• CodeQL query help documentation »

CodeQL CWE coverage

An overview of the coverage of MITRE’s Common Weakness Enumeration (CWE) for the latest release of CodeQL.

About CWEs

The CWE categorization contains several types of entity, collectively known as CWEs. The CWEs that we consider in this report are only those of the types:

• Weakness Class
• Weakness Base
• Weakness Variant
• Compound Element

Other types of CWE do not correspond directly to weaknesses, so are omitted.

The CWE categorization includes relationships between entities, in particular a parent-child relationship. These relationships are associated with Views (another kind of CWE entity). For the purposes of coverage claims, we use the “Research View.”

Every security query is associated with one or more CWEs, which are the most precise CWEs that are covered by that query. Overall coverage is claimed for the most-precise CWEs, as well as for any of their ancestors in the View.

Overview

CWE	Language	Query id	Query name
CWE‑11	C#	cs/web/debug-binary	Creating an ASP.NET debug binary may reveal sensitive information
CWE‑12	C#	cs/web/missing-global-error-handler	Missing global error handler
CWE‑13	C#	cs/password-in-configuration	Password in configuration file
CWE‑14	C++	cpp/memset-may-be-deleted	Call to memset may be deleted
CWE‑20	Java	java/count-untrusted-data-external-api	Frequency counts for external APIs that are used with untrusted data
CWE‑20	Java	java/untrusted-data-to-external-api	Untrusted data passed to external API
CWE‑20	Java	java/improper-validation-of-array-construction	Improper validation of user-provided size used for array construction
CWE‑20	Java	java/improper-validation-of-array-construction-code-specified	Improper validation of code-specified size used for array construction
CWE‑20	Java	java/improper-validation-of-array-construction-local	Improper validation of local user-provided size used for array construction
CWE‑20	Java	java/improper-validation-of-array-index	Improper validation of user-provided array index
CWE‑20	Java	java/improper-validation-of-array-index-code-specified	Improper validation of code-specified array index
CWE‑20	Java	java/improper-validation-of-array-index-local	Improper validation of local user-provided array index
CWE‑20	C++	cpp/count-untrusted-data-external-api	Frequency counts for external APIs that are used with untrusted data
CWE‑20	C++	cpp/count-untrusted-data-external-api-ir	Frequency counts for external APIs that are used with untrusted data
CWE‑20	C++	cpp/untrusted-data-to-external-api-ir	Untrusted data passed to external API
CWE‑20	C++	cpp/untrusted-data-to-external-api	Untrusted data passed to external API
CWE‑20	C++	cpp/uncontrolled-process-operation	Uncontrolled process operation
CWE‑20	C++	cpp/unclear-array-index-validation	Unclear validation of array index
CWE‑20	C++	cpp/late-check-of-function-argument	Late Check Of Function Argument
CWE‑20	C#	csharp/count-untrusted-data-external-api	Frequency counts for external APIs that are used with untrusted data
CWE‑20	C#	cs/serialization-check-bypass	Serialization check bypass
CWE‑20	C#	csharp/untrusted-data-to-external-api	Untrusted data passed to external API
CWE‑20	C#	cs/xml/missing-validation	Missing XML validation
CWE‑20	C#	cs/assembly-path-injection	Assembly path injection
CWE‑20	Python	py/incomplete-hostname-regexp	Incomplete regular expression for hostnames
CWE‑20	Python	py/incomplete-url-substring-sanitization	Incomplete URL substring sanitization
CWE‑20	Python	python/count-untrusted-data-external-api	Frequency counts for external APIs that are used with untrusted data
CWE‑20	Python	python/untrusted-data-to-external-api	Untrusted data passed to external API
CWE‑20	JavaScript	js/count-untrusted-data-external-api	Frequency counts for external APIs that are used with untrusted data
CWE‑20	JavaScript	js/incomplete-hostname-regexp	Incomplete regular expression for hostnames
CWE‑20	JavaScript	js/incomplete-url-scheme-check	Incomplete URL scheme check
CWE‑20	JavaScript	js/incomplete-url-substring-sanitization	Incomplete URL substring sanitization
CWE‑20	JavaScript	js/incorrect-suffix-check	Incorrect suffix check
CWE‑20	JavaScript	js/regex/missing-regexp-anchor	Missing regular expression anchor
CWE‑20	JavaScript	js/untrusted-data-to-external-api	Untrusted data passed to external API
CWE‑20	JavaScript	js/useless-regexp-character-escape	Useless regular-expression character escape
CWE‑20	JavaScript	js/double-escaping	Double escaping or unescaping
CWE‑20	JavaScript	js/incomplete-html-attribute-sanitization	Incomplete HTML attribute sanitization
CWE‑20	JavaScript	js/incomplete-multi-character-sanitization	Incomplete multi-character sanitization
CWE‑20	JavaScript	js/incomplete-sanitization	Incomplete string escaping or encoding
CWE‑20	JavaScript	js/missing-postmessageorigin-verification	Missing MessageEvent.origin verification in postMessage handlers
CWE‑20	Go	go/count-untrusted-data-external-api	Frequency counts for external APIs that are used with untrusted data
CWE‑20	Go	go/incomplete-hostname-regexp	Incomplete regular expression for hostnames
CWE‑20	Go	go/incomplete-url-scheme-check	Incomplete URL scheme check
CWE‑20	Go	go/regex/missing-regexp-anchor	Missing regular expression anchor
CWE‑20	Go	go/suspicious-character-in-regex	Suspicious characters in a regular expression
CWE‑20	Go	go/untrusted-data-to-external-api	Untrusted data passed to external API
CWE‑20	Go	go/untrusted-data-to-unknown-external-api	Untrusted data passed to unknown external API
CWE‑22	Java	java/path-injection	Uncontrolled data used in path expression
CWE‑22	Java	java/path-injection-local	Local-user-controlled data in path expression
CWE‑22	Java	java/zipslip	Arbitrary file write during archive extraction ("Zip Slip")
CWE‑22	Java	java/openstream-called-on-tainted-url	openStream called on URLs created from remote source
CWE‑22	C++	cpp/path-injection	Uncontrolled data used in path expression
CWE‑22	C#	cs/path-injection	Uncontrolled data used in path expression
CWE‑22	C#	cs/zipslip	Arbitrary file write during zip extraction ("Zip Slip")
CWE‑22	C#	cs/webclient-path-injection	Uncontrolled data used in a WebClient
CWE‑22	Python	py/path-injection	Uncontrolled data used in path expression
CWE‑22	Python	py/tarslip	Arbitrary file write during tarfile extraction
CWE‑22	JavaScript	js/path-injection	Uncontrolled data used in path expression
CWE‑22	JavaScript	js/zipslip	Arbitrary file write during zip extraction ("Zip Slip")
CWE‑22	Go	go/path-injection	Uncontrolled data used in path expression
CWE‑22	Go	go/unsafe-unzip-symlink	Arbitrary file write extracting an archive containing symbolic links
CWE‑22	Go	go/zipslip	Arbitrary file write during zip extraction ("zip slip")
CWE‑23	Java	java/path-injection	Uncontrolled data used in path expression
CWE‑23	Java	java/path-injection-local	Local-user-controlled data in path expression
CWE‑23	C++	cpp/path-injection	Uncontrolled data used in path expression
CWE‑23	C#	cs/path-injection	Uncontrolled data used in path expression
CWE‑23	C#	cs/webclient-path-injection	Uncontrolled data used in a WebClient
CWE‑23	Python	py/path-injection	Uncontrolled data used in path expression
CWE‑23	JavaScript	js/path-injection	Uncontrolled data used in path expression
CWE‑23	Go	go/path-injection	Uncontrolled data used in path expression
CWE‑36	Java	java/path-injection	Uncontrolled data used in path expression
CWE‑36	Java	java/path-injection-local	Local-user-controlled data in path expression
CWE‑36	Java	java/openstream-called-on-tainted-url	openStream called on URLs created from remote source
CWE‑36	C++	cpp/path-injection	Uncontrolled data used in path expression
CWE‑36	C#	cs/path-injection	Uncontrolled data used in path expression
CWE‑36	C#	cs/webclient-path-injection	Uncontrolled data used in a WebClient
CWE‑36	Python	py/path-injection	Uncontrolled data used in path expression
CWE‑36	JavaScript	js/path-injection	Uncontrolled data used in path expression
CWE‑36	Go	go/path-injection	Uncontrolled data used in path expression
CWE‑73	Java	java/path-injection	Uncontrolled data used in path expression
CWE‑73	Java	java/path-injection-local	Local-user-controlled data in path expression
CWE‑73	C++	cpp/path-injection	Uncontrolled data used in path expression
CWE‑73	C#	cs/path-injection	Uncontrolled data used in path expression
CWE‑73	C#	cs/webclient-path-injection	Uncontrolled data used in a WebClient
CWE‑73	Python	py/path-injection	Uncontrolled data used in path expression
CWE‑73	JavaScript	js/path-injection	Uncontrolled data used in path expression
CWE‑73	JavaScript	js/template-object-injection	Template Object Injection
CWE‑73	Go	go/path-injection	Uncontrolled data used in path expression
CWE‑74	Java	java/relative-path-command	Executing a command with a relative path
CWE‑74	Java	java/command-line-injection	Uncontrolled command line
CWE‑74	Java	java/command-line-injection-local	Local-user-controlled command line
CWE‑74	Java	java/concatenated-command-line	Building a command line with string concatenation
CWE‑74	Java	java/xss	Cross-site scripting
CWE‑74	Java	java/xss-local	Cross-site scripting from local source
CWE‑74	Java	java/sql-injection	Query built from user-controlled sources
CWE‑74	Java	java/sql-injection-local	Query built from local-user-controlled sources
CWE‑74	Java	java/concatenated-sql-query	Query built without neutralizing special characters
CWE‑74	Java	java/ldap-injection	LDAP query built from user-controlled sources
CWE‑74	Java	java/insecure-bean-validation	Insecure Bean Validation
CWE‑74	Java	java/netty-http-response-splitting	Disabled Netty HTTP header validation
CWE‑74	Java	java/http-response-splitting	HTTP response splitting
CWE‑74	Java	java/http-response-splitting-local	HTTP response splitting from local source
CWE‑74	Java	java/tainted-format-string	Use of externally-controlled format string
CWE‑74	Java	java/tainted-format-string-local	Use of externally-controlled format string from local source
CWE‑74	Java	java/xml/xpath-injection	XPath injection
CWE‑74	Java	java/jndi-injection	JNDI lookup with user-controlled name
CWE‑74	Java	java/xslt-injection	XSLT transformation with user-controlled stylesheet
CWE‑74	Java	java/command-line-injection	Uncontrolled command line
CWE‑74	Java	java/groovy-injection	Groovy Language injection
CWE‑74	Java	java/android-insecure-dex-loading	Insecure loading of an Android Dex File
CWE‑74	Java	java/javaee-expression-injection	Jakarta Expression Language injection
CWE‑74	Java	java/jexl-expression-injection	Expression language injection (JEXL)
CWE‑74	Java	java/mvel-expression-injection	Expression language injection (MVEL)
CWE‑74	Java	java/unsafe-eval	ScriptEngine evaluation
CWE‑74	Java	java/spel-expression-injection	Expression language injection (Spring)
CWE‑74	Java	java/spring-view-manipulation-implicit	Spring Implicit View Manipulation
CWE‑74	Java	java/spring-view-manipulation	Spring View Manipulation
CWE‑74	Java	java/xquery-injection	XQuery query built from user-controlled sources
CWE‑74	Java	java/android/unsafe-android-webview-fetch	Unsafe resource fetching in Android webview
CWE‑74	Java	java/ognl-injection	OGNL Expression Language statement with user-controlled input
CWE‑74	C++	cpp/non-constant-format	Non-constant format string
CWE‑74	C++	cpp/command-line-injection	Uncontrolled data used in OS command
CWE‑74	C++	cpp/cgi-xss	CGI script vulnerable to cross-site scripting
CWE‑74	C++	cpp/sql-injection	Uncontrolled data in SQL query
CWE‑74	C++	cpp/tainted-format-string	Uncontrolled format string
CWE‑74	C++	cpp/tainted-format-string-through-global	Uncontrolled format string (through global variable)
CWE‑74	C#	cs/web/disabled-header-checking	Header checking disabled
CWE‑74	C#	cs/path-injection	Uncontrolled data used in path expression
CWE‑74	C#	cs/command-line-injection	Uncontrolled command line
CWE‑74	C#	cs/stored-command-line-injection	Uncontrolled command line from stored user input
CWE‑74	C#	cs/web/stored-xss	Stored cross-site scripting
CWE‑74	C#	cs/web/xss	Cross-site scripting
CWE‑74	C#	cs/second-order-sql-injection	SQL query built from stored user-controlled sources
CWE‑74	C#	cs/sql-injection	SQL query built from user-controlled sources
CWE‑74	C#	cs/ldap-injection	LDAP query built from user-controlled sources
CWE‑74	C#	cs/stored-ldap-injection	LDAP query built from stored user-controlled sources
CWE‑74	C#	cs/xml-injection	XML injection
CWE‑74	C#	cs/code-injection	Improper control of generation of code
CWE‑74	C#	cs/resource-injection	Resource injection
CWE‑74	C#	cs/uncontrolled-format-string	Uncontrolled format string
CWE‑74	C#	cs/xml/stored-xpath-injection	Stored XPath injection
CWE‑74	C#	cs/xml/xpath-injection	XPath injection
CWE‑74	C#	cs/webclient-path-injection	Uncontrolled data used in a WebClient
CWE‑74	Python	py/path-injection	Uncontrolled data used in path expression
CWE‑74	Python	py/command-line-injection	Uncontrolled command line
CWE‑74	Python	py/jinja2/autoescape-false	Jinja2 templating with autoescape=False
CWE‑74	Python	py/reflective-xss	Reflected server-side cross-site scripting
CWE‑74	Python	py/sql-injection	SQL query built from user-controlled sources
CWE‑74	Python	py/code-injection	Code injection
CWE‑74	Python	py/template-injection	Server Side Template Injection
CWE‑74	Python	py/xslt-injection	XSLT query built from user-controlled sources
CWE‑74	Python	py/xpath-injection	XPath query built from user-controlled sources
CWE‑74	JavaScript	js/enabling-electron-renderer-node-integration	Enabling Node.js integration for Electron web content renderers
CWE‑74	JavaScript	js/path-injection	Uncontrolled data used in path expression
CWE‑74	JavaScript	js/template-object-injection	Template Object Injection
CWE‑74	JavaScript	js/command-line-injection	Uncontrolled command line
CWE‑74	JavaScript	js/indirect-command-line-injection	Indirect uncontrolled command line
CWE‑74	JavaScript	js/shell-command-injection-from-environment	Shell command built from environment values
CWE‑74	JavaScript	js/shell-command-constructed-from-input	Unsafe shell command constructed from library input
CWE‑74	JavaScript	js/xss-through-exception	Exception text reinterpreted as HTML
CWE‑74	JavaScript	js/reflected-xss	Reflected cross-site scripting
CWE‑74	JavaScript	js/stored-xss	Stored cross-site scripting
CWE‑74	JavaScript	js/html-constructed-from-input	Unsafe HTML constructed from library input
CWE‑74	JavaScript	js/unsafe-jquery-plugin	Unsafe jQuery plugin
CWE‑74	JavaScript	js/xss	Client-side cross-site scripting
CWE‑74	JavaScript	js/xss-through-dom	DOM text reinterpreted as HTML
CWE‑74	JavaScript	js/sql-injection	Database query built from user-controlled sources
CWE‑74	JavaScript	js/code-injection	Code injection
CWE‑74	JavaScript	js/bad-code-sanitization	Improper code sanitization
CWE‑74	JavaScript	js/unsafe-dynamic-method-access	Unsafe dynamic method access
CWE‑74	JavaScript	js/incomplete-html-attribute-sanitization	Incomplete HTML attribute sanitization
CWE‑74	JavaScript	js/unsafe-html-expansion	Unsafe expansion of self-closing HTML tag
CWE‑74	JavaScript	js/tainted-format-string	Use of externally-controlled format string
CWE‑74	JavaScript	js/client-side-unvalidated-url-redirection	Client-side URL redirect
CWE‑74	JavaScript	js/xpath-injection	XPath injection
CWE‑74	JavaScript	js/prototype-polluting-assignment	Prototype-polluting assignment
CWE‑74	JavaScript	js/prototype-pollution-utility	Prototype-polluting function
CWE‑74	JavaScript	js/prototype-pollution	Prototype-polluting merge call
CWE‑74	JavaScript	javascript/ldap-injection	LDAP query built from user-controlled sources
CWE‑74	JavaScript	js/actions/injection	Expression injection in Actions
CWE‑74	JavaScript	js/actions/pull-request-target	Checkout of untrusted code in trusted context
CWE‑74	Go	go/path-injection	Uncontrolled data used in path expression
CWE‑74	Go	go/command-injection	Command built from user-controlled sources
CWE‑74	Go	go/stored-command	Command built from stored data
CWE‑74	Go	go/reflected-xss	Reflected cross-site scripting
CWE‑74	Go	go/stored-xss	Stored cross-site scripting
CWE‑74	Go	go/sql-injection	Database query built from user-controlled sources
CWE‑74	Go	go/unsafe-quoting	Potentially unsafe quoting
CWE‑74	Go	go/xml/xpath-injection	XPath injection
CWE‑74	Go	go/html-template-escaping-passthrough	HTML template escaping passthrough
CWE‑77	Java	java/relative-path-command	Executing a command with a relative path
CWE‑77	Java	java/command-line-injection	Uncontrolled command line
CWE‑77	Java	java/command-line-injection-local	Local-user-controlled command line
CWE‑77	Java	java/concatenated-command-line	Building a command line with string concatenation
CWE‑77	Java	java/command-line-injection	Uncontrolled command line
CWE‑77	Java	java/ognl-injection	OGNL Expression Language statement with user-controlled input
CWE‑77	C++	cpp/command-line-injection	Uncontrolled data used in OS command
CWE‑77	C#	cs/command-line-injection	Uncontrolled command line
CWE‑77	C#	cs/stored-command-line-injection	Uncontrolled command line from stored user input
CWE‑77	Python	py/command-line-injection	Uncontrolled command line
CWE‑77	JavaScript	js/command-line-injection	Uncontrolled command line
CWE‑77	JavaScript	js/indirect-command-line-injection	Indirect uncontrolled command line
CWE‑77	JavaScript	js/shell-command-injection-from-environment	Shell command built from environment values
CWE‑77	JavaScript	js/shell-command-constructed-from-input	Unsafe shell command constructed from library input
CWE‑77	JavaScript	js/prototype-polluting-assignment	Prototype-polluting assignment
CWE‑77	JavaScript	js/prototype-pollution-utility	Prototype-polluting function
CWE‑77	JavaScript	js/prototype-pollution	Prototype-polluting merge call
CWE‑77	Go	go/command-injection	Command built from user-controlled sources
CWE‑77	Go	go/stored-command	Command built from stored data
CWE‑77	Go	go/unsafe-quoting	Potentially unsafe quoting
CWE‑78	Java	java/relative-path-command	Executing a command with a relative path
CWE‑78	Java	java/command-line-injection	Uncontrolled command line
CWE‑78	Java	java/command-line-injection-local	Local-user-controlled command line
CWE‑78	Java	java/concatenated-command-line	Building a command line with string concatenation
CWE‑78	Java	java/command-line-injection	Uncontrolled command line
CWE‑78	C++	cpp/command-line-injection	Uncontrolled data used in OS command
CWE‑78	C#	cs/command-line-injection	Uncontrolled command line
CWE‑78	C#	cs/stored-command-line-injection	Uncontrolled command line from stored user input
CWE‑78	Python	py/command-line-injection	Uncontrolled command line
CWE‑78	JavaScript	js/command-line-injection	Uncontrolled command line
CWE‑78	JavaScript	js/indirect-command-line-injection	Indirect uncontrolled command line
CWE‑78	JavaScript	js/shell-command-injection-from-environment	Shell command built from environment values
CWE‑78	JavaScript	js/shell-command-constructed-from-input	Unsafe shell command constructed from library input
CWE‑78	JavaScript	js/prototype-polluting-assignment	Prototype-polluting assignment
CWE‑78	JavaScript	js/prototype-pollution-utility	Prototype-polluting function
CWE‑78	JavaScript	js/prototype-pollution	Prototype-polluting merge call
CWE‑78	Go	go/command-injection	Command built from user-controlled sources
CWE‑78	Go	go/stored-command	Command built from stored data
CWE‑78	Go	go/unsafe-quoting	Potentially unsafe quoting
CWE‑79	Java	java/xss	Cross-site scripting
CWE‑79	Java	java/xss-local	Cross-site scripting from local source
CWE‑79	Java	java/android/unsafe-android-webview-fetch	Unsafe resource fetching in Android webview
CWE‑79	C++	cpp/cgi-xss	CGI script vulnerable to cross-site scripting
CWE‑79	C#	cs/web/stored-xss	Stored cross-site scripting
CWE‑79	C#	cs/web/xss	Cross-site scripting
CWE‑79	Python	py/jinja2/autoescape-false	Jinja2 templating with autoescape=False
CWE‑79	Python	py/reflective-xss	Reflected server-side cross-site scripting
CWE‑79	JavaScript	js/xss-through-exception	Exception text reinterpreted as HTML
CWE‑79	JavaScript	js/reflected-xss	Reflected cross-site scripting
CWE‑79	JavaScript	js/stored-xss	Stored cross-site scripting
CWE‑79	JavaScript	js/html-constructed-from-input	Unsafe HTML constructed from library input
CWE‑79	JavaScript	js/unsafe-jquery-plugin	Unsafe jQuery plugin
CWE‑79	JavaScript	js/xss	Client-side cross-site scripting
CWE‑79	JavaScript	js/xss-through-dom	DOM text reinterpreted as HTML
CWE‑79	JavaScript	js/code-injection	Code injection
CWE‑79	JavaScript	js/bad-code-sanitization	Improper code sanitization
CWE‑79	JavaScript	js/incomplete-html-attribute-sanitization	Incomplete HTML attribute sanitization
CWE‑79	JavaScript	js/unsafe-html-expansion	Unsafe expansion of self-closing HTML tag
CWE‑79	JavaScript	js/client-side-unvalidated-url-redirection	Client-side URL redirect
CWE‑79	JavaScript	js/prototype-polluting-assignment	Prototype-polluting assignment
CWE‑79	JavaScript	js/prototype-pollution-utility	Prototype-polluting function
CWE‑79	JavaScript	js/prototype-pollution	Prototype-polluting merge call
CWE‑79	Go	go/reflected-xss	Reflected cross-site scripting
CWE‑79	Go	go/stored-xss	Stored cross-site scripting
CWE‑79	Go	go/html-template-escaping-passthrough	HTML template escaping passthrough
CWE‑88	Java	java/relative-path-command	Executing a command with a relative path
CWE‑88	Java	java/command-line-injection	Uncontrolled command line
CWE‑88	Java	java/command-line-injection-local	Local-user-controlled command line
CWE‑88	Java	java/concatenated-command-line	Building a command line with string concatenation
CWE‑88	Java	java/command-line-injection	Uncontrolled command line
CWE‑88	C++	cpp/command-line-injection	Uncontrolled data used in OS command
CWE‑88	C#	cs/command-line-injection	Uncontrolled command line
CWE‑88	C#	cs/stored-command-line-injection	Uncontrolled command line from stored user input
CWE‑88	Python	py/command-line-injection	Uncontrolled command line
CWE‑88	JavaScript	js/command-line-injection	Uncontrolled command line
CWE‑88	JavaScript	js/indirect-command-line-injection	Indirect uncontrolled command line
CWE‑88	JavaScript	js/shell-command-injection-from-environment	Shell command built from environment values
CWE‑88	JavaScript	js/shell-command-constructed-from-input	Unsafe shell command constructed from library input
CWE‑89	Java	java/sql-injection	Query built from user-controlled sources
CWE‑89	Java	java/sql-injection-local	Query built from local-user-controlled sources
CWE‑89	Java	java/concatenated-sql-query	Query built without neutralizing special characters
CWE‑89	C++	cpp/sql-injection	Uncontrolled data in SQL query
CWE‑89	C#	cs/second-order-sql-injection	SQL query built from stored user-controlled sources
CWE‑89	C#	cs/sql-injection	SQL query built from user-controlled sources
CWE‑89	Python	py/sql-injection	SQL query built from user-controlled sources
CWE‑89	JavaScript	js/sql-injection	Database query built from user-controlled sources
CWE‑89	Go	go/sql-injection	Database query built from user-controlled sources
CWE‑89	Go	go/unsafe-quoting	Potentially unsafe quoting
CWE‑90	Java	java/ldap-injection	LDAP query built from user-controlled sources
CWE‑90	C#	cs/ldap-injection	LDAP query built from user-controlled sources
CWE‑90	C#	cs/stored-ldap-injection	LDAP query built from stored user-controlled sources
CWE‑90	JavaScript	javascript/ldap-injection	LDAP query built from user-controlled sources
CWE‑91	Java	java/xml/xpath-injection	XPath injection
CWE‑91	Java	java/xquery-injection	XQuery query built from user-controlled sources
CWE‑91	C#	cs/xml-injection	XML injection
CWE‑91	C#	cs/xml/stored-xpath-injection	Stored XPath injection
CWE‑91	C#	cs/xml/xpath-injection	XPath injection
CWE‑91	Python	py/xslt-injection	XSLT query built from user-controlled sources
CWE‑91	Python	py/xpath-injection	XPath query built from user-controlled sources
CWE‑91	JavaScript	js/xpath-injection	XPath injection
CWE‑91	Go	go/xml/xpath-injection	XPath injection
CWE‑93	Java	java/netty-http-response-splitting	Disabled Netty HTTP header validation
CWE‑93	Java	java/http-response-splitting	HTTP response splitting
CWE‑93	Java	java/http-response-splitting-local	HTTP response splitting from local source
CWE‑93	C#	cs/web/disabled-header-checking	Header checking disabled
CWE‑94	Java	java/insecure-bean-validation	Insecure Bean Validation
CWE‑94	Java	java/groovy-injection	Groovy Language injection
CWE‑94	Java	java/android-insecure-dex-loading	Insecure loading of an Android Dex File
CWE‑94	Java	java/javaee-expression-injection	Jakarta Expression Language injection
CWE‑94	Java	java/jexl-expression-injection	Expression language injection (JEXL)
CWE‑94	Java	java/mvel-expression-injection	Expression language injection (MVEL)
CWE‑94	Java	java/unsafe-eval	ScriptEngine evaluation
CWE‑94	Java	java/spel-expression-injection	Expression language injection (Spring)
CWE‑94	Java	java/spring-view-manipulation-implicit	Spring Implicit View Manipulation
CWE‑94	Java	java/spring-view-manipulation	Spring View Manipulation
CWE‑94	C#	cs/code-injection	Improper control of generation of code
CWE‑94	Python	py/code-injection	Code injection
CWE‑94	JavaScript	js/enabling-electron-renderer-node-integration	Enabling Node.js integration for Electron web content renderers
CWE‑94	JavaScript	js/template-object-injection	Template Object Injection
CWE‑94	JavaScript	js/code-injection	Code injection
CWE‑94	JavaScript	js/bad-code-sanitization	Improper code sanitization
CWE‑94	JavaScript	js/unsafe-dynamic-method-access	Unsafe dynamic method access
CWE‑94	JavaScript	js/prototype-polluting-assignment	Prototype-polluting assignment
CWE‑94	JavaScript	js/prototype-pollution-utility	Prototype-polluting function
CWE‑94	JavaScript	js/prototype-pollution	Prototype-polluting merge call
CWE‑94	JavaScript	js/actions/injection	Expression injection in Actions
CWE‑94	JavaScript	js/actions/pull-request-target	Checkout of untrusted code in trusted context
CWE‑94	Go	go/unsafe-quoting	Potentially unsafe quoting
CWE‑95	C#	cs/code-injection	Improper control of generation of code
CWE‑95	Python	py/code-injection	Code injection
CWE‑96	C#	cs/code-injection	Improper control of generation of code
CWE‑99	C#	cs/path-injection	Uncontrolled data used in path expression
CWE‑99	C#	cs/resource-injection	Resource injection
CWE‑99	C#	cs/webclient-path-injection	Uncontrolled data used in a WebClient
CWE‑99	Python	py/path-injection	Uncontrolled data used in path expression
CWE‑99	JavaScript	js/path-injection	Uncontrolled data used in path expression
CWE‑99	Go	go/path-injection	Uncontrolled data used in path expression
CWE‑112	C#	cs/xml/missing-validation	Missing XML validation
CWE‑113	Java	java/netty-http-response-splitting	Disabled Netty HTTP header validation
CWE‑113	Java	java/http-response-splitting	HTTP response splitting
CWE‑113	Java	java/http-response-splitting-local	HTTP response splitting from local source
CWE‑113	C#	cs/web/disabled-header-checking	Header checking disabled
CWE‑114	C++	cpp/uncontrolled-process-operation	Uncontrolled process operation
CWE‑114	C#	cs/assembly-path-injection	Assembly path injection
CWE‑116	Java	java/log-injection	Log Injection
CWE‑116	C#	cs/web/stored-xss	Stored cross-site scripting
CWE‑116	C#	cs/web/xss	Cross-site scripting
CWE‑116	C#	cs/log-forging	Log entries created from user input
CWE‑116	C#	cs/inappropriate-encoding	Inappropriate encoding
CWE‑116	Python	py/reflective-xss	Reflected server-side cross-site scripting
CWE‑116	Python	py/code-injection	Code injection
CWE‑116	JavaScript	js/identity-replacement	Replacement of a substring with itself
CWE‑116	JavaScript	js/xss-through-exception	Exception text reinterpreted as HTML
CWE‑116	JavaScript	js/reflected-xss	Reflected cross-site scripting
CWE‑116	JavaScript	js/stored-xss	Stored cross-site scripting
CWE‑116	JavaScript	js/html-constructed-from-input	Unsafe HTML constructed from library input
CWE‑116	JavaScript	js/unsafe-jquery-plugin	Unsafe jQuery plugin
