Browse 299 Variant level CWE entries. Platform, language, or technology-specific weaknesses that are variants of base weaknesses.
The product compares classes by name, which can cause it to use the wrong class when multiple classes can have the same name.
The product uses the chroot() system call to create a jail, but does not change the working directory afterward. This does not prevent access to files outside of the jail.
The product has a critical public variable that is not final, which allows the variable to be modified to contain unexpected values.
The product calls free() twice on the same memory address.
Using an empty string as a password is insecure.
If too few arguments are sent to a function, the function will still pop the expected number of arguments from the stack. Potentially, a variable number of arguments could be exhausted in a function as well.
A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.
The product constructs pathnames from user input, but it does not handle or incorrectly handles a pathname containing a Windows device name such as AUX or CON. This typically leads to denial of service or an information exposure when the application attempts to process the pathname as a regular file.
The product does not neutralize or incorrectly neutralizes web scripting syntax in HTTP headers that can be used by web browser components that can process raw headers, such as Flash.
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index references a valid position within the array.
The product communicates with a host that provides a certificate, but the product does not properly ensure that the certificate is actually associated with that host.
An object contains a public static field that is not marked final, which might allow it to be modified in unexpected ways.
The product uses a protection mechanism that relies on the existence or values of a cookie, but it does not properly ensure that the cookie is valid for the associated user.
The product allows a file to be uploaded, but it relies on the file name or extension of the file to determine the appropriate behaviors. This could be used by attackers to cause the file to be misclassified and processed in a dangerous fashion.
The product uses an IP address for authentication.
The code contains a class with sensitive data, but the class does not explicitly deny serialization. The data can be accessed by serializing the class through another class.
A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
The server contains a protection mechanism that assumes that any URI that is accessed using HTTP GET will not cause a state change to the associated resource. This might allow attackers to bypass intended access restrictions and conduct resource modification and deletion attacks, since some applications allow GET to modify state.
The product performs an operation on a number that causes it to be sign extended when it is transformed into a larger data type. When the original number is negative, this can produce unexpected values that lead to resultant weaknesses.
The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
The product uses a hard-coded, unchangeable cryptographic key.
The product contains a hard-coded password, which it uses for its own inbound authentication or for outbound communication to external components.
The product defines policy namespaces and makes authorization decisions based on the assumption that a URL is canonical. This can allow a non-canonical URL to bypass the authorization.
The code uses a variable that has not been initialized, leading to unpredictable or unintended results.
The code calls sizeof() on a pointer type, which can be an incorrect calculation if the programmer intended to determine the size of the data that is being pointed to.
The referer field in HTTP requests can be easily modified and, as such, is not a valid means of message integrity checking.
The code contains a class with sensitive data, but the class is cloneable. The data can then be accessed by cloning the class.
The product generates and uses a predictable initialization Vector (IV) with Cipher Block Chaining (CBC) Mode, which causes algorithms to be susceptible to dictionary attacks when they are encrypted under the same key.
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").
The lack of entropy available for, or used by, a Pseudo-Random Number Generator (PRNG) can be a stability and security threat.
Integer coercion refers to a set of flaws pertaining to the type casting, extension, or truncation of primitive data types.
The product does not check the revocation status of a certificate after its initial revocation check, which can cause the product to perform privileged actions even after the certificate is revoked at a later time.
The product does not sufficiently track and release allocated memory after it has been used, making the memory unavailable for reallocation and reuse.
The product uses a regular expression to perform neutralization, but the regular expression is not anchored and may allow malicious or malformed data to slip through.
The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.
The SameSite attribute for sensitive cookies is not set, or an insecure value is used.
The product uses an unsigned primitive and performs a cast to a signed primitive, which can produce an unexpected value if the value of the unsigned primitive can not be represented using a signed primitive.
Inner classes are translated into classes that are accessible at package scope and may expose code that the programmer intended to keep private to attackers.
The product uses the RSA algorithm but does not incorporate Optimal Asymmetric Encryption Padding (OAEP), which might weaken the encryption.
The web application produces links to untrusted external sites outside of its sphere of control, but it does not properly prevent the external site from modifying security-critical properties of the window.opener object, such as the location property.
The product allocates file descriptors or handles on behalf of an actor without imposing any restrictions on how many descriptors can be allocated, in violation of the intended security policy for that actor.
The code uses an operator for assignment when the intention was to perform a comparison.
The code uses an operator for comparison when the intention was to perform an assignment.
Duplicate keys in associative lists can lead to non-unique keys being mistaken for an error.
True random number generators (TRNG) generally have a limited source of entropy and therefore can fail or block.
A certificate expiration is not validated or is incorrectly validated.
The product contains a conditional statement with multiple logical expressions in which one of the non-leading expressions may produce side effects. This may lead to an unexpected state in the program after the execution of the conditional, because short-circuiting logic may prevent the side effects from occurring.
