments via process listing (ps, /proc/*/cmdline). Input-validation code implementation flaw at the parser/validator boundary. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-222 | Truncation of Security-relevant Information | #2 | Allowed | Truncation of security-relevant information (logs, identifiers, hashes) drops bytes the consumer needs for correct security decisions. Decision tree Q2 -> #2. |
| CWE-223 | Omission of Security-relevant Information | #2 | Allowed | Omission of security-relevant information (event fields, audit attributes) leaves downstream checks operating on incomplete data. Decision tree Q2 -> #2. |
| CWE-226 | Sensitive Information in Resource Not Removed Before Reuse | #2 \| #3 | Allowed | Sensitive information left in a resource (memory, file, buffer) before that resource is released and reused. Memory-safety code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-228 | Improper Handling of Syntactically Invalid Structure | #2 \| #3 | Allowed | Parser logic flaw. Client-side parsers (e.g., XML/JSON in browsers/apps) are equally vulnerable (#3). |
| CWE-229 | Improper Handling of Values | #2 | Allowed | Improper handling of values — server-side function does not correctly process the input value (range, format, encoding). Decision tree Q2 -> #2. |
| CWE-230 | Improper Handling of Missing Values | #2 | Allowed | Improper handling of missing values — server-side function does not gracefully handle absent fields, defaulting to insecure state. Decision tree Q2 -> #2. |
| CWE-231 | Improper Handling of Extra Values | #2 | Allowed | Improper handling of extra values — server-side function does not reject unexpected additional inputs (e.g., extra form fields, JSON properties). Decision tree Q2 -> #2. |
| CWE-232 | Improper Handling of Undefined Values | #2 | Allowed | Improper handling of undefined values — server-side function does not reject inputs with no valid mapping. Decision tree Q2 -> #2. |
| CWE-233 | Improper Handling of Parameters | #2 | Allowed | Improper handling of parameters in HTTP/function calls — wrong arity or coupling between parameters. Decision tree Q2 -> #2. |
| CWE-234 | Failure to Handle Missing Parameter | #2 | Discouraged | Parent of missing-parameter handling flaws — child CWEs cover specific cases. Decision tree Q2 -> #2 (server-role default). |
| CWE-235 | Improper Handling of Extra Parameters | #2 | Allowed | Improper handling of extra parameters — server accepts and processes parameters beyond what was specified. Decision tree Q2 -> #2. |
| CWE-236 | Improper Handling of Undefined Parameters | #2 | Allowed | Improper handling of undefined parameters — server processes parameters with no defined behavior, often producing undefined state. Decision tree Q2 -> #2. |
| CWE-237 | Improper Handling of Structural Elements | #2 \| #3 | Allowed | Improper handling of structural elements (unexpected XML/JSON nesting, nested arrays). Parser logic flaw. Code implementation flaw — server-role (#2) or client-role (#3) per R-ROLE. |
| CWE-238 | Improper Handling of Incomplete Structural Elements | #2 \| #3 | Allowed | Improper handling of incomplete structural elements (truncated TLV, half-closed XML). Code implementation flaw — server-role (#2) or client-role (#3) per R-ROLE. |
| CWE-239 | Failure to Handle Incomplete Element | #2 \| #3 | Allowed | Failure to handle incomplete elements in input streams. Parser logic flaw. Code implementation flaw — server-role (#2) or client-role (#3) per R-ROLE. |
| CWE-240 | Improper Handling of Inconsistent Structural Elements | #2 \| #3 | Allowed | Improper handling of inconsistent structural elements (conflicting length headers, contradictory metadata). Code implementation flaw — server-role (#2) or client-role (#3) per R-ROLE. |
| CWE-241 | Improper Handling of Unexpected Data Type | #2 \| #3 | Allowed | Type confusion via unexpected data type — sibling of CWE-704. Memory-safety code implementation flaw. Server-role (#2) or client-role (#3) per R-ROLE. |
| CWE-242 | Use of Inherently Dangerous Function | #2 \| #3 | Allowed | Use of inherently dangerous functions (strcpy, gets, sprintf without bounds) — applicable to any C/C++ component. Memory-safety code implementation flaw. Server-role (#2) or client-role (#3) per R-ROLE. |
| CWE-243 | Creation of chroot Jail Without Changing Working Directory | #2 | Allowed | chroot jail created without changing working directory — the calling process retains access to its original FS root, defeating the jail. Decision tree Q2 -> #2. |
| CWE-244 | Improper Clearing of Heap Memory Before Release ('Heap Inspection') | #2 \| #3 | Allowed | Heap memory not cleared before release leaves sensitive data harvestable from later allocations. Memory-safety code implementation flaw. Server-role (#2) or client-role (#3) per R-ROLE. |
| CWE-248 | Uncaught Exception | #2 \| #3 | Allowed | Error-handling code implementation flaw — failure to detect/propagate the condition leaves the program in an undefined or insecure state. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-252 | Unchecked Return Value | #2 \| #3 | Allowed | Error-handling code implementation flaw — failure to detect/propagate the condition leaves the program in an undefined or insecure state. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-253 | Incorrect Check of Function Return Value | #2 \| #3 | Allowed | Incorrect check of function return value (treating partial-success as success, ignoring -1 from system calls). Code implementation flaw — server-role (#2) or client-role (#3) per R-ROLE. |
| CWE-274 | Improper Handling of Insufficient Privileges | #2 | Discouraged | Parent class for insufficient-privilege error-handling flaws. Specific cases classify at child CWEs. Decision tree Q2 -> #2. |
| CWE-280 | Improper Handling of Insufficient Permissions or Privileges | #2 \| #3 | Allowed | Error-handling code implementation flaw — failure to detect/propagate the condition leaves the program in an undefined or insecure state. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-316 | Cleartext Storage of Sensitive Information in Memory | #2 \| #3 | Allowed | Memory exposure. A critical issue for Client apps (#3) where physical/local access is more likely. |
| CWE-351 | Insufficient Type Distinction | #2 \| #3 | Allowed | Insufficient type distinction lets attacker substitute one object type for another, causing the consumer to misinterpret content (type confusion). Memory-safety code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-353 | Missing Support for Integrity Check | #2 \| #3 | Allowed | Code implementation flaw (#2/#3) where integrity checking (HMAC, signatures, checksums) was not implemented in the software. The coding omission enables tampering. |
| CWE-354 | Improper Validation of Integrity Check Value | #2 \| #3 | Allowed | Code implementation flaw (#2/#3) in the logic that validates integrity values (HMAC, checksums, signatures). The validation code itself contains bugs. |
| CWE-358 | Improperly Implemented Security Check for Standard | #2 \| #3 | Allowed | Improperly implemented security check for a published standard (TLS, OAuth, JWT). Code implementation flaw in protocol handling. Input-validation code implementation flaw at the parser/validator boundary. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | #2 \| #3 | Allowed | Race condition (TOCTOU, concurrent state mutation) in shared-resource handling. Code implementation flaw - server-role (#2) or client-role (#3) per R-ROLE. |
| CWE-363 | Race Condition Enabling Link Following | #2 \| #3 | Allowed | Race condition that enables symlink-following — TOCTOU between path check and file open. Concurrency/race-condition code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-364 | Signal Handler Race Condition | #2 \| #3 | Allowed | Signal handler races against the main control flow, executing in undefined intermediate state. Concurrency/race-condition code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-366 | Race Condition within a Thread | #2 \| #3 | Allowed | Concurrency/race-condition code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-367 | Time-of-check Time-of-use (TOCTOU) Race Condition | #2 \| #3 | Allowed | TOCTOU — security check on a property reads a value that changes before the action consuming it. Concurrency/race-condition code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-368 | Context Switching Race Condition | #2 \| #3 | Allowed | Context-switching race — privilege/identity context changes between check and use. Concurrency/race-condition code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-369 | Divide By Zero | #2 \| #3 | Allowed | Divide by zero — arithmetic exception causing process termination (DoS). Arithmetic/numeric code implementation flaw (overflow, underflow, sign issue, precision). Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-372 | Incomplete Internal State Distinction | #2 \| #3 | Discouraged | Incomplete distinction between internal program states leads to logic errors where the consumer treats different states as equivalent. Code implementation flaw -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-374 | Passing Mutable Objects to an Untrusted Method | #2 \| #3 | Allowed | Mutable object passed to untrusted method — callee can mutate caller's state. Input-validation code implementation flaw at the parser/validator boundary. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-375 | Returning a Mutable Object to an Untrusted Caller | #2 \| #3 | Allowed | Mutable object returned to untrusted caller — caller can mutate internal state. Input-validation code implementation flaw at the parser/validator boundary. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-377 | Insecure Temporary File | #2 \| #3 | Allowed | Predictable/insecure temporary-file handling enables symlink races and content substitution. Code implementation flaw - server-role (#2) or client-role (#3) per R-ROLE. |
| CWE-386 | Symbolic Name not Mapping to Correct Object | #2 \| #3 | Allowed | Symbolic name resolves to wrong object (e.g., DNS rebinding, symlink). Input-validation code implementation flaw at the parser/validator boundary. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-390 | Detection of Error Condition Without Action | #2 \| #3 | Allowed | Error-handling code implementation flaw — failure to detect/propagate the condition leaves the program in an undefined or insecure state. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-391 | Unchecked Error Condition | #2 \| #3 | Allowed | Error-handling code implementation flaw — failure to detect/propagate the condition leaves the program in an undefined or insecure state. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-393 | Return of Wrong Status Code | #2 \| #3 | Allowed | Error-handling code implementation flaw — failure to detect/propagate the condition leaves the program in an undefined or insecure state. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-394 | Unexpected Status Code or Return Value | #2 \| #3 | Allowed | Error-handling code implementation flaw — failure to detect/propagate the condition leaves the program in an undefined or insecure state. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-402 | Transmission of Private Resources into a New Sphere ('Resource Leak') | #2 \| #3 | Allowed | Resource (file handle, socket, child-process inheritance) crosses to a less-trusted sphere where it should not be reachable. Implementation flaw in resource handoff - server-role (#2) or client-role (#3) per R-ROLE. |
| CWE-403 | Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak') | #2 \| #3 | Allowed | File descriptor / handle leaked to unintended sphere (Android Binder, exec'd child process). Input-validation code implementation flaw at the parser/validator boundary. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-407 | Inefficient Algorithmic Complexity | #2 \| #3 | Allowed | Algorithmic complexity is explicitly called out in R-FLOOD as #2/#3. |
| CWE-413 | Improper Resource Locking | #2 \| #3 | Allowed | Improper resource locking. Concurrency/race-condition code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-414 | Missing Lock Check | #2 \| #3 | Allowed | Missing lock check — code proceeds without verifying the lock was acquired. Concurrency/race-condition code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-415 | Double Free | #2 \| #3 | Allowed | Double free — same pointer freed twice, corrupting allocator state. Memory-safety code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-416 | Use After Free | #2 \| #3 | Allowed | Use after free — pointer dereferenced after the underlying allocation has been freed. Memory-safety code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-421 | Race Condition During Access to Alternate Channel | #2 \| #3 | Allowed | Race during access to an alternate channel. Concurrency/race-condition code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-432 | Dangerous Signal Handler not Disabled During Sensitive Operations | #2 \| #3 | Allowed | Dangerous signal handler not disabled during sensitive ops — handler races into the critical section. Concurrency/race-condition code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-436 | Interpretation Conflict | #2 | Allowed | Implementation flaw in parsing logic leading to bypass (e.g., HTTP smuggling). |
| CWE-444 | Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') | #2 | Allowed | HTTP request smuggling — front-end (CDN, load balancer) and back-end (origin server) interpret request boundaries differently (CL.TE, TE.CL, TE.TE), letting an attacker hide a smuggled request inside a legitimate one. Server-role parsing flaw -> #2. |
| CWE-453 | Insecure Default Variable Initialization | #2 | Allowed | Insecure default initialization of variables in server frameworks (default 'true', open mode). Decision tree Q2 -> #2. |
| CWE-454 | External Initialization of Trusted Variables or Data Stores | #2 \| #3 | Allowed | External initialization of trusted variables (CGI environment, shared memory) — attacker controls 'trusted' state. Input-validation code implementation flaw at the parser/validator boundary. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-455 | Non-exit on Failed Initialization | #2 | Allowed | Initialization failure does not abort — server proceeds with partially-initialized state. Decision tree Q2 -> #2. |
| CWE-456 | Missing Initialization of a Variable | #2 | Allowed | Server-side variable not initialized — undefined values flow into security-relevant decisions. Decision tree Q2 -> #2. |
| CWE-457 | Use of Uninitialized Variable | #2 \| #3 | Allowed | Use of uninitialized variable — undefined value flows into security-relevant logic. Memory-safety code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-459 | Incomplete Cleanup | #2 \| #3 | Allowed | Incomplete cleanup leaves sensitive data in resources (caches, buffers) for later attackers. Memory-safety code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-460 | Improper Cleanup on Thrown Exception | #2 \| #3 | Allowed | Improper cleanup on thrown exception leaves resources in inconsistent state. Error-handling code implementation flaw — failure to detect/propagate the condition leaves the program in an undefined or insecure state. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-462 | Duplicate Key in Associative List (Alist) | #2 | Allowed | Duplicate key in associative list — lookup returns one of two values nondeterministically, sometimes exploitable. Decision tree Q2 -> #2. |
| CWE-463 | Deletion of Data Structure Sentinel | #2 | Allowed | Sentinel deleted from data structure — iteration walks past expected boundary. Decision tree Q2 -> #2. |
| CWE-464 | Addition of Data Structure Sentinel | #2 | Allowed | Sentinel value spuriously added — iteration terminates early, skipping valid entries. Decision tree Q2 -> #2. |
| CWE-466 | Return of Pointer Value Outside of Expected Range | #2 \| #3 | Allowed | Pointer returned from a function points outside the expected range, propagating into UAF/OOB defects. Pointer-manipulation code implementation flaw (memory-safety adjacent). Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-467 | Use of sizeof() on a Pointer Type | #2 \| #3 | Allowed | sizeof() applied to a pointer (returns pointer size) where buffer size was intended — under-allocation. Memory-safety code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-468 | Incorrect Pointer Scaling | #2 \| #3 | Allowed | Pointer scaling (pointer arithmetic) computed with wrong type granularity, producing OOB access. Pointer-manipulation code implementation flaw (memory-safety adjacent). Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-469 | Use of Pointer Subtraction to Determine Size | #2 \| #3 | Allowed | Pointer-subtraction-as-size assumes contiguity; if pointers are from different allocations the result is undefined. Pointer-manipulation code implementation flaw (memory-safety adjacent). Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-470 | Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') | #2 → #7 \| #3 → #7 | Allowed | Implementation flaw allowing attacker-chosen class/method instantiation via reflection. Common in Java servers (#2) and Android clients (#3). Per R-EXEC, reflective instantiation of attacker-selected code executes foreign code — append → #7. |
| CWE-473 | PHP External Variable Modification | #2 | Allowed | PHP register_globals-style external variable modification — attacker query string parameters silently set internal variables. Decision tree Q2 -> #2. |
| CWE-474 | Use of Function with Inconsistent Implementations | #2 | Allowed | Use of a function with multiple inconsistent implementations across platforms/versions. Decision tree Q2 -> #2. |
| CWE-475 | Undefined Behavior for Input to API | #2 | Allowed | Undefined behavior for input to API — caller passes values the API did not specify, producing implementation-defined results. Decision tree Q2 -> #2. |
| CWE-476 | NULL Pointer Dereference | #2 \| #3 | Allowed | Null-pointer dereference — a missing null check leads to a crash (DoS). Memory-safety code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-479 | Signal Handler Use of a Non-reentrant Function | #2 | Allowed | Signal handler invokes a non-reentrant function (e.g., printf, malloc) — racing with main flow corrupts state. Decision tree Q2 -> #2 (server-role concurrency flaw). |
| CWE-480 | Use of Incorrect Operator | #2 | Allowed | Wrong operator used in expression (& vs &&, \| vs \|\|) — silent semantic change. Decision tree Q2 -> #2. |
| CWE-481 | Assigning instead of Comparing | #2 \| #3 | Allowed | Coding-level typo (= used where == intended) creates an unintended assignment in a conditional, often collapsing security checks. Decision tree Q2 (code implementation flaw) -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-482 | Comparing instead of Assigning | #2 \| #3 | Allowed | Coding-level typo (== used where = intended) leaves intended assignment unperformed. Decision tree Q2 (code implementation flaw) -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-483 | Incorrect Block Delimitation | #2 \| #3 | Allowed | Block-delimitation mistake causing statements to fall outside their intended scope (e.g., Apple's goto-fail TLS bug skipping certificate validation). Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-484 | Omitted Break Statement in Switch | #2 \| #3 | Allowed | Missing break in a switch causes unintended fall-through into adjacent cases. Decision tree Q2 (code implementation flaw) -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-486 | Comparison of Classes by Name | #2 \| #3 | Allowed | Comparing classes by string name allows attacker-controlled namespaces/class-loaders to spoof the expected class identity. Code implementation flaw -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-497 | Exposure of Sensitive System Information to an Unauthorized Control Sphere | #2 | Allowed | Server discloses sensitive system information (paths, version, internal state) to unauthorized callers. Decision tree Q2 -> #2 (server-role implementation flaw in the disclosing function). |
| CWE-502 | Deserialization of Untrusted Data | #2 → #7 \| #3 → #7 | Allowed | Implementation flaw deserializing attacker-controlled bytes into language objects, triggering gadget-chain code execution (e.g., Java/Python pickle). Server-role (#2) or client-role (#3) per R-ROLE. Per R-EXEC, append → #7. |
| CWE-524 | Use of Cache Containing Sensitive Information | #2 \| #3 | Allowed | Cache containing sensitive information readable by other principals (shared proxy cache, browser cache, shared memory). Information-exposure code implementation flaw in the component that populates the cache without restricting who may read it (e.g., missing Cache-Control: private / no-store). Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-526 | Cleartext Storage of Sensitive Information in an Environment Variable | #2 | Allowed | Server-side information-leak variant — sensitive data placed in environment variables, which are inherited by child processes and readable via process inspection (e.g., /proc/PID/environ) or core dumps. Per Axiom III the leak is the consequence; the cause is the implementation flaw in the emitting function. Decision tree Q2 -> #2. |
| CWE-528 | Exposure of Core Dump File to an Unauthorized Control Sphere | #2 | Allowed | Server-side information-leak variant — sensitive data exposed via core dump file accessible to unauthorized parties. Per Axiom III the leak is the consequence; the cause is the implementation flaw in the emitting function. Decision tree Q2 -> #2. |
| CWE-531 | Inclusion of Sensitive Information in Test Code | #2 | Allowed | Server-side information-leak variant — sensitive data exposed via test code shipped in production with hardcoded values, debug endpoints, or sensitive sample data. Per Axiom III the leak is the consequence; the cause is the implementation flaw in the emitting function. Decision tree Q2 -> #2. |
| CWE-532 | Insertion of Sensitive Information into Log File | #2 | Allowed | Server-side information-leak variant — sensitive data exposed via application log files containing credentials, tokens, PII, or query parameters. Per Axiom III the leak is the consequence; the cause is the implementation flaw in the emitting function. Decision tree Q2 -> #2. |
| CWE-535 | Exposure of Information Through Shell Error Message | #2 | Allowed | Server-side information-leak variant — sensitive data exposed via shell error messages bubbled up to the user. Per Axiom III the leak is the consequence; the cause is the implementation flaw in the emitting function. Decision tree Q2 -> #2. |
| CWE-536 | Servlet Runtime Error Message Containing Sensitive Information | #2 | Allowed | Server-side information-leak variant — sensitive data exposed via servlet runtime error messages containing internal context. Per Axiom III the leak is the consequence; the cause is the implementation flaw in the emitting function. Decision tree Q2 -> #2. |
| CWE-537 | Java Runtime Error Message Containing Sensitive Information | #2 \| #3 | Allowed | Java runtime error message (stack trace, class names, file paths) reaches the caller. Error-handling / information-leak code implementation flaw in the code that surfaces the exception. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-538 | Insertion of Sensitive Information into Externally-Accessible File or Directory | #2 \| #3 | Allowed | Sensitive information written to an externally-accessible location (world-readable file, public S3 bucket, Android external storage). Information-exposure code implementation flaw in the code that chooses the storage location and its permissions. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-540 | Inclusion of Sensitive Information in Source Code | #2 | Allowed | Server-side information-leak variant — sensitive data exposed via source code shipped in deployment artifacts. Per Axiom III the leak is the consequence; the cause is the implementation flaw in the emitting function. Decision tree Q2 -> #2. |
| CWE-541 | Inclusion of Sensitive Information in an Include File | #2 | Allowed | Server-side information-leak variant — sensitive data exposed via include files (e.g., config.inc.php) accessible via the web server. Per Axiom III the leak is the consequence; the cause is the implementation flaw in the emitting function. Decision tree Q2 -> #2. |
| CWE-543 | Use of Singleton Pattern Without Synchronization in a Multithreaded Context | #2 \| #3 | Allowed | Singleton pattern without synchronization in multi-threaded context. Concurrency/race-condition code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-546 | Suspicious Comment | #2 | Allowed | Server-side information-leak variant — sensitive data exposed via suspicious comments in shipped source code (TODO, password, API key). Per Axiom III the leak is the consequence; the cause is the implementation flaw in the emitting function. Decision tree Q2 -> #2. |
| CWE-550 | Server-generated Error Message Containing Sensitive Information | #2 | Allowed | Server-side information-leak variant — sensitive data exposed via server-generated error pages with stack traces or configuration. Per Axiom III the leak is the consequence; the cause is the implementation flaw in the emitting function. Decision tree Q2 -> #2. |
| CWE-554 | ASP.NET Misconfiguration: Not Using Input Validation Framework | #2 \| #3 | Allowed-with-Review | Skipping the validation framework leaves request inputs unfiltered, enabling server-role (#2) or client-role (#3) injection/exploit per R-ROLE. |
| CWE-558 | Use of getlogin() in Multithreaded Application | #2 | Allowed | Use of getlogin() in a multi-threaded application — getlogin() returns a pointer to static, unsynchronized storage, so a concurrent call can overwrite the result before it is used; the value is also not a trustworthy basis for authorization decisions. Decision tree Q2 -> #2. |
| CWE-560 | Use of umask() with chmod-style Argument | #2 | Allowed | Use of umask() with chmod-style argument — developer passes 0644 expecting new files to get that mode, but umask treats the argument as the bits to clear, so files created with 0666 end up 0022 and directories created with 0777 end up 0133 (both world-writable). Decision tree Q2 -> #2. |
| CWE-562 | Return of Stack Variable Address | #2 \| #3 | Allowed | Returning the address of a stack variable — caller dereferences a stale stack frame. Memory-safety code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-564 | SQL Injection: Hibernate | #2 | Allowed | Server-side SQL injection in Hibernate/HQL — attacker payload alters the HQL query semantics. Decision tree Q2 -> #2. |
| CWE-567 | Unsynchronized Access to Shared Data in a Multithreaded Context | #2 \| #3 | Allowed | Unsynchronized access to shared data in multi-threaded context. Concurrency/race-condition code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-587 | Assignment of a Fixed Address to a Pointer | #2 \| #3 | Allowed | Assigning a fixed (often null or magic) address to a pointer — dereference accesses a controlled location. Memory-safety code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-588 | Attempt to Access Child of a Non-structure Pointer | #2 \| #3 | Allowed | Access of a child member through a non-structure pointer (e.g., dereferencing a void* as a struct) — type-confusion-class memory error. Memory-safety code implementation flaw. Server-role (#2) or client-role (#3) per R-ROLE. |
| CWE-590 | Free of Memory not on the Heap | #2 \| #3 | Allowed | Free of memory not on the heap (stack address, static address, mid-allocation pointer) corrupts allocator state. Memory-safety code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-591 | Sensitive Data Storage in Improperly Locked Memory | #2 \| #3 | Allowed | Sensitive data (keys, passwords) held in memory that is not locked (e.g., mlock() / VirtualLock()) can be paged to swap or captured in memory dumps. Memory-handling code implementation flaw; especially relevant for client apps (#3) on shared machines. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-593 | Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created | #2 \| #3 | Allowed | SSL_CTX settings (e.g., verification mode or callbacks via SSL_CTX_set_verify) changed after SSL objects have already been created from it with SSL_new — the existing SSL objects keep the earlier settings, so the intended peer verification is silently not applied. Code implementation flaw in API usage. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-594 | J2EE Framework: Saving Unserializable Objects to Disk | #2 | Allowed | J2EE framework saves unserializable objects to disk/session — runtime fails when restoring, causing DoS. Decision tree Q2 -> #2. |
| CWE-595 | Comparison of Object References Instead of Object Contents | #2 \| #3 | Allowed | Comparing object references instead of object content lets logically-equal-but-differently-allocated objects fail equality and bypass intended logic. Code implementation flaw -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-597 | Use of Wrong Operator in String Comparison | #2 \| #3 | Allowed | Use of == instead of .equals() in string comparison (Java) compares object references, not content, so two strings with equal content can compare unequal (and compare equal only when both happen to be interned). Auth tokens or secret values then match or fail to match by accident of allocation rather than by content. Code implementation flaw -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-598 | Use of GET Request Method With Sensitive Query Strings | #2 | Allowed | Sensitive data in URL query string sent via GET — query strings persist in browser history, server logs, referers, intermediaries. Server-role implementation flaw -> #2. |
| CWE-599 | Missing Validation of OpenSSL Certificate | #2 \| #3 | Allowed | Missing OpenSSL certificate validation (SSL_VERIFY_NONE, or SSL_get_verify_result() never checked) — the TLS connection accepts any certificate, enabling an active machine-in-the-middle. Code implementation flaw in API usage. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-600 | Uncaught Exception in Servlet | #2 | Allowed | Uncaught exception in servlet bubbles to the container, often producing a default error page that leaks stack traces. Decision tree Q2 -> #2. |
| CWE-605 | Multiple Binds to the Same Port | #2 | Allowed | Multiple binds to the same port — the second bind may take over message routing if the first crashes, enabling port hijacking. Decision tree Q2 -> #2. |
| CWE-609 | Double-Checked Locking | #2 \| #3 | Allowed | Double-checked locking pattern is broken on memory models without proper barriers. Concurrency/race-condition code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-611 | Improper Restriction of XML External Entity Reference | #2 | Allowed | Server-side XML External Entity (XXE) — parser resolves DOCTYPE-declared external entities, fetching attacker-controlled URLs (file://, http://). Decision tree Q2 -> #2. |
| CWE-615 | Inclusion of Sensitive Information in Source Code Comments | #2 | Allowed | Sensitive information in source code comments shipped to clients (HTML/JS comments) or visible after deployment. Decision tree Q2 -> #2. |
| CWE-616 | Incomplete Identification of Uploaded File Variables (PHP) | #2 | Allowed | Incomplete identification of uploaded file variables — server-side file-upload handler does not consistently identify which inputs are files vs. metadata, enabling variable injection. Decision tree Q2 -> #2. |
| CWE-617 | Reachable Assertion | #2 \| #3 | Allowed | Reachable assertion on attacker input — assert() triggers process termination, causing DoS. Error-handling code implementation flaw — failure to detect/propagate the condition leaves the program in an undefined or insecure state. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-619 | Dangling Database Cursor ('Cursor Injection') | #2 | Allowed | Dangling database cursor (cursor injection) — a privileged routine leaves a cursor open after an error, and a less-privileged caller can fetch from or reuse it, observing data or running statements in the privileged context. Decision tree Q2 -> #2. |
| CWE-621 | Variable Extraction Error | #2 | Allowed | Variable extraction error — server-side use of extract() / import_request_variables() on request data lets attacker-supplied parameters overwrite internal variables. Decision tree Q2 -> #2. |
| CWE-622 | Improper Validation of Function Hook Arguments | #2 | Allowed | Function-hook arguments not validated — hook callback receives attacker-controllable parameters that bypass higher-level checks. Decision tree Q2 -> #2. |
| CWE-624 | Executable Regular Expression Error | #2 | Allowed | Executable regex (e.g., /e modifier in PHP preg_replace) — the replacement is evaluated as code, enabling code injection. Decision tree Q2 -> #2 (server-side); see CWE-94 / CWE-95 for the R-EXEC chain. |
| CWE-626 | Null Byte Interaction Error (Poison Null Byte) | #2 \| #3 | Allowed | Null-byte interaction error (poison null byte) — language/API mismatch in null-terminator handling. Affects PHP/C boundaries (#2) and Java/JNI (#2 or #3). Code implementation flaw — server-role (#2) or client-role (#3) per R-ROLE. |
| CWE-627 | Dynamic Variable Evaluation | #2 | Allowed | Dynamic variable evaluation (PHP $$var, register_globals) — attacker query parameter sets a variable name the program then dereferences. Decision tree Q2 -> #2. |
| CWE-628 | Function Call with Incorrectly Specified Arguments | #2 | Allowed | Function call with incorrectly specified arguments — wrong literal, wrong constant, wrong flag, or wrong argument order/count at the call site; parent of the CWE-683 through CWE-688 variants. Decision tree Q2 -> #2. |
| CWE-641 | Improper Restriction of Names for Files and Other Resources | #2 | Allowed | Server-side filename / resource-name validation flaw — names with traversal sequences or special characters bypass the restriction. Decision tree Q2 -> #2. |
| CWE-643 | Improper Neutralization of Data within XPath Expressions ('XPath Injection') | #2 | Allowed | Server-side XPath injection — attacker payload modifies the XPath query semantics, exfiltrating XML store contents. Decision tree Q2 -> #2. |
| CWE-644 | Improper Neutralization of HTTP Headers for Scripting Syntax | #2 | Allowed | Server-side HTTP header injection — unsanitized newlines in response headers enable header smuggling and response splitting. Decision tree Q2 -> #2. |
| CWE-646 | Reliance on File Name or Extension of Externally-Supplied File | #2 | Allowed | Server-side file-upload check that trusts the externally-supplied filename or extension instead of inspecting content. Decision tree Q2 -> #2. |
| CWE-651 | Exposure of WSDL File Containing Sensitive Information | #2 | Allowed | WSDL file exposes sensitive endpoint/parameter information that aids reconnaissance and exploitation. Decision tree Q2 -> #2. |
| CWE-652 | Improper Neutralization of Data within XQuery Expressions ('XQuery Injection') | #2 | Allowed | Server-side XQuery injection — attacker payload modifies XQuery semantics, exfiltrating XML store contents. Decision tree Q2 -> #2. |
| CWE-662 | Improper Synchronization | #2 | Discouraged | Parent class for synchronization flaws (race conditions, lock errors). Specific cases at child CWEs. Decision tree Q2 -> #2 (server-role default). |
| CWE-663 | Use of a Non-reentrant Function in a Concurrent Context | #2 \| #3 | Allowed | Use of a non-reentrant function in a concurrent context (e.g., gmtime() in multi-threaded code). Code implementation flaw — server-role (#2) or client-role (#3) per R-ROLE. |
| CWE-664 | Improper Control of a Resource Through its Lifetime | #2 | Discouraged | Parent class for resource-lifetime flaws. Specific cases at child CWEs (CWE-401, 415, 416, 825). Decision tree Q2 -> #2 (server-role default). |
| CWE-665 | Improper Initialization | #2 | Discouraged | Parent class for initialization flaws. Specific cases at child CWEs. Decision tree Q2 -> #2 (server-role default). |
| CWE-666 | Operation on Resource in Wrong Phase of Lifetime | #2 | Discouraged | Parent class for resource-lifetime-phase flaws. Specific cases at child CWEs. Decision tree Q2 -> #2 (server-role default). |
| CWE-667 | Improper Locking | #2 | Allowed | Missing/incorrect locking around shared state allows concurrent corruption (race-window exploitation). Server-role concurrency flaw -> #2. |
| CWE-670 | Always-Incorrect Control Flow Implementation | #2 | Allowed | Control-flow logic that always takes a wrong branch (e.g., security check unreachable). Server-role implementation flaw -> #2. |
| CWE-672 | Operation on a Resource after Expiration or Release | #2 \| #3 | Allowed | Use-after-free / use-after-release of a freed object. Memory-safety code flaw - server-role (#2, e.g., HTTP daemon) or client-role (#3, e.g., browser engine) per R-ROLE. |
| CWE-674 | Uncontrolled Recursion | #2 \| #3 | Allowed | Uncontrolled recursion — input drives recursion depth, causing stack exhaustion. Error-handling code implementation flaw — failure to detect/propagate the condition leaves the program in an undefined or insecure state. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-675 | Multiple Operations on Resource in Single-Operation Context | #2 | Allowed | Multiple operations performed where the API contract assumes one (double free, double init), corrupting state. Server-role implementation flaw -> #2. |
| CWE-676 | Use of Potentially Dangerous Function | #2 \| #3 | Allowed | Use of potentially-dangerous functions (strcpy, gets, atoi without overflow check). Memory-safety code implementation flaw. Server-role (#2) or client-role (#3) per R-ROLE. |
| CWE-680 | Integer Overflow to Buffer Overflow | #2 \| #3 | Discouraged | Chain entry (CWE-190 integer overflow leading to a CWE-119 / CWE-787 buffer overflow); classify at the component weaknesses. Arithmetic-to-memory-safety code implementation flaw, common in client-side media parsing (#3). Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-681 | Incorrect Conversion between Numeric Types | #2 \| #3 | Allowed | Arithmetic/numeric code implementation flaw (overflow, underflow, sign issue, precision). Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-682 | Incorrect Calculation | #2 \| #3 | Discouraged | Pillar-level class for arithmetic flaws; specific cases classify at child CWEs (e.g., CWE-190, CWE-191, CWE-193). Calculation errors affect logic and memory safety in both server (#2) and client (#3) code. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-683 | Function Call With Incorrect Order of Arguments | #2 \| #3 | Allowed | Function call with arguments in wrong order — silent semantic change. Code implementation flaw — server-role (#2) or client-role (#3) per R-ROLE. |
| CWE-685 | Function Call With Incorrect Number of Arguments | #2 \| #3 | Allowed | Function call with incorrect number of arguments. Code implementation flaw — server-role (#2) or client-role (#3) per R-ROLE. |
| CWE-686 | Function Call With Incorrect Argument Type | #2 \| #3 | Allowed | Function call with incorrect argument type — coerced/lossy conversion at the call site. Code implementation flaw — server-role (#2) or client-role (#3) per R-ROLE. |
| CWE-687 | Function Call With Incorrectly Specified Argument Value | #2 \| #3 | Allowed | Function call with incorrectly specified argument value (literal vs. variable, wrong constant). Code implementation flaw — server-role (#2) or client-role (#3) per R-ROLE. |
| CWE-688 | Function Call With Incorrect Variable or Reference as Argument | #2 \| #3 | Allowed | Function call with incorrect variable or reference (wrong argument bound to the parameter slot). Code implementation flaw — server-role (#2) or client-role (#3) per R-ROLE. |
| CWE-689 | Permission Race Condition During Resource Copy | #2 \| #3 | Allowed | Race between a permission check and a resource copy — privileged operation completes against the post-race state. Concurrency/race-condition code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-690 | Unchecked Return Value to NULL Pointer Dereference | #2 \| #3 | Discouraged | Chain entry (CWE-252 unchecked return value leading to CWE-476 null-pointer dereference); classify at the component weaknesses. Error-handling code implementation flaw; crashes (DoS) in client applications (#3) as well as servers (#2). Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-691 | Insufficient Control Flow Management | #2 | Discouraged | Parent class for control-flow management flaws. Specific cases at child CWEs. Decision tree Q2 -> #2 (server-role default). |
| CWE-692 | Incomplete Denylist to Cross-Site Scripting | #2 \| #3 | Discouraged | XSS-specific incomplete denylist — denylist of dangerous patterns is incomplete, letting variant payloads through. Sibling of CWE-184 but XSS-scoped. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-695 | Use of Low-Level Functionality | #2 | Allowed | Use of low-level functionality (raw memory ops, direct hardware access) where higher-level abstractions would be safer. Decision tree Q2 -> #2. |
| CWE-703 | Improper Check or Handling of Exceptional Conditions | #2 \| #3 | Discouraged | Pillar-level class for error-handling flaws; specific cases classify at child CWEs (e.g., CWE-754, CWE-755). Poor error handling leads to insecure states in any software context. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-704 | Incorrect Type Conversion or Cast | #2 \| #3 | Allowed | Incorrect type conversion / type confusion — wrong type interpretation propagates to memory access or logic. Common in JIT engines and dynamic languages. Memory-safety code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-705 | Incorrect Control Flow Scoping | #2 | Allowed | Control-flow scoping mistakes (missing/extra return, fall-through) skip security checks. Server-role implementation flaw -> #2. |
| CWE-706 | Use of Incorrectly-Resolved Name or Reference | #2 | Allowed | A name/reference resolves to an unintended target (path resolution, namespace collision). Server-role implementation flaw -> #2. |
| CWE-733 | Compiler Optimization Removal or Modification of Security-critical Code | #2 \| #3 | Allowed | Compiler optimization removes or alters security-relevant code (parent of CWE-14, the memset-of-a-dead-buffer case; sibling of CWE-1037, which covers processor-level optimizations). Memory-safety code implementation flaw. Server-role (#2) or client-role (#3) per R-ROLE. |
| CWE-754 | Improper Check for Unusual or Exceptional Conditions | #2 \| #3 | Allowed | Improper check for unusual/exceptional conditions — fail-open code path. Error-handling code implementation flaw — failure to detect/propagate the condition leaves the program in an undefined or insecure state. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-755 | Improper Handling of Exceptional Conditions | #2 \| #3 | Discouraged | Class-level entry for exception-handling flaws; specific cases classify at child CWEs. Failing to handle exceptions correctly affects client (#3) as well as server (#2) stability and security. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-758 | Reliance on Undefined, Unspecified, or Implementation-Defined Behavior | #2 \| #3 | Allowed | Reliance on undefined / unspecified / implementation-defined behavior — security-relevant outcomes depend on compiler, platform, or optimization level rather than on the language contract (e.g., signed-integer overflow, uninitialized reads). Code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-761 | Free of Pointer not at Start of Buffer | #2 \| #3 | Allowed | Free of pointer not at start of buffer corrupts allocator metadata. Memory-safety code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-762 | Mismatched Memory Management Routines | #2 \| #3 | Allowed | Mismatched memory-management routines (free() on new[]'d memory, malloc + delete) corrupts allocator state. Memory-safety code implementation flaw. Server-role (#2) or client-role (#3) per R-ROLE. |
| CWE-763 | Release of Invalid Pointer or Reference | #2 \| #3 | Allowed | Release of invalid pointer or reference (already-freed, mid-allocation, stack address). Memory-safety code implementation flaw. Server-role (#2) or client-role (#3) per R-ROLE. |
| CWE-764 | Multiple Locks of a Critical Resource | #2 \| #3 | Allowed | Multiple locks of a critical resource (e.g., mutex acquired twice) — leads to deadlock and DoS. Concurrency/race-condition code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-765 | Multiple Unlocks of a Critical Resource | #2 \| #3 | Allowed | Multiple unlocks of a critical resource — undefined-behavior in pthreads, deadlock or corruption in others. Code implementation flaw — server-role (#2) or client-role (#3) per R-ROLE. |
| CWE-768 | Incorrect Short Circuit Evaluation | #2 \| #3 | Allowed | Incorrect short-circuit evaluation — a later operand carrying a required side effect (a validation call, a state update) is never evaluated because an earlier && or \|\| operand already decided the result. Code implementation flaw — server-role (#2) or client-role (#3) per R-ROLE. |
| CWE-781 | Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code | #2 \| #3 | Allowed | Kernel/driver IOCTL with METHOD_NEITHER fails to validate user-supplied addresses, enabling kernel memory access. Memory-safety code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-783 | Operator Precedence Logic Error | #2 \| #3 | Allowed | Operator-precedence error (e.g., a bitmask test written as flags & MASK == 0, which parses as flags & (MASK == 0)) — the expression evaluates differently than the developer intended, often inverting a security check. Code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-785 | Use of Path Manipulation Function without Maximum-sized Buffer | #2 \| #3 | Allowed | Use of path-manipulation functions without maximum-sized destination buffer leads to overflow when source path is longer than expected. Memory-safety code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-786 | Access of Memory Location Before Start of Buffer | #2 \| #3 | Discouraged | Memory access before the start of the buffer — pointer arithmetic produces an address below the allocation. Memory-safety code flaw -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-787 | Out-of-bounds Write | #2 \| #3 | Allowed | Out-of-bounds write — write past allocation boundary corrupts adjacent state; primary exploitation vector for browser/PDF/media-parser RCEs. Memory-safety code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-788 | Access of Memory Location After End of Buffer | #2 \| #3 | Discouraged | Memory access after the end of the buffer — pointer arithmetic produces an address past the allocation. Memory-safety code flaw -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-790 | Improper Filtering of Special Elements | #2 \| #3 | Allowed | Sanitization/filtering bypass — code implementation flaw where the filter fails to neutralize attacker inputs. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-791 | Incomplete Filtering of Special Elements | #2 \| #3 | Allowed | Sanitization/filtering bypass — code implementation flaw where the filter fails to neutralize attacker inputs. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-792 | Incomplete Filtering of One or More Instances of Special Elements | #2 \| #3 | Allowed | Sanitization/filtering bypass — code implementation flaw where the filter fails to neutralize attacker inputs. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-793 | Only Filtering One Instance of a Special Element | #2 \| #3 | Allowed | Sanitization/filtering bypass — code implementation flaw where the filter fails to neutralize attacker inputs. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-794 | Incomplete Filtering of Multiple Instances of Special Elements | #2 \| #3 | Allowed | Sanitization/filtering bypass — code implementation flaw where the filter fails to neutralize attacker inputs. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-795 | Only Filtering Special Elements at a Specified Location | #2 \| #3 | Allowed | Sanitization/filtering bypass — code implementation flaw where the filter fails to neutralize attacker inputs. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-796 | Only Filtering Special Elements Relative to a Marker | #2 \| #3 | Allowed | Sanitization/filtering bypass — code implementation flaw where the filter fails to neutralize attacker inputs. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-797 | Only Filtering Special Elements at an Absolute Position | #2 | Allowed | Sanitization filter only checks an absolute position (e.g., 'no quote at index 0') instead of all positions — payloads at other positions slip through. Decision tree Q2 -> #2. |
| CWE-805 | Buffer Access with Incorrect Length Value | #2 \| #3 | Allowed | Buffer access uses wrong length (e.g., source size for destination access). Memory-safety code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-806 | Buffer Access Using Size of Source Buffer | #2 \| #3 | Allowed | Buffer accessed using size of source buffer rather than destination capacity. Memory-safety code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-820 | Missing Synchronization | #2 \| #3 | Allowed | Missing synchronization on shared data. Concurrency/race-condition code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-821 | Incorrect Synchronization | #2 \| #3 | Allowed | Incorrect synchronization (wrong lock, wrong scope) leaves shared state mutable. Concurrency/race-condition code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-822 | Untrusted Pointer Dereference | #2 \| #3 | Allowed | Untrusted-pointer dereference — pointer value comes from external input. Pointer-manipulation code implementation flaw (memory-safety adjacent). Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-823 | Use of Out-of-range Pointer Offset | #2 \| #3 | Allowed | Out-of-range pointer offset — pointer arithmetic produces address outside the original allocation. Pointer-manipulation code implementation flaw (memory-safety adjacent). Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-824 | Access of Uninitialized Pointer | #2 \| #3 | Allowed | Access of uninitialized pointer — wild dereference. Pointer-manipulation code implementation flaw (memory-safety adjacent). Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-825 | Expired Pointer Dereference | #2 \| #3 | Allowed | Expired (already-freed) pointer dereferenced — UAF variant. Memory-safety code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-826 | Premature Release of Resource During Expected Lifetime | #2 \| #3 | Allowed | Premature release of a resource that other code still references — UAF / dangling-handle precursor. Memory-safety code implementation flaw. Server-role (#2) or client-role (#3) per R-ROLE. |
| CWE-827 | Improper Control of Document Type Definition | #2 | Allowed | Server-side improper control of XML DTD — DOCTYPE declarations are processed without restriction, enabling XXE-style attacks. Decision tree Q2 -> #2. |
| CWE-828 | Signal Handler with Functionality that is not Asynchronous-Safe | #2 \| #3 | Allowed | Signal handler invokes async-signal-unsafe functions, causing reentrance into non-reentrant code. Code implementation flaw — server-role (#2) or client-role (#3) per R-ROLE. |
| CWE-831 | Signal Handler Function Associated with Multiple Signals | #2 \| #3 | Allowed | One signal-handler function registered for multiple signals leaves it unable to disambiguate context. Code implementation flaw — server-role (#2) or client-role (#3) per R-ROLE. |
| CWE-832 | Unlock of a Resource that is not Locked | #2 \| #3 | Allowed | Unlock of a resource that was not locked — undefined behavior in pthreads, exception in many lock APIs. Code implementation flaw — server-role (#2) or client-role (#3) per R-ROLE. |
| CWE-833 | Deadlock | #2 \| #3 | Allowed | Deadlock — threads wait on each other indefinitely. Concurrency/race-condition code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-835 | Loop with Unreachable Exit Condition ('Infinite Loop') | #2 \| #3 | Allowed | Loop whose exit condition cannot be satisfied for attacker-chosen input: the handler never returns and burns CPU or a worker thread (DoS). Control-flow code implementation flaw in loop termination. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-838 | Inappropriate Encoding for Output Context | #2 | Allowed | Output emitted with encoding inappropriate for its context (HTML-encoded value placed in JS context, URL-encoded value placed in attribute) — the wrong encoding does not neutralize the right special characters. Decision tree Q2 -> #2. |
| CWE-839 | Numeric Range Comparison Without Minimum Check | #2 \| #3 | Allowed | Numeric-range comparison without minimum check accepts negative values where a positive bound was expected. Arithmetic/numeric code implementation flaw. Server-role (#2) or client-role (#3) per R-ROLE. |
| CWE-843 | Access of Resource Using Incompatible Type ('Type Confusion') | #2 \| #3 | Allowed | Type confusion — accessing a resource as the wrong type. Canonical example: V8/SpiderMonkey JIT type-confusion RCEs (#3); also occurs in server-side parsers (#2). Memory-safety code implementation flaw. Server-role (#2) or client-role (#3) per R-ROLE. |
| CWE-908 | Use of Uninitialized Resource | #2 \| #3 | Allowed | Use of uninitialized resource — undefined values propagate into security-relevant decisions. Memory-safety code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-909 | Missing Initialization of Resource | #2 \| #3 | Allowed | Missing initialization of a resource — operations on the resource encounter undefined state. Memory-safety code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-910 | Use of Expired File Descriptor | #2 \| #3 | Allowed | Use of expired (closed/freed) file descriptor — recycled FD points to a different resource. Memory-safety code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-911 | Improper Update of Reference Count | #2 \| #3 | Allowed | Improper reference-count update produces premature free or unbounded leak — UAF or memory exhaustion. Memory-safety code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-913 | Improper Control of Dynamically-Managed Code Resources | #2 → #7 \| #3 → #7 | Allowed-with-Review | Implementation flaw allowing attacker influence over dynamically-managed code (eval, reflection, dynamic class loading). Server-role (#2) or client-role (#3) per R-ROLE. Per R-EXEC, dynamic code resources execute attacker-influenced code — append → #7. |
| CWE-914 | Improper Control of Dynamically-Identified Variables | #2 | Allowed | Improper control of dynamically-identified variables (PHP variable variables, JS object[name] with attacker-controlled name) — attacker selects which variable is read/written. Decision tree Q2 -> #2. |
| CWE-915 | Improperly Controlled Modification of Dynamically-Determined Object Attributes | #2 | Allowed | Mass assignment — server-side framework auto-binds request fields to model attributes (Rails, Django, Spring) without an allowlist, letting attackers set fields they should not control. Decision tree Q2 -> #2. |
| CWE-917 | Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') | #2 → #7 | Allowed | Server-side sanitization flaw allowing attacker input to be evaluated by an expression-language engine (Spring SpEL, Struts OGNL, JSP EL). Per R-EXEC, EL evaluation of attacker-controlled input executes foreign code — append → #7. |
| CWE-943 | Improper Neutralization of Special Elements in Data Query Logic | #2 \| #3 | Allowed | Data-query-language injection (NoSQL, XQuery, OQL, ORM-DSL) — attacker payload modifies the query semantics. Input-validation code implementation flaw at the parser/validator boundary. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-1023 | Incomplete Comparison with Missing Factors | #2 \| #3 | Allowed | Comparison missing necessary factors (e.g., comparing username only when tenant must also match). Input-validation code implementation flaw at the parser/validator boundary. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-1024 | Comparison of Incompatible Types | #2 \| #3 | Allowed | Comparison of incompatible types yields unexpected coerced result. Input-validation code implementation flaw at the parser/validator boundary. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-1025 | Comparison Using Wrong Factors | #2 \| #3 | Allowed | Comparison uses wrong factors (e.g., reference equality when content equality intended). Input-validation code implementation flaw at the parser/validator boundary. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-1037 | Processor Optimization Removal or Modification of Security-critical Code | #2 \| #3 | Allowed | Processor-level optimization (speculative or out-of-order execution) runs the program in a way the source does not express, e.g., a bounds check is transiently bypassed and out-of-bounds data reaches a cache side channel. The compiler-side counterpart (dead-store elimination removing an explicit memset) is CWE-14, not this entry. Memory-safety-adjacent code implementation flaw: the protective check exists in source but not in the executed behavior. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-1038 | Insecure Automated Optimizations | #2 | Allowed | Insecure automated optimization introduced by tooling (compiler, transpiler, minifier) silently changes program semantics in security-relevant ways. Decision tree Q2 -> #2. |
| CWE-1058 | Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element | #2 \| #3 | Allowed | Invokable control element used in multi-thread context without thread safety. Concurrency/race-condition code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-1066 | Missing Serialization Control Element | #2 \| #3 | Allowed | Missing serialization control element on a class that should be serializable, leading to deserialization-handling defects in code that round-trips the data. Code implementation flaw -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-1077 | Floating Point Comparison with Incorrect Operator | #2 \| #3 | Allowed | Floating-point comparison using == when an epsilon-tolerance is required. Arithmetic/numeric code implementation flaw (overflow, underflow, sign issue, precision). Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-1079 | Parent Class without Virtual Destructor Method | #2 \| #3 | Allowed | Parent class without virtual destructor — derived class destruction skips parent cleanup, leaking resources or leaving partially-destroyed state. Memory-safety code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-1087 | Class with Virtual Method without a Virtual Destructor | #2 \| #3 | Allowed | Class with virtual methods but no virtual destructor — same hazard as CWE-1079 in C++. Memory-safety code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-1088 | Synchronous Access of Remote Resource without Timeout | #2 \| #3 | Allowed | Synchronous remote-resource access without timeout: the calling process blocks indefinitely on an unresponsive peer, and under load the blocked workers exhaust the thread or connection pool (DoS). Error-handling code implementation flaw; with no timeout the failure is never detected or propagated. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-1091 | Use of Object without Invoking Destructor Method | #2 \| #3 | Allowed | Object used without invoking its destructor — resource leak. Memory-safety code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-1096 | Singleton Class Instance Creation without Proper Locking or Synchronization | #2 \| #3 | Allowed | Singleton creation without proper locking permits multiple instances or partially-initialized state. Concurrency/race-condition code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-1097 | Persistent Storable Data Element without Associated Comparison Control Element | #2 \| #3 | Allowed | Persistent storable data lacking the comparison element required for proper change detection / equality. Code implementation flaw -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-1098 | Data Element containing Pointer Item without Proper Copy Control Element | #2 \| #3 | Allowed | Pointer-containing data element copied without proper deep-copy — aliasing creates UAF / double-free. Memory-safety code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-1173 | Improper Use of Validation Framework | #2 \| #3 | Allowed | Improper use of a validation framework (skipping the framework, configuring it incorrectly) lets unfiltered input reach the consumer. Input-validation code implementation flaw at the parser/validator boundary. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-1174 | ASP.NET Misconfiguration: Improper Model Validation | #2 | Allowed | ASP.NET model-validation framework misconfigured — server-side request inputs reach business logic without validation. Decision tree Q2 -> #2. |
| CWE-1230 | Exposure of Sensitive Information Through Metadata | #2 \| #3 | Allowed | Sensitive information leaked via metadata (EXIF, document properties, version-control metadata embedded in releases). Information-exposure code implementation flaw in the content-generation or publishing function, which fails to strip metadata before output. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-1252 | CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations | #2 \| #3 | Allowed | Missing W^X/DEP/NX enforcement makes injected shellcode directly executable, amplifying memory-corruption exploits in server-role (#2) or client-role (#3) code per R-ROLE. |
| CWE-1265 | Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls | #2 \| #3 | Allowed | Unintended reentrant invocation of non-reentrant code (e.g., signal handler reentering malloc). Concurrency/race-condition code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-1284 | Improper Validation of Specified Quantity in Input | #2 \| #3 | Allowed | A quantity carried in the input (length, count, size, number of elements) is used without checking it against the expected range, so allocation sizes or loop bounds follow attacker values. Input-validation code implementation flaw at the parser/validator boundary. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-1285 | Improper Validation of Specified Index, Position, or Offset in Input | #2 \| #3 | Allowed | An index, position, or offset carried in the input is used to access memory or a structure without a bounds check, yielding out-of-bounds reads or writes. Input-validation code implementation flaw at the parser/validator boundary. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-1286 | Improper Validation of Syntactic Correctness of Input | #2 \| #3 | Allowed | Input is consumed without checking that it conforms to the expected grammar (well-formed JSON/XML, valid header syntax), so downstream code proceeds on malformed data. Input-validation code implementation flaw at the parser/validator boundary. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-1287 | Improper Validation of Specified Type of Input | #2 \| #3 | Allowed | The type of an input value is not verified (string where a number is expected, array where a scalar is expected), so type-dependent logic and comparisons misbehave. Input-validation code implementation flaw at the parser/validator boundary. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-1288 | Improper Validation of Consistency within Input | #2 \| #3 | Allowed | Fields within one input are not cross-checked against each other (declared length vs actual payload, count field vs number of records), so a mismatch drives the parser. Input-validation code implementation flaw at the parser/validator boundary. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-1289 | Improper Validation of Unsafe Equivalence in Input | #2 \| #3 | Allowed | Equivalent spellings of the same input (case variants, Unicode normalization forms, alternate encodings, path equivalents) are not reduced to a canonical form before the check, so a different-looking but equivalent value bypasses it. Input-validation code implementation flaw at the parser/validator boundary. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-1295 | Debug Messages Revealing Unnecessary Information | #2 \| #3 | Allowed | Debug messages reveal unnecessary information (stack traces, paths, internal state) to users. Information-exposure code implementation flaw in error/debug handling: diagnostics meant for developers are emitted to the untrusted party. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-1321 | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') | #2 \| #3 | Allowed | Prototype pollution — attacker mutates Object prototype, affecting downstream type checks and access patterns. Code implementation flaw in property-assignment logic. Decision tree Q2 -> server-role #2 (Node.js) or client-role #3 (browser JS) per R-ROLE. |
| CWE-1322 | Use of Blocking Code in Single-threaded, Non-blocking Context | #2 \| #3 | Allowed | Use of blocking code in single-threaded non-blocking context (Node.js, browser main thread) — long synchronous operations stall the event loop, causing DoS. Code implementation flaw -> server-role #2 (Node) or client-role #3 (browser) per R-ROLE. |
| CWE-1333 | Inefficient Regular Expression Complexity | #2 \| #3 | Allowed | Inefficient regex enables ReDoS — one crafted input triggers exponential backtracking. Code defect (the regex pattern) -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-1335 | Incorrect Bitwise Shift of Integer | #2 \| #3 | Allowed | Shift amount is negative or at least the operand width (undefined behavior in C/C++; masked to the operand width in Java and JavaScript), or a logical shift is used where an arithmetic one was intended, so the computed value (often a size or mask) is wrong. Arithmetic/numeric code implementation flaw (overflow, underflow, sign issue, precision). Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-1336 | Improper Neutralization of Special Elements Used in a Template Engine | #2 → #7 \| #3 → #7 | Allowed | Sanitization flaw allowing attacker input to be evaluated by a template engine. Server-Side Template Injection (#2, e.g., Jinja2/Velocity) or Client-Side Template Injection (#3, e.g., AngularJS) per R-ROLE. Per R-EXEC, template-engine evaluation executes attacker code — append → #7. |
| CWE-1339 | Insufficient Precision or Accuracy of a Real Number | #2 \| #3 | Allowed | The real-number representation lacks the precision the computation needs (binary floating point for currency, rounding accumulated across many operations), so results drift from the intended value and threshold checks misfire. Arithmetic/numeric code implementation flaw (overflow, underflow, sign issue, precision). Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-1341 | Multiple Releases of Same Resource or Handle | #2 \| #3 | Allowed | Multiple releases of the same resource/handle (double free, double close). Memory-safety code implementation flaw. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-1386 | Insecure Operation on Windows Junction / Mount Point | #2 \| #3 | Allowed | Windows junction/mount-point manipulation lets an attacker redirect privileged file access to attacker-chosen locations. Path-traversal/equivalence variant — code implementation flaw in path canonicalization. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. See CWE-22 for the parent class discussion. |
| CWE-1389 | Incorrect Parsing of Numbers with Different Radices | #2 \| #3 | Allowed | Numeric parsing accepts different radices (octal-leading-zero, 0x hex) inconsistently between security check and consumer, producing parsing-discrepancy bypass. Arithmetic/numeric code implementation flaw (overflow, underflow, sign issue, precision). Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-1419 | Incorrect Initialization of Resource | #2 \| #3 | Allowed | Resource initialized to an incorrect/unsafe value (wrong default, stale or partial state), propagating into security decisions. Initialization code implementation flaw, sibling of CWE-908/CWE-909. Decision tree Q2 -> server-role #2 or client-role #3 per R-ROLE. |
| CWE-1427 | Improper Neutralization of Input Used for LLM Prompting | #2 | Allowed | Prompt injection — server-side LLM endpoint concatenates attacker input into the prompt, letting the attacker override system instructions. Decision tree Q2 -> #2. |
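The CWE-791 to CWE-797 rows describe filters that strip special elements incompletely. As an added example (not part of this mapping set, of CWE, or of any project's code), the Python below implements three of those flawed filters against a hypothetical document root, shows each being bypassed by a traversal payload, and then gives the canonicalize-then-check form that replaces them. The base directory `BASE_DIR` and every payload are constructed for illustration.

```python
"""Sanitization/filtering bypasses (CWE-792, CWE-793, CWE-797) on path input.

Constructed example: not code from the mapping set or from CWE. The document
root and the payloads below are made up for illustration.
"""
import posixpath

BASE_DIR = "/srv/www/static"  # hypothetical document root


def filter_first_instance(user_path: str) -> str:
    """CWE-793: strips only the first '../' (replace with count=1)."""
    return user_path.replace("../", "", 1)


def filter_single_pass(user_path: str) -> str:
    """CWE-792: strips every literal '../' once, non-recursively.

    Removing one occurrence splices the surrounding characters into a fresh
    '../' that the scan has already walked past ('..././' -> '../').
    """
    return user_path.replace("../", "")


def filter_absolute_position(user_path: str) -> str:
    """CWE-797: rejects a traversal sequence only at offset 0 of the input."""
    if user_path.startswith("../"):
        raise ValueError("traversal rejected")
    return user_path


def resolve(base: str, user_path: str) -> str:
    """Lexically resolves the path the file API would open (join + normpath)."""
    return posixpath.normpath(posixpath.join(base, user_path))


def escapes(base: str, user_path: str) -> bool:
    """True if the resolved path lies outside ``base``."""
    base = posixpath.normpath(base)
    full = resolve(base, user_path)
    return full != base and not full.startswith(base + "/")


def safe_join(base: str, user_path: str) -> str:
    """Hardened form: canonicalize first, then check containment, and reject
    rather than strip. Holds for any number or position of '../' and for
    absolute user paths, which posixpath.join would otherwise honour."""
    if escapes(base, user_path):
        raise ValueError("path escapes base directory")
    return resolve(base, user_path)


def is_rejected(base: str, user_path: str) -> bool:
    """Does safe_join refuse this input?"""
    try:
        safe_join(base, user_path)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    cases = [
        ("CWE-793 first-instance-only", filter_first_instance, "../../etc/passwd"),
        ("CWE-792 single non-recursive pass", filter_single_pass, "..././..././etc/passwd"),
        ("CWE-797 absolute-position check", filter_absolute_position, "img/../../../../etc/passwd"),
    ]
    for name, flawed_filter, payload in cases:
        filtered = flawed_filter(payload)
        print(f"{name}: {payload!r} -> {filtered!r}; escapes={escapes(BASE_DIR, filtered)}")
    print("safe_join accepts img/logo.png:", safe_join(BASE_DIR, "img/logo.png"))
    print("safe_join rejects ../../etc/passwd:", is_rejected(BASE_DIR, "../../etc/passwd"))
```

`posixpath.normpath` is purely lexical. When the joined path is actually opened on a filesystem, resolve it with `os.path.realpath` after the join and apply the same containment check, so that a symlink or junction inside the base (the concern behind the CWE-1386 row) cannot redirect the access.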
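The CWE-1389 row describes a radix discrepancy between the security check and its consumer. As an added example (again not page, CWE, or project code), the following Python models the classic case: an allow/deny check that reads dotted-quad octets as plain decimal while the consumer follows inet_aton()-style rules (leading 0 is octal, 0x is hex). The lenient parser is a constructed model of those rules written in Python, not a call into the C library, and the addresses are made-up sample input. The hardened form parses once, strictly, and passes the parsed value downstream, which is also the canonicalization point made in the CWE-1289 row.

```python
"""CWE-1389: radix parsing discrepancy between a security check and its consumer.

Constructed example: not code from the mapping set or from CWE. The lenient
parser models BSD inet_aton()-style radix rules in pure Python; the addresses
used in the demo are made-up sample input.
"""
import re

# Consumer-side rules (model of inet_aton): "0x" -> hex, leading "0" -> octal,
# anything else decimal.
_LENIENT_OCTET = re.compile(r"0[xX][0-9A-Fa-f]+|0[0-7]*|[1-9][0-9]*")
# Check-side rules: whatever looks like a run of decimal digits.
_DECIMAL_OCTET = re.compile(r"[0-9]+")
# Canonical rules: no leading zeros, no hex, so each value has one spelling.
_STRICT_OCTET = re.compile(r"0|[1-9][0-9]{0,2}")


def _octets(addr: str, pattern, convert) -> tuple:
    """Split a dotted quad and convert each octet with the given rule set."""
    parts = addr.split(".")
    if len(parts) != 4:
        raise ValueError("expected a dotted quad")
    values = []
    for part in parts:
        if not pattern.fullmatch(part):
            raise ValueError(f"bad octet {part!r}")
        value = convert(part)
        if value > 255:
            raise ValueError(f"octet out of range {part!r}")
        values.append(value)
    return tuple(values)


def _lenient_int(part: str) -> int:
    if part[:2].lower() == "0x":
        return int(part[2:], 16)
    if len(part) > 1 and part[0] == "0":
        return int(part, 8)
    return int(part, 10)


def lenient_parse(addr: str) -> tuple:
    """What the socket layer would actually dial (inet_aton-style)."""
    return _octets(addr, _LENIENT_OCTET, _lenient_int)


def decimal_parse(addr: str) -> tuple:
    """What the naive allow/deny check believes the address is."""
    return _octets(addr, _DECIMAL_OCTET, lambda p: int(p, 10))


def strict_parse(addr: str) -> tuple:
    """Canonical parse: one spelling per value, so check and consumer agree."""
    return _octets(addr, _STRICT_OCTET, lambda p: int(p, 10))


def is_loopback(octets: tuple) -> bool:
    return octets[0] == 127


def vulnerable_target(addr: str) -> tuple:
    """CWE-1389: the check parses decimal, the consumer parses inet_aton-style.
    '0177.0.0.1' reads as 177.0.0.1 to the check and 127.0.0.1 to the consumer."""
    if is_loopback(decimal_parse(addr)):
        raise PermissionError("loopback blocked")
    return lenient_parse(addr)  # the raw string, re-parsed with different rules


def fixed_target(addr: str) -> tuple:
    """Hardened: parse once, strictly, and hand the parsed value downstream."""
    octets = strict_parse(addr)
    if is_loopback(octets):
        raise PermissionError("loopback blocked")
    return octets


def rejected(fn, addr: str) -> bool:
    """True if the given target function refuses the address."""
    try:
        fn(addr)
    except (ValueError, PermissionError):
        return True
    return False


def outcome(fn, addr: str) -> str:
    try:
        return ".".join(map(str, fn(addr)))
    except (ValueError, PermissionError) as exc:
        return f"rejected ({exc})"


if __name__ == "__main__":
    for addr in ("127.0.0.1", "0177.0.0.1", "0x7f.0.0.1", "93.184.216.34"):
        print(f"{addr:>14}  vulnerable -> {outcome(vulnerable_target, addr):<24}"
              f"  fixed -> {outcome(fixed_target, addr)}")
```

Note that the vulnerable check rejects `0x7f.0.0.1` only because its digit regex happens not to match a hex spelling, not because it understood the value; the octal spelling `0177.0.0.1` slips through. The fix in the row's terms is a single canonical parse whose output, rather than the raw string, is what the consumer receives.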