CWE‑116	JavaScript	js/xss	Client-side cross-site scripting
CWE‑116	JavaScript	js/xss-through-dom	DOM text reinterpreted as HTML
CWE‑116	JavaScript	js/code-injection	Code injection
CWE‑116	JavaScript	js/bad-code-sanitization	Improper code sanitization
CWE‑116	JavaScript	js/double-escaping	Double escaping or unescaping
CWE‑116	JavaScript	js/incomplete-html-attribute-sanitization	Incomplete HTML attribute sanitization
CWE‑116	JavaScript	js/incomplete-multi-character-sanitization	Incomplete multi-character sanitization
CWE‑116	JavaScript	js/incomplete-sanitization	Incomplete string escaping or encoding
CWE‑116	JavaScript	js/unsafe-html-expansion	Unsafe expansion of self-closing HTML tag
CWE‑116	JavaScript	js/log-injection	Log injection
CWE‑116	JavaScript	js/client-side-unvalidated-url-redirection	Client-side URL redirect
CWE‑116	Go	go/reflected-xss	Reflected cross-site scripting
CWE‑116	Go	go/stored-xss	Stored cross-site scripting
CWE‑117	Java	java/log-injection	Log Injection
CWE‑117	C#	cs/log-forging	Log entries created from user input
CWE‑117	JavaScript	js/log-injection	Log injection
CWE‑118	C++	cpp/offset-use-before-range-check	Array offset used before range check
CWE‑118	C++	cpp/late-negative-test	Pointer offset used before it is checked
CWE‑118	C++	cpp/missing-negativity-test	Unchecked return value used as offset
CWE‑118	C++	cpp/overflow-calculated	Buffer not sufficient for string
CWE‑118	C++	cpp/overflow-destination	Copy function using source size
CWE‑118	C++	cpp/static-buffer-overflow	Static array access may cause overflow
CWE‑118	C++	cpp/allocation-too-small	Not enough memory allocated for pointer type
CWE‑118	C++	cpp/suspicious-allocation-size	Not enough memory allocated for array of pointer type
CWE‑118	C++	cpp/use-after-free	Potential use after free
CWE‑118	C++	cpp/upcast-array-pointer-arithmetic	Upcast array used in pointer arithmetic
CWE‑118	C++	cpp/return-stack-allocated-memory	Returning stack-allocated memory
CWE‑118	C++	cpp/bad-strncpy-size	Possibly wrong buffer size in string copy
CWE‑118	C++	cpp/unsafe-strncat	Potentially unsafe call to strncat
CWE‑118	C++	cpp/unsafe-strcat	Potentially unsafe use of strcat
CWE‑118	C++	cpp/overflow-buffer	Call to memory access function may overflow buffer
CWE‑118	C++	cpp/badly-bounded-write	Badly bounded write
CWE‑118	C++	cpp/overrunning-write	Potentially overrunning write
CWE‑118	C++	cpp/overrunning-write-with-float	Potentially overrunning write with float to string conversion
CWE‑118	C++	cpp/unbounded-write	Unbounded write
CWE‑118	C++	cpp/unterminated-variadic-call	Unterminated variadic call
CWE‑118	C++	cpp/no-space-for-terminator	No space for zero terminator
CWE‑118	C++	cpp/openssl-heartbleed	Use of a version of OpenSSL with Heartbleed
CWE‑118	C++	cpp/memory-unsafe-function-scan	Scanf function without a specified length
CWE‑118	C++	cpp/access-memory-location-after-end-buffer-strlen	Access Of Memory Location After End Of Buffer
CWE‑118	C++	cpp/access-memory-location-after-end-buffer-strncat	Access Of Memory Location After The End Of A Buffer Using Strncat
CWE‑118	C#	cs/unvalidated-local-pointer-arithmetic	Unvalidated local pointer arithmetic
CWE‑118	Go	go/wrong-usage-of-unsafe	Wrong usage of package unsafe
CWE‑119	C++	cpp/offset-use-before-range-check	Array offset used before range check
CWE‑119	C++	cpp/late-negative-test	Pointer offset used before it is checked
CWE‑119	C++	cpp/missing-negativity-test	Unchecked return value used as offset
CWE‑119	C++	cpp/overflow-calculated	Buffer not sufficient for string
CWE‑119	C++	cpp/overflow-destination	Copy function using source size
CWE‑119	C++	cpp/static-buffer-overflow	Static array access may cause overflow
CWE‑119	C++	cpp/allocation-too-small	Not enough memory allocated for pointer type
CWE‑119	C++	cpp/suspicious-allocation-size	Not enough memory allocated for array of pointer type
CWE‑119	C++	cpp/use-after-free	Potential use after free
CWE‑119	C++	cpp/upcast-array-pointer-arithmetic	Upcast array used in pointer arithmetic
CWE‑119	C++	cpp/return-stack-allocated-memory	Returning stack-allocated memory
CWE‑119	C++	cpp/bad-strncpy-size	Possibly wrong buffer size in string copy
CWE‑119	C++	cpp/unsafe-strncat	Potentially unsafe call to strncat
CWE‑119	C++	cpp/unsafe-strcat	Potentially unsafe use of strcat
CWE‑119	C++	cpp/overflow-buffer	Call to memory access function may overflow buffer
CWE‑119	C++	cpp/badly-bounded-write	Badly bounded write
CWE‑119	C++	cpp/overrunning-write	Potentially overrunning write
CWE‑119	C++	cpp/overrunning-write-with-float	Potentially overrunning write with float to string conversion
CWE‑119	C++	cpp/unbounded-write	Unbounded write
CWE‑119	C++	cpp/unterminated-variadic-call	Unterminated variadic call
CWE‑119	C++	cpp/no-space-for-terminator	No space for zero terminator
CWE‑119	C++	cpp/openssl-heartbleed	Use of a version of OpenSSL with Heartbleed
CWE‑119	C++	cpp/memory-unsafe-function-scan	Scanf function without a specified length
CWE‑119	C++	cpp/access-memory-location-after-end-buffer-strlen	Access Of Memory Location After End Of Buffer
CWE‑119	C++	cpp/access-memory-location-after-end-buffer-strncat	Access Of Memory Location After The End Of A Buffer Using Strncat
CWE‑119	C#	cs/unvalidated-local-pointer-arithmetic	Unvalidated local pointer arithmetic
CWE‑119	Go	go/wrong-usage-of-unsafe	Wrong usage of package unsafe
CWE‑120	C++	cpp/offset-use-before-range-check	Array offset used before range check
CWE‑120	C++	cpp/overflow-calculated	Buffer not sufficient for string
CWE‑120	C++	cpp/unsafe-strcat	Potentially unsafe use of strcat
CWE‑120	C++	cpp/badly-bounded-write	Badly bounded write
CWE‑120	C++	cpp/overrunning-write	Potentially overrunning write
CWE‑120	C++	cpp/overrunning-write-with-float	Potentially overrunning write with float to string conversion
CWE‑120	C++	cpp/unbounded-write	Unbounded write
CWE‑120	C++	cpp/no-space-for-terminator	No space for zero terminator
CWE‑120	C++	cpp/memory-unsafe-function-scan	Scanf function without a specified length
CWE‑120	C#	cs/unvalidated-local-pointer-arithmetic	Unvalidated local pointer arithmetic
CWE‑121	C++	cpp/overflow-buffer	Call to memory access function may overflow buffer
CWE‑121	C++	cpp/unterminated-variadic-call	Unterminated variadic call
CWE‑122	C++	cpp/allocation-too-small	Not enough memory allocated for pointer type
CWE‑122	C++	cpp/suspicious-allocation-size	Not enough memory allocated for array of pointer type
CWE‑122	C++	cpp/overflow-buffer	Call to memory access function may overflow buffer
CWE‑122	C++	cpp/no-space-for-terminator	No space for zero terminator
CWE‑122	C#	cs/unvalidated-local-pointer-arithmetic	Unvalidated local pointer arithmetic
CWE‑125	C++	cpp/offset-use-before-range-check	Array offset used before range check
CWE‑125	C++	cpp/overflow-buffer	Call to memory access function may overflow buffer
CWE‑125	Go	go/wrong-usage-of-unsafe	Wrong usage of package unsafe
CWE‑126	C++	cpp/overflow-buffer	Call to memory access function may overflow buffer
CWE‑126	Go	go/wrong-usage-of-unsafe	Wrong usage of package unsafe
CWE‑128	C++	cpp/signed-overflow-check	Signed overflow check
CWE‑128	C++	cpp/multiplication-overflow-in-alloc	Multiplication result may overflow and be used in allocation
CWE‑129	Java	java/improper-validation-of-array-construction	Improper validation of user-provided size used for array construction
CWE‑129	Java	java/improper-validation-of-array-construction-code-specified	Improper validation of code-specified size used for array construction
CWE‑129	Java	java/improper-validation-of-array-construction-local	Improper validation of local user-provided size used for array construction
CWE‑129	Java	java/improper-validation-of-array-index	Improper validation of user-provided array index
CWE‑129	Java	java/improper-validation-of-array-index-code-specified	Improper validation of code-specified array index
CWE‑129	Java	java/improper-validation-of-array-index-local	Improper validation of local user-provided array index
CWE‑129	C++	cpp/unclear-array-index-validation	Unclear validation of array index
CWE‑131	C++	cpp/overflow-calculated	Buffer not sufficient for string
CWE‑131	C++	cpp/overflow-destination	Copy function using source size
CWE‑131	C++	cpp/static-buffer-overflow	Static array access may cause overflow
CWE‑131	C++	cpp/allocation-too-small	Not enough memory allocated for pointer type
CWE‑131	C++	cpp/suspicious-allocation-size	Not enough memory allocated for array of pointer type
CWE‑131	C++	cpp/no-space-for-terminator	No space for zero terminator
CWE‑134	Java	java/tainted-format-string	Use of externally-controlled format string
CWE‑134	Java	java/tainted-format-string-local	Use of externally-controlled format string from local source
CWE‑134	C++	cpp/non-constant-format	Non-constant format string
CWE‑134	C++	cpp/tainted-format-string	Uncontrolled format string
CWE‑134	C++	cpp/tainted-format-string-through-global	Uncontrolled format string (through global variable)
CWE‑134	C#	cs/uncontrolled-format-string	Uncontrolled format string
CWE‑134	JavaScript	js/tainted-format-string	Use of externally-controlled format string
CWE‑170	C++	cpp/improper-null-termination	Potential improper null termination
CWE‑170	C++	cpp/user-controlled-null-termination-tainted	User-controlled data may not be null terminated
CWE‑183	JavaScript	js/angular/insecure-url-whitelist	Insecure URL whitelist
CWE‑185	JavaScript	js/angular/insecure-url-whitelist	Insecure URL whitelist
CWE‑190	Java	java/implicit-cast-in-compound-assignment	Implicit narrowing conversion in compound assignment
CWE‑190	Java	java/integer-multiplication-cast-to-long	Result of multiplication cast to wider type
CWE‑190	Java	java/tainted-arithmetic	User-controlled data in arithmetic expression
CWE‑190	Java	java/tainted-arithmetic-local	Local-user-controlled data in arithmetic expression
CWE‑190	Java	java/uncontrolled-arithmetic	Uncontrolled data in arithmetic expression
CWE‑190	Java	java/extreme-value-arithmetic	Use of extreme values in arithmetic expression
CWE‑190	Java	java/comparison-with-wider-type	Comparison of narrow type with wide type in loop condition
CWE‑190	C++	cpp/ambiguously-signed-bit-field	Ambiguously signed bit-field member
CWE‑190	C++	cpp/bad-addition-overflow-check	Bad check for overflow of integer addition
CWE‑190	C++	cpp/integer-multiplication-cast-to-long	Multiplication result converted to larger type
CWE‑190	C++	cpp/signed-overflow-check	Signed overflow check
CWE‑190	C++	cpp/overflowing-snprintf	Potentially overflowing call to snprintf
CWE‑190	C++	cpp/tainted-arithmetic	User-controlled data in arithmetic expression
CWE‑190	C++	cpp/uncontrolled-arithmetic	Uncontrolled data in arithmetic expression
CWE‑190	C++	cpp/arithmetic-with-extreme-values	Use of extreme values in arithmetic expression
CWE‑190	C++	cpp/comparison-with-wider-type	Comparison of narrow type with wide type in loop condition
CWE‑190	C++	cpp/integer-overflow-tainted	Potential integer arithmetic overflow
CWE‑190	C++	cpp/uncontrolled-allocation-size	Overflow in uncontrolled allocation size
CWE‑190	C++	cpp/multiplication-overflow-in-alloc	Multiplication result may overflow and be used in allocation
CWE‑190	C++	cpp/signed-bit-field	Possible signed bit-field member
CWE‑190	C#	cs/loss-of-precision	Possible loss of precision
CWE‑190	Go	go/allocation-size-overflow	Size computation for allocation may overflow
CWE‑190	Go	go/incorrect-integer-conversion	Incorrect conversion between integer types
CWE‑191	Java	java/tainted-arithmetic	User-controlled data in arithmetic expression
CWE‑191	Java	java/tainted-arithmetic-local	Local-user-controlled data in arithmetic expression
CWE‑191	Java	java/uncontrolled-arithmetic	Uncontrolled data in arithmetic expression
CWE‑191	Java	java/extreme-value-arithmetic	Use of extreme values in arithmetic expression
CWE‑191	C++	cpp/tainted-arithmetic	User-controlled data in arithmetic expression
CWE‑191	C++	cpp/uncontrolled-arithmetic	Uncontrolled data in arithmetic expression
CWE‑191	C++	cpp/arithmetic-with-extreme-values	Use of extreme values in arithmetic expression
CWE‑191	C++	cpp/unsigned-difference-expression-compared-zero	Unsigned difference expression compared to zero
CWE‑193	Java	java/index-out-of-bounds	Array index out of bounds
CWE‑193	C#	cs/index-out-of-bounds	Off-by-one comparison against container length
CWE‑193	JavaScript	js/index-out-of-bounds	Off-by-one comparison against length
CWE‑193	Go	go/index-out-of-bounds	Off-by-one comparison against length
CWE‑197	Java	java/implicit-cast-in-compound-assignment	Implicit narrowing conversion in compound assignment
CWE‑197	Java	java/integer-multiplication-cast-to-long	Result of multiplication cast to wider type
CWE‑197	Java	java/comparison-with-wider-type	Comparison of narrow type with wide type in loop condition
CWE‑197	Java	java/tainted-numeric-cast	User-controlled data in numeric cast
CWE‑197	Java	java/tainted-numeric-cast-local	Local-user-controlled data in numeric cast
CWE‑197	C++	cpp/integer-multiplication-cast-to-long	Multiplication result converted to larger type
CWE‑197	C++	cpp/comparison-with-wider-type	Comparison of narrow type with wide type in loop condition
CWE‑197	C++	cpp/integer-overflow-tainted	Potential integer arithmetic overflow
CWE‑197	C#	cs/loss-of-precision	Possible loss of precision
CWE‑197	JavaScript	js/shift-out-of-range	Shift out of range
CWE‑197	Go	go/shift-out-of-range	Shift out of range
CWE‑200	Java	java/stack-trace-exposure	Information exposure through a stack trace
CWE‑200	C++	cpp/system-data-exposure	Exposure of system data to an unauthorized control sphere
CWE‑200	C++	cpp/private-cleartext-write	Exposure of private information
CWE‑200	C#	cs/web/persistent-cookie	Cookie security: persistent cookie
CWE‑200	C#	cs/web/debug-binary	Creating an ASP.NET debug binary may reveal sensitive information
CWE‑200	C#	cs/sensitive-data-transmission	Information exposure through transmitted data
CWE‑200	C#	cs/information-exposure-through-exception	Information exposure through an exception
CWE‑200	C#	cs/cleartext-storage-of-sensitive-information	Clear text storage of sensitive information
CWE‑200	C#	cs/exposure-of-sensitive-information	Exposure of private information
CWE‑200	C#	cs/web/directory-browse-enabled	ASP.NET config file enables directory browsing
CWE‑200	Python	py/stack-trace-exposure	Information exposure through an exception
CWE‑200	Python	py/flask-debug	Flask app is run in debug mode
CWE‑200	Python	py/clear-text-logging-sensitive-data	Clear-text logging of sensitive information
CWE‑200	Python	py/clear-text-storage-sensitive-data	Clear-text storage of sensitive information
CWE‑200	JavaScript	js/unsafe-external-link	Potentially unsafe external link
CWE‑200	JavaScript	js/file-access-to-http	File data in outbound network request
CWE‑200	JavaScript	js/exposure-of-private-files	Exposure of private files
CWE‑200	JavaScript	js/cross-window-information-leak	Cross-window communication with unrestricted target origin
CWE‑200	JavaScript	js/stack-trace-exposure	Information exposure through a stack trace
CWE‑200	JavaScript	js/build-artifact-leak	Storage of sensitive information in build artifact
CWE‑200	JavaScript	js/clear-text-logging	Clear-text logging of sensitive information
CWE‑200	JavaScript	js/clear-text-storage-of-sensitive-data	Clear text storage of sensitive information
CWE‑200	Go	go/stack-trace-exposure	Information exposure through a stack trace
CWE‑200	Go	go/clear-text-logging	Clear-text logging of sensitive information
CWE‑201	C#	cs/sensitive-data-transmission	Information exposure through transmitted data
CWE‑201	JavaScript	js/cross-window-information-leak	Cross-window communication with unrestricted target origin
CWE‑209	Java	java/stack-trace-exposure	Information exposure through a stack trace
CWE‑209	C#	cs/information-exposure-through-exception	Information exposure through an exception
CWE‑209	Python	py/stack-trace-exposure	Information exposure through an exception
CWE‑209	JavaScript	js/stack-trace-exposure	Information exposure through a stack trace
CWE‑209	Go	go/stack-trace-exposure	Information exposure through a stack trace
CWE‑215	C#	cs/web/debug-binary	Creating an ASP.NET debug binary may reveal sensitive information
CWE‑215	Python	py/flask-debug	Flask app is run in debug mode
CWE‑221	Java	java/overly-general-catch	Overly-general catch clause
CWE‑221	C#	cs/catch-of-all-exceptions	Generic catch clause
CWE‑221	C#	cs/web/missing-x-frame-options	Missing X-Frame-Options HTTP header
CWE‑221	Python	py/catch-base-exception	Except block handles 'BaseException'
CWE‑221	JavaScript	js/missing-x-frame-options	Missing X-Frame-Options HTTP header
CWE‑227	Java	java/ejb/container-interference	EJB interferes with container operation
CWE‑227	Java	java/ejb/file-io	EJB uses file input/output
CWE‑227	Java	java/ejb/graphics	EJB uses graphics
CWE‑227	Java	java/ejb/native-code	EJB uses native code
CWE‑227	Java	java/ejb/reflection	EJB uses reflection
CWE‑227	Java	java/ejb/security-configuration-access	EJB accesses security configuration
CWE‑227	Java	java/ejb/substitution-in-serialization	EJB uses substitution in serialization
CWE‑227	Java	java/ejb/socket-or-stream-handler-factory	EJB sets socket factory or URL stream handler factory
CWE‑227	Java	java/ejb/server-socket	EJB uses server socket
CWE‑227	Java	java/ejb/non-final-static-field	EJB uses non-final static field
CWE‑227	Java	java/ejb/synchronization	EJB uses synchronization
CWE‑227	Java	java/ejb/this	EJB uses 'this' as argument or result
CWE‑227	Java	java/ejb/threads	EJB uses threads
CWE‑227	Java	java/missing-call-to-super-clone	Missing super clone
CWE‑227	Java	java/inconsistent-equals-and-hashcode	Inconsistent equals and hashCode
CWE‑227	Java	java/unreleased-lock	Unreleased lock
CWE‑227	Java	java/missing-super-finalize	Finalizer inconsistency
CWE‑227	Java	java/missing-format-argument	Missing format argument
CWE‑227	Java	java/unused-format-argument	Unused format argument
CWE‑227	Java	java/empty-finalizer	Empty body of finalizer
CWE‑227	C++	cpp/overflowing-snprintf	Potentially overflowing call to snprintf
CWE‑227	C++	cpp/wrong-number-format-arguments	Too few arguments to formatting function
CWE‑227	C++	cpp/wrong-type-format-argument	Wrong type of arguments to formatting function
CWE‑227	C++	cpp/too-few-arguments	Call to function with fewer arguments than declared parameters
CWE‑227	C++	cpp/ignore-return-value-sal	SAL requires inspecting return value
CWE‑227	C++	cpp/hresult-boolean-conversion	Cast between HRESULT and a Boolean type
CWE‑227	C++	cpp/lock-order-cycle	Cyclic lock order dependency
CWE‑227	C++	cpp/twice-locked	Mutex locked twice
CWE‑227	C++	cpp/unreleased-lock	Lock may not be released
CWE‑227	C#	cs/inconsistent-equals-and-gethashcode	Inconsistent Equals(object) and GetHashCode()
CWE‑227	C#	cs/invalid-dynamic-call	Bad dynamic call
CWE‑227	C#	cs/web/missing-x-frame-options	Missing X-Frame-Options HTTP header
CWE‑227	Python	py/equals-hash-mismatch	Inconsistent equality and hashing
CWE‑227	Python	py/call/wrong-named-class-argument	Wrong name for an argument in a class instantiation
CWE‑227	Python	py/call/wrong-number-class-arguments	Wrong number of arguments in a class instantiation
CWE‑227	Python	py/super-not-enclosing-class	First argument to super() is not enclosing class
CWE‑227	Python	py/call/wrong-named-argument	Wrong name for an argument in a call
CWE‑227	Python	py/percent-format/wrong-arguments	Wrong number of arguments for format
CWE‑227	Python	py/call/wrong-arguments	Wrong number of arguments in a call
CWE‑227	JavaScript	js/superfluous-trailing-arguments	Superfluous trailing arguments
CWE‑227	JavaScript	js/missing-x-frame-options	Missing X-Frame-Options HTTP header
CWE‑228	C++	cpp/wrong-number-format-arguments	Too few arguments to formatting function
CWE‑228	C++	cpp/too-few-arguments	Call to function with fewer arguments than declared parameters
CWE‑233	C++	cpp/wrong-number-format-arguments	Too few arguments to formatting function
CWE‑233	C++	cpp/too-few-arguments	Call to function with fewer arguments than declared parameters
CWE‑234	C++	cpp/wrong-number-format-arguments	Too few arguments to formatting function
CWE‑234	C++	cpp/too-few-arguments	Call to function with fewer arguments than declared parameters
CWE‑242	C++	cpp/dangerous-function-overflow	Use of dangerous function
CWE‑247	C#	cs/user-controlled-bypass	User-controlled bypass of sensitive method
CWE‑247	Go	go/sensitive-condition-bypass	User-controlled bypassing of sensitive action
CWE‑248	Java	java/uncaught-number-format-exception	Missing catch of NumberFormatException
CWE‑248	C#	cs/web/missing-global-error-handler	Missing global error handler
CWE‑250	JavaScript	js/remote-property-injection	Remote property injection
CWE‑252	Java	java/inconsistent-call-on-result	Inconsistent operation on return value
CWE‑252	Java	java/return-value-ignored	Method result ignored
CWE‑252	C++	cpp/return-value-ignored	Return value of a function is ignored
CWE‑252	C++	cpp/inconsistent-call-on-result	Inconsistent operation on return value
CWE‑252	C++	cpp/ignore-return-value-sal	SAL requires inspecting return value
CWE‑252	C#	cs/unchecked-return-value	Unchecked return value
CWE‑252	Python	py/ignored-return-value	Ignored return value
CWE‑253	C++	cpp/overflowing-snprintf	Potentially overflowing call to snprintf
CWE‑253	C++	cpp/hresult-boolean-conversion	Cast between HRESULT and a Boolean type
CWE‑256	Java	java/credentials-in-properties	Cleartext Credentials in Properties File
CWE‑256	Java	java/password-in-configuration	Password in configuration file
CWE‑256	C#	cs/password-in-configuration	Password in configuration file
CWE‑256	JavaScript	js/password-in-configuration-file	Password in configuration file
CWE‑258	C#	cs/empty-password-in-configuration	Empty password in configuration file
CWE‑259	C#	cs/hardcoded-connection-string-credentials	Hard-coded connection string with credentials
CWE‑259	C#	cs/hardcoded-credentials	Hard-coded credentials
CWE‑259	Python	py/hardcoded-credentials	Hard-coded credentials
CWE‑259	JavaScript	js/hardcoded-credentials	Hard-coded credentials
CWE‑259	Go	go/hardcoded-credentials	Hard-coded credentials
CWE‑260	Java	java/credentials-in-properties	Cleartext Credentials in Properties File
CWE‑260	Java	java/password-in-configuration	Password in configuration file
CWE‑260	C#	cs/empty-password-in-configuration	Empty password in configuration file
CWE‑260	C#	cs/password-in-configuration	Password in configuration file
CWE‑260	JavaScript	js/password-in-configuration-file	Password in configuration file
CWE‑269	C++	cpp/drop-linux-privileges-outoforder	LinuxPrivilegeDroppingOutoforder
CWE‑269	JavaScript	js/remote-property-injection	Remote property injection
CWE‑271	C++	cpp/drop-linux-privileges-outoforder	LinuxPrivilegeDroppingOutoforder
CWE‑273	C++	cpp/drop-linux-privileges-outoforder	LinuxPrivilegeDroppingOutoforder
CWE‑284	Java	java/unsafe-hostname-verification	Unsafe hostname verification
CWE‑284	Java	java/socket-auth-race-condition	Race condition in socket authentication
CWE‑284	Java	java/world-writable-file-read	Reading from a world writable file
CWE‑284	Java	java/hardcoded-credential-api-call	Hard-coded credential in API call
CWE‑284	Java	java/hardcoded-credential-comparison	Hard-coded credential comparison
CWE‑284	Java	java/hardcoded-credential-sensitive-call	Hard-coded credential in sensitive call
CWE‑284	Java	java/hardcoded-password-field	Hard-coded password field
CWE‑284	Java	java/user-controlled-bypass	User-controlled bypass of sensitive method
CWE‑284	Java	java/tainted-permissions-check	User-controlled data used in permissions check
CWE‑284	Java	java/maven/non-https-url	Failure to use HTTPS or SFTP URL in Maven artifact upload/download
CWE‑284	Java	java/unvalidated-cors-origin-set	CORS is derived from untrusted input
CWE‑284	Java	java/credentials-in-properties	Cleartext Credentials in Properties File
CWE‑284	Java	java/password-in-configuration	Password in configuration file
CWE‑284	C++	cpp/user-controlled-bypass	Authentication bypass by spoofing
CWE‑284	C++	cpp/world-writable-file-creation	File created without restricting permissions
CWE‑284	C++	cpp/unsafe-dacl-security-descriptor	Setting a DACL to NULL in a SECURITY_DESCRIPTOR
CWE‑284	C++	cpp/drop-linux-privileges-outoforder	LinuxPrivilegeDroppingOutoforder
CWE‑284	C#	cs/empty-password-in-configuration	Empty password in configuration file
CWE‑284	C#	cs/password-in-configuration	Password in configuration file
CWE‑284	C#	cs/web/broad-cookie-domain	Cookie security: overly broad domain
CWE‑284	C#	cs/web/broad-cookie-path	Cookie security: overly broad path
CWE‑284	C#	cs/session-reuse	Failure to abandon session
CWE‑284	C#	cs/hardcoded-connection-string-credentials	Hard-coded connection string with credentials
CWE‑284	C#	cs/hardcoded-credentials	Hard-coded credentials
CWE‑284	C#	cs/user-controlled-bypass	User-controlled bypass of sensitive method
CWE‑284	Python	py/overly-permissive-file	Overly permissive file permissions
CWE‑284	Python	py/hardcoded-credentials	Hard-coded credentials
CWE‑284	JavaScript	js/password-in-configuration-file	Password in configuration file
CWE‑284	JavaScript	js/cors-misconfiguration-for-credentials	CORS misconfiguration for credentials transfer
CWE‑284	JavaScript	js/remote-property-injection	Remote property injection
CWE‑284	JavaScript	js/host-header-forgery-in-email-generation	Host header poisoning in email generation
CWE‑284	JavaScript	js/missing-rate-limiting	Missing rate limiting
CWE‑284	JavaScript	js/hardcoded-credentials	Hard-coded credentials
CWE‑284	JavaScript	js/user-controlled-bypass	User-controlled bypass of security check
CWE‑284	JavaScript	js/different-kinds-comparison-bypass	Comparison of user-controlled data of different kinds
CWE‑284	Go	go/email-injection	Email content injection
CWE‑284	Go	go/hardcoded-credentials	Hard-coded credentials
CWE‑284	Go	go/sensitive-condition-bypass	User-controlled bypassing of sensitive action
CWE‑285	Java	java/world-writable-file-read	Reading from a world writable file
CWE‑285	C++	cpp/world-writable-file-creation	File created without restricting permissions
CWE‑285	C++	cpp/unsafe-dacl-security-descriptor	Setting a DACL to NULL in a SECURITY_DESCRIPTOR
CWE‑285	C#	cs/empty-password-in-configuration	Empty password in configuration file
CWE‑285	Python	py/overly-permissive-file	Overly permissive file permissions
CWE‑285	JavaScript	js/cors-misconfiguration-for-credentials	CORS misconfiguration for credentials transfer
CWE‑287	Java	java/hardcoded-credential-api-call	Hard-coded credential in API call
CWE‑287	Java	java/hardcoded-credential-comparison	Hard-coded credential comparison
CWE‑287	Java	java/hardcoded-credential-sensitive-call	Hard-coded credential in sensitive call
CWE‑287	Java	java/hardcoded-password-field	Hard-coded password field
CWE‑287	Java	java/user-controlled-bypass	User-controlled bypass of sensitive method
CWE‑287	Java	java/tainted-permissions-check	User-controlled data used in permissions check
CWE‑287	Java	java/credentials-in-properties	Cleartext Credentials in Properties File
CWE‑287	Java	java/password-in-configuration	Password in configuration file
CWE‑287	C++	cpp/user-controlled-bypass	Authentication bypass by spoofing
CWE‑287	C#	cs/empty-password-in-configuration	Empty password in configuration file
CWE‑287	C#	cs/password-in-configuration	Password in configuration file
CWE‑287	C#	cs/web/broad-cookie-domain	Cookie security: overly broad domain
CWE‑287	C#	cs/web/broad-cookie-path	Cookie security: overly broad path
CWE‑287	C#	cs/session-reuse	Failure to abandon session
CWE‑287	C#	cs/hardcoded-connection-string-credentials	Hard-coded connection string with credentials
CWE‑287	C#	cs/hardcoded-credentials	Hard-coded credentials
CWE‑287	C#	cs/user-controlled-bypass	User-controlled bypass of sensitive method
CWE‑287	Python	py/hardcoded-credentials	Hard-coded credentials
CWE‑287	JavaScript	js/password-in-configuration-file	Password in configuration file