The product attempts to return a memory resource to the system, but it calls a release function that is not compatible with the function that was originally used to allocate that resource.
The product defines a signal handler that calls a non-reentrant function.
The product, when opening a file or directory, does not sufficiently handle when the file is a Windows shortcut (.LNK) whose target is outside of the intended control sphere. This could allow an attacker to cause the product to operate on unauthorized files.
Allowing a .NET application to run at potentially escalated levels of access to the underlying operating and file systems can be dangerous and result in various forms of attacks.
Debugging messages help attackers learn about the system and plan a form of attack.
The ASP.NET application does not use, or incorrectly uses, the model validation framework.
An ASP .NET application must enable custom error pages in order to prevent attackers from mining information from the framework's built-in responses.
The ASP.NET application does not use an input validation framework.
Storing a plaintext password in a configuration file allows anyone who can read the file access to the password-protected resource making them an easy target for attackers.
Configuring an ASP.NET application to run with impersonated credentials may give the application unnecessary privileges.
The product declares an array public, final, and static, which is not sufficient to prevent the array's contents from being modified.
The product sets a pointer to a specific address other than NULL or 0.
Casting a non-structure type to a structure type and accessing a field can lead to memory access errors or data corruption.
The product modifies the SSL context after connection creation has begun.
The product uses a database table that includes records that should not be accessible to an actor, but it executes a SQL statement with a primary key that can be controlled by that actor.
The product uses the size of a source buffer when reading from or writing to a destination buffer, which may cause it to access memory that is outside of the bounds of the buffer.
The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer.
The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations prior to the targeted buffer.
The product uses an API function that does not exist on all versions of the target platform. This could cause portability problems or inconsistencies that allow denial of service or other consequences.
The product calls a thread's run() method instead of calling start(), which causes the code to run in the thread of the caller instead of the callee.
The product stores sensitive information in cleartext in a file, or on disk.
The product stores sensitive information in cleartext in the registry.
The product stores sensitive information in cleartext in an executable.
The product stores sensitive information in cleartext within the GUI.
The product stores sensitive information in cleartext in memory.
The product stores sensitive information in cleartext in a cookie.
The product uses an environment variable to store unencrypted sensitive information.
A possible shell file exists in /cgi-bin/ or other accessible directories. This is extremely dangerous and can be used by an attacker to execute commands on the web server.
A device's real time power consumption may be monitored during security token evaluation and the information gleaned may be used to determine the value of the reference token.
The product compares object references instead of the contents of the objects themselves, preventing it from detecting equivalent objects.
Sensitive memory is cleared according to the source code, but compiler optimizations leave the memory untouched when it is not read from again, aka "dead store removal."
This entry has been deprecated as it represents a specific observed example of a UNIX Hard Link weakness type rather than its own individual weakness type. Please refer to CWE-62.
This entry has been deprecated because its abstraction was too low-level. See CWE-532.
This entry has been deprecated because its abstraction was too low-level. See CWE-532.
This entry has been deprecated because its abstraction was too low-level. See CWE-532.
This entry has been deprecated because of name confusion and an accidental combination of multiple weaknesses. Most of its content has been transferred to CWE-785.
This entry has been deprecated because it was a duplicate of CWE-350. All content has been transferred to CWE-350.
This weakness has been deprecated because it partially overlaps CWE-470, it describes legitimate programmer behavior, and other portions will need to be integrated into other entries.
When a Java application uses the Java Native Interface (JNI) to call code written in another programming language, it can expose the application to weaknesses in that code, even if those weaknesses cannot occur in Java.
The product decodes the same input twice, which can limit the effectiveness of any protection mechanism that occurs in between the decoding operations.
The web application does not filter user-controlled input for executable script disguised using doubling of the involved characters.
In a language where the user can influence the name of a variable at runtime, if the variable names are not controlled, an attacker can read or write to arbitrary variables, or access arbitrary functions.
The product violates the Enterprise JavaBeans (EJB) specification by using AWT/Swing.
The product violates the Enterprise JavaBeans (EJB) specification by using the class loader.
The product violates the Enterprise JavaBeans (EJB) specification by using the java.io package.
The product violates the Enterprise JavaBeans (EJB) specification by using sockets.
The product violates the Enterprise JavaBeans (EJB) specification by using thread synchronization primitives.
An invokable code block contains an exception handling block that does not contain any code, i.e. is empty.
The product contains an empty synchronized block.
The product implements an IOCTL with functionality that should be restricted, but it does not properly enforce access control for the IOCTL.
An ActiveX control is intended for use in a web browser, but it exposes dangerous methods that perform actions that are outside of the browser's security model (e.g. the zone or domain).
Get a free security assessment from our experts. We'll identify vulnerabilities and create a protection plan tailored to your business.
Continue with these related tools
This tool is provided for educational and authorized security testing purposes only. Always ensure you have proper authorization before testing any systems or networks you do not own. All processing happens client-side in your browser — no data is sent to our servers.