CWE‑287	JavaScript	js/host-header-forgery-in-email-generation	Host header poisoning in email generation
CWE‑287	JavaScript	js/missing-rate-limiting	Missing rate limiting
CWE‑287	JavaScript	js/hardcoded-credentials	Hard-coded credentials
CWE‑287	JavaScript	js/user-controlled-bypass	User-controlled bypass of security check
CWE‑287	JavaScript	js/different-kinds-comparison-bypass	Comparison of user-controlled data of different kinds
CWE‑287	Go	go/email-injection	Email content injection
CWE‑287	Go	go/hardcoded-credentials	Hard-coded credentials
CWE‑287	Go	go/sensitive-condition-bypass	User-controlled bypassing of sensitive action
CWE‑290	Java	java/user-controlled-bypass	User-controlled bypass of sensitive method
CWE‑290	Java	java/tainted-permissions-check	User-controlled data used in permissions check
CWE‑290	C++	cpp/user-controlled-bypass	Authentication bypass by spoofing
CWE‑290	C#	cs/user-controlled-bypass	User-controlled bypass of sensitive method
CWE‑290	JavaScript	js/user-controlled-bypass	User-controlled bypass of security check
CWE‑290	JavaScript	js/different-kinds-comparison-bypass	Comparison of user-controlled data of different kinds
CWE‑290	Go	go/sensitive-condition-bypass	User-controlled bypassing of sensitive action
CWE‑295	Java	java/unsafe-hostname-verification	Unsafe hostname verification
CWE‑295	Java	java/jxbrowser/disabled-certificate-validation	JxBrowser with disabled certificate validation
CWE‑295	Java	java/disabled-certificate-revocation-checking	Disabled ceritificate revocation checking
CWE‑295	Python	py/paramiko-missing-host-key-validation	Accepting unknown SSH host keys when using Paramiko
CWE‑295	Python	py/request-without-cert-validation	Request without certificate validation
CWE‑295	Go	go/disabled-certificate-check	Disabled TLS certificate check
CWE‑297	Java	java/unsafe-hostname-verification	Unsafe hostname verification
CWE‑299	Java	java/disabled-certificate-revocation-checking	Disabled ceritificate revocation checking
CWE‑300	Java	java/maven/non-https-url	Failure to use HTTPS or SFTP URL in Maven artifact upload/download
CWE‑307	JavaScript	js/missing-rate-limiting	Missing rate limiting
CWE‑311	Java	java/cleartext-storage-in-class	Cleartext storage of sensitive information using storable class
CWE‑311	Java	java/cleartext-storage-in-cookie	Cleartext storage of sensitive information in cookie
CWE‑311	Java	java/cleartext-storage-in-properties	Cleartext storage of sensitive information using 'Properties' class
CWE‑311	Java	java/non-https-url	Failure to use HTTPS URLs
CWE‑311	Java	java/non-ssl-connection	Failure to use SSL
CWE‑311	Java	java/non-ssl-socket-factory	Failure to use SSL socket factories
CWE‑311	Java	java/insecure-cookie	Failure to use secure cookies
CWE‑311	Java	java/maven/non-https-url	Failure to use HTTPS or SFTP URL in Maven artifact upload/download
CWE‑311	Java	java/android/cleartext-storage-shared-prefs	Cleartext storage of sensitive information using SharedPreferences on Android
CWE‑311	C++	cpp/cleartext-storage-buffer	Cleartext storage of sensitive information in buffer
CWE‑311	C++	cpp/cleartext-storage-file	Cleartext storage of sensitive information in file
CWE‑311	C++	cpp/cleartext-storage-database	Cleartext storage of sensitive information in an SQLite database
CWE‑311	C#	cs/password-in-configuration	Password in configuration file
CWE‑311	C#	cs/cleartext-storage-of-sensitive-information	Clear text storage of sensitive information
CWE‑311	C#	cs/web/requiressl-not-set	'requireSSL' attribute is not set to true
CWE‑311	Python	py/clear-text-logging-sensitive-data	Clear-text logging of sensitive information
CWE‑311	Python	py/clear-text-storage-sensitive-data	Clear-text storage of sensitive information
CWE‑311	JavaScript	js/build-artifact-leak	Storage of sensitive information in build artifact
CWE‑311	JavaScript	js/clear-text-logging	Clear-text logging of sensitive information
CWE‑311	JavaScript	js/clear-text-storage-of-sensitive-data	Clear text storage of sensitive information
CWE‑311	JavaScript	js/password-in-configuration-file	Password in configuration file
CWE‑311	JavaScript	js/insecure-cookie	Failure to set secure cookies
CWE‑311	Go	go/clear-text-logging	Clear-text logging of sensitive information
CWE‑312	Java	java/cleartext-storage-in-class	Cleartext storage of sensitive information using storable class
CWE‑312	Java	java/cleartext-storage-in-cookie	Cleartext storage of sensitive information in cookie
CWE‑312	Java	java/cleartext-storage-in-properties	Cleartext storage of sensitive information using 'Properties' class
CWE‑312	Java	java/android/cleartext-storage-shared-prefs	Cleartext storage of sensitive information using SharedPreferences on Android
CWE‑312	C++	cpp/cleartext-storage-buffer	Cleartext storage of sensitive information in buffer
CWE‑312	C++	cpp/cleartext-storage-file	Cleartext storage of sensitive information in file
CWE‑312	C++	cpp/cleartext-storage-database	Cleartext storage of sensitive information in an SQLite database
CWE‑312	C#	cs/password-in-configuration	Password in configuration file
CWE‑312	C#	cs/cleartext-storage-of-sensitive-information	Clear text storage of sensitive information
CWE‑312	Python	py/clear-text-logging-sensitive-data	Clear-text logging of sensitive information
CWE‑312	Python	py/clear-text-storage-sensitive-data	Clear-text storage of sensitive information
CWE‑312	JavaScript	js/build-artifact-leak	Storage of sensitive information in build artifact
CWE‑312	JavaScript	js/clear-text-logging	Clear-text logging of sensitive information
CWE‑312	JavaScript	js/clear-text-storage-of-sensitive-data	Clear text storage of sensitive information
CWE‑312	JavaScript	js/password-in-configuration-file	Password in configuration file
CWE‑312	Go	go/clear-text-logging	Clear-text logging of sensitive information
CWE‑313	Java	java/cleartext-storage-in-properties	Cleartext storage of sensitive information using 'Properties' class
CWE‑313	C++	cpp/cleartext-storage-file	Cleartext storage of sensitive information in file
CWE‑313	C++	cpp/cleartext-storage-database	Cleartext storage of sensitive information in an SQLite database
CWE‑313	C#	cs/password-in-configuration	Password in configuration file
CWE‑313	JavaScript	js/password-in-configuration-file	Password in configuration file
CWE‑315	Java	java/cleartext-storage-in-cookie	Cleartext storage of sensitive information in cookie
CWE‑315	C#	cs/cleartext-storage-of-sensitive-information	Clear text storage of sensitive information
CWE‑315	Python	py/clear-text-logging-sensitive-data	Clear-text logging of sensitive information
CWE‑315	Python	py/clear-text-storage-sensitive-data	Clear-text storage of sensitive information
CWE‑315	JavaScript	js/build-artifact-leak	Storage of sensitive information in build artifact
CWE‑315	JavaScript	js/clear-text-logging	Clear-text logging of sensitive information
CWE‑315	JavaScript	js/clear-text-storage-of-sensitive-data	Clear text storage of sensitive information
CWE‑315	Go	go/clear-text-logging	Clear-text logging of sensitive information
CWE‑319	Java	java/non-https-url	Failure to use HTTPS URLs
CWE‑319	Java	java/non-ssl-connection	Failure to use SSL
CWE‑319	Java	java/non-ssl-socket-factory	Failure to use SSL socket factories
CWE‑319	Java	java/maven/non-https-url	Failure to use HTTPS or SFTP URL in Maven artifact upload/download
CWE‑319	C#	cs/web/requiressl-not-set	'requireSSL' attribute is not set to true
CWE‑321	C#	cs/hardcoded-connection-string-credentials	Hard-coded connection string with credentials
CWE‑321	C#	cs/hardcoded-credentials	Hard-coded credentials
CWE‑321	Python	py/hardcoded-credentials	Hard-coded credentials
CWE‑321	JavaScript	js/hardcoded-credentials	Hard-coded credentials
CWE‑321	Go	go/hardcoded-credentials	Hard-coded credentials
CWE‑326	Java	java/insufficient-key-size	Weak encryption: Insufficient key size
CWE‑326	Python	py/weak-crypto-key	Use of weak cryptographic key
CWE‑327	Java	java/weak-cryptographic-algorithm	Use of a broken or risky cryptographic algorithm
CWE‑327	Java	java/potentially-weak-cryptographic-algorithm	Use of a potentially broken or risky cryptographic algorithm
CWE‑327	Java	java/unsafe-tls-version	Unsafe TLS version
CWE‑327	C++	cpp/weak-cryptographic-algorithm	Use of a broken or risky cryptographic algorithm
CWE‑327	C++	cpp/openssl-heartbleed	Use of a version of OpenSSL with Heartbleed
CWE‑327	C#	cs/ecb-encryption	Encryption using ECB
CWE‑327	C#	cs/inadequate-rsa-padding	Weak encryption: inadequate RSA padding
CWE‑327	C#	cs/insufficient-key-size	Weak encryption: Insufficient key size
CWE‑327	C#	cs/weak-encryption	Weak encryption
CWE‑327	C#	cs/adding-cert-to-root-store	Do not add certificates to the system root store.
CWE‑327	C#	cs/insecure-sql-connection	Insecure SQL connection
CWE‑327	Python	py/weak-cryptographic-algorithm	Use of a broken or weak cryptographic algorithm
CWE‑327	Python	py/insecure-default-protocol	Default version of SSL/TLS may be insecure
CWE‑327	Python	py/insecure-protocol	Use of insecure SSL/TLS version
CWE‑327	JavaScript	js/biased-cryptographic-random	Creating biased random numbers from a cryptographically secure source.
CWE‑327	JavaScript	js/weak-cryptographic-algorithm	Use of a broken or weak cryptographic algorithm
CWE‑327	JavaScript	js/insufficient-password-hash	Use of password hash with insufficient computational effort
CWE‑327	Go	go/insecure-tls	Insecure TLS configuration
CWE‑327	Go	go/weak-crypto-algorithm	Use of a weak cryptographic algorithm
CWE‑330	Java	java/random-used-once	Random used only once
CWE‑330	Java	java/jhipster-prng	Detect JHipster Generator Vulnerability CVE-2019-16303
CWE‑330	Java	java/hardcoded-credential-api-call	Hard-coded credential in API call
CWE‑330	Java	java/hardcoded-credential-comparison	Hard-coded credential comparison
CWE‑330	Java	java/hardcoded-credential-sensitive-call	Hard-coded credential in sensitive call
CWE‑330	Java	java/hardcoded-password-field	Hard-coded password field
CWE‑330	C#	cs/random-used-once	Random used only once
CWE‑330	C#	cs/insecure-randomness	Insecure randomness
CWE‑330	C#	cs/hardcoded-connection-string-credentials	Hard-coded connection string with credentials
CWE‑330	C#	cs/hardcoded-credentials	Hard-coded credentials
CWE‑330	Python	py/hardcoded-credentials	Hard-coded credentials
CWE‑330	JavaScript	js/insecure-randomness	Insecure randomness
CWE‑330	JavaScript	js/hardcoded-credentials	Hard-coded credentials
CWE‑330	Go	go/insecure-randomness	Use of insufficient randomness as the key of a cryptographic algorithm
CWE‑330	Go	go/hardcoded-credentials	Hard-coded credentials
CWE‑335	Java	java/random-used-once	Random used only once
CWE‑335	C#	cs/random-used-once	Random used only once
CWE‑338	Java	java/jhipster-prng	Detect JHipster Generator Vulnerability CVE-2019-16303
CWE‑338	C#	cs/insecure-randomness	Insecure randomness
CWE‑338	JavaScript	js/insecure-randomness	Insecure randomness
CWE‑338	Go	go/insecure-randomness	Use of insufficient randomness as the key of a cryptographic algorithm
CWE‑344	Java	java/hardcoded-credential-api-call	Hard-coded credential in API call
CWE‑344	Java	java/hardcoded-credential-comparison	Hard-coded credential comparison
CWE‑344	Java	java/hardcoded-credential-sensitive-call	Hard-coded credential in sensitive call
CWE‑344	Java	java/hardcoded-password-field	Hard-coded password field
CWE‑344	C#	cs/hardcoded-connection-string-credentials	Hard-coded connection string with credentials
CWE‑344	C#	cs/hardcoded-credentials	Hard-coded credentials
CWE‑344	Python	py/hardcoded-credentials	Hard-coded credentials
CWE‑344	JavaScript	js/hardcoded-credentials	Hard-coded credentials
CWE‑344	Go	go/hardcoded-credentials	Hard-coded credentials
CWE‑345	Java	java/spring-disabled-csrf-protection	Disabled Spring CSRF protection
CWE‑345	Java	java/unvalidated-cors-origin-set	CORS is derived from untrusted input
CWE‑345	Java	java/missing-jwt-signature-check	Missing JWT signature check
CWE‑345	Java	java/ip-address-spoofing	IP address spoofing
CWE‑345	Java	java/jsonp-injection	JSONP Injection
CWE‑345	C#	cs/web/missing-token-validation	Missing cross-site request forgery token validation
CWE‑345	JavaScript	js/cors-misconfiguration-for-credentials	CORS misconfiguration for credentials transfer
CWE‑345	JavaScript	js/missing-token-validation	Missing CSRF middleware
CWE‑345	JavaScript	js/jwt-missing-verification	JWT missing secret or public key verification
CWE‑345	Go	go/constant-oauth2-state	Use of constant state value in OAuth 2.0 URL
CWE‑346	Java	java/unvalidated-cors-origin-set	CORS is derived from untrusted input
CWE‑346	JavaScript	js/cors-misconfiguration-for-credentials	CORS misconfiguration for credentials transfer
CWE‑347	Java	java/missing-jwt-signature-check	Missing JWT signature check
CWE‑347	JavaScript	js/jwt-missing-verification	JWT missing secret or public key verification
CWE‑348	Java	java/ip-address-spoofing	IP address spoofing
CWE‑350	C#	cs/user-controlled-bypass	User-controlled bypass of sensitive method
CWE‑350	Go	go/sensitive-condition-bypass	User-controlled bypassing of sensitive action
CWE‑352	Java	java/spring-disabled-csrf-protection	Disabled Spring CSRF protection
CWE‑352	Java	java/jsonp-injection	JSONP Injection
CWE‑352	C#	cs/web/missing-token-validation	Missing cross-site request forgery token validation
CWE‑352	JavaScript	js/missing-token-validation	Missing CSRF middleware
CWE‑352	Go	go/constant-oauth2-state	Use of constant state value in OAuth 2.0 URL
CWE‑359	C++	cpp/private-cleartext-write	Exposure of private information
CWE‑359	C#	cs/cleartext-storage-of-sensitive-information	Clear text storage of sensitive information
CWE‑359	C#	cs/exposure-of-sensitive-information	Exposure of private information
CWE‑359	Python	py/clear-text-logging-sensitive-data	Clear-text logging of sensitive information
CWE‑359	Python	py/clear-text-storage-sensitive-data	Clear-text storage of sensitive information
CWE‑359	JavaScript	js/cross-window-information-leak	Cross-window communication with unrestricted target origin
CWE‑359	JavaScript	js/build-artifact-leak	Storage of sensitive information in build artifact
CWE‑359	JavaScript	js/clear-text-logging	Clear-text logging of sensitive information
CWE‑359	JavaScript	js/clear-text-storage-of-sensitive-data	Clear text storage of sensitive information
CWE‑359	Go	go/clear-text-logging	Clear-text logging of sensitive information
CWE‑362	Java	java/toctou-race-condition	Time-of-check time-of-use race condition
CWE‑362	Java	java/socket-auth-race-condition	Race condition in socket authentication
CWE‑362	C++	cpp/toctou-race-condition	Time-of-check time-of-use filesystem race condition
CWE‑362	C#	cs/unsafe-sync-on-field	Futile synchronization on field
CWE‑362	C#	cs/unsynchronized-static-access	Unsynchronized access to static collection member in non-static context
CWE‑362	C#	cs/thread-unsafe-icryptotransform-field-in-class	Thread-unsafe use of a static ICryptoTransform field
CWE‑362	C#	cs/thread-unsafe-icryptotransform-captured-in-lambda	Thread-unsafe capturing of an ICryptoTransform object
CWE‑366	C#	cs/unsafe-sync-on-field	Futile synchronization on field
CWE‑367	Java	java/toctou-race-condition	Time-of-check time-of-use race condition
CWE‑367	C++	cpp/toctou-race-condition	Time-of-check time-of-use filesystem race condition
CWE‑369	Go	go/divide-by-zero	Divide by zero
CWE‑377	Python	py/insecure-temporary-file	Insecure temporary file
CWE‑382	Java	java/ejb/container-interference	EJB interferes with container operation
CWE‑382	Java	java/jvm-exit	Forcible JVM termination
CWE‑383	Java	java/ejb/threads	EJB uses threads
CWE‑384	C#	cs/session-reuse	Failure to abandon session
CWE‑390	C#	cs/empty-catch-block	Poor error handling: empty catch block
CWE‑390	Python	py/empty-except	Empty except
CWE‑391	Java	java/discarded-exception	Discarded exception
CWE‑391	Java	java/ignored-error-status-of-call	Ignored error status of call
CWE‑391	C#	cs/empty-catch-block	Poor error handling: empty catch block
CWE‑395	C#	cs/catch-nullreferenceexception	Poor error handling: catch of NullReferenceException
CWE‑396	Java	java/overly-general-catch	Overly-general catch clause
CWE‑396	C#	cs/catch-of-all-exceptions	Generic catch clause
CWE‑396	Python	py/catch-base-exception	Except block handles 'BaseException'
CWE‑398	Java	java/deprecated-call	Deprecated method or constructor invocation
CWE‑398	Java	java/dead-class	Dead class
CWE‑398	Java	java/dead-enum-constant	Dead enum constant
CWE‑398	Java	java/dead-field	Dead field
CWE‑398	Java	java/dead-function	Dead method
CWE‑398	Java	java/lines-of-dead-code	Lines of dead code in files
CWE‑398	Java	java/unused-parameter	Useless parameter
CWE‑398	Java	java/useless-null-check	Useless null check
CWE‑398	Java	java/useless-type-test	Useless type test
CWE‑398	Java	java/useless-upcast	Useless upcast
CWE‑398	Java	java/empty-container	Container contents are never initialized
CWE‑398	Java	java/unused-container	Container contents are never accessed
CWE‑398	Java	java/constant-comparison	Useless comparison test
CWE‑398	Java	java/dereferenced-value-is-always-null	Dereferenced variable is always null
CWE‑398	Java	java/dereferenced-expr-may-be-null	Dereferenced expression may be null
CWE‑398	Java	java/dereferenced-value-may-be-null	Dereferenced variable may be null
CWE‑398	Java	java/empty-synchronized-block	Empty synchronized block
CWE‑398	Java	java/unreachable-catch-clause	Unreachable catch clause
CWE‑398	Java	java/potentially-dangerous-function	Use of a potentially dangerous function
CWE‑398	Java	java/todo-comment	TODO/FIXME comments
CWE‑398	Java	java/unused-reference-type	Unused classes and interfaces
CWE‑398	Java	java/overwritten-assignment-to-local	Assigned value is overwritten
CWE‑398	Java	java/useless-assignment-to-local	Useless assignment to local variable
CWE‑398	Java	java/unused-initialized-local	Local variable is initialized but not used
CWE‑398	Java	java/local-variable-is-never-read	Unread local variable
CWE‑398	Java	java/unused-field	Unused field
CWE‑398	Java	java/unused-label	Unused label
CWE‑398	Java	java/unused-local-variable	Unused local variable
CWE‑398	Java	java/switch-fall-through	Unterminated switch case
CWE‑398	Java	java/redundant-cast	Unnecessary cast
CWE‑398	Java	java/unused-import	Unnecessary import
CWE‑398	C++	cpp/unused-local-variable	Unused local variable
CWE‑398	C++	cpp/unused-static-function	Unused static function
CWE‑398	C++	cpp/unused-static-variable	Unused static variable
CWE‑398	C++	cpp/dead-code-condition	Branching condition always evaluates to same value
CWE‑398	C++	cpp/dead-code-function	Function is never called
CWE‑398	C++	cpp/dead-code-goto	Dead code due to goto or break statement
CWE‑398	C++	cpp/inconsistent-nullness-testing	Inconsistent null check of pointer
CWE‑398	C++	cpp/missing-null-test	Returned pointer not checked
CWE‑398	C++	cpp/unused-variable	Variable is assigned a value that is never read
CWE‑398	C++	cpp/fixme-comment	FIXME comment
CWE‑398	C++	cpp/todo-comment	TODO comment
CWE‑398	C++	cpp/inconsistent-null-check	Inconsistent nullness check
CWE‑398	C++	cpp/redundant-null-check-simple	Redundant null check due to previous dereference
CWE‑398	C++	cpp/useless-expression	Expression has no effect
CWE‑398	C++	cpp/bad-strncpy-size	Possibly wrong buffer size in string copy
CWE‑398	C++	cpp/suspicious-call-to-memset	Suspicious call to memset
CWE‑398	C++	cpp/unsafe-strncat	Potentially unsafe call to strncat
CWE‑398	C++	cpp/unsafe-strcat	Potentially unsafe use of strcat
CWE‑398	C++	cpp/dangerous-function-overflow	Use of dangerous function
CWE‑398	C++	cpp/dangerous-cin	Dangerous use of 'cin'
CWE‑398	C++	cpp/potentially-dangerous-function	Use of potentially dangerous function
CWE‑398	C++	cpp/redundant-null-check-param	Redundant null check or missing null check of parameter
CWE‑398	C++	cpp/incorrect-allocation-error-handling	Incorrect allocation-error handling
CWE‑398	C#	cs/call-to-obsolete-method	Call to obsolete method
CWE‑398	C#	cs/todo-comment	TODO comment
CWE‑398	C#	cs/dereferenced-value-is-always-null	Dereferenced variable is always null
CWE‑398	C#	cs/dereferenced-value-may-be-null	Dereferenced variable may be null
CWE‑398	C#	cs/unused-reftype	Dead reference types
CWE‑398	C#	cs/useless-assignment-to-local	Useless assignment to local variable
CWE‑398	C#	cs/unused-field	Unused field
CWE‑398	C#	cs/unused-method	Unused method
CWE‑398	C#	cs/useless-cast-to-self	Cast to same type
CWE‑398	C#	cs/useless-is-before-as	Useless 'is' before 'as'
CWE‑398	C#	cs/coalesce-of-identical-expressions	Useless ?? expression
CWE‑398	C#	cs/useless-type-test	Useless type test
CWE‑398	C#	cs/useless-upcast	Useless upcast
CWE‑398	C#	cs/empty-collection	Container contents are never initialized
CWE‑398	C#	cs/unused-collection	Container contents are never accessed
CWE‑398	C#	cs/empty-lock-statement	Empty lock statement
CWE‑398	C#	cs/linq/useless-select	Redundant Select
CWE‑398	Python	py/unreachable-except	Unreachable 'except' block
CWE‑398	Python	py/comparison-of-constants	Comparison of constants
CWE‑398	Python	py/comparison-of-identical-expressions	Comparison of identical values
CWE‑398	Python	py/comparison-missing-self	Maybe missing 'self' in comparison
CWE‑398	Python	py/duplicate-key-dict-literal	Duplicate key in dict literal
CWE‑398	Python	py/redundant-comparison	Redundant comparison
CWE‑398	Python	py/import-deprecated-module	Import of deprecated module
CWE‑398	Python	py/constant-conditional-expression	Constant in conditional expression or statement
CWE‑398	Python	py/redundant-assignment	Redundant assignment
CWE‑398	Python	py/ineffectual-statement	Statement has no effect
CWE‑398	Python	py/unreachable-statement	Unreachable code
CWE‑398	Python	py/multiple-definition	Variable defined multiple times
CWE‑398	Python	py/unused-local-variable	Unused local variable
CWE‑398	Python	py/unused-global-variable	Unused global variable
CWE‑398	JavaScript	js/todo-comment	TODO comment
CWE‑398	JavaScript	js/eval-like-call	Call to eval-like DOM function
CWE‑398	JavaScript	js/variable-initialization-conflict	Conflicting variable initialization
CWE‑398	JavaScript	js/function-declaration-conflict	Conflicting function declarations
CWE‑398	JavaScript	js/useless-assignment-to-global	Useless assignment to global variable
CWE‑398	JavaScript	js/useless-assignment-to-local	Useless assignment to local variable
CWE‑398	JavaScript	js/overwritten-property	Overwritten property
CWE‑398	JavaScript	js/comparison-of-identical-expressions	Comparison of identical values
CWE‑398	JavaScript	js/comparison-with-nan	Comparison with NaN
CWE‑398	JavaScript	js/duplicate-condition	Duplicate 'if' condition
CWE‑398	JavaScript	js/duplicate-property	Duplicate property
CWE‑398	JavaScript	js/duplicate-switch-case	Duplicate switch case
CWE‑398	JavaScript	js/useless-expression	Expression has no effect
CWE‑398	JavaScript	js/comparison-between-incompatible-types	Comparison between inconvertible types
CWE‑398	JavaScript	js/redundant-operation	Identical operands
CWE‑398	JavaScript	js/redundant-assignment	Self assignment
CWE‑398	JavaScript	js/call-to-non-callable	Invocation of non-function
CWE‑398	JavaScript	js/property-access-on-non-object	Property access on null or undefined
CWE‑398	JavaScript	js/unneeded-defensive-code	Unneeded defensive code
CWE‑398	JavaScript	js/useless-type-test	Useless type test
CWE‑398	JavaScript	js/eval-call	Use of eval
CWE‑398	JavaScript	js/node/assignment-to-exports-variable	Assignment to exports variable
CWE‑398	JavaScript	js/regex/unmatchable-caret	Unmatchable caret in regular expression
CWE‑398	JavaScript	js/regex/unmatchable-dollar	Unmatchable dollar in regular expression
CWE‑398	JavaScript	js/useless-assignment-in-return	Return statement assigns local variable
CWE‑398	JavaScript	js/unreachable-statement	Unreachable statement
CWE‑398	JavaScript	js/trivial-conditional	Useless conditional
CWE‑398	Go	go/comparison-of-identical-expressions	Comparison of identical values
CWE‑398	Go	go/useless-assignment-to-field	Useless assignment to field
CWE‑398	Go	go/useless-assignment-to-local	Useless assignment to local variable
CWE‑398	Go	go/duplicate-branches	Duplicate 'if' branches
CWE‑398	Go	go/duplicate-condition	Duplicate 'if' condition
CWE‑398	Go	go/duplicate-switch-case	Duplicate switch case
CWE‑398	Go	go/useless-expression	Expression has no effect
CWE‑398	Go	go/redundant-operation	Identical operands
CWE‑398	Go	go/redundant-assignment	Self assignment
CWE‑398	Go	go/unreachable-statement	Unreachable statement
CWE‑400	Java	java/input-resource-leak	Potential input resource leak
CWE‑400	Java	java/database-resource-leak	Potential database resource leak
CWE‑400	Java	java/output-resource-leak	Potential output resource leak
CWE‑400	C++	cpp/catch-missing-free	Leaky catch
CWE‑400	C++	cpp/descriptor-may-not-be-closed	Open descriptor may not be closed
CWE‑400	C++	cpp/descriptor-never-closed	Open descriptor never closed
CWE‑400	C++	cpp/file-may-not-be-closed	Open file may not be closed
CWE‑400	C++	cpp/file-never-closed	Open file is not closed
CWE‑400	C++	cpp/memory-may-not-be-freed	Memory may not be freed
CWE‑400	C++	cpp/memory-never-freed	Memory is never freed
CWE‑400	C++	cpp/new-free-mismatch	Mismatching new/free or malloc/delete
CWE‑400	C++	cpp/alloca-in-loop	Call to alloca in a loop
CWE‑400	C++	cpp/memory-leak-on-failed-call-to-realloc	Memory leak on failed call to realloc
CWE‑400	C#	cs/redos	Denial of Service from comparison of user input against expensive regex
CWE‑400	C#	cs/regex-injection	Regular expression injection
CWE‑400	Python	py/file-not-closed	File is not always closed
CWE‑400	Python	py/regex-injection	Regular expression injection
CWE‑400	JavaScript	js/polynomial-redos	Polynomial regular expression used on uncontrolled data
CWE‑400	JavaScript	js/redos	Inefficient regular expression
CWE‑400	JavaScript	js/resource-exhaustion-from-deep-object-traversal	Resources exhaustion from deep object traversal
CWE‑400	JavaScript	js/remote-property-injection	Remote property injection
CWE‑400	JavaScript	js/regex-injection	Regular expression injection
CWE‑400	JavaScript	js/missing-rate-limiting	Missing rate limiting
CWE‑400	JavaScript	js/xml-bomb	XML internal entity expansion
CWE‑400	JavaScript	js/prototype-polluting-assignment	Prototype-polluting assignment
CWE‑400	JavaScript	js/prototype-pollution-utility	Prototype-polluting function
CWE‑400	JavaScript	js/prototype-pollution	Prototype-polluting merge call
CWE‑400	JavaScript	js/resource-exhaustion	Resource exhaustion
CWE‑401	C++	cpp/catch-missing-free	Leaky catch
CWE‑401	C++	cpp/memory-may-not-be-freed	Memory may not be freed
CWE‑401	C++	cpp/memory-never-freed	Memory is never freed
CWE‑401	C++	cpp/new-free-mismatch	Mismatching new/free or malloc/delete
CWE‑401	C++	cpp/memory-leak-on-failed-call-to-realloc	Memory leak on failed call to realloc
CWE‑404	Java	java/missing-super-finalize	Finalizer inconsistency
CWE‑404	Java	java/input-resource-leak	Potential input resource leak
CWE‑404	Java	java/database-resource-leak	Potential database resource leak
CWE‑404	Java	java/output-resource-leak	Potential output resource leak
CWE‑404	Java	java/empty-finalizer	Empty body of finalizer
CWE‑404	Java	java/disabled-certificate-revocation-checking	Disabled ceritificate revocation checking
CWE‑404	C++	cpp/catch-missing-free	Leaky catch
CWE‑404	C++	cpp/descriptor-may-not-be-closed	Open descriptor may not be closed
CWE‑404	C++	cpp/descriptor-never-closed	Open descriptor never closed
CWE‑404	C++	cpp/file-may-not-be-closed	Open file may not be closed
CWE‑404	C++	cpp/file-never-closed	Open file is not closed
CWE‑404	C++	cpp/memory-may-not-be-freed	Memory may not be freed
CWE‑404	C++	cpp/memory-never-freed	Memory is never freed
CWE‑404	C++	cpp/new-free-mismatch	Mismatching new/free or malloc/delete
CWE‑404	C++	cpp/memory-leak-on-failed-call-to-realloc	Memory leak on failed call to realloc
CWE‑404	C++	cpp/resource-not-released-in-destructor	Resource not released in destructor
CWE‑404	C#	cs/dispose-not-called-on-throw	Dispose may not be called if an exception is thrown during execution
CWE‑404	C#	cs/member-not-disposed	Missing Dispose call
CWE‑404	C#	cs/missing-dispose-method	Missing Dispose method
CWE‑404	C#	cs/local-not-disposed	Missing Dispose call on local IDisposable
CWE‑404	Python	py/file-not-closed	File is not always closed
CWE‑405	Java	java/xxe	Resolving XML external entity in user-controlled data
CWE‑405	C#	cs/xml/insecure-dtd-handling	Untrusted XML is read insecurely
CWE‑405	C#	cs/insecure-xml-read	XML is read insecurely
CWE‑405	JavaScript	js/xml-bomb	XML internal entity expansion
CWE‑409	Java	java/xxe	Resolving XML external entity in user-controlled data
CWE‑409	C#	cs/xml/insecure-dtd-handling	Untrusted XML is read insecurely
CWE‑409	C#	cs/insecure-xml-read	XML is read insecurely
CWE‑409	JavaScript	js/xml-bomb	XML internal entity expansion
CWE‑413	Java	java/unsynchronized-getter	Inconsistent synchronization of getter and setter
CWE‑416	C++	cpp/use-after-free	Potential use after free
CWE‑420	Java	java/socket-auth-race-condition	Race condition in socket authentication
CWE‑421	Java	java/socket-auth-race-condition	Race condition in socket authentication
CWE‑428	C++	cpp/unsafe-create-process-call	NULL application name with an unquoted path in call to CreateProcess
CWE‑434	C#	cs/web/file-upload	Use of file upload
CWE‑434	JavaScript	js/http-to-file-access	Network data written to file
CWE‑435	C++	cpp/memset-may-be-deleted	Call to memset may be deleted
CWE‑441	Java	java/ssrf	Server Side Request Forgery (SSRF)
CWE‑441	JavaScript	js/request-forgery	Uncontrolled data used in network request
CWE‑441	Go	go/request-forgery	Uncontrolled data used in network request
CWE‑451	C#	cs/web/missing-x-frame-options	Missing X-Frame-Options HTTP header
CWE‑451	JavaScript	js/missing-x-frame-options	Missing X-Frame-Options HTTP header
CWE‑456	C++	cpp/initialization-not-run	Initialization code not run
CWE‑457	Java	java/unassigned-field	Field is never assigned a non-null value
CWE‑457	C++	cpp/global-use-before-init	Global variable may be used before initialization
CWE‑457	C++	cpp/not-initialised	Variable not initialized before use
CWE‑457	C++	cpp/uninitialized-local	Potentially uninitialized local variable
CWE‑457	C++	cpp/conditionally-uninitialized-variable	Conditionally uninitialized variable
CWE‑457	C#	cs/unassigned-field	Field is never assigned a non-default value
CWE‑459	Java	java/missing-super-finalize	Finalizer inconsistency
CWE‑459	Java	java/empty-finalizer	Empty body of finalizer
CWE‑459	C#	cs/dispose-not-called-on-throw	Dispose may not be called if an exception is thrown during execution
CWE‑459	C#	cs/member-not-disposed	Missing Dispose call
CWE‑459	C#	cs/missing-dispose-method	Missing Dispose method
CWE‑459	C#	cs/local-not-disposed	Missing Dispose call on local IDisposable
CWE‑460	C#	cs/dispose-not-called-on-throw	Dispose may not be called if an exception is thrown during execution
CWE‑460	C#	cs/local-not-disposed	Missing Dispose call on local IDisposable
CWE‑467	C++	cpp/suspicious-sizeof	Suspicious 'sizeof' use
CWE‑468	C++	cpp/suspicious-pointer-scaling	Suspicious pointer scaling
CWE‑468	C++	cpp/incorrect-pointer-scaling-char	Suspicious pointer scaling to char
CWE‑468	C++	cpp/suspicious-pointer-scaling-void	Suspicious pointer scaling to void
CWE‑468	C++	cpp/suspicious-add-sizeof	Suspicious add with sizeof
CWE‑471	C#	cs/web/html-hidden-input	Use of HTMLInputHidden
CWE‑472	C#	cs/web/html-hidden-input	Use of HTMLInputHidden
CWE‑476	Java	java/dereferenced-value-is-always-null	Dereferenced variable is always null
CWE‑476	Java	java/dereferenced-expr-may-be-null	Dereferenced expression may be null
CWE‑476	Java	java/dereferenced-value-may-be-null	Dereferenced variable may be null
CWE‑476	C++	cpp/inconsistent-nullness-testing	Inconsistent null check of pointer
CWE‑476	C++	cpp/missing-null-test	Returned pointer not checked
CWE‑476	C++	cpp/inconsistent-null-check	Inconsistent nullness check
CWE‑476	C++	cpp/redundant-null-check-simple	Redundant null check due to previous dereference
CWE‑476	C++	cpp/redundant-null-check-param	Redundant null check or missing null check of parameter
CWE‑476	C#	cs/dereferenced-value-is-always-null	Dereferenced variable is always null
CWE‑476	C#	cs/dereferenced-value-may-be-null	Dereferenced variable may be null
CWE‑476	JavaScript	js/call-to-non-callable	Invocation of non-function
CWE‑476	JavaScript	js/property-access-on-non-object	Property access on null or undefined
CWE‑477	Java	java/deprecated-call	Deprecated method or constructor invocation
CWE‑477	C#	cs/call-to-obsolete-method	Call to obsolete method
CWE‑477	Python	py/import-deprecated-module	Import of deprecated module
CWE‑478	Java	java/missing-default-in-switch	Missing default case in switch
CWE‑478	Java	java/missing-case-in-switch	Missing enum case in switch
CWE‑478	C++	cpp/missing-case-in-switch	Missing enum case in switch
CWE‑480	Java	java/assignment-in-boolean-expression	Assignment in Boolean expression
CWE‑480	Java	java/reference-equality-on-strings	Reference equality test on strings
CWE‑480	C++	cpp/assign-where-compare-meant	Assignment where comparison was intended
CWE‑480	C++	cpp/compare-where-assign-meant	Comparison where assignment was intended
CWE‑480	C++	cpp/incorrect-not-operator-usage	Incorrect 'not' operator usage
CWE‑480	C++	cpp/logical-operator-applied-to-flag	Short-circuiting operator applied to flag
CWE‑480	C++	cpp/operator-precedence-logic-error-when-use-bool-type	Operator Precedence Logic Error When Use Bool Type
CWE‑480	C#	cs/non-short-circuit	Potentially dangerous use of non-short-circuit logic
CWE‑480	JavaScript	js/useless-expression	Expression has no effect
CWE‑480	JavaScript	js/redundant-operation	Identical operands
CWE‑480	JavaScript	js/redundant-assignment	Self assignment
CWE‑480	JavaScript	js/deletion-of-non-property	Deleting non-property
CWE‑480	Go	go/useless-expression	Expression has no effect
CWE‑480	Go	go/redundant-operation	Identical operands
CWE‑480	Go	go/redundant-assignment	Self assignment
CWE‑481	Java	java/assignment-in-boolean-expression	Assignment in Boolean expression
CWE‑481	C++	cpp/assign-where-compare-meant	Assignment where comparison was intended
CWE‑482	C++	cpp/compare-where-assign-meant	Comparison where assignment was intended
CWE‑483	JavaScript	js/misleading-indentation-of-dangling-else	Misleading indentation of dangling 'else'
CWE‑483	JavaScript	js/misleading-indentation-after-control-statement	Misleading indentation after control statement
CWE‑484	Java	java/switch-fall-through	Unterminated switch case
CWE‑485	Java	java/missing-call-to-super-clone	Missing super clone
CWE‑485	Java	java/cleartext-storage-in-class	Cleartext storage of sensitive information using storable class
CWE‑485	Java	java/abstract-to-concrete-cast	Cast from abstract to concrete collection
CWE‑485	Java	java/internal-representation-exposure	Exposing internal representation
CWE‑485	Java	java/struts-development-mode	Apache Struts development mode enabled
CWE‑485	Java	java/android/unsafe-android-webview-fetch	Unsafe resource fetching in Android webview
CWE‑485	C#	cs/class-name-comparison	Erroneous class compare
CWE‑485	C#	cs/web/debug-code	ASP.NET: leftover debug code
CWE‑485	C#	cs/cast-from-abstract-to-concrete-collection	Cast from abstract to concrete collection
CWE‑485	C#	cs/expose-implementation	Exposing internal representation
CWE‑485	Python	py/flask-debug	Flask app is run in debug mode
CWE‑485	JavaScript	js/alert-call	Invocation of alert
CWE‑485	JavaScript	js/debugger-statement	Use of debugger statement
CWE‑486	C#	cs/class-name-comparison	Erroneous class compare
CWE‑489	Java	java/struts-development-mode	Apache Struts development mode enabled
CWE‑489	C#	cs/web/debug-code	ASP.NET: leftover debug code
CWE‑489	Python	py/flask-debug	Flask app is run in debug mode
CWE‑489	JavaScript	js/alert-call	Invocation of alert
CWE‑489	JavaScript	js/debugger-statement	Use of debugger statement
CWE‑494	Java	java/maven/non-https-url	Failure to use HTTPS or SFTP URL in Maven artifact upload/download
CWE‑497	Java	java/stack-trace-exposure	Information exposure through a stack trace
CWE‑497	C++	cpp/system-data-exposure	Exposure of system data to an unauthorized control sphere
CWE‑497	C#	cs/information-exposure-through-exception	Information exposure through an exception
CWE‑497	Python	py/stack-trace-exposure	Information exposure through an exception
CWE‑497	Go	go/stack-trace-exposure	Information exposure through a stack trace
CWE‑499	Java	java/cleartext-storage-in-class	Cleartext storage of sensitive information using storable class
CWE‑502	Java	java/unsafe-deserialization	Deserialization of user-controlled data
CWE‑502	Java	java/unsafe-deserialization-spring-exporter-in-configuration-class	Unsafe deserialization with Spring's remote service exporters.
CWE‑502	Java	java/unsafe-deserialization-spring-exporter-in-xml-configuration	Unsafe deserialization with Spring's remote service exporters.
CWE‑502	C#	cs/deserialized-delegate	Deserialized delegate
CWE‑502	C#	cs/unsafe-deserialization	Unsafe deserializer
CWE‑502	C#	cs/unsafe-deserialization-untrusted-input	Deserialization of untrusted data
CWE‑502	Python	py/unsafe-deserialization	Deserializing untrusted input
CWE‑502	JavaScript	js/unsafe-deserialization	Deserialization of user-controlled data
CWE‑506	JavaScript	js/hardcoded-data-interpreted-as-code	Hard-coded data interpreted as code
CWE‑521	C#	cs/empty-password-in-configuration	Empty password in configuration file
CWE‑522	Java	java/credentials-in-properties	Cleartext Credentials in Properties File
CWE‑522	Java	java/password-in-configuration	Password in configuration file
CWE‑522	C#	cs/empty-password-in-configuration	Empty password in configuration file
CWE‑522	C#	cs/password-in-configuration	Password in configuration file
CWE‑522	JavaScript	js/password-in-configuration-file	Password in configuration file
CWE‑538	C#	cs/web/persistent-cookie	Cookie security: persistent cookie
CWE‑538	C#	cs/web/directory-browse-enabled	ASP.NET config file enables directory browsing
CWE‑539	C#	cs/web/persistent-cookie	Cookie security: persistent cookie
CWE‑543	Java	java/lazy-initialization	Incorrect lazy initialization of a static field
CWE‑546	Java	java/todo-comment	TODO/FIXME comments
CWE‑546	C++	cpp/fixme-comment	FIXME comment
CWE‑546	C++	cpp/todo-comment	TODO comment
CWE‑546	C#	cs/todo-comment	TODO comment
CWE‑546	JavaScript	js/todo-comment	TODO comment
CWE‑548	C#	cs/web/directory-browse-enabled	ASP.NET config file enables directory browsing
CWE‑552	C#	cs/web/directory-browse-enabled	ASP.NET config file enables directory browsing
CWE‑555	Java	java/credentials-in-properties	Cleartext Credentials in Properties File
CWE‑555	Java	java/password-in-configuration	Password in configuration file
CWE‑561	Java	java/dead-class	Dead class
CWE‑561	Java	java/dead-enum-constant	Dead enum constant
CWE‑561	Java	java/dead-field	Dead field
CWE‑561	Java	java/dead-function	Dead method
CWE‑561	Java	java/lines-of-dead-code	Lines of dead code in files
CWE‑561	Java	java/unused-parameter	Useless parameter
CWE‑561	Java	java/useless-null-check	Useless null check
CWE‑561	Java	java/useless-type-test	Useless type test
CWE‑561	Java	java/useless-upcast	Useless upcast
CWE‑561	Java	java/empty-container	Container contents are never initialized
CWE‑561	Java	java/unused-container	Container contents are never accessed
CWE‑561	Java	java/constant-comparison	Useless comparison test
CWE‑561	Java	java/unreachable-catch-clause	Unreachable catch clause
CWE‑561	Java	java/unused-reference-type	Unused classes and interfaces
CWE‑561	Java	java/useless-assignment-to-local	Useless assignment to local variable
CWE‑561	Java	java/local-variable-is-never-read	Unread local variable
CWE‑561	Java	java/unused-field	Unused field
CWE‑561	Java	java/unused-label	Unused label
CWE‑561	Java	java/redundant-cast	Unnecessary cast
CWE‑561	Java	java/unused-import	Unnecessary import
CWE‑561	C++	cpp/unused-static-function	Unused static function
CWE‑561	C++	cpp/dead-code-condition	Branching condition always evaluates to same value
CWE‑561	C++	cpp/dead-code-function	Function is never called
CWE‑561	C++	cpp/dead-code-goto	Dead code due to goto or break statement
CWE‑561	C++	cpp/useless-expression	Expression has no effect
CWE‑561	C++	cpp/incorrect-allocation-error-handling	Incorrect allocation-error handling
CWE‑561	C#	cs/unused-reftype	Dead reference types
CWE‑561	C#	cs/unused-field	Unused field
CWE‑561	C#	cs/unused-method	Unused method
CWE‑561	C#	cs/useless-cast-to-self	Cast to same type
CWE‑561	C#	cs/useless-is-before-as	Useless 'is' before 'as'
CWE‑561	C#	cs/coalesce-of-identical-expressions	Useless ?? expression
CWE‑561	C#	cs/useless-type-test	Useless type test
CWE‑561	C#	cs/useless-upcast	Useless upcast
CWE‑561	C#	cs/empty-collection	Container contents are never initialized
CWE‑561	C#	cs/unused-collection	Container contents are never accessed
CWE‑561	C#	cs/linq/useless-select	Redundant Select
CWE‑561	Python	py/unreachable-except	Unreachable 'except' block
CWE‑561	Python	py/comparison-of-constants	Comparison of constants
CWE‑561	Python	py/comparison-of-identical-expressions	Comparison of identical values
CWE‑561	Python	py/comparison-missing-self	Maybe missing 'self' in comparison
CWE‑561	Python	py/duplicate-key-dict-literal	Duplicate key in dict literal
CWE‑561	Python	py/redundant-comparison	Redundant comparison
CWE‑561	Python	py/constant-conditional-expression	Constant in conditional expression or statement
CWE‑561	Python	py/ineffectual-statement	Statement has no effect
CWE‑561	Python	py/unreachable-statement	Unreachable code
CWE‑561	JavaScript	js/comparison-of-identical-expressions	Comparison of identical values
CWE‑561	JavaScript	js/comparison-with-nan	Comparison with NaN
CWE‑561	JavaScript	js/duplicate-condition	Duplicate 'if' condition
CWE‑561	JavaScript	js/duplicate-switch-case	Duplicate switch case
CWE‑561	JavaScript	js/useless-expression	Expression has no effect
CWE‑561	JavaScript	js/comparison-between-incompatible-types	Comparison between inconvertible types
CWE‑561	JavaScript	js/redundant-operation	Identical operands
CWE‑561	JavaScript	js/redundant-assignment	Self assignment
CWE‑561	JavaScript	js/unneeded-defensive-code	Unneeded defensive code
CWE‑561	JavaScript	js/useless-type-test	Useless type test
CWE‑561	JavaScript	js/regex/unmatchable-caret	Unmatchable caret in regular expression
CWE‑561	JavaScript	js/regex/unmatchable-dollar	Unmatchable dollar in regular expression
CWE‑561	JavaScript	js/unreachable-statement	Unreachable statement
CWE‑561	JavaScript	js/trivial-conditional	Useless conditional
CWE‑561	Go	go/comparison-of-identical-expressions	Comparison of identical values
CWE‑561	Go	go/duplicate-branches	Duplicate 'if' branches
CWE‑561	Go	go/duplicate-condition	Duplicate 'if' condition
CWE‑561	Go	go/duplicate-switch-case	Duplicate switch case
CWE‑561	Go	go/useless-expression	Expression has no effect
CWE‑561	Go	go/redundant-operation	Identical operands
CWE‑561	Go	go/redundant-assignment	Self assignment
CWE‑561	Go	go/unreachable-statement	Unreachable statement
CWE‑563	Java	java/overwritten-assignment-to-local	Assigned value is overwritten
CWE‑563	Java	java/unused-initialized-local	Local variable is initialized but not used
CWE‑563	Java	java/unused-local-variable	Unused local variable
CWE‑563	C++	cpp/unused-local-variable	Unused local variable
CWE‑563	C++	cpp/unused-static-variable	Unused static variable
CWE‑563	C++	cpp/unused-variable	Variable is assigned a value that is never read
CWE‑563	C#	cs/useless-assignment-to-local	Useless assignment to local variable
CWE‑563	Python	py/redundant-assignment	Redundant assignment
CWE‑563	Python	py/multiple-definition	Variable defined multiple times
CWE‑563	Python	py/unused-local-variable	Unused local variable
CWE‑563	Python	py/unused-global-variable	Unused global variable
CWE‑563	JavaScript	js/variable-initialization-conflict	Conflicting variable initialization
CWE‑563	JavaScript	js/function-declaration-conflict	Conflicting function declarations
CWE‑563	JavaScript	js/useless-assignment-to-global	Useless assignment to global variable
CWE‑563	JavaScript	js/useless-assignment-to-local	Useless assignment to local variable
CWE‑563	JavaScript	js/overwritten-property	Overwritten property
CWE‑563	JavaScript	js/duplicate-property	Duplicate property
CWE‑563	JavaScript	js/node/assignment-to-exports-variable	Assignment to exports variable
CWE‑563	JavaScript	js/useless-assignment-in-return	Return statement assigns local variable
CWE‑563	Go	go/useless-assignment-to-field	Useless assignment to field
CWE‑563	Go	go/useless-assignment-to-local	Useless assignment to local variable
CWE‑564	Java	java/sql-injection	Query built from user-controlled sources
CWE‑564	Java	java/sql-injection-local	Query built from local-user-controlled sources
CWE‑564	Java	java/concatenated-sql-query	Query built without neutralizing special characters
CWE‑567	C#	cs/unsynchronized-static-access	Unsynchronized access to static collection member in non-static context
CWE‑568	Java	java/missing-super-finalize	Finalizer inconsistency
CWE‑568	Java	java/empty-finalizer	Empty body of finalizer
CWE‑570	Java	java/constant-comparison	Useless comparison test
CWE‑570	C++	cpp/incorrect-allocation-error-handling	Incorrect allocation-error handling
CWE‑570	Python	py/comparison-of-constants	Comparison of constants
CWE‑570	Python	py/comparison-of-identical-expressions	Comparison of identical values
CWE‑570	Python	py/comparison-missing-self	Maybe missing 'self' in comparison
CWE‑570	Python	py/redundant-comparison	Redundant comparison
CWE‑570	Python	py/constant-conditional-expression	Constant in conditional expression or statement
CWE‑570	JavaScript	js/comparison-of-identical-expressions	Comparison of identical values
CWE‑570	JavaScript	js/comparison-with-nan	Comparison with NaN
CWE‑570	JavaScript	js/comparison-between-incompatible-types	Comparison between inconvertible types
CWE‑570	JavaScript	js/unneeded-defensive-code	Unneeded defensive code
CWE‑570	JavaScript	js/useless-type-test	Useless type test
CWE‑570	JavaScript	js/trivial-conditional	Useless conditional
CWE‑570	Go	go/comparison-of-identical-expressions	Comparison of identical values
CWE‑571	Java	java/constant-comparison	Useless comparison test
CWE‑571	Python	py/comparison-of-constants	Comparison of constants
CWE‑571	Python	py/comparison-of-identical-expressions	Comparison of identical values
CWE‑571	Python	py/comparison-missing-self	Maybe missing 'self' in comparison
CWE‑571	Python	py/redundant-comparison	Redundant comparison
CWE‑571	Python	py/constant-conditional-expression	Constant in conditional expression or statement
CWE‑571	JavaScript	js/comparison-of-identical-expressions	Comparison of identical values
CWE‑571	JavaScript	js/comparison-with-nan	Comparison with NaN
CWE‑571	JavaScript	js/comparison-between-incompatible-types	Comparison between inconvertible types
CWE‑571	JavaScript	js/unneeded-defensive-code	Unneeded defensive code
CWE‑571	JavaScript	js/useless-type-test	Useless type test
CWE‑571	JavaScript	js/trivial-conditional	Useless conditional
CWE‑571	Go	go/comparison-of-identical-expressions	Comparison of identical values
CWE‑572	Java	java/call-to-thread-run	Direct call to a run() method
CWE‑573	Java	java/ejb/container-interference	EJB interferes with container operation
CWE‑573	Java	java/ejb/file-io	EJB uses file input/output
CWE‑573	Java	java/ejb/graphics	EJB uses graphics
CWE‑573	Java	java/ejb/native-code	EJB uses native code
CWE‑573	Java	java/ejb/reflection	EJB uses reflection
CWE‑573	Java	java/ejb/security-configuration-access	EJB accesses security configuration
CWE‑573	Java	java/ejb/substitution-in-serialization	EJB uses substitution in serialization
CWE‑573	Java	java/ejb/socket-or-stream-handler-factory	EJB sets socket factory or URL stream handler factory
CWE‑573	Java	java/ejb/server-socket	EJB uses server socket
CWE‑573	Java	java/ejb/non-final-static-field	EJB uses non-final static field
CWE‑573	Java	java/ejb/synchronization	EJB uses synchronization
CWE‑573	Java	java/ejb/this	EJB uses 'this' as argument or result
CWE‑573	Java	java/ejb/threads	EJB uses threads
CWE‑573	Java	java/missing-call-to-super-clone	Missing super clone
CWE‑573	Java	java/inconsistent-equals-and-hashcode	Inconsistent equals and hashCode
CWE‑573	Java	java/unreleased-lock	Unreleased lock
CWE‑573	Java	java/missing-super-finalize	Finalizer inconsistency
CWE‑573	Java	java/missing-format-argument	Missing format argument
CWE‑573	Java	java/unused-format-argument	Unused format argument
CWE‑573	Java	java/empty-finalizer	Empty body of finalizer
CWE‑573	C++	cpp/overflowing-snprintf	Potentially overflowing call to snprintf
CWE‑573	C++	cpp/wrong-number-format-arguments	Too few arguments to formatting function
CWE‑573	C++	cpp/wrong-type-format-argument	Wrong type of arguments to formatting function
CWE‑573	C++	cpp/too-few-arguments	Call to function with fewer arguments than declared parameters
CWE‑573	C++	cpp/ignore-return-value-sal	SAL requires inspecting return value
CWE‑573	C++	cpp/hresult-boolean-conversion	Cast between HRESULT and a Boolean type
CWE‑573	C++	cpp/lock-order-cycle	Cyclic lock order dependency
CWE‑573	C++	cpp/twice-locked	Mutex locked twice
CWE‑573	C++	cpp/unreleased-lock	Lock may not be released
CWE‑573	C#	cs/inconsistent-equals-and-gethashcode	Inconsistent Equals(object) and GetHashCode()
CWE‑573	C#	cs/invalid-dynamic-call	Bad dynamic call
CWE‑573	Python	py/equals-hash-mismatch	Inconsistent equality and hashing
CWE‑573	Python	py/call/wrong-named-class-argument	Wrong name for an argument in a class instantiation
CWE‑573	Python	py/call/wrong-number-class-arguments	Wrong number of arguments in a class instantiation
CWE‑573	Python	py/super-not-enclosing-class	First argument to super() is not enclosing class
CWE‑573	Python	py/call/wrong-named-argument	Wrong name for an argument in a call
CWE‑573	Python	py/percent-format/wrong-arguments	Wrong number of arguments for format
CWE‑573	Python	py/call/wrong-arguments	Wrong number of arguments in a call
CWE‑573	JavaScript	js/superfluous-trailing-arguments	Superfluous trailing arguments
CWE‑574	Java	java/ejb/synchronization	EJB uses synchronization
CWE‑575	Java	java/ejb/graphics	EJB uses graphics
CWE‑576	Java	java/ejb/file-io	EJB uses file input/output
CWE‑577	Java	java/ejb/socket-or-stream-handler-factory	EJB sets socket factory or URL stream handler factory
CWE‑577	Java	java/ejb/server-socket	EJB uses server socket
CWE‑578	Java	java/ejb/container-interference	EJB interferes with container operation
CWE‑580	Java	java/missing-call-to-super-clone	Missing super clone
CWE‑581	Java	java/inconsistent-equals-and-hashcode	Inconsistent equals and hashCode
CWE‑581	C#	cs/inconsistent-equals-and-gethashcode	Inconsistent Equals(object) and GetHashCode()
CWE‑581	Python	py/equals-hash-mismatch	Inconsistent equality and hashing
CWE‑582	Java	java/static-array	Array constant vulnerable to change
CWE‑582	C#	cs/static-array	Array constant vulnerable to change
CWE‑584	Java	java/abnormal-finally-completion	Finally block may not complete normally
CWE‑584	Python	py/exit-from-finally	'break' or 'return' statement in finally
CWE‑584	JavaScript	js/exit-from-finally	Jump from finally
CWE‑585	Java	java/empty-synchronized-block	Empty synchronized block
CWE‑585	C#	cs/empty-lock-statement	Empty lock statement
CWE‑592	Java	java/user-controlled-bypass	User-controlled bypass of sensitive method
CWE‑592	Java	java/tainted-permissions-check	User-controlled data used in permissions check
CWE‑592	C++	cpp/user-controlled-bypass	Authentication bypass by spoofing
CWE‑592	C#	cs/user-controlled-bypass	User-controlled bypass of sensitive method
CWE‑592	JavaScript	js/user-controlled-bypass	User-controlled bypass of security check
CWE‑592	JavaScript	js/different-kinds-comparison-bypass	Comparison of user-controlled data of different kinds
CWE‑592	Go	go/sensitive-condition-bypass	User-controlled bypassing of sensitive action
CWE‑595	Java	java/reference-equality-with-object	Reference equality test on java.lang.Object
CWE‑595	Java	java/reference-equality-of-boxed-types	Reference equality test of boxed types
CWE‑595	Java	java/reference-equality-on-strings	Reference equality test on strings
CWE‑595	C#	cs/reference-equality-with-object	Reference equality test on System.Object
CWE‑595	C#	cs/reference-equality-on-valuetypes	Call to ReferenceEquals(...) on value type expressions
CWE‑597	Java	java/reference-equality-on-strings	Reference equality test on strings
CWE‑601	Java	java/unvalidated-url-redirection	URL redirection from remote source
CWE‑601	Java	java/unvalidated-url-redirection-local	URL redirection from local source
CWE‑601	C#	cs/web/unvalidated-url-redirection	URL redirection from remote source
CWE‑601	Python	py/url-redirection	URL redirection from remote source
CWE‑601	JavaScript	js/client-side-unvalidated-url-redirection	Client-side URL redirect
CWE‑601	JavaScript	js/server-side-unvalidated-url-redirection	Server-side URL redirect
CWE‑601	Go	go/bad-redirect-check	Bad redirect check
CWE‑601	Go	go/unvalidated-url-redirection	Open URL redirect
CWE‑609	Java	java/unsafe-double-checked-locking	Double-checked locking is not thread-safe
CWE‑609	Java	java/unsafe-double-checked-locking-init-order	Race condition in double-checked locking object initialization
CWE‑609	Java	java/lazy-initialization	Incorrect lazy initialization of a static field
CWE‑609	C#	cs/unsafe-double-checked-lock	Double-checked lock is not thread-safe
CWE‑610	Java	java/path-injection	Uncontrolled data used in path expression
CWE‑610	Java	java/path-injection-local	Local-user-controlled data in path expression
CWE‑610	Java	java/unvalidated-url-redirection	URL redirection from remote source
CWE‑610	Java	java/unvalidated-url-redirection-local	URL redirection from local source
CWE‑610	Java	java/xxe	Resolving XML external entity in user-controlled data
CWE‑610	Java	java/ssrf	Server Side Request Forgery (SSRF)
CWE‑610	C++	cpp/path-injection	Uncontrolled data used in path expression
CWE‑610	C#	cs/path-injection	Uncontrolled data used in path expression
CWE‑610	C#	cs/web/unvalidated-url-redirection	URL redirection from remote source
CWE‑610	C#	cs/xml/insecure-dtd-handling	Untrusted XML is read insecurely
CWE‑610	C#	cs/insecure-xml-read	XML is read insecurely
CWE‑610	C#	cs/webclient-path-injection	Uncontrolled data used in a WebClient
CWE‑610	Python	py/path-injection	Uncontrolled data used in path expression
CWE‑610	Python	py/url-redirection	URL redirection from remote source
CWE‑610	JavaScript	js/path-injection	Uncontrolled data used in path expression
CWE‑610	JavaScript	js/template-object-injection	Template Object Injection
CWE‑610	JavaScript	js/client-side-unvalidated-url-redirection	Client-side URL redirect
CWE‑610	JavaScript	js/server-side-unvalidated-url-redirection	Server-side URL redirect
CWE‑610	JavaScript	js/xxe	XML external entity expansion
CWE‑610	JavaScript	js/request-forgery	Uncontrolled data used in network request
CWE‑610	Go	go/path-injection	Uncontrolled data used in path expression
CWE‑610	Go	go/bad-redirect-check	Bad redirect check
CWE‑610	Go	go/unvalidated-url-redirection	Open URL redirect
CWE‑610	Go	go/request-forgery	Uncontrolled data used in network request
CWE‑611	Java	java/xxe	Resolving XML external entity in user-controlled data
CWE‑611	C#	cs/xml/insecure-dtd-handling	Untrusted XML is read insecurely
CWE‑611	C#	cs/insecure-xml-read	XML is read insecurely
CWE‑611	JavaScript	js/xxe	XML external entity expansion
CWE‑614	Java	java/insecure-cookie	Failure to use secure cookies
CWE‑614	C#	cs/web/requiressl-not-set	'requireSSL' attribute is not set to true
CWE‑614	JavaScript	js/insecure-cookie	Failure to set secure cookies
CWE‑625	JavaScript	js/angular/insecure-url-whitelist	Insecure URL whitelist
CWE‑628	Java	java/missing-format-argument	Missing format argument
CWE‑628	Java	java/unused-format-argument	Unused format argument
CWE‑628	C++	cpp/wrong-number-format-arguments	Too few arguments to formatting function
CWE‑628	C++	cpp/wrong-type-format-argument	Wrong type of arguments to formatting function
CWE‑628	C++	cpp/too-few-arguments	Call to function with fewer arguments than declared parameters
CWE‑628	C#	cs/invalid-dynamic-call	Bad dynamic call
CWE‑628	Python	py/call/wrong-named-class-argument	Wrong name for an argument in a class instantiation
CWE‑628	Python	py/call/wrong-number-class-arguments	Wrong number of arguments in a class instantiation
CWE‑628	Python	py/super-not-enclosing-class	First argument to super() is not enclosing class
CWE‑628	Python	py/call/wrong-named-argument	Wrong name for an argument in a call
CWE‑628	Python	py/percent-format/wrong-arguments	Wrong number of arguments for format
CWE‑628	Python	py/call/wrong-arguments	Wrong number of arguments in a call
CWE‑628	JavaScript	js/superfluous-trailing-arguments	Superfluous trailing arguments
CWE‑639	JavaScript	js/cors-misconfiguration-for-credentials	CORS misconfiguration for credentials transfer
CWE‑640	JavaScript	js/host-header-forgery-in-email-generation	Host header poisoning in email generation
CWE‑640	Go	go/email-injection	Email content injection
CWE‑642	Java	java/path-injection	Uncontrolled data used in path expression
CWE‑642	Java	java/path-injection-local	Local-user-controlled data in path expression
CWE‑642	C++	cpp/path-injection	Uncontrolled data used in path expression
CWE‑642	C#	cs/web/html-hidden-input	Use of HTMLInputHidden
CWE‑642	C#	cs/path-injection	Uncontrolled data used in path expression
CWE‑642	C#	cs/webclient-path-injection	Uncontrolled data used in a WebClient
CWE‑642	Python	py/path-injection	Uncontrolled data used in path expression
CWE‑642	JavaScript	js/path-injection	Uncontrolled data used in path expression
CWE‑642	JavaScript	js/template-object-injection	Template Object Injection
CWE‑642	Go	go/path-injection	Uncontrolled data used in path expression
CWE‑643	Java	java/xml/xpath-injection	XPath injection
CWE‑643	C#	cs/xml/stored-xpath-injection	Stored XPath injection
CWE‑643	C#	cs/xml/xpath-injection	XPath injection
CWE‑643	Python	py/xslt-injection	XSLT query built from user-controlled sources
CWE‑643	Python	py/xpath-injection	XPath query built from user-controlled sources
CWE‑643	JavaScript	js/xpath-injection	XPath injection
CWE‑643	Go	go/xml/xpath-injection	XPath injection
CWE‑652	Java	java/xquery-injection	XQuery query built from user-controlled sources
CWE‑657	Java	java/hardcoded-credential-api-call	Hard-coded credential in API call
CWE‑657	Java	java/hardcoded-credential-comparison	Hard-coded credential comparison
CWE‑657	Java	java/hardcoded-credential-sensitive-call	Hard-coded credential in sensitive call
CWE‑657	Java	java/hardcoded-password-field	Hard-coded password field
CWE‑657	C#	cs/hardcoded-connection-string-credentials	Hard-coded connection string with credentials
CWE‑657	C#	cs/hardcoded-credentials	Hard-coded credentials
CWE‑657	Python	py/hardcoded-credentials	Hard-coded credentials
CWE‑657	JavaScript	js/remote-property-injection	Remote property injection
CWE‑657	JavaScript	js/hardcoded-credentials	Hard-coded credentials
CWE‑657	Go	go/hardcoded-credentials	Hard-coded credentials
CWE‑662	Java	java/ejb/synchronization	EJB uses synchronization
CWE‑662	Java	java/wait-on-condition-interface	Wait on condition
CWE‑662	Java	java/call-to-thread-run	Direct call to a run() method
CWE‑662	Java	java/unsafe-double-checked-locking	Double-checked locking is not thread-safe
CWE‑662	Java	java/unsafe-double-checked-locking-init-order	Race condition in double-checked locking object initialization
CWE‑662	Java	java/unsafe-sync-on-field	Futile synchronization on field
CWE‑662	Java	java/inconsistent-field-synchronization	Inconsistent synchronization for field
CWE‑662	Java	java/lazy-initialization	Incorrect lazy initialization of a static field
CWE‑662	Java	java/non-sync-override	Non-synchronized override of synchronized method
CWE‑662	Java	java/notify-instead-of-notify-all	notify instead of notifyAll
CWE‑662	Java	java/sleep-with-lock-held	Sleep with lock held
CWE‑662	Java	java/sync-on-boxed-types	Synchronization on boxed types or strings
CWE‑662	Java	java/unsynchronized-getter	Inconsistent synchronization of getter and setter
CWE‑662	Java	java/inconsistent-sync-writeobject	Inconsistent synchronization for writeObject()
CWE‑662	Java	java/unreleased-lock	Unreleased lock
CWE‑662	Java	java/wait-with-two-locks	Wait with two locks held
CWE‑662	Java	java/lock-order-inconsistency	Lock order inconsistency
CWE‑662	C++	cpp/lock-order-cycle	Cyclic lock order dependency
CWE‑662	C++	cpp/twice-locked	Mutex locked twice
CWE‑662	C++	cpp/unreleased-lock	Lock may not be released
CWE‑662	C#	cs/unsafe-sync-on-field	Futile synchronization on field
CWE‑662	C#	cs/inconsistent-lock-sequence	Inconsistent lock sequence
CWE‑662	C#	cs/lock-this	Locking the 'this' object in a lock statement
CWE‑662	C#	cs/locked-wait	A lock is held during a wait
CWE‑662	C#	cs/unsynchronized-getter	Inconsistently synchronized property
CWE‑662	C#	cs/unsafe-double-checked-lock	Double-checked lock is not thread-safe
CWE‑662	C#	cs/unsynchronized-static-access	Unsynchronized access to static collection member in non-static context
CWE‑664	Java	java/ejb/synchronization	EJB uses synchronization
CWE‑664	Java	java/implicit-cast-in-compound-assignment	Implicit narrowing conversion in compound assignment
CWE‑664	Java	java/integer-multiplication-cast-to-long	Result of multiplication cast to wider type
CWE‑664	Java	java/missing-call-to-super-clone	Missing super clone
CWE‑664	Java	java/wait-on-condition-interface	Wait on condition
CWE‑664	Java	java/call-to-thread-run	Direct call to a run() method
CWE‑664	Java	java/unsafe-double-checked-locking	Double-checked locking is not thread-safe
CWE‑664	Java	java/unsafe-double-checked-locking-init-order	Race condition in double-checked locking object initialization
CWE‑664	Java	java/unsafe-sync-on-field	Futile synchronization on field
CWE‑664	Java	java/inconsistent-field-synchronization	Inconsistent synchronization for field
CWE‑664	Java	java/lazy-initialization	Incorrect lazy initialization of a static field
CWE‑664	Java	java/non-sync-override	Non-synchronized override of synchronized method
CWE‑664	Java	java/notify-instead-of-notify-all	notify instead of notifyAll
CWE‑664	Java	java/sleep-with-lock-held	Sleep with lock held
CWE‑664	Java	java/sync-on-boxed-types	Synchronization on boxed types or strings
CWE‑664	Java	java/unsynchronized-getter	Inconsistent synchronization of getter and setter
CWE‑664	Java	java/inconsistent-sync-writeobject	Inconsistent synchronization for writeObject()
CWE‑664	Java	java/unreleased-lock	Unreleased lock
CWE‑664	Java	java/wait-with-two-locks	Wait with two locks held
CWE‑664	Java	java/missing-super-finalize	Finalizer inconsistency
CWE‑664	Java	java/input-resource-leak	Potential input resource leak
CWE‑664	Java	java/database-resource-leak	Potential database resource leak
CWE‑664	Java	java/output-resource-leak	Potential output resource leak
CWE‑664	Java	java/impossible-array-cast	Impossible array cast
CWE‑664	Java	java/path-injection	Uncontrolled data used in path expression
CWE‑664	Java	java/path-injection-local	Local-user-controlled data in path expression
CWE‑664	Java	java/zipslip	Arbitrary file write during archive extraction ("Zip Slip")
CWE‑664	Java	java/insecure-bean-validation	Insecure Bean Validation
CWE‑664	Java	java/comparison-with-wider-type	Comparison of narrow type with wide type in loop condition
CWE‑664	Java	java/stack-trace-exposure	Information exposure through a stack trace
CWE‑664	Java	java/unsafe-hostname-verification	Unsafe hostname verification
CWE‑664	Java	java/cleartext-storage-in-class	Cleartext storage of sensitive information using storable class
CWE‑664	Java	java/cleartext-storage-in-cookie	Cleartext storage of sensitive information in cookie
CWE‑664	Java	java/cleartext-storage-in-properties	Cleartext storage of sensitive information using 'Properties' class
CWE‑664	Java	java/socket-auth-race-condition	Race condition in socket authentication
CWE‑664	Java	java/unsafe-deserialization	Deserialization of user-controlled data
CWE‑664	Java	java/unvalidated-url-redirection	URL redirection from remote source
CWE‑664	Java	java/unvalidated-url-redirection-local	URL redirection from local source
CWE‑664	Java	java/xxe	Resolving XML external entity in user-controlled data
CWE‑664	Java	java/tainted-numeric-cast	User-controlled data in numeric cast
CWE‑664	Java	java/tainted-numeric-cast-local	Local-user-controlled data in numeric cast
CWE‑664	Java	java/world-writable-file-read	Reading from a world writable file
CWE‑664	Java	java/hardcoded-credential-api-call	Hard-coded credential in API call
CWE‑664	Java	java/hardcoded-credential-comparison	Hard-coded credential comparison
CWE‑664	Java	java/hardcoded-credential-sensitive-call	Hard-coded credential in sensitive call
CWE‑664	Java	java/hardcoded-password-field	Hard-coded password field
CWE‑664	Java	java/user-controlled-bypass	User-controlled bypass of sensitive method
CWE‑664	Java	java/tainted-permissions-check	User-controlled data used in permissions check
CWE‑664	Java	java/maven/non-https-url	Failure to use HTTPS or SFTP URL in Maven artifact upload/download
CWE‑664	Java	java/lock-order-inconsistency	Lock order inconsistency
CWE‑664	Java	java/empty-finalizer	Empty body of finalizer
CWE‑664	Java	java/unassigned-field	Field is never assigned a non-null value
CWE‑664	Java	java/overly-general-catch	Overly-general catch clause
CWE‑664	Java	java/abstract-to-concrete-cast	Cast from abstract to concrete collection
CWE‑664	Java	java/internal-representation-exposure	Exposing internal representation
CWE‑664	Java	java/static-array	Array constant vulnerable to change
CWE‑664	Java	java/openstream-called-on-tainted-url	openStream called on URLs created from remote source
CWE‑664	Java	java/groovy-injection	Groovy Language injection
CWE‑664	Java	java/android-insecure-dex-loading	Insecure loading of an Android Dex File
CWE‑664	Java	java/javaee-expression-injection	Jakarta Expression Language injection
CWE‑664	Java	java/jexl-expression-injection	Expression language injection (JEXL)
CWE‑664	Java	java/mvel-expression-injection	Expression language injection (MVEL)
CWE‑664	Java	java/unsafe-eval	ScriptEngine evaluation
CWE‑664	Java	java/spel-expression-injection	Expression language injection (Spring)
CWE‑664	Java	java/spring-view-manipulation-implicit	Spring Implicit View Manipulation
CWE‑664	Java	java/spring-view-manipulation	Spring View Manipulation
CWE‑664	Java	java/disabled-certificate-revocation-checking	Disabled ceritificate revocation checking
CWE‑664	Java	java/android/cleartext-storage-shared-prefs	Cleartext storage of sensitive information using SharedPreferences on Android
CWE‑664	Java	java/unvalidated-cors-origin-set	CORS is derived from untrusted input
CWE‑664	Java	java/struts-development-mode	Apache Struts development mode enabled
CWE‑664	Java	java/unsafe-deserialization-spring-exporter-in-configuration-class	Unsafe deserialization with Spring's remote service exporters.
CWE‑664	Java	java/unsafe-deserialization-spring-exporter-in-xml-configuration	Unsafe deserialization with Spring's remote service exporters.
CWE‑664	Java	java/credentials-in-properties	Cleartext Credentials in Properties File
CWE‑664	Java	java/password-in-configuration	Password in configuration file
CWE‑664	Java	java/android/unsafe-android-webview-fetch	Unsafe resource fetching in Android webview
CWE‑664	Java	java/ssrf	Server Side Request Forgery (SSRF)
CWE‑664	C++	cpp/catch-missing-free	Leaky catch
CWE‑664	C++	cpp/descriptor-may-not-be-closed	Open descriptor may not be closed
CWE‑664	C++	cpp/descriptor-never-closed	Open descriptor never closed
CWE‑664	C++	cpp/file-may-not-be-closed	Open file may not be closed
CWE‑664	C++	cpp/file-never-closed	Open file is not closed
CWE‑664	C++	cpp/global-use-before-init	Global variable may be used before initialization
CWE‑664	C++	cpp/initialization-not-run	Initialization code not run
CWE‑664	C++	cpp/memory-may-not-be-freed	Memory may not be freed
CWE‑664	C++	cpp/memory-never-freed	Memory is never freed
CWE‑664	C++	cpp/new-free-mismatch	Mismatching new/free or malloc/delete
CWE‑664	C++	cpp/not-initialised	Variable not initialized before use
CWE‑664	C++	cpp/use-after-free	Potential use after free
CWE‑664	C++	cpp/bad-addition-overflow-check	Bad check for overflow of integer addition
CWE‑664	C++	cpp/integer-multiplication-cast-to-long	Multiplication result converted to larger type
CWE‑664	C++	cpp/upcast-array-pointer-arithmetic	Upcast array used in pointer arithmetic
CWE‑664	C++	cpp/alloca-in-loop	Call to alloca in a loop
CWE‑664	C++	cpp/improper-null-termination	Potential improper null termination
CWE‑664	C++	cpp/return-stack-allocated-memory	Returning stack-allocated memory
CWE‑664	C++	cpp/uninitialized-local	Potentially uninitialized local variable
CWE‑664	C++	cpp/self-assignment-check	Self assignment check
CWE‑664	C++	cpp/path-injection	Uncontrolled data used in path expression
CWE‑664	C++	cpp/comparison-with-wider-type	Comparison of narrow type with wide type in loop condition
CWE‑664	C++	cpp/integer-overflow-tainted	Potential integer arithmetic overflow
CWE‑664	C++	cpp/user-controlled-bypass	Authentication bypass by spoofing
CWE‑664	C++	cpp/cleartext-storage-buffer	Cleartext storage of sensitive information in buffer
CWE‑664	C++	cpp/cleartext-storage-file	Cleartext storage of sensitive information in file
CWE‑664	C++	cpp/cleartext-storage-database	Cleartext storage of sensitive information in an SQLite database
CWE‑664	C++	cpp/unsafe-create-process-call	NULL application name with an unquoted path in call to CreateProcess
CWE‑664	C++	cpp/conditionally-uninitialized-variable	Conditionally uninitialized variable
CWE‑664	C++	cpp/system-data-exposure	Exposure of system data to an unauthorized control sphere
CWE‑664	C++	cpp/incorrect-string-type-conversion	Cast from char to wchar_t
CWE‑664	C++	cpp/world-writable-file-creation	File created without restricting permissions
CWE‑664	C++	cpp/unsafe-dacl-security-descriptor	Setting a DACL to NULL in a SECURITY_DESCRIPTOR
CWE‑664	C++	cpp/lock-order-cycle	Cyclic lock order dependency
CWE‑664	C++	cpp/twice-locked	Mutex locked twice
CWE‑664	C++	cpp/unreleased-lock	Lock may not be released
CWE‑664	C++	cpp/drop-linux-privileges-outoforder	LinuxPrivilegeDroppingOutoforder
CWE‑664	C++	cpp/private-cleartext-write	Exposure of private information
CWE‑664	C++	cpp/memory-leak-on-failed-call-to-realloc	Memory leak on failed call to realloc
CWE‑664	C++	cpp/resource-not-released-in-destructor	Resource not released in destructor
CWE‑664	C#	cs/dispose-not-called-on-throw	Dispose may not be called if an exception is thrown during execution
CWE‑664	C#	cs/member-not-disposed	Missing Dispose call
CWE‑664	C#	cs/missing-dispose-method	Missing Dispose method
CWE‑664	C#	cs/local-not-disposed	Missing Dispose call on local IDisposable
CWE‑664	C#	cs/class-name-comparison	Erroneous class compare
CWE‑664	C#	cs/web/debug-code	ASP.NET: leftover debug code
CWE‑664	C#	cs/web/html-hidden-input	Use of HTMLInputHidden
CWE‑664	C#	cs/cast-from-abstract-to-concrete-collection	Cast from abstract to concrete collection
CWE‑664	C#	cs/expose-implementation	Exposing internal representation
CWE‑664	C#	cs/static-array	Array constant vulnerable to change
CWE‑664	C#	cs/unsafe-sync-on-field	Futile synchronization on field
CWE‑664	C#	cs/inconsistent-lock-sequence	Inconsistent lock sequence
CWE‑664	C#	cs/lock-this	Locking the 'this' object in a lock statement
CWE‑664	C#	cs/locked-wait	A lock is held during a wait
CWE‑664	C#	cs/unsynchronized-getter	Inconsistently synchronized property
CWE‑664	C#	cs/unsafe-double-checked-lock	Double-checked lock is not thread-safe
CWE‑664	C#	cs/unsynchronized-static-access	Unsynchronized access to static collection member in non-static context
CWE‑664	C#	cs/empty-password-in-configuration	Empty password in configuration file
CWE‑664	C#	cs/password-in-configuration	Password in configuration file
CWE‑664	C#	cs/unassigned-field	Field is never assigned a non-default value
CWE‑664	C#	cs/web/file-upload	Use of file upload
CWE‑664	C#	cs/catch-of-all-exceptions	Generic catch clause
CWE‑664	C#	cs/loss-of-precision	Possible loss of precision
CWE‑664	C#	cs/web/broad-cookie-domain	Cookie security: overly broad domain
CWE‑664	C#	cs/web/broad-cookie-path	Cookie security: overly broad path
CWE‑664	C#	cs/web/persistent-cookie	Cookie security: persistent cookie
CWE‑664	C#	cs/web/debug-binary	Creating an ASP.NET debug binary may reveal sensitive information
CWE‑664	C#	cs/path-injection	Uncontrolled data used in path expression
CWE‑664	C#	cs/zipslip	Arbitrary file write during zip extraction ("Zip Slip")
CWE‑664	C#	cs/code-injection	Improper control of generation of code
CWE‑664	C#	cs/sensitive-data-transmission	Information exposure through transmitted data
CWE‑664	C#	cs/information-exposure-through-exception	Information exposure through an exception
CWE‑664	C#	cs/cleartext-storage-of-sensitive-information	Clear text storage of sensitive information
CWE‑664	C#	cs/exposure-of-sensitive-information	Exposure of private information
CWE‑664	C#	cs/session-reuse	Failure to abandon session
CWE‑664	C#	cs/web/missing-x-frame-options	Missing X-Frame-Options HTTP header
CWE‑664	C#	cs/deserialized-delegate	Deserialized delegate
CWE‑664	C#	cs/unsafe-deserialization	Unsafe deserializer
CWE‑664	C#	cs/unsafe-deserialization-untrusted-input	Deserialization of untrusted data
CWE‑664	C#	cs/web/directory-browse-enabled	ASP.NET config file enables directory browsing
CWE‑664	C#	cs/web/unvalidated-url-redirection	URL redirection from remote source
CWE‑664	C#	cs/xml/insecure-dtd-handling	Untrusted XML is read insecurely
CWE‑664	C#	cs/insecure-xml-read	XML is read insecurely
CWE‑664	C#	cs/redos	Denial of Service from comparison of user input against expensive regex
CWE‑664	C#	cs/regex-injection	Regular expression injection
CWE‑664	C#	cs/hardcoded-connection-string-credentials	Hard-coded connection string with credentials
CWE‑664	C#	cs/hardcoded-credentials	Hard-coded credentials
CWE‑664	C#	cs/user-controlled-bypass	User-controlled bypass of sensitive method
CWE‑664	C#	cs/webclient-path-injection	Uncontrolled data used in a WebClient
CWE‑664	Python	py/catch-base-exception	Except block handles 'BaseException'
CWE‑664	Python	py/implicit-string-concatenation-in-list	Implicit string concatenation in a list
CWE‑664	Python	py/file-not-closed	File is not always closed
CWE‑664	Python	py/path-injection	Uncontrolled data used in path expression
CWE‑664	Python	py/tarslip	Arbitrary file write during tarfile extraction
CWE‑664	Python	py/code-injection	Code injection
CWE‑664	Python	py/stack-trace-exposure	Information exposure through an exception
CWE‑664	Python	py/flask-debug	Flask app is run in debug mode
CWE‑664	Python	py/clear-text-logging-sensitive-data	Clear-text logging of sensitive information
CWE‑664	Python	py/clear-text-storage-sensitive-data	Clear-text storage of sensitive information
CWE‑664	Python	py/insecure-temporary-file	Insecure temporary file
CWE‑664	Python	py/unsafe-deserialization	Deserializing untrusted input
CWE‑664	Python	py/url-redirection	URL redirection from remote source
CWE‑664	Python	py/overly-permissive-file	Overly permissive file permissions
CWE‑664	Python	py/hardcoded-credentials	Hard-coded credentials
CWE‑664	Python	py/regex-injection	Regular expression injection
CWE‑664	JavaScript	js/alert-call	Invocation of alert
CWE‑664	JavaScript	js/unsafe-external-link	Potentially unsafe external link
CWE‑664	JavaScript	js/enabling-electron-renderer-node-integration	Enabling Node.js integration for Electron web content renderers
CWE‑664	JavaScript	js/implicit-operand-conversion	Implicit operand conversion
CWE‑664	JavaScript	js/shift-out-of-range	Shift out of range
CWE‑664	JavaScript	js/debugger-statement	Use of debugger statement
CWE‑664	JavaScript	js/invalid-prototype-value	Invalid prototype value
CWE‑664	JavaScript	js/property-assignment-on-primitive	Assignment to property of primitive value
CWE‑664	JavaScript	js/polynomial-redos	Polynomial regular expression used on uncontrolled data
CWE‑664	JavaScript	js/redos	Inefficient regular expression
CWE‑664	JavaScript	js/path-injection	Uncontrolled data used in path expression
CWE‑664	JavaScript	js/zipslip	Arbitrary file write during zip extraction ("Zip Slip")
CWE‑664	JavaScript	js/template-object-injection	Template Object Injection
CWE‑664	JavaScript	js/code-injection	Code injection
CWE‑664	JavaScript	js/bad-code-sanitization	Improper code sanitization
CWE‑664	JavaScript	js/unsafe-dynamic-method-access	Unsafe dynamic method access
CWE‑664	JavaScript	js/file-access-to-http	File data in outbound network request
CWE‑664	JavaScript	js/exposure-of-private-files	Exposure of private files
CWE‑664	JavaScript	js/cross-window-information-leak	Cross-window communication with unrestricted target origin
CWE‑664	JavaScript	js/stack-trace-exposure	Information exposure through a stack trace
CWE‑664	JavaScript	js/build-artifact-leak	Storage of sensitive information in build artifact
CWE‑664	JavaScript	js/clear-text-logging	Clear-text logging of sensitive information
CWE‑664	JavaScript	js/clear-text-storage-of-sensitive-data	Clear text storage of sensitive information
CWE‑664	JavaScript	js/password-in-configuration-file	Password in configuration file
CWE‑664	JavaScript	js/cors-misconfiguration-for-credentials	CORS misconfiguration for credentials transfer
CWE‑664	JavaScript	js/resource-exhaustion-from-deep-object-traversal	Resources exhaustion from deep object traversal
CWE‑664	JavaScript	js/remote-property-injection	Remote property injection
CWE‑664	JavaScript	js/missing-x-frame-options	Missing X-Frame-Options HTTP header
CWE‑664	JavaScript	js/unsafe-deserialization	Deserialization of user-controlled data
CWE‑664	JavaScript	js/client-side-unvalidated-url-redirection	Client-side URL redirect
CWE‑664	JavaScript	js/server-side-unvalidated-url-redirection	Server-side URL redirect
CWE‑664	JavaScript	js/xxe	XML external entity expansion
CWE‑664	JavaScript	js/host-header-forgery-in-email-generation	Host header poisoning in email generation
CWE‑664	JavaScript	js/regex-injection	Regular expression injection
CWE‑664	JavaScript	js/missing-rate-limiting	Missing rate limiting
CWE‑664	JavaScript	js/xml-bomb	XML internal entity expansion
CWE‑664	JavaScript	js/hardcoded-credentials	Hard-coded credentials
CWE‑664	JavaScript	js/user-controlled-bypass	User-controlled bypass of security check
CWE‑664	JavaScript	js/different-kinds-comparison-bypass	Comparison of user-controlled data of different kinds
CWE‑664	JavaScript	js/insecure-download	Download of sensitive file through insecure connection
CWE‑664	JavaScript	js/type-confusion-through-parameter-tampering	Type confusion through parameter tampering
CWE‑664	JavaScript	js/http-to-file-access	Network data written to file
CWE‑664	JavaScript	js/prototype-polluting-assignment	Prototype-polluting assignment
CWE‑664	JavaScript	js/prototype-pollution-utility	Prototype-polluting function
CWE‑664	JavaScript	js/prototype-pollution	Prototype-polluting merge call
CWE‑664	JavaScript	js/request-forgery	Uncontrolled data used in network request
CWE‑664	JavaScript	js/actions/injection	Expression injection in Actions
CWE‑664	JavaScript	js/actions/pull-request-target	Checkout of untrusted code in trusted context
CWE‑664	JavaScript	js/resource-exhaustion	Resource exhaustion
CWE‑664	Go	go/shift-out-of-range	Shift out of range
CWE‑664	Go	go/path-injection	Uncontrolled data used in path expression
CWE‑664	Go	go/unsafe-unzip-symlink	Arbitrary file write extracting an archive containing symbolic links
CWE‑664	Go	go/zipslip	Arbitrary file write during zip extraction ("zip slip")
CWE‑664	Go	go/unsafe-quoting	Potentially unsafe quoting
CWE‑664	Go	go/stack-trace-exposure	Information exposure through a stack trace
CWE‑664	Go	go/clear-text-logging	Clear-text logging of sensitive information
CWE‑664	Go	go/bad-redirect-check	Bad redirect check
CWE‑664	Go	go/unvalidated-url-redirection	Open URL redirect
CWE‑664	Go	go/email-injection	Email content injection
CWE‑664	Go	go/incorrect-integer-conversion	Incorrect conversion between integer types
CWE‑664	Go	go/hardcoded-credentials	Hard-coded credentials
CWE‑664	Go	go/request-forgery	Uncontrolled data used in network request
CWE‑664	Go	go/sensitive-condition-bypass	User-controlled bypassing of sensitive action
CWE‑665	Java	java/unassigned-field	Field is never assigned a non-null value
CWE‑665	C++	cpp/global-use-before-init	Global variable may be used before initialization
CWE‑665	C++	cpp/initialization-not-run	Initialization code not run
CWE‑665	C++	cpp/not-initialised	Variable not initialized before use
CWE‑665	C++	cpp/alloca-in-loop	Call to alloca in a loop
CWE‑665	C++	cpp/improper-null-termination	Potential improper null termination
CWE‑665	C++	cpp/uninitialized-local	Potentially uninitialized local variable
CWE‑665	C++	cpp/conditionally-uninitialized-variable	Conditionally uninitialized variable
CWE‑665	C#	cs/unassigned-field	Field is never assigned a non-default value
CWE‑665	Python	py/implicit-string-concatenation-in-list	Implicit string concatenation in a list
CWE‑665	JavaScript	js/missing-rate-limiting	Missing rate limiting
CWE‑665	JavaScript	js/resource-exhaustion	Resource exhaustion
CWE‑666	C++	cpp/use-after-free	Potential use after free
CWE‑666	C++	cpp/return-stack-allocated-memory	Returning stack-allocated memory
CWE‑666	C++	cpp/self-assignment-check	Self assignment check
CWE‑667	Java	java/unsafe-double-checked-locking	Double-checked locking is not thread-safe
CWE‑667	Java	java/unsafe-double-checked-locking-init-order	Race condition in double-checked locking object initialization
CWE‑667	Java	java/lazy-initialization	Incorrect lazy initialization of a static field
CWE‑667	Java	java/sleep-with-lock-held	Sleep with lock held
CWE‑667	Java	java/unsynchronized-getter	Inconsistent synchronization of getter and setter
CWE‑667	Java	java/unreleased-lock	Unreleased lock
CWE‑667	Java	java/wait-with-two-locks	Wait with two locks held
CWE‑667	Java	java/lock-order-inconsistency	Lock order inconsistency
CWE‑667	C++	cpp/lock-order-cycle	Cyclic lock order dependency
CWE‑667	C++	cpp/twice-locked	Mutex locked twice
CWE‑667	C++	cpp/unreleased-lock	Lock may not be released
CWE‑667	C#	cs/locked-wait	A lock is held during a wait
CWE‑667	C#	cs/unsafe-double-checked-lock	Double-checked lock is not thread-safe
CWE‑668	Java	java/path-injection	Uncontrolled data used in path expression
CWE‑668	Java	java/path-injection-local	Local-user-controlled data in path expression
CWE‑668	Java	java/zipslip	Arbitrary file write during archive extraction ("Zip Slip")
CWE‑668	Java	java/stack-trace-exposure	Information exposure through a stack trace
CWE‑668	Java	java/world-writable-file-read	Reading from a world writable file
CWE‑668	Java	java/static-array	Array constant vulnerable to change
CWE‑668	Java	java/openstream-called-on-tainted-url	openStream called on URLs created from remote source
CWE‑668	Java	java/credentials-in-properties	Cleartext Credentials in Properties File
CWE‑668	Java	java/password-in-configuration	Password in configuration file
CWE‑668	C++	cpp/path-injection	Uncontrolled data used in path expression
CWE‑668	C++	cpp/unsafe-create-process-call	NULL application name with an unquoted path in call to CreateProcess
CWE‑668	C++	cpp/system-data-exposure	Exposure of system data to an unauthorized control sphere
CWE‑668	C++	cpp/world-writable-file-creation	File created without restricting permissions
CWE‑668	C++	cpp/unsafe-dacl-security-descriptor	Setting a DACL to NULL in a SECURITY_DESCRIPTOR
CWE‑668	C++	cpp/private-cleartext-write	Exposure of private information
CWE‑668	C#	cs/web/html-hidden-input	Use of HTMLInputHidden
CWE‑668	C#	cs/static-array	Array constant vulnerable to change
CWE‑668	C#	cs/empty-password-in-configuration	Empty password in configuration file
CWE‑668	C#	cs/password-in-configuration	Password in configuration file
CWE‑668	C#	cs/web/persistent-cookie	Cookie security: persistent cookie
CWE‑668	C#	cs/web/debug-binary	Creating an ASP.NET debug binary may reveal sensitive information
CWE‑668	C#	cs/path-injection	Uncontrolled data used in path expression
CWE‑668	C#	cs/zipslip	Arbitrary file write during zip extraction ("Zip Slip")
CWE‑668	C#	cs/sensitive-data-transmission	Information exposure through transmitted data
CWE‑668	C#	cs/information-exposure-through-exception	Information exposure through an exception
CWE‑668	C#	cs/cleartext-storage-of-sensitive-information	Clear text storage of sensitive information
CWE‑668	C#	cs/exposure-of-sensitive-information	Exposure of private information
CWE‑668	C#	cs/web/directory-browse-enabled	ASP.NET config file enables directory browsing
CWE‑668	C#	cs/webclient-path-injection	Uncontrolled data used in a WebClient
CWE‑668	Python	py/path-injection	Uncontrolled data used in path expression
CWE‑668	Python	py/tarslip	Arbitrary file write during tarfile extraction
CWE‑668	Python	py/stack-trace-exposure	Information exposure through an exception
CWE‑668	Python	py/flask-debug	Flask app is run in debug mode
CWE‑668	Python	py/clear-text-logging-sensitive-data	Clear-text logging of sensitive information
CWE‑668	Python	py/clear-text-storage-sensitive-data	Clear-text storage of sensitive information
CWE‑668	Python	py/insecure-temporary-file	Insecure temporary file
CWE‑668	Python	py/overly-permissive-file	Overly permissive file permissions
CWE‑668	JavaScript	js/unsafe-external-link	Potentially unsafe external link
CWE‑668	JavaScript	js/path-injection	Uncontrolled data used in path expression
CWE‑668	JavaScript	js/zipslip	Arbitrary file write during zip extraction ("Zip Slip")
CWE‑668	JavaScript	js/template-object-injection	Template Object Injection
CWE‑668	JavaScript	js/file-access-to-http	File data in outbound network request
CWE‑668	JavaScript	js/exposure-of-private-files	Exposure of private files
CWE‑668	JavaScript	js/cross-window-information-leak	Cross-window communication with unrestricted target origin
CWE‑668	JavaScript	js/stack-trace-exposure	Information exposure through a stack trace
CWE‑668	JavaScript	js/build-artifact-leak	Storage of sensitive information in build artifact
CWE‑668	JavaScript	js/clear-text-logging	Clear-text logging of sensitive information
CWE‑668	JavaScript	js/clear-text-storage-of-sensitive-data	Clear text storage of sensitive information
CWE‑668	JavaScript	js/password-in-configuration-file	Password in configuration file
CWE‑668	Go	go/path-injection	Uncontrolled data used in path expression
CWE‑668	Go	go/unsafe-unzip-symlink	Arbitrary file write extracting an archive containing symbolic links
CWE‑668	Go	go/zipslip	Arbitrary file write during zip extraction ("zip slip")
CWE‑668	Go	go/stack-trace-exposure	Information exposure through a stack trace
CWE‑668	Go	go/clear-text-logging	Clear-text logging of sensitive information
CWE‑669	Java	java/xxe	Resolving XML external entity in user-controlled data
CWE‑669	Java	java/maven/non-https-url	Failure to use HTTPS or SFTP URL in Maven artifact upload/download
CWE‑669	C#	cs/web/file-upload	Use of file upload
CWE‑669	C#	cs/web/missing-x-frame-options	Missing X-Frame-Options HTTP header
CWE‑669	C#	cs/xml/insecure-dtd-handling	Untrusted XML is read insecurely
CWE‑669	C#	cs/insecure-xml-read	XML is read insecurely
CWE‑669	JavaScript	js/missing-x-frame-options	Missing X-Frame-Options HTTP header
CWE‑669	JavaScript	js/xxe	XML external entity expansion
CWE‑669	JavaScript	js/insecure-download	Download of sensitive file through insecure connection
CWE‑669	JavaScript	js/http-to-file-access	Network data written to file
CWE‑670	Java	java/whitespace-contradicts-precedence	Whitespace contradicts operator precedence
CWE‑670	Java	java/assignment-in-boolean-expression	Assignment in Boolean expression
CWE‑670	Java	java/reference-equality-on-strings	Reference equality test on strings
CWE‑670	Java	java/switch-fall-through	Unterminated switch case
CWE‑670	C++	cpp/assign-where-compare-meant	Assignment where comparison was intended
CWE‑670	C++	cpp/compare-where-assign-meant	Comparison where assignment was intended
CWE‑670	C++	cpp/incorrect-not-operator-usage	Incorrect 'not' operator usage
CWE‑670	C++	cpp/logical-operator-applied-to-flag	Short-circuiting operator applied to flag
CWE‑670	C++	cpp/unsafe-use-of-this	Unsafe use of this in constructor
CWE‑670	C++	cpp/operator-precedence-logic-error-when-use-bool-type	Operator Precedence Logic Error When Use Bool Type
CWE‑670	C#	cs/non-short-circuit	Potentially dangerous use of non-short-circuit logic
CWE‑670	Python	py/asserts-tuple	Asserting a tuple
CWE‑670	JavaScript	js/useless-expression	Expression has no effect
CWE‑670	JavaScript	js/redundant-operation	Identical operands
CWE‑670	JavaScript	js/redundant-assignment	Self assignment
CWE‑670	JavaScript	js/unclear-operator-precedence	Unclear precedence of nested operators
CWE‑670	JavaScript	js/whitespace-contradicts-precedence	Whitespace contradicts operator precedence
CWE‑670	JavaScript	js/deletion-of-non-property	Deleting non-property
CWE‑670	JavaScript	js/misleading-indentation-of-dangling-else	Misleading indentation of dangling 'else'
CWE‑670	JavaScript	js/misleading-indentation-after-control-statement	Misleading indentation after control statement
CWE‑670	Go	go/whitespace-contradicts-precedence	Whitespace contradicts operator precedence
CWE‑670	Go	go/useless-expression	Expression has no effect
CWE‑670	Go	go/redundant-operation	Identical operands
CWE‑670	Go	go/redundant-assignment	Self assignment
CWE‑671	Java	java/hardcoded-credential-api-call	Hard-coded credential in API call
CWE‑671	Java	java/hardcoded-credential-comparison	Hard-coded credential comparison
CWE‑671	Java	java/hardcoded-credential-sensitive-call	Hard-coded credential in sensitive call
CWE‑671	Java	java/hardcoded-password-field	Hard-coded password field
CWE‑671	C#	cs/hardcoded-connection-string-credentials	Hard-coded connection string with credentials
CWE‑671	C#	cs/hardcoded-credentials	Hard-coded credentials
CWE‑671	Python	py/hardcoded-credentials	Hard-coded credentials
CWE‑671	JavaScript	js/hardcoded-credentials	Hard-coded credentials
CWE‑671	Go	go/hardcoded-credentials	Hard-coded credentials
CWE‑672	C++	cpp/use-after-free	Potential use after free
CWE‑672	C++	cpp/return-stack-allocated-memory	Returning stack-allocated memory
CWE‑674	Java	java/xxe	Resolving XML external entity in user-controlled data
CWE‑674	C#	cs/xml/insecure-dtd-handling	Untrusted XML is read insecurely
CWE‑674	C#	cs/insecure-xml-read	XML is read insecurely
CWE‑674	JavaScript	js/xml-bomb	XML internal entity expansion
CWE‑675	Java	java/unreleased-lock	Unreleased lock
CWE‑675	C++	cpp/lock-order-cycle	Cyclic lock order dependency
CWE‑675	C++	cpp/twice-locked	Mutex locked twice
CWE‑675	C++	cpp/unreleased-lock	Lock may not be released
CWE‑676	Java	java/potentially-dangerous-function	Use of a potentially dangerous function
CWE‑676	C++	cpp/bad-strncpy-size	Possibly wrong buffer size in string copy
CWE‑676	C++	cpp/suspicious-call-to-memset	Suspicious call to memset
CWE‑676	C++	cpp/unsafe-strncat	Potentially unsafe call to strncat
CWE‑676	C++	cpp/unsafe-strcat	Potentially unsafe use of strcat
CWE‑676	C++	cpp/dangerous-function-overflow	Use of dangerous function
CWE‑676	C++	cpp/dangerous-cin	Dangerous use of 'cin'
CWE‑676	C++	cpp/potentially-dangerous-function	Use of potentially dangerous function
CWE‑676	JavaScript	js/eval-like-call	Call to eval-like DOM function
CWE‑676	JavaScript	js/eval-call	Use of eval
CWE‑681	Java	java/implicit-cast-in-compound-assignment	Implicit narrowing conversion in compound assignment
CWE‑681	Java	java/integer-multiplication-cast-to-long	Result of multiplication cast to wider type
CWE‑681	Java	java/comparison-with-wider-type	Comparison of narrow type with wide type in loop condition
CWE‑681	Java	java/tainted-numeric-cast	User-controlled data in numeric cast
CWE‑681	Java	java/tainted-numeric-cast-local	Local-user-controlled data in numeric cast
CWE‑681	C++	cpp/bad-addition-overflow-check	Bad check for overflow of integer addition
CWE‑681	C++	cpp/integer-multiplication-cast-to-long	Multiplication result converted to larger type
CWE‑681	C++	cpp/comparison-with-wider-type	Comparison of narrow type with wide type in loop condition
CWE‑681	C++	cpp/integer-overflow-tainted	Potential integer arithmetic overflow
CWE‑681	C#	cs/loss-of-precision	Possible loss of precision
CWE‑681	JavaScript	js/shift-out-of-range	Shift out of range
CWE‑681	Go	go/shift-out-of-range	Shift out of range
CWE‑681	Go	go/incorrect-integer-conversion	Incorrect conversion between integer types
CWE‑682	Java	java/implicit-cast-in-compound-assignment	Implicit narrowing conversion in compound assignment
CWE‑682	Java	java/integer-multiplication-cast-to-long	Result of multiplication cast to wider type
CWE‑682	Java	java/index-out-of-bounds	Array index out of bounds
CWE‑682	Java	java/tainted-arithmetic	User-controlled data in arithmetic expression
CWE‑682	Java	java/tainted-arithmetic-local	Local-user-controlled data in arithmetic expression
CWE‑682	Java	java/uncontrolled-arithmetic	Uncontrolled data in arithmetic expression
CWE‑682	Java	java/extreme-value-arithmetic	Use of extreme values in arithmetic expression
CWE‑682	Java	java/comparison-with-wider-type	Comparison of narrow type with wide type in loop condition
CWE‑682	C++	cpp/overflow-calculated	Buffer not sufficient for string
CWE‑682	C++	cpp/overflow-destination	Copy function using source size
CWE‑682	C++	cpp/static-buffer-overflow	Static array access may cause overflow
CWE‑682	C++	cpp/allocation-too-small	Not enough memory allocated for pointer type
CWE‑682	C++	cpp/suspicious-allocation-size	Not enough memory allocated for array of pointer type
CWE‑682	C++	cpp/ambiguously-signed-bit-field	Ambiguously signed bit-field member
CWE‑682	C++	cpp/bad-addition-overflow-check	Bad check for overflow of integer addition
CWE‑682	C++	cpp/integer-multiplication-cast-to-long	Multiplication result converted to larger type
CWE‑682	C++	cpp/signed-overflow-check	Signed overflow check
CWE‑682	C++	cpp/overflowing-snprintf	Potentially overflowing call to snprintf
CWE‑682	C++	cpp/suspicious-sizeof	Suspicious 'sizeof' use
CWE‑682	C++	cpp/no-space-for-terminator	No space for zero terminator
CWE‑682	C++	cpp/tainted-arithmetic	User-controlled data in arithmetic expression
CWE‑682	C++	cpp/uncontrolled-arithmetic	Uncontrolled data in arithmetic expression
CWE‑682	C++	cpp/arithmetic-with-extreme-values	Use of extreme values in arithmetic expression
CWE‑682	C++	cpp/comparison-with-wider-type	Comparison of narrow type with wide type in loop condition
CWE‑682	C++	cpp/integer-overflow-tainted	Potential integer arithmetic overflow
CWE‑682	C++	cpp/uncontrolled-allocation-size	Overflow in uncontrolled allocation size
CWE‑682	C++	cpp/unsigned-difference-expression-compared-zero	Unsigned difference expression compared to zero
CWE‑682	C++	cpp/suspicious-pointer-scaling	Suspicious pointer scaling
CWE‑682	C++	cpp/incorrect-pointer-scaling-char	Suspicious pointer scaling to char
CWE‑682	C++	cpp/suspicious-pointer-scaling-void	Suspicious pointer scaling to void
CWE‑682	C++	cpp/suspicious-add-sizeof	Suspicious add with sizeof
CWE‑682	C++	cpp/multiplication-overflow-in-alloc	Multiplication result may overflow and be used in allocation
CWE‑682	C++	cpp/signed-bit-field	Possible signed bit-field member
CWE‑682	C#	cs/loss-of-precision	Possible loss of precision
CWE‑682	C#	cs/index-out-of-bounds	Off-by-one comparison against container length
CWE‑682	JavaScript	js/index-out-of-bounds	Off-by-one comparison against length
CWE‑682	Go	go/index-out-of-bounds	Off-by-one comparison against length
CWE‑682	Go	go/allocation-size-overflow	Size computation for allocation may overflow
CWE‑682	Go	go/incorrect-integer-conversion	Incorrect conversion between integer types
CWE‑682	Go	go/divide-by-zero	Divide by zero
CWE‑684	C#	cs/web/missing-x-frame-options	Missing X-Frame-Options HTTP header
CWE‑684	JavaScript	js/missing-x-frame-options	Missing X-Frame-Options HTTP header
CWE‑685	Java	java/missing-format-argument	Missing format argument
CWE‑685	Java	java/unused-format-argument	Unused format argument
CWE‑685	C++	cpp/wrong-number-format-arguments	Too few arguments to formatting function
CWE‑685	C++	cpp/too-few-arguments	Call to function with fewer arguments than declared parameters
CWE‑685	Python	py/call/wrong-number-class-arguments	Wrong number of arguments in a class instantiation
CWE‑685	Python	py/percent-format/wrong-arguments	Wrong number of arguments for format
CWE‑685	Python	py/call/wrong-arguments	Wrong number of arguments in a call
CWE‑685	JavaScript	js/superfluous-trailing-arguments	Superfluous trailing arguments
CWE‑686	C++	cpp/wrong-type-format-argument	Wrong type of arguments to formatting function
CWE‑687	Python	py/super-not-enclosing-class	First argument to super() is not enclosing class
CWE‑691	Java	java/ejb/container-interference	EJB interferes with container operation
CWE‑691	Java	java/ejb/synchronization	EJB uses synchronization
CWE‑691	Java	java/whitespace-contradicts-precedence	Whitespace contradicts operator precedence
CWE‑691	Java	java/assignment-in-boolean-expression	Assignment in Boolean expression
CWE‑691	Java	java/reference-equality-on-strings	Reference equality test on strings
CWE‑691	Java	java/wait-on-condition-interface	Wait on condition
CWE‑691	Java	java/call-to-thread-run	Direct call to a run() method
CWE‑691	Java	java/unsafe-double-checked-locking	Double-checked locking is not thread-safe
CWE‑691	Java	java/unsafe-double-checked-locking-init-order	Race condition in double-checked locking object initialization
CWE‑691	Java	java/unsafe-sync-on-field	Futile synchronization on field
CWE‑691	Java	java/inconsistent-field-synchronization	Inconsistent synchronization for field
CWE‑691	Java	java/lazy-initialization	Incorrect lazy initialization of a static field
CWE‑691	Java	java/non-sync-override	Non-synchronized override of synchronized method
CWE‑691	Java	java/notify-instead-of-notify-all	notify instead of notifyAll
CWE‑691	Java	java/sleep-with-lock-held	Sleep with lock held
CWE‑691	Java	java/sync-on-boxed-types	Synchronization on boxed types or strings
CWE‑691	Java	java/unsynchronized-getter	Inconsistent synchronization of getter and setter
CWE‑691	Java	java/inconsistent-sync-writeobject	Inconsistent synchronization for writeObject()
CWE‑691	Java	java/unreleased-lock	Unreleased lock
CWE‑691	Java	java/wait-with-two-locks	Wait with two locks held
CWE‑691	Java	java/non-short-circuit-evaluation	Dangerous non-short-circuit logic
CWE‑691	Java	java/constant-loop-condition	Constant loop condition
CWE‑691	Java	java/insecure-bean-validation	Insecure Bean Validation
CWE‑691	Java	java/toctou-race-condition	Time-of-check time-of-use race condition
CWE‑691	Java	java/socket-auth-race-condition	Race condition in socket authentication
CWE‑691	Java	java/xxe	Resolving XML external entity in user-controlled data
CWE‑691	Java	java/lock-order-inconsistency	Lock order inconsistency
CWE‑691	Java	java/unreachable-exit-in-loop	Loop with unreachable exit condition
CWE‑691	Java	java/switch-fall-through	Unterminated switch case
CWE‑691	Java	java/overly-general-catch	Overly-general catch clause
CWE‑691	Java	java/uncaught-number-format-exception	Missing catch of NumberFormatException
CWE‑691	Java	java/jvm-exit	Forcible JVM termination
CWE‑691	Java	java/abnormal-finally-completion	Finally block may not complete normally
CWE‑691	Java	java/groovy-injection	Groovy Language injection
CWE‑691	Java	java/android-insecure-dex-loading	Insecure loading of an Android Dex File
CWE‑691	Java	java/javaee-expression-injection	Jakarta Expression Language injection
CWE‑691	Java	java/jexl-expression-injection	Expression language injection (JEXL)
CWE‑691	Java	java/mvel-expression-injection	Expression language injection (MVEL)
CWE‑691	Java	java/unsafe-eval	ScriptEngine evaluation
CWE‑691	Java	java/spel-expression-injection	Expression language injection (Spring)
CWE‑691	Java	java/spring-view-manipulation-implicit	Spring Implicit View Manipulation
CWE‑691	Java	java/spring-view-manipulation	Spring View Manipulation
CWE‑691	Java	java/android/unsafe-android-webview-fetch	Unsafe resource fetching in Android webview
CWE‑691	C++	cpp/assign-where-compare-meant	Assignment where comparison was intended
CWE‑691	C++	cpp/compare-where-assign-meant	Comparison where assignment was intended
CWE‑691	C++	cpp/incorrect-not-operator-usage	Incorrect 'not' operator usage
CWE‑691	C++	cpp/logical-operator-applied-to-flag	Short-circuiting operator applied to flag
CWE‑691	C++	cpp/inconsistent-loop-direction	Inconsistent direction of for loop
CWE‑691	C++	cpp/unsafe-use-of-this	Unsafe use of this in constructor
CWE‑691	C++	cpp/comparison-with-wider-type	Comparison of narrow type with wide type in loop condition
CWE‑691	C++	cpp/toctou-race-condition	Time-of-check time-of-use filesystem race condition
CWE‑691	C++	cpp/lock-order-cycle	Cyclic lock order dependency
CWE‑691	C++	cpp/twice-locked	Mutex locked twice
CWE‑691	C++	cpp/unreleased-lock	Lock may not be released
CWE‑691	C++	cpp/infinite-loop-with-unsatisfiable-exit-condition	Infinite loop with unsatisfiable exit condition
CWE‑691	C++	cpp/errors-after-refactoring	Errors After Refactoring
CWE‑691	C++	cpp/errors-when-using-bit-operations	Errors When Using Bit Operations
CWE‑691	C++	cpp/operator-precedence-logic-error-when-use-bool-type	Operator Precedence Logic Error When Use Bool Type
CWE‑691	C#	cs/catch-nullreferenceexception	Poor error handling: catch of NullReferenceException
CWE‑691	C#	cs/constant-condition	Constant condition
CWE‑691	C#	cs/unsafe-sync-on-field	Futile synchronization on field
CWE‑691	C#	cs/inconsistent-lock-sequence	Inconsistent lock sequence
CWE‑691	C#	cs/lock-this	Locking the 'this' object in a lock statement
CWE‑691	C#	cs/locked-wait	A lock is held during a wait
CWE‑691	C#	cs/unsynchronized-getter	Inconsistently synchronized property
CWE‑691	C#	cs/unsafe-double-checked-lock	Double-checked lock is not thread-safe
CWE‑691	C#	cs/unsynchronized-static-access	Unsynchronized access to static collection member in non-static context
CWE‑691	C#	cs/catch-of-all-exceptions	Generic catch clause
CWE‑691	C#	cs/non-short-circuit	Potentially dangerous use of non-short-circuit logic
CWE‑691	C#	cs/thread-unsafe-icryptotransform-field-in-class	Thread-unsafe use of a static ICryptoTransform field
CWE‑691	C#	cs/thread-unsafe-icryptotransform-captured-in-lambda	Thread-unsafe capturing of an ICryptoTransform object
CWE‑691	C#	cs/linq/inconsistent-enumeration	Bad multiple iteration
CWE‑691	C#	cs/code-injection	Improper control of generation of code
CWE‑691	C#	cs/web/missing-global-error-handler	Missing global error handler
CWE‑691	C#	cs/xml/insecure-dtd-handling	Untrusted XML is read insecurely
CWE‑691	C#	cs/insecure-xml-read	XML is read insecurely
CWE‑691	Python	py/catch-base-exception	Except block handles 'BaseException'
CWE‑691	Python	py/code-injection	Code injection
CWE‑691	Python	py/asserts-tuple	Asserting a tuple
CWE‑691	Python	py/exit-from-finally	'break' or 'return' statement in finally
CWE‑691	JavaScript	js/enabling-electron-renderer-node-integration	Enabling Node.js integration for Electron web content renderers
CWE‑691	JavaScript	js/useless-expression	Expression has no effect
CWE‑691	JavaScript	js/redundant-operation	Identical operands
CWE‑691	JavaScript	js/redundant-assignment	Self assignment
CWE‑691	JavaScript	js/unclear-operator-precedence	Unclear precedence of nested operators
CWE‑691	JavaScript	js/whitespace-contradicts-precedence	Whitespace contradicts operator precedence
CWE‑691	JavaScript	js/deletion-of-non-property	Deleting non-property
CWE‑691	JavaScript	js/exit-from-finally	Jump from finally
CWE‑691	JavaScript	js/template-object-injection	Template Object Injection
CWE‑691	JavaScript	js/code-injection	Code injection
CWE‑691	JavaScript	js/bad-code-sanitization	Improper code sanitization
CWE‑691	JavaScript	js/unsafe-dynamic-method-access	Unsafe dynamic method access
CWE‑691	JavaScript	js/missing-rate-limiting	Missing rate limiting
CWE‑691	JavaScript	js/xml-bomb	XML internal entity expansion
CWE‑691	JavaScript	js/loop-bound-injection	Loop bound injection
CWE‑691	JavaScript	js/prototype-polluting-assignment	Prototype-polluting assignment
CWE‑691	JavaScript	js/prototype-pollution-utility	Prototype-polluting function
CWE‑691	JavaScript	js/prototype-pollution	Prototype-polluting merge call
CWE‑691	JavaScript	js/misleading-indentation-of-dangling-else	Misleading indentation of dangling 'else'
CWE‑691	JavaScript	js/inconsistent-loop-direction	Inconsistent direction of for loop
CWE‑691	JavaScript	js/misleading-indentation-after-control-statement	Misleading indentation after control statement
CWE‑691	JavaScript	js/actions/injection	Expression injection in Actions
CWE‑691	JavaScript	js/actions/pull-request-target	Checkout of untrusted code in trusted context
CWE‑691	Go	go/inconsistent-loop-direction	Inconsistent direction of for loop
CWE‑691	Go	go/whitespace-contradicts-precedence	Whitespace contradicts operator precedence
CWE‑691	Go	go/useless-expression	Expression has no effect
CWE‑691	Go	go/redundant-operation	Identical operands
CWE‑691	Go	go/redundant-assignment	Self assignment
CWE‑691	Go	go/unsafe-quoting	Potentially unsafe quoting
CWE‑693	Java	java/count-untrusted-data-external-api	Frequency counts for external APIs that are used with untrusted data
CWE‑693	Java	java/untrusted-data-to-external-api	Untrusted data passed to external API
CWE‑693	Java	java/improper-validation-of-array-construction	Improper validation of user-provided size used for array construction
CWE‑693	Java	java/improper-validation-of-array-construction-code-specified	Improper validation of code-specified size used for array construction
CWE‑693	Java	java/improper-validation-of-array-construction-local	Improper validation of local user-provided size used for array construction
CWE‑693	Java	java/improper-validation-of-array-index	Improper validation of user-provided array index
CWE‑693	Java	java/improper-validation-of-array-index-code-specified	Improper validation of code-specified array index
CWE‑693	Java	java/improper-validation-of-array-index-local	Improper validation of local user-provided array index
CWE‑693	Java	java/unsafe-hostname-verification	Unsafe hostname verification
CWE‑693	Java	java/cleartext-storage-in-class	Cleartext storage of sensitive information using storable class
CWE‑693	Java	java/cleartext-storage-in-cookie	Cleartext storage of sensitive information in cookie
CWE‑693	Java	java/cleartext-storage-in-properties	Cleartext storage of sensitive information using 'Properties' class
CWE‑693	Java	java/non-https-url	Failure to use HTTPS URLs
CWE‑693	Java	java/non-ssl-connection	Failure to use SSL
CWE‑693	Java	java/non-ssl-socket-factory	Failure to use SSL socket factories
CWE‑693	Java	java/weak-cryptographic-algorithm	Use of a broken or risky cryptographic algorithm
CWE‑693	Java	java/potentially-weak-cryptographic-algorithm	Use of a potentially broken or risky cryptographic algorithm
CWE‑693	Java	java/spring-disabled-csrf-protection	Disabled Spring CSRF protection
CWE‑693	Java	java/socket-auth-race-condition	Race condition in socket authentication
CWE‑693	Java	java/insecure-cookie	Failure to use secure cookies
CWE‑693	Java	java/world-writable-file-read	Reading from a world writable file
CWE‑693	Java	java/hardcoded-credential-api-call	Hard-coded credential in API call
CWE‑693	Java	java/hardcoded-credential-comparison	Hard-coded credential comparison
CWE‑693	Java	java/hardcoded-credential-sensitive-call	Hard-coded credential in sensitive call
CWE‑693	Java	java/hardcoded-password-field	Hard-coded password field
CWE‑693	Java	java/user-controlled-bypass	User-controlled bypass of sensitive method
CWE‑693	Java	java/tainted-permissions-check	User-controlled data used in permissions check
CWE‑693	Java	java/maven/non-https-url	Failure to use HTTPS or SFTP URL in Maven artifact upload/download
CWE‑693	Java	java/jxbrowser/disabled-certificate-validation	JxBrowser with disabled certificate validation
CWE‑693	Java	java/disabled-certificate-revocation-checking	Disabled ceritificate revocation checking
CWE‑693	Java	java/android/cleartext-storage-shared-prefs	Cleartext storage of sensitive information using SharedPreferences on Android
CWE‑693	Java	java/insufficient-key-size	Weak encryption: Insufficient key size
CWE‑693	Java	java/unsafe-tls-version	Unsafe TLS version
CWE‑693	Java	java/unvalidated-cors-origin-set	CORS is derived from untrusted input
CWE‑693	Java	java/missing-jwt-signature-check	Missing JWT signature check
CWE‑693	Java	java/ip-address-spoofing	IP address spoofing
CWE‑693	Java	java/jsonp-injection	JSONP Injection
CWE‑693	Java	java/credentials-in-properties	Cleartext Credentials in Properties File
CWE‑693	Java	java/password-in-configuration	Password in configuration file
CWE‑693	C++	cpp/count-untrusted-data-external-api	Frequency counts for external APIs that are used with untrusted data
CWE‑693	C++	cpp/count-untrusted-data-external-api-ir	Frequency counts for external APIs that are used with untrusted data
CWE‑693	C++	cpp/untrusted-data-to-external-api-ir	Untrusted data passed to external API
CWE‑693	C++	cpp/untrusted-data-to-external-api	Untrusted data passed to external API
CWE‑693	C++	cpp/uncontrolled-process-operation	Uncontrolled process operation
CWE‑693	C++	cpp/unclear-array-index-validation	Unclear validation of array index
CWE‑693	C++	cpp/user-controlled-bypass	Authentication bypass by spoofing
CWE‑693	C++	cpp/cleartext-storage-buffer	Cleartext storage of sensitive information in buffer
CWE‑693	C++	cpp/cleartext-storage-file	Cleartext storage of sensitive information in file
CWE‑693	C++	cpp/cleartext-storage-database	Cleartext storage of sensitive information in an SQLite database
CWE‑693	C++	cpp/weak-cryptographic-algorithm	Use of a broken or risky cryptographic algorithm
CWE‑693	C++	cpp/openssl-heartbleed	Use of a version of OpenSSL with Heartbleed
CWE‑693	C++	cpp/world-writable-file-creation	File created without restricting permissions
CWE‑693	C++	cpp/unsafe-dacl-security-descriptor	Setting a DACL to NULL in a SECURITY_DESCRIPTOR
CWE‑693	C++	cpp/tainted-permissions-check	Untrusted input for a condition
CWE‑693	C++	cpp/late-check-of-function-argument	Late Check Of Function Argument
CWE‑693	C++	cpp/drop-linux-privileges-outoforder	LinuxPrivilegeDroppingOutoforder
CWE‑693	C#	cs/empty-password-in-configuration	Empty password in configuration file
CWE‑693	C#	cs/password-in-configuration	Password in configuration file
CWE‑693	C#	cs/web/broad-cookie-domain	Cookie security: overly broad domain
CWE‑693	C#	cs/web/broad-cookie-path	Cookie security: overly broad path
CWE‑693	C#	cs/ecb-encryption	Encryption using ECB
CWE‑693	C#	cs/inadequate-rsa-padding	Weak encryption: inadequate RSA padding
CWE‑693	C#	cs/insufficient-key-size	Weak encryption: Insufficient key size
CWE‑693	C#	cs/weak-encryption	Weak encryption
CWE‑693	C#	csharp/count-untrusted-data-external-api	Frequency counts for external APIs that are used with untrusted data
CWE‑693	C#	cs/serialization-check-bypass	Serialization check bypass
CWE‑693	C#	csharp/untrusted-data-to-external-api	Untrusted data passed to external API
CWE‑693	C#	cs/xml/missing-validation	Missing XML validation
CWE‑693	C#	cs/assembly-path-injection	Assembly path injection
CWE‑693	C#	cs/cleartext-storage-of-sensitive-information	Clear text storage of sensitive information
CWE‑693	C#	cs/adding-cert-to-root-store	Do not add certificates to the system root store.
CWE‑693	C#	cs/insecure-sql-connection	Insecure SQL connection
CWE‑693	C#	cs/web/missing-token-validation	Missing cross-site request forgery token validation
CWE‑693	C#	cs/session-reuse	Failure to abandon session
CWE‑693	C#	cs/web/requiressl-not-set	'requireSSL' attribute is not set to true
CWE‑693	C#	cs/hardcoded-connection-string-credentials	Hard-coded connection string with credentials
CWE‑693	C#	cs/hardcoded-credentials	Hard-coded credentials
CWE‑693	C#	cs/user-controlled-bypass	User-controlled bypass of sensitive method
CWE‑693	Python	py/incomplete-hostname-regexp	Incomplete regular expression for hostnames
CWE‑693	Python	py/incomplete-url-substring-sanitization	Incomplete URL substring sanitization
CWE‑693	Python	python/count-untrusted-data-external-api	Frequency counts for external APIs that are used with untrusted data
CWE‑693	Python	python/untrusted-data-to-external-api	Untrusted data passed to external API
CWE‑693	Python	py/paramiko-missing-host-key-validation	Accepting unknown SSH host keys when using Paramiko
CWE‑693	Python	py/request-without-cert-validation	Request without certificate validation
CWE‑693	Python	py/clear-text-logging-sensitive-data	Clear-text logging of sensitive information
CWE‑693	Python	py/clear-text-storage-sensitive-data	Clear-text storage of sensitive information
CWE‑693	Python	py/weak-crypto-key	Use of weak cryptographic key
CWE‑693	Python	py/weak-cryptographic-algorithm	Use of a broken or weak cryptographic algorithm
CWE‑693	Python	py/insecure-default-protocol	Default version of SSL/TLS may be insecure
CWE‑693	Python	py/insecure-protocol	Use of insecure SSL/TLS version
CWE‑693	Python	py/overly-permissive-file	Overly permissive file permissions
CWE‑693	Python	py/hardcoded-credentials	Hard-coded credentials
CWE‑693	JavaScript	js/angular/insecure-url-whitelist	Insecure URL whitelist
CWE‑693	JavaScript	js/count-untrusted-data-external-api	Frequency counts for external APIs that are used with untrusted data
CWE‑693	JavaScript	js/incomplete-hostname-regexp	Incomplete regular expression for hostnames
CWE‑693	JavaScript	js/incomplete-url-scheme-check	Incomplete URL scheme check
CWE‑693	JavaScript	js/incomplete-url-substring-sanitization	Incomplete URL substring sanitization
CWE‑693	JavaScript	js/incorrect-suffix-check	Incorrect suffix check
CWE‑693	JavaScript	js/regex/missing-regexp-anchor	Missing regular expression anchor
CWE‑693	JavaScript	js/untrusted-data-to-external-api	Untrusted data passed to external API
CWE‑693	JavaScript	js/useless-regexp-character-escape	Useless regular-expression character escape
CWE‑693	JavaScript	js/double-escaping	Double escaping or unescaping
CWE‑693	JavaScript	js/incomplete-html-attribute-sanitization	Incomplete HTML attribute sanitization
CWE‑693	JavaScript	js/incomplete-multi-character-sanitization	Incomplete multi-character sanitization
CWE‑693	JavaScript	js/incomplete-sanitization	Incomplete string escaping or encoding
CWE‑693	JavaScript	js/build-artifact-leak	Storage of sensitive information in build artifact
CWE‑693	JavaScript	js/clear-text-logging	Clear-text logging of sensitive information
CWE‑693	JavaScript	js/clear-text-storage-of-sensitive-data	Clear text storage of sensitive information
CWE‑693	JavaScript	js/password-in-configuration-file	Password in configuration file
CWE‑693	JavaScript	js/biased-cryptographic-random	Creating biased random numbers from a cryptographically secure source.
CWE‑693	JavaScript	js/weak-cryptographic-algorithm	Use of a broken or weak cryptographic algorithm
CWE‑693	JavaScript	js/cors-misconfiguration-for-credentials	CORS misconfiguration for credentials transfer
CWE‑693	JavaScript	js/missing-token-validation	Missing CSRF middleware
CWE‑693	JavaScript	js/remote-property-injection	Remote property injection
CWE‑693	JavaScript	js/host-header-forgery-in-email-generation	Host header poisoning in email generation
CWE‑693	JavaScript	js/missing-rate-limiting	Missing rate limiting
CWE‑693	JavaScript	js/hardcoded-credentials	Hard-coded credentials
CWE‑693	JavaScript	js/user-controlled-bypass	User-controlled bypass of security check
CWE‑693	JavaScript	js/different-kinds-comparison-bypass	Comparison of user-controlled data of different kinds
CWE‑693	JavaScript	js/insufficient-password-hash	Use of password hash with insufficient computational effort
CWE‑693	JavaScript	js/missing-postmessageorigin-verification	Missing MessageEvent.origin verification in postMessage handlers
CWE‑693	JavaScript	js/jwt-missing-verification	JWT missing secret or public key verification
CWE‑693	JavaScript	js/insecure-cookie	Failure to set secure cookies
CWE‑693	Go	go/count-untrusted-data-external-api	Frequency counts for external APIs that are used with untrusted data
CWE‑693	Go	go/incomplete-hostname-regexp	Incomplete regular expression for hostnames
CWE‑693	Go	go/incomplete-url-scheme-check	Incomplete URL scheme check
CWE‑693	Go	go/regex/missing-regexp-anchor	Missing regular expression anchor
CWE‑693	Go	go/suspicious-character-in-regex	Suspicious characters in a regular expression
CWE‑693	Go	go/untrusted-data-to-external-api	Untrusted data passed to external API
CWE‑693	Go	go/untrusted-data-to-unknown-external-api	Untrusted data passed to unknown external API
CWE‑693	Go	go/disabled-certificate-check	Disabled TLS certificate check
CWE‑693	Go	go/clear-text-logging	Clear-text logging of sensitive information
CWE‑693	Go	go/insecure-tls	Insecure TLS configuration
CWE‑693	Go	go/constant-oauth2-state	Use of constant state value in OAuth 2.0 URL
CWE‑693	Go	go/email-injection	Email content injection
CWE‑693	Go	go/hardcoded-credentials	Hard-coded credentials
CWE‑693	Go	go/weak-crypto-algorithm	Use of a weak cryptographic algorithm
CWE‑693	Go	go/sensitive-condition-bypass	User-controlled bypassing of sensitive action
CWE‑695	Java	java/ejb/file-io	EJB uses file input/output
CWE‑695	Java	java/ejb/graphics	EJB uses graphics
CWE‑695	Java	java/ejb/synchronization	EJB uses synchronization
CWE‑695	Java	java/ejb/threads	EJB uses threads
CWE‑697	Java	java/missing-default-in-switch	Missing default case in switch
CWE‑697	Java	java/reference-equality-with-object	Reference equality test on java.lang.Object
CWE‑697	Java	java/reference-equality-of-boxed-types	Reference equality test of boxed types
CWE‑697	Java	java/reference-equality-on-strings	Reference equality test on strings
CWE‑697	Java	java/missing-case-in-switch	Missing enum case in switch
CWE‑697	C++	cpp/missing-case-in-switch	Missing enum case in switch
CWE‑697	C#	cs/class-name-comparison	Erroneous class compare
CWE‑697	C#	cs/reference-equality-with-object	Reference equality test on System.Object
CWE‑697	C#	cs/reference-equality-on-valuetypes	Call to ReferenceEquals(...) on value type expressions
CWE‑697	JavaScript	js/angular/insecure-url-whitelist	Insecure URL whitelist
CWE‑703	Java	java/inconsistent-call-on-result	Inconsistent operation on return value
CWE‑703	Java	java/return-value-ignored	Method result ignored
CWE‑703	Java	java/stack-trace-exposure	Information exposure through a stack trace
CWE‑703	Java	java/discarded-exception	Discarded exception
CWE‑703	Java	java/overly-general-catch	Overly-general catch clause
CWE‑703	Java	java/ignored-error-status-of-call	Ignored error status of call
CWE‑703	Java	java/uncaught-number-format-exception	Missing catch of NumberFormatException
CWE‑703	Java	java/android/nfe-local-android-dos	Local Android DoS Caused By NumberFormatException
CWE‑703	C++	cpp/return-value-ignored	Return value of a function is ignored
CWE‑703	C++	cpp/inconsistent-call-on-result	Inconsistent operation on return value
CWE‑703	C++	cpp/overflowing-snprintf	Potentially overflowing call to snprintf
CWE‑703	C++	cpp/wrong-number-format-arguments	Too few arguments to formatting function
CWE‑703	C++	cpp/too-few-arguments	Call to function with fewer arguments than declared parameters
CWE‑703	C++	cpp/ignore-return-value-sal	SAL requires inspecting return value
CWE‑703	C++	cpp/hresult-boolean-conversion	Cast between HRESULT and a Boolean type
CWE‑703	C++	cpp/drop-linux-privileges-outoforder	LinuxPrivilegeDroppingOutoforder
CWE‑703	C#	cs/dispose-not-called-on-throw	Dispose may not be called if an exception is thrown during execution
CWE‑703	C#	cs/local-not-disposed	Missing Dispose call on local IDisposable
CWE‑703	C#	cs/unchecked-return-value	Unchecked return value
CWE‑703	C#	cs/catch-nullreferenceexception	Poor error handling: catch of NullReferenceException
CWE‑703	C#	cs/empty-catch-block	Poor error handling: empty catch block
CWE‑703	C#	cs/catch-of-all-exceptions	Generic catch clause
CWE‑703	C#	cs/information-exposure-through-exception	Information exposure through an exception
CWE‑703	C#	cs/web/missing-global-error-handler	Missing global error handler
CWE‑703	Python	py/catch-base-exception	Except block handles 'BaseException'
CWE‑703	Python	py/empty-except	Empty except
CWE‑703	Python	py/ignored-return-value	Ignored return value
CWE‑703	Python	py/stack-trace-exposure	Information exposure through an exception
CWE‑703	JavaScript	js/stack-trace-exposure	Information exposure through a stack trace
CWE‑703	JavaScript	js/unvalidated-dynamic-method-call	Unvalidated dynamic method call
CWE‑703	Go	go/stack-trace-exposure	Information exposure through a stack trace
CWE‑704	Java	java/implicit-cast-in-compound-assignment	Implicit narrowing conversion in compound assignment
CWE‑704	Java	java/integer-multiplication-cast-to-long	Result of multiplication cast to wider type
CWE‑704	Java	java/impossible-array-cast	Impossible array cast
CWE‑704	Java	java/comparison-with-wider-type	Comparison of narrow type with wide type in loop condition
CWE‑704	Java	java/tainted-numeric-cast	User-controlled data in numeric cast
CWE‑704	Java	java/tainted-numeric-cast-local	Local-user-controlled data in numeric cast
CWE‑704	C++	cpp/bad-addition-overflow-check	Bad check for overflow of integer addition
CWE‑704	C++	cpp/integer-multiplication-cast-to-long	Multiplication result converted to larger type
CWE‑704	C++	cpp/upcast-array-pointer-arithmetic	Upcast array used in pointer arithmetic
CWE‑704	C++	cpp/comparison-with-wider-type	Comparison of narrow type with wide type in loop condition
CWE‑704	C++	cpp/integer-overflow-tainted	Potential integer arithmetic overflow
CWE‑704	C++	cpp/incorrect-string-type-conversion	Cast from char to wchar_t
CWE‑704	C#	cs/loss-of-precision	Possible loss of precision
CWE‑704	JavaScript	js/implicit-operand-conversion	Implicit operand conversion
CWE‑704	JavaScript	js/shift-out-of-range	Shift out of range
CWE‑704	JavaScript	js/invalid-prototype-value	Invalid prototype value
CWE‑704	JavaScript	js/property-assignment-on-primitive	Assignment to property of primitive value
CWE‑704	JavaScript	js/type-confusion-through-parameter-tampering	Type confusion through parameter tampering
CWE‑704	Go	go/shift-out-of-range	Shift out of range
CWE‑704	Go	go/incorrect-integer-conversion	Incorrect conversion between integer types
CWE‑705	Java	java/ejb/container-interference	EJB interferes with container operation
CWE‑705	Java	java/overly-general-catch	Overly-general catch clause
CWE‑705	Java	java/uncaught-number-format-exception	Missing catch of NumberFormatException
CWE‑705	Java	java/jvm-exit	Forcible JVM termination
CWE‑705	Java	java/abnormal-finally-completion	Finally block may not complete normally
CWE‑705	C#	cs/catch-nullreferenceexception	Poor error handling: catch of NullReferenceException
CWE‑705	C#	cs/catch-of-all-exceptions	Generic catch clause
CWE‑705	C#	cs/web/missing-global-error-handler	Missing global error handler
CWE‑705	Python	py/catch-base-exception	Except block handles 'BaseException'
CWE‑705	Python	py/exit-from-finally	'break' or 'return' statement in finally
CWE‑705	JavaScript	js/exit-from-finally	Jump from finally
CWE‑706	Java	java/path-injection	Uncontrolled data used in path expression
CWE‑706	Java	java/path-injection-local	Local-user-controlled data in path expression
CWE‑706	Java	java/zipslip	Arbitrary file write during archive extraction ("Zip Slip")
CWE‑706	Java	java/xxe	Resolving XML external entity in user-controlled data
CWE‑706	Java	java/openstream-called-on-tainted-url	openStream called on URLs created from remote source
CWE‑706	C++	cpp/path-injection	Uncontrolled data used in path expression
CWE‑706	C#	cs/path-injection	Uncontrolled data used in path expression
CWE‑706	C#	cs/zipslip	Arbitrary file write during zip extraction ("Zip Slip")
CWE‑706	C#	cs/xml/insecure-dtd-handling	Untrusted XML is read insecurely
CWE‑706	C#	cs/insecure-xml-read	XML is read insecurely
CWE‑706	C#	cs/webclient-path-injection	Uncontrolled data used in a WebClient
CWE‑706	Python	py/path-injection	Uncontrolled data used in path expression
CWE‑706	Python	py/tarslip	Arbitrary file write during tarfile extraction
CWE‑706	JavaScript	js/path-injection	Uncontrolled data used in path expression
CWE‑706	JavaScript	js/zipslip	Arbitrary file write during zip extraction ("Zip Slip")
CWE‑706	JavaScript	js/xxe	XML external entity expansion
CWE‑706	Go	go/path-injection	Uncontrolled data used in path expression
CWE‑706	Go	go/unsafe-unzip-symlink	Arbitrary file write extracting an archive containing symbolic links
CWE‑706	Go	go/zipslip	Arbitrary file write during zip extraction ("zip slip")
CWE‑707	Java	java/relative-path-command	Executing a command with a relative path
CWE‑707	Java	java/command-line-injection	Uncontrolled command line
CWE‑707	Java	java/command-line-injection-local	Local-user-controlled command line
CWE‑707	Java	java/concatenated-command-line	Building a command line with string concatenation
CWE‑707	Java	java/xss	Cross-site scripting
CWE‑707	Java	java/xss-local	Cross-site scripting from local source
CWE‑707	Java	java/sql-injection	Query built from user-controlled sources
CWE‑707	Java	java/sql-injection-local	Query built from local-user-controlled sources
CWE‑707	Java	java/concatenated-sql-query	Query built without neutralizing special characters
CWE‑707	Java	java/ldap-injection	LDAP query built from user-controlled sources
CWE‑707	Java	java/insecure-bean-validation	Insecure Bean Validation
CWE‑707	Java	java/netty-http-response-splitting	Disabled Netty HTTP header validation
CWE‑707	Java	java/http-response-splitting	HTTP response splitting
CWE‑707	Java	java/http-response-splitting-local	HTTP response splitting from local source
CWE‑707	Java	java/tainted-format-string	Use of externally-controlled format string
CWE‑707	Java	java/tainted-format-string-local	Use of externally-controlled format string from local source
CWE‑707	Java	java/xml/xpath-injection	XPath injection
CWE‑707	Java	java/jndi-injection	JNDI lookup with user-controlled name
CWE‑707	Java	java/xslt-injection	XSLT transformation with user-controlled stylesheet
CWE‑707	Java	java/command-line-injection	Uncontrolled command line
CWE‑707	Java	java/groovy-injection	Groovy Language injection
CWE‑707	Java	java/android-insecure-dex-loading	Insecure loading of an Android Dex File
CWE‑707	Java	java/javaee-expression-injection	Jakarta Expression Language injection
CWE‑707	Java	java/jexl-expression-injection	Expression language injection (JEXL)
CWE‑707	Java	java/mvel-expression-injection	Expression language injection (MVEL)
CWE‑707	Java	java/unsafe-eval	ScriptEngine evaluation
CWE‑707	Java	java/spel-expression-injection	Expression language injection (Spring)
CWE‑707	Java	java/spring-view-manipulation-implicit	Spring Implicit View Manipulation
CWE‑707	Java	java/spring-view-manipulation	Spring View Manipulation
CWE‑707	Java	java/log-injection	Log Injection
CWE‑707	Java	java/xquery-injection	XQuery query built from user-controlled sources
CWE‑707	Java	java/android/unsafe-android-webview-fetch	Unsafe resource fetching in Android webview
CWE‑707	Java	java/ognl-injection	OGNL Expression Language statement with user-controlled input
CWE‑707	C++	cpp/non-constant-format	Non-constant format string
CWE‑707	C++	cpp/wrong-number-format-arguments	Too few arguments to formatting function
CWE‑707	C++	cpp/improper-null-termination	Potential improper null termination
CWE‑707	C++	cpp/too-few-arguments	Call to function with fewer arguments than declared parameters
CWE‑707	C++	cpp/command-line-injection	Uncontrolled data used in OS command
CWE‑707	C++	cpp/cgi-xss	CGI script vulnerable to cross-site scripting
CWE‑707	C++	cpp/sql-injection	Uncontrolled data in SQL query
CWE‑707	C++	cpp/tainted-format-string	Uncontrolled format string
CWE‑707	C++	cpp/tainted-format-string-through-global	Uncontrolled format string (through global variable)
CWE‑707	C++	cpp/user-controlled-null-termination-tainted	User-controlled data may not be null terminated
CWE‑707	C#	cs/web/disabled-header-checking	Header checking disabled
CWE‑707	C#	cs/path-injection	Uncontrolled data used in path expression
CWE‑707	C#	cs/command-line-injection	Uncontrolled command line
CWE‑707	C#	cs/stored-command-line-injection	Uncontrolled command line from stored user input
CWE‑707	C#	cs/web/stored-xss	Stored cross-site scripting
CWE‑707	C#	cs/web/xss	Cross-site scripting
CWE‑707	C#	cs/second-order-sql-injection	SQL query built from stored user-controlled sources
CWE‑707	C#	cs/sql-injection	SQL query built from user-controlled sources
CWE‑707	C#	cs/ldap-injection	LDAP query built from user-controlled sources
CWE‑707	C#	cs/stored-ldap-injection	LDAP query built from stored user-controlled sources
CWE‑707	C#	cs/xml-injection	XML injection
CWE‑707	C#	cs/code-injection	Improper control of generation of code
CWE‑707	C#	cs/resource-injection	Resource injection
CWE‑707	C#	cs/log-forging	Log entries created from user input
CWE‑707	C#	cs/uncontrolled-format-string	Uncontrolled format string
CWE‑707	C#	cs/xml/stored-xpath-injection	Stored XPath injection
CWE‑707	C#	cs/xml/xpath-injection	XPath injection
CWE‑707	C#	cs/inappropriate-encoding	Inappropriate encoding
CWE‑707	C#	cs/webclient-path-injection	Uncontrolled data used in a WebClient
CWE‑707	Python	py/path-injection	Uncontrolled data used in path expression
CWE‑707	Python	py/command-line-injection	Uncontrolled command line
CWE‑707	Python	py/jinja2/autoescape-false	Jinja2 templating with autoescape=False
CWE‑707	Python	py/reflective-xss	Reflected server-side cross-site scripting
CWE‑707	Python	py/sql-injection	SQL query built from user-controlled sources
CWE‑707	Python	py/code-injection	Code injection
CWE‑707	Python	py/template-injection	Server Side Template Injection
CWE‑707	Python	py/xslt-injection	XSLT query built from user-controlled sources
CWE‑707	Python	py/xpath-injection	XPath query built from user-controlled sources
CWE‑707	JavaScript	js/enabling-electron-renderer-node-integration	Enabling Node.js integration for Electron web content renderers
CWE‑707	JavaScript	js/identity-replacement	Replacement of a substring with itself
CWE‑707	JavaScript	js/path-injection	Uncontrolled data used in path expression
CWE‑707	JavaScript	js/template-object-injection	Template Object Injection
CWE‑707	JavaScript	js/command-line-injection	Uncontrolled command line
CWE‑707	JavaScript	js/indirect-command-line-injection	Indirect uncontrolled command line
CWE‑707	JavaScript	js/shell-command-injection-from-environment	Shell command built from environment values
CWE‑707	JavaScript	js/shell-command-constructed-from-input	Unsafe shell command constructed from library input
CWE‑707	JavaScript	js/xss-through-exception	Exception text reinterpreted as HTML
CWE‑707	JavaScript	js/reflected-xss	Reflected cross-site scripting
CWE‑707	JavaScript	js/stored-xss	Stored cross-site scripting
CWE‑707	JavaScript	js/html-constructed-from-input	Unsafe HTML constructed from library input
CWE‑707	JavaScript	js/unsafe-jquery-plugin	Unsafe jQuery plugin
CWE‑707	JavaScript	js/xss	Client-side cross-site scripting
CWE‑707	JavaScript	js/xss-through-dom	DOM text reinterpreted as HTML
CWE‑707	JavaScript	js/sql-injection	Database query built from user-controlled sources
CWE‑707	JavaScript	js/code-injection	Code injection
CWE‑707	JavaScript	js/bad-code-sanitization	Improper code sanitization
CWE‑707	JavaScript	js/unsafe-dynamic-method-access	Unsafe dynamic method access
CWE‑707	JavaScript	js/double-escaping	Double escaping or unescaping
CWE‑707	JavaScript	js/incomplete-html-attribute-sanitization	Incomplete HTML attribute sanitization
CWE‑707	JavaScript	js/incomplete-multi-character-sanitization	Incomplete multi-character sanitization
CWE‑707	JavaScript	js/incomplete-sanitization	Incomplete string escaping or encoding
CWE‑707	JavaScript	js/unsafe-html-expansion	Unsafe expansion of self-closing HTML tag
CWE‑707	JavaScript	js/log-injection	Log injection
CWE‑707	JavaScript	js/tainted-format-string	Use of externally-controlled format string
CWE‑707	JavaScript	js/client-side-unvalidated-url-redirection	Client-side URL redirect
CWE‑707	JavaScript	js/xpath-injection	XPath injection
CWE‑707	JavaScript	js/prototype-polluting-assignment	Prototype-polluting assignment
CWE‑707	JavaScript	js/prototype-pollution-utility	Prototype-polluting function
CWE‑707	JavaScript	js/prototype-pollution	Prototype-polluting merge call
CWE‑707	JavaScript	javascript/ldap-injection	LDAP query built from user-controlled sources
CWE‑707	JavaScript	js/actions/injection	Expression injection in Actions
CWE‑707	JavaScript	js/actions/pull-request-target	Checkout of untrusted code in trusted context
CWE‑707	Go	go/path-injection	Uncontrolled data used in path expression
CWE‑707	Go	go/command-injection	Command built from user-controlled sources
CWE‑707	Go	go/stored-command	Command built from stored data
CWE‑707	Go	go/reflected-xss	Reflected cross-site scripting
CWE‑707	Go	go/stored-xss	Stored cross-site scripting
CWE‑707	Go	go/sql-injection	Database query built from user-controlled sources
CWE‑707	Go	go/unsafe-quoting	Potentially unsafe quoting
CWE‑707	Go	go/xml/xpath-injection	XPath injection
CWE‑707	Go	go/html-template-escaping-passthrough	HTML template escaping passthrough
CWE‑710	Java	java/deprecated-call	Deprecated method or constructor invocation
CWE‑710	Java	java/dead-class	Dead class
CWE‑710	Java	java/dead-enum-constant	Dead enum constant
CWE‑710	Java	java/dead-field	Dead field
CWE‑710	Java	java/dead-function	Dead method
CWE‑710	Java	java/lines-of-dead-code	Lines of dead code in files
CWE‑710	Java	java/unused-parameter	Useless parameter
CWE‑710	Java	java/ejb/container-interference	EJB interferes with container operation
CWE‑710	Java	java/ejb/file-io	EJB uses file input/output
CWE‑710	Java	java/ejb/graphics	EJB uses graphics
CWE‑710	Java	java/ejb/native-code	EJB uses native code
CWE‑710	Java	java/ejb/reflection	EJB uses reflection
CWE‑710	Java	java/ejb/security-configuration-access	EJB accesses security configuration
CWE‑710	Java	java/ejb/substitution-in-serialization	EJB uses substitution in serialization
CWE‑710	Java	java/ejb/socket-or-stream-handler-factory	EJB sets socket factory or URL stream handler factory
CWE‑710	Java	java/ejb/server-socket	EJB uses server socket
CWE‑710	Java	java/ejb/non-final-static-field	EJB uses non-final static field
CWE‑710	Java	java/ejb/synchronization	EJB uses synchronization
CWE‑710	Java	java/ejb/this	EJB uses 'this' as argument or result
CWE‑710	Java	java/ejb/threads	EJB uses threads
CWE‑710	Java	java/useless-null-check	Useless null check
CWE‑710	Java	java/useless-type-test	Useless type test
CWE‑710	Java	java/useless-upcast	Useless upcast
CWE‑710	Java	java/missing-call-to-super-clone	Missing super clone
CWE‑710	Java	java/empty-container	Container contents are never initialized
CWE‑710	Java	java/unused-container	Container contents are never accessed
CWE‑710	Java	java/inconsistent-equals-and-hashcode	Inconsistent equals and hashCode
CWE‑710	Java	java/constant-comparison	Useless comparison test
CWE‑710	Java	java/unreleased-lock	Unreleased lock
CWE‑710	Java	java/missing-super-finalize	Finalizer inconsistency
CWE‑710	Java	java/missing-format-argument	Missing format argument
CWE‑710	Java	java/unused-format-argument	Unused format argument
CWE‑710	Java	java/dereferenced-value-is-always-null	Dereferenced variable is always null
CWE‑710	Java	java/dereferenced-expr-may-be-null	Dereferenced expression may be null
CWE‑710	Java	java/dereferenced-value-may-be-null	Dereferenced variable may be null
CWE‑710	Java	java/empty-synchronized-block	Empty synchronized block
CWE‑710	Java	java/unreachable-catch-clause	Unreachable catch clause
CWE‑710	Java	java/potentially-dangerous-function	Use of a potentially dangerous function
CWE‑710	Java	java/hardcoded-credential-api-call	Hard-coded credential in API call
CWE‑710	Java	java/hardcoded-credential-comparison	Hard-coded credential comparison
CWE‑710	Java	java/hardcoded-credential-sensitive-call	Hard-coded credential in sensitive call
CWE‑710	Java	java/hardcoded-password-field	Hard-coded password field
CWE‑710	Java	java/todo-comment	TODO/FIXME comments
CWE‑710	Java	java/unused-reference-type	Unused classes and interfaces
CWE‑710	Java	java/overwritten-assignment-to-local	Assigned value is overwritten
CWE‑710	Java	java/useless-assignment-to-local	Useless assignment to local variable
CWE‑710	Java	java/empty-finalizer	Empty body of finalizer
CWE‑710	Java	java/unused-initialized-local	Local variable is initialized but not used
CWE‑710	Java	java/local-variable-is-never-read	Unread local variable
CWE‑710	Java	java/unused-field	Unused field
CWE‑710	Java	java/unused-label	Unused label
CWE‑710	Java	java/unused-local-variable	Unused local variable
CWE‑710	Java	java/switch-fall-through	Unterminated switch case
CWE‑710	Java	java/redundant-cast	Unnecessary cast
CWE‑710	Java	java/unused-import	Unnecessary import
CWE‑710	C++	cpp/unused-local-variable	Unused local variable
CWE‑710	C++	cpp/unused-static-function	Unused static function
CWE‑710	C++	cpp/unused-static-variable	Unused static variable
CWE‑710	C++	cpp/dead-code-condition	Branching condition always evaluates to same value
CWE‑710	C++	cpp/dead-code-function	Function is never called
CWE‑710	C++	cpp/dead-code-goto	Dead code due to goto or break statement
CWE‑710	C++	cpp/inconsistent-nullness-testing	Inconsistent null check of pointer
CWE‑710	C++	cpp/missing-null-test	Returned pointer not checked
CWE‑710	C++	cpp/unused-variable	Variable is assigned a value that is never read
CWE‑710	C++	cpp/fixme-comment	FIXME comment
CWE‑710	C++	cpp/todo-comment	TODO comment
CWE‑710	C++	cpp/inconsistent-null-check	Inconsistent nullness check
CWE‑710	C++	cpp/redundant-null-check-simple	Redundant null check due to previous dereference
CWE‑710	C++	cpp/overflowing-snprintf	Potentially overflowing call to snprintf
CWE‑710	C++	cpp/wrong-number-format-arguments	Too few arguments to formatting function
CWE‑710	C++	cpp/wrong-type-format-argument	Wrong type of arguments to formatting function
CWE‑710	C++	cpp/useless-expression	Expression has no effect
CWE‑710	C++	cpp/pointer-overflow-check	Pointer overflow check
CWE‑710	C++	cpp/bad-strncpy-size	Possibly wrong buffer size in string copy
CWE‑710	C++	cpp/suspicious-call-to-memset	Suspicious call to memset
CWE‑710	C++	cpp/unsafe-strncat	Potentially unsafe call to strncat
CWE‑710	C++	cpp/unsafe-strcat	Potentially unsafe use of strcat
CWE‑710	C++	cpp/too-few-arguments	Call to function with fewer arguments than declared parameters
CWE‑710	C++	cpp/ignore-return-value-sal	SAL requires inspecting return value
CWE‑710	C++	cpp/memset-may-be-deleted	Call to memset may be deleted
CWE‑710	C++	cpp/hresult-boolean-conversion	Cast between HRESULT and a Boolean type
CWE‑710	C++	cpp/dangerous-function-overflow	Use of dangerous function
CWE‑710	C++	cpp/dangerous-cin	Dangerous use of 'cin'
CWE‑710	C++	cpp/potentially-dangerous-function	Use of potentially dangerous function
CWE‑710	C++	cpp/lock-order-cycle	Cyclic lock order dependency
CWE‑710	C++	cpp/twice-locked	Mutex locked twice
CWE‑710	C++	cpp/unreleased-lock	Lock may not be released
CWE‑710	C++	cpp/redundant-null-check-param	Redundant null check or missing null check of parameter
CWE‑710	C++	cpp/incorrect-allocation-error-handling	Incorrect allocation-error handling
CWE‑710	C#	cs/call-to-obsolete-method	Call to obsolete method
CWE‑710	C#	cs/inconsistent-equals-and-gethashcode	Inconsistent Equals(object) and GetHashCode()
CWE‑710	C#	cs/todo-comment	TODO comment
CWE‑710	C#	cs/dereferenced-value-is-always-null	Dereferenced variable is always null
CWE‑710	C#	cs/dereferenced-value-may-be-null	Dereferenced variable may be null
CWE‑710	C#	cs/unused-reftype	Dead reference types
CWE‑710	C#	cs/useless-assignment-to-local	Useless assignment to local variable
CWE‑710	C#	cs/unused-field	Unused field
CWE‑710	C#	cs/unused-method	Unused method
CWE‑710	C#	cs/captured-foreach-variable	Capturing a foreach variable
CWE‑710	C#	cs/useless-cast-to-self	Cast to same type
CWE‑710	C#	cs/useless-is-before-as	Useless 'is' before 'as'
CWE‑710	C#	cs/coalesce-of-identical-expressions	Useless ?? expression
CWE‑710	C#	cs/useless-type-test	Useless type test
CWE‑710	C#	cs/useless-upcast	Useless upcast
CWE‑710	C#	cs/empty-collection	Container contents are never initialized
CWE‑710	C#	cs/unused-collection	Container contents are never accessed
CWE‑710	C#	cs/invalid-dynamic-call	Bad dynamic call
CWE‑710	C#	cs/empty-lock-statement	Empty lock statement
CWE‑710	C#	cs/linq/useless-select	Redundant Select
CWE‑710	C#	cs/web/missing-x-frame-options	Missing X-Frame-Options HTTP header
CWE‑710	C#	cs/hardcoded-connection-string-credentials	Hard-coded connection string with credentials
CWE‑710	C#	cs/hardcoded-credentials	Hard-coded credentials
CWE‑710	Python	py/equals-hash-mismatch	Inconsistent equality and hashing
CWE‑710	Python	py/call/wrong-named-class-argument	Wrong name for an argument in a class instantiation
CWE‑710	Python	py/call/wrong-number-class-arguments	Wrong number of arguments in a class instantiation
CWE‑710	Python	py/unreachable-except	Unreachable 'except' block
CWE‑710	Python	py/super-not-enclosing-class	First argument to super() is not enclosing class
CWE‑710	Python	py/comparison-of-constants	Comparison of constants
CWE‑710	Python	py/comparison-of-identical-expressions	Comparison of identical values
CWE‑710	Python	py/comparison-missing-self	Maybe missing 'self' in comparison
CWE‑710	Python	py/duplicate-key-dict-literal	Duplicate key in dict literal
CWE‑710	Python	py/call/wrong-named-argument	Wrong name for an argument in a call
CWE‑710	Python	py/percent-format/wrong-arguments	Wrong number of arguments for format
CWE‑710	Python	py/call/wrong-arguments	Wrong number of arguments in a call
CWE‑710	Python	py/redundant-comparison	Redundant comparison
CWE‑710	Python	py/import-deprecated-module	Import of deprecated module
CWE‑710	Python	py/hardcoded-credentials	Hard-coded credentials
CWE‑710	Python	py/constant-conditional-expression	Constant in conditional expression or statement
CWE‑710	Python	py/redundant-assignment	Redundant assignment
CWE‑710	Python	py/ineffectual-statement	Statement has no effect
CWE‑710	Python	py/unreachable-statement	Unreachable code
CWE‑710	Python	py/multiple-definition	Variable defined multiple times
CWE‑710	Python	py/unused-local-variable	Unused local variable
CWE‑710	Python	py/unused-global-variable	Unused global variable
CWE‑710	JavaScript	js/todo-comment	TODO comment
CWE‑710	JavaScript	js/conflicting-html-attribute	Conflicting HTML element attributes
CWE‑710	JavaScript	js/malformed-html-id	Malformed id attribute
CWE‑710	JavaScript	js/eval-like-call	Call to eval-like DOM function
CWE‑710	JavaScript	js/variable-initialization-conflict	Conflicting variable initialization
CWE‑710	JavaScript	js/function-declaration-conflict	Conflicting function declarations
CWE‑710	JavaScript	js/useless-assignment-to-global	Useless assignment to global variable
CWE‑710	JavaScript	js/useless-assignment-to-local	Useless assignment to local variable
CWE‑710	JavaScript	js/overwritten-property	Overwritten property
CWE‑710	JavaScript	js/comparison-of-identical-expressions	Comparison of identical values
CWE‑710	JavaScript	js/comparison-with-nan	Comparison with NaN
CWE‑710	JavaScript	js/duplicate-condition	Duplicate 'if' condition
CWE‑710	JavaScript	js/duplicate-property	Duplicate property
CWE‑710	JavaScript	js/duplicate-switch-case	Duplicate switch case
CWE‑710	JavaScript	js/useless-expression	Expression has no effect
CWE‑710	JavaScript	js/comparison-between-incompatible-types	Comparison between inconvertible types
CWE‑710	JavaScript	js/redundant-operation	Identical operands
CWE‑710	JavaScript	js/redundant-assignment	Self assignment
CWE‑710	JavaScript	js/call-to-non-callable	Invocation of non-function
CWE‑710	JavaScript	js/property-access-on-non-object	Property access on null or undefined
CWE‑710	JavaScript	js/unneeded-defensive-code	Unneeded defensive code
CWE‑710	JavaScript	js/useless-type-test	Useless type test
CWE‑710	JavaScript	js/conditional-comment	Conditional comments
CWE‑710	JavaScript	js/eval-call	Use of eval
CWE‑710	JavaScript	js/non-standard-language-feature	Use of platform-specific language features
CWE‑710	JavaScript	js/for-in-comprehension	Use of for-in comprehension blocks
CWE‑710	JavaScript	js/superfluous-trailing-arguments	Superfluous trailing arguments
CWE‑710	JavaScript	js/yield-outside-generator	Yield in non-generator function
CWE‑710	JavaScript	js/node/assignment-to-exports-variable	Assignment to exports variable
CWE‑710	JavaScript	js/regex/unmatchable-caret	Unmatchable caret in regular expression
CWE‑710	JavaScript	js/regex/unmatchable-dollar	Unmatchable dollar in regular expression
CWE‑710	JavaScript	js/remote-property-injection	Remote property injection
CWE‑710	JavaScript	js/missing-x-frame-options	Missing X-Frame-Options HTTP header
CWE‑710	JavaScript	js/hardcoded-data-interpreted-as-code	Hard-coded data interpreted as code
CWE‑710	JavaScript	js/hardcoded-credentials	Hard-coded credentials
CWE‑710	JavaScript	js/http-to-file-access	Network data written to file
CWE‑710	JavaScript	js/useless-assignment-in-return	Return statement assigns local variable
CWE‑710	JavaScript	js/unreachable-statement	Unreachable statement
CWE‑710	JavaScript	js/trivial-conditional	Useless conditional
CWE‑710	Go	go/comparison-of-identical-expressions	Comparison of identical values
CWE‑710	Go	go/useless-assignment-to-field	Useless assignment to field
CWE‑710	Go	go/useless-assignment-to-local	Useless assignment to local variable
CWE‑710	Go	go/duplicate-branches	Duplicate 'if' branches
CWE‑710	Go	go/duplicate-condition	Duplicate 'if' condition
CWE‑710	Go	go/duplicate-switch-case	Duplicate switch case
CWE‑710	Go	go/useless-expression	Expression has no effect
CWE‑710	Go	go/redundant-operation	Identical operands
CWE‑710	Go	go/redundant-assignment	Self assignment
CWE‑710	Go	go/unreachable-statement	Unreachable statement
CWE‑710	Go	go/hardcoded-credentials	Hard-coded credentials
CWE‑732	Java	java/world-writable-file-read	Reading from a world writable file
CWE‑732	C++	cpp/world-writable-file-creation	File created without restricting permissions
CWE‑732	C++	cpp/unsafe-dacl-security-descriptor	Setting a DACL to NULL in a SECURITY_DESCRIPTOR
CWE‑732	Python	py/overly-permissive-file	Overly permissive file permissions
CWE‑733	C++	cpp/memset-may-be-deleted	Call to memset may be deleted
CWE‑749	Java	java/android/unsafe-android-webview-fetch	Unsafe resource fetching in Android webview
CWE‑754	Java	java/inconsistent-call-on-result	Inconsistent operation on return value
CWE‑754	Java	java/return-value-ignored	Method result ignored
CWE‑754	C++	cpp/return-value-ignored	Return value of a function is ignored
CWE‑754	C++	cpp/inconsistent-call-on-result	Inconsistent operation on return value
CWE‑754	C++	cpp/overflowing-snprintf	Potentially overflowing call to snprintf
CWE‑754	C++	cpp/ignore-return-value-sal	SAL requires inspecting return value
CWE‑754	C++	cpp/hresult-boolean-conversion	Cast between HRESULT and a Boolean type
CWE‑754	C++	cpp/drop-linux-privileges-outoforder	LinuxPrivilegeDroppingOutoforder
CWE‑754	C#	cs/unchecked-return-value	Unchecked return value
CWE‑754	Python	py/ignored-return-value	Ignored return value
CWE‑754	JavaScript	js/unvalidated-dynamic-method-call	Unvalidated dynamic method call
CWE‑755	Java	java/stack-trace-exposure	Information exposure through a stack trace
CWE‑755	Java	java/overly-general-catch	Overly-general catch clause
CWE‑755	Java	java/android/nfe-local-android-dos	Local Android DoS Caused By NumberFormatException
CWE‑755	C#	cs/dispose-not-called-on-throw	Dispose may not be called if an exception is thrown during execution
CWE‑755	C#	cs/local-not-disposed	Missing Dispose call on local IDisposable
CWE‑755	C#	cs/catch-nullreferenceexception	Poor error handling: catch of NullReferenceException
CWE‑755	C#	cs/empty-catch-block	Poor error handling: empty catch block
CWE‑755	C#	cs/catch-of-all-exceptions	Generic catch clause
CWE‑755	C#	cs/information-exposure-through-exception	Information exposure through an exception
CWE‑755	C#	cs/web/missing-global-error-handler	Missing global error handler
CWE‑755	Python	py/catch-base-exception	Except block handles 'BaseException'
CWE‑755	Python	py/empty-except	Empty except
CWE‑755	Python	py/stack-trace-exposure	Information exposure through an exception
CWE‑755	JavaScript	js/stack-trace-exposure	Information exposure through a stack trace
CWE‑755	Go	go/stack-trace-exposure	Information exposure through a stack trace
CWE‑756	C#	cs/web/missing-global-error-handler	Missing global error handler
CWE‑758	C++	cpp/pointer-overflow-check	Pointer overflow check
CWE‑758	C++	cpp/memset-may-be-deleted	Call to memset may be deleted
CWE‑758	C#	cs/captured-foreach-variable	Capturing a foreach variable
CWE‑758	JavaScript	js/conflicting-html-attribute	Conflicting HTML element attributes
CWE‑758	JavaScript	js/malformed-html-id	Malformed id attribute
CWE‑758	JavaScript	js/conditional-comment	Conditional comments
CWE‑758	JavaScript	js/non-standard-language-feature	Use of platform-specific language features
CWE‑758	JavaScript	js/for-in-comprehension	Use of for-in comprehension blocks
CWE‑758	JavaScript	js/yield-outside-generator	Yield in non-generator function
CWE‑764	Java	java/unreleased-lock	Unreleased lock
CWE‑764	C++	cpp/lock-order-cycle	Cyclic lock order dependency
CWE‑764	C++	cpp/twice-locked	Mutex locked twice
CWE‑764	C++	cpp/unreleased-lock	Lock may not be released
CWE‑770	C++	cpp/alloca-in-loop	Call to alloca in a loop
CWE‑770	JavaScript	js/missing-rate-limiting	Missing rate limiting
CWE‑770	JavaScript	js/resource-exhaustion	Resource exhaustion
CWE‑772	Java	java/input-resource-leak	Potential input resource leak
CWE‑772	Java	java/database-resource-leak	Potential database resource leak
CWE‑772	Java	java/output-resource-leak	Potential output resource leak
CWE‑772	C++	cpp/catch-missing-free	Leaky catch
CWE‑772	C++	cpp/descriptor-may-not-be-closed	Open descriptor may not be closed
CWE‑772	C++	cpp/descriptor-never-closed	Open descriptor never closed
CWE‑772	C++	cpp/file-may-not-be-closed	Open file may not be closed
CWE‑772	C++	cpp/file-never-closed	Open file is not closed
CWE‑772	C++	cpp/memory-may-not-be-freed	Memory may not be freed
CWE‑772	C++	cpp/memory-never-freed	Memory is never freed
CWE‑772	C++	cpp/new-free-mismatch	Mismatching new/free or malloc/delete
CWE‑772	C++	cpp/memory-leak-on-failed-call-to-realloc	Memory leak on failed call to realloc
CWE‑772	Python	py/file-not-closed	File is not always closed
CWE‑775	C++	cpp/descriptor-may-not-be-closed	Open descriptor may not be closed
CWE‑775	C++	cpp/descriptor-never-closed	Open descriptor never closed
CWE‑775	C++	cpp/file-may-not-be-closed	Open file may not be closed
CWE‑775	C++	cpp/file-never-closed	Open file is not closed
CWE‑776	Java	java/xxe	Resolving XML external entity in user-controlled data
CWE‑776	C#	cs/xml/insecure-dtd-handling	Untrusted XML is read insecurely
CWE‑776	C#	cs/insecure-xml-read	XML is read insecurely
CWE‑776	JavaScript	js/xml-bomb	XML internal entity expansion
CWE‑780	C#	cs/inadequate-rsa-padding	Weak encryption: inadequate RSA padding
CWE‑783	Java	java/whitespace-contradicts-precedence	Whitespace contradicts operator precedence
CWE‑783	C++	cpp/operator-precedence-logic-error-when-use-bool-type	Operator Precedence Logic Error When Use Bool Type
CWE‑783	JavaScript	js/unclear-operator-precedence	Unclear precedence of nested operators
CWE‑783	JavaScript	js/whitespace-contradicts-precedence	Whitespace contradicts operator precedence
CWE‑783	Go	go/whitespace-contradicts-precedence	Whitespace contradicts operator precedence
CWE‑787	C++	cpp/allocation-too-small	Not enough memory allocated for pointer type
CWE‑787	C++	cpp/suspicious-allocation-size	Not enough memory allocated for array of pointer type
CWE‑787	C++	cpp/overflow-buffer	Call to memory access function may overflow buffer
CWE‑787	C++	cpp/badly-bounded-write	Badly bounded write
CWE‑787	C++	cpp/overrunning-write	Potentially overrunning write
CWE‑787	C++	cpp/overrunning-write-with-float	Potentially overrunning write with float to string conversion
CWE‑787	C++	cpp/unbounded-write	Unbounded write
CWE‑787	C++	cpp/unterminated-variadic-call	Unterminated variadic call
CWE‑787	C++	cpp/no-space-for-terminator	No space for zero terminator
CWE‑787	C#	cs/unvalidated-local-pointer-arithmetic	Unvalidated local pointer arithmetic
CWE‑788	C++	cpp/allocation-too-small	Not enough memory allocated for pointer type
CWE‑788	C++	cpp/suspicious-allocation-size	Not enough memory allocated for array of pointer type
CWE‑788	C++	cpp/overflow-buffer	Call to memory access function may overflow buffer
CWE‑788	C++	cpp/unterminated-variadic-call	Unterminated variadic call
CWE‑788	C++	cpp/no-space-for-terminator	No space for zero terminator
CWE‑788	C++	cpp/openssl-heartbleed	Use of a version of OpenSSL with Heartbleed
CWE‑788	C++	cpp/access-memory-location-after-end-buffer-strlen	Access Of Memory Location After End Of Buffer
CWE‑788	C++	cpp/access-memory-location-after-end-buffer-strncat	Access Of Memory Location After The End Of A Buffer Using Strncat
CWE‑788	C#	cs/unvalidated-local-pointer-arithmetic	Unvalidated local pointer arithmetic
CWE‑788	Go	go/wrong-usage-of-unsafe	Wrong usage of package unsafe
CWE‑798	Java	java/hardcoded-credential-api-call	Hard-coded credential in API call
CWE‑798	Java	java/hardcoded-credential-comparison	Hard-coded credential comparison
CWE‑798	Java	java/hardcoded-credential-sensitive-call	Hard-coded credential in sensitive call
CWE‑798	Java	java/hardcoded-password-field	Hard-coded password field
CWE‑798	C#	cs/hardcoded-connection-string-credentials	Hard-coded connection string with credentials
CWE‑798	C#	cs/hardcoded-credentials	Hard-coded credentials
CWE‑798	Python	py/hardcoded-credentials	Hard-coded credentials
CWE‑798	JavaScript	js/hardcoded-credentials	Hard-coded credentials
CWE‑798	Go	go/hardcoded-credentials	Hard-coded credentials
CWE‑799	JavaScript	js/missing-rate-limiting	Missing rate limiting
CWE‑805	C++	cpp/badly-bounded-write	Badly bounded write
CWE‑805	C++	cpp/overrunning-write	Potentially overrunning write
CWE‑805	C++	cpp/overrunning-write-with-float	Potentially overrunning write with float to string conversion
CWE‑805	C++	cpp/unbounded-write	Unbounded write
CWE‑807	Java	java/user-controlled-bypass	User-controlled bypass of sensitive method
CWE‑807	Java	java/tainted-permissions-check	User-controlled data used in permissions check
CWE‑807	C++	cpp/tainted-permissions-check	Untrusted input for a condition
CWE‑807	C#	cs/user-controlled-bypass	User-controlled bypass of sensitive method
CWE‑807	JavaScript	js/user-controlled-bypass	User-controlled bypass of security check
CWE‑807	JavaScript	js/different-kinds-comparison-bypass	Comparison of user-controlled data of different kinds
CWE‑807	Go	go/sensitive-condition-bypass	User-controlled bypassing of sensitive action
CWE‑820	Java	java/lazy-initialization	Incorrect lazy initialization of a static field
CWE‑820	Java	java/non-sync-override	Non-synchronized override of synchronized method
CWE‑820	C#	cs/unsynchronized-static-access	Unsynchronized access to static collection member in non-static context
CWE‑821	Java	java/ejb/synchronization	EJB uses synchronization
CWE‑821	Java	java/call-to-thread-run	Direct call to a run() method
CWE‑823	C++	cpp/late-negative-test	Pointer offset used before it is checked
CWE‑823	C++	cpp/missing-negativity-test	Unchecked return value used as offset
CWE‑825	C++	cpp/use-after-free	Potential use after free
CWE‑825	C++	cpp/return-stack-allocated-memory	Returning stack-allocated memory
CWE‑826	C++	cpp/self-assignment-check	Self assignment check
CWE‑827	Java	java/xxe	Resolving XML external entity in user-controlled data
CWE‑827	C#	cs/xml/insecure-dtd-handling	Untrusted XML is read insecurely
CWE‑827	C#	cs/insecure-xml-read	XML is read insecurely
CWE‑827	JavaScript	js/xxe	XML external entity expansion
CWE‑829	Java	java/xxe	Resolving XML external entity in user-controlled data
CWE‑829	Java	java/maven/non-https-url	Failure to use HTTPS or SFTP URL in Maven artifact upload/download
CWE‑829	C#	cs/web/missing-x-frame-options	Missing X-Frame-Options HTTP header
CWE‑829	C#	cs/xml/insecure-dtd-handling	Untrusted XML is read insecurely
CWE‑829	C#	cs/insecure-xml-read	XML is read insecurely
CWE‑829	JavaScript	js/missing-x-frame-options	Missing X-Frame-Options HTTP header
CWE‑829	JavaScript	js/xxe	XML external entity expansion
CWE‑829	JavaScript	js/insecure-download	Download of sensitive file through insecure connection
CWE‑833	Java	java/sleep-with-lock-held	Sleep with lock held
CWE‑833	Java	java/unreleased-lock	Unreleased lock
CWE‑833	Java	java/wait-with-two-locks	Wait with two locks held
CWE‑833	Java	java/lock-order-inconsistency	Lock order inconsistency
CWE‑833	C++	cpp/lock-order-cycle	Cyclic lock order dependency
CWE‑833	C++	cpp/twice-locked	Mutex locked twice
CWE‑833	C++	cpp/unreleased-lock	Lock may not be released
CWE‑833	C#	cs/locked-wait	A lock is held during a wait
CWE‑834	Java	java/constant-loop-condition	Constant loop condition
CWE‑834	Java	java/xxe	Resolving XML external entity in user-controlled data
CWE‑834	Java	java/unreachable-exit-in-loop	Loop with unreachable exit condition
CWE‑834	C++	cpp/inconsistent-loop-direction	Inconsistent direction of for loop
CWE‑834	C++	cpp/comparison-with-wider-type	Comparison of narrow type with wide type in loop condition
CWE‑834	C++	cpp/infinite-loop-with-unsatisfiable-exit-condition	Infinite loop with unsatisfiable exit condition
CWE‑834	C#	cs/constant-condition	Constant condition
CWE‑834	C#	cs/linq/inconsistent-enumeration	Bad multiple iteration
CWE‑834	C#	cs/xml/insecure-dtd-handling	Untrusted XML is read insecurely
CWE‑834	C#	cs/insecure-xml-read	XML is read insecurely
CWE‑834	JavaScript	js/xml-bomb	XML internal entity expansion
CWE‑834	JavaScript	js/loop-bound-injection	Loop bound injection
CWE‑834	JavaScript	js/inconsistent-loop-direction	Inconsistent direction of for loop
CWE‑834	Go	go/inconsistent-loop-direction	Inconsistent direction of for loop
CWE‑835	Java	java/constant-loop-condition	Constant loop condition
CWE‑835	Java	java/unreachable-exit-in-loop	Loop with unreachable exit condition
CWE‑835	C++	cpp/inconsistent-loop-direction	Inconsistent direction of for loop
CWE‑835	C++	cpp/comparison-with-wider-type	Comparison of narrow type with wide type in loop condition
CWE‑835	C++	cpp/infinite-loop-with-unsatisfiable-exit-condition	Infinite loop with unsatisfiable exit condition
CWE‑835	C#	cs/constant-condition	Constant condition
CWE‑835	JavaScript	js/inconsistent-loop-direction	Inconsistent direction of for loop
CWE‑835	Go	go/inconsistent-loop-direction	Inconsistent direction of for loop
CWE‑838	C#	cs/inappropriate-encoding	Inappropriate encoding
CWE‑843	C++	cpp/upcast-array-pointer-arithmetic	Upcast array used in pointer arithmetic
CWE‑843	JavaScript	js/type-confusion-through-parameter-tampering	Type confusion through parameter tampering
CWE‑862	C#	cs/empty-password-in-configuration	Empty password in configuration file
CWE‑862	JavaScript	js/cors-misconfiguration-for-credentials	CORS misconfiguration for credentials transfer
CWE‑909	C++	cpp/initialization-not-run	Initialization code not run
CWE‑912	JavaScript	js/hardcoded-data-interpreted-as-code	Hard-coded data interpreted as code
CWE‑912	JavaScript	js/http-to-file-access	Network data written to file
CWE‑913	Java	java/insecure-bean-validation	Insecure Bean Validation
CWE‑913	Java	java/unsafe-deserialization	Deserialization of user-controlled data
CWE‑913	Java	java/groovy-injection	Groovy Language injection
CWE‑913	Java	java/android-insecure-dex-loading	Insecure loading of an Android Dex File
CWE‑913	Java	java/javaee-expression-injection	Jakarta Expression Language injection
CWE‑913	Java	java/jexl-expression-injection	Expression language injection (JEXL)
CWE‑913	Java	java/mvel-expression-injection	Expression language injection (MVEL)
CWE‑913	Java	java/unsafe-eval	ScriptEngine evaluation
CWE‑913	Java	java/spel-expression-injection	Expression language injection (Spring)
CWE‑913	Java	java/spring-view-manipulation-implicit	Spring Implicit View Manipulation
CWE‑913	Java	java/spring-view-manipulation	Spring View Manipulation
CWE‑913	Java	java/unsafe-deserialization-spring-exporter-in-configuration-class	Unsafe deserialization with Spring's remote service exporters.
CWE‑913	Java	java/unsafe-deserialization-spring-exporter-in-xml-configuration	Unsafe deserialization with Spring's remote service exporters.
CWE‑913	C#	cs/code-injection	Improper control of generation of code
CWE‑913	C#	cs/deserialized-delegate	Deserialized delegate
CWE‑913	C#	cs/unsafe-deserialization	Unsafe deserializer
CWE‑913	C#	cs/unsafe-deserialization-untrusted-input	Deserialization of untrusted data
CWE‑913	Python	py/code-injection	Code injection
CWE‑913	Python	py/unsafe-deserialization	Deserializing untrusted input
CWE‑913	JavaScript	js/enabling-electron-renderer-node-integration	Enabling Node.js integration for Electron web content renderers
CWE‑913	JavaScript	js/template-object-injection	Template Object Injection
CWE‑913	JavaScript	js/code-injection	Code injection
CWE‑913	JavaScript	js/bad-code-sanitization	Improper code sanitization
CWE‑913	JavaScript	js/unsafe-dynamic-method-access	Unsafe dynamic method access
CWE‑913	JavaScript	js/unsafe-deserialization	Deserialization of user-controlled data
CWE‑913	JavaScript	js/prototype-polluting-assignment	Prototype-polluting assignment
CWE‑913	JavaScript	js/prototype-pollution-utility	Prototype-polluting function
CWE‑913	JavaScript	js/prototype-pollution	Prototype-polluting merge call
CWE‑913	JavaScript	js/actions/injection	Expression injection in Actions
CWE‑913	JavaScript	js/actions/pull-request-target	Checkout of untrusted code in trusted context
CWE‑913	Go	go/unsafe-quoting	Potentially unsafe quoting
CWE‑915	JavaScript	js/prototype-polluting-assignment	Prototype-polluting assignment
CWE‑915	JavaScript	js/prototype-pollution-utility	Prototype-polluting function
CWE‑915	JavaScript	js/prototype-pollution	Prototype-polluting merge call
CWE‑916	JavaScript	js/insufficient-password-hash	Use of password hash with insufficient computational effort
CWE‑917	Java	java/ognl-injection	OGNL Expression Language statement with user-controlled input
CWE‑918	Java	java/ssrf	Server Side Request Forgery (SSRF)
CWE‑918	JavaScript	js/request-forgery	Uncontrolled data used in network request
CWE‑918	Go	go/request-forgery	Uncontrolled data used in network request
CWE‑922	Java	java/cleartext-storage-in-class	Cleartext storage of sensitive information using storable class
CWE‑922	Java	java/cleartext-storage-in-cookie	Cleartext storage of sensitive information in cookie
CWE‑922	Java	java/cleartext-storage-in-properties	Cleartext storage of sensitive information using 'Properties' class
CWE‑922	Java	java/android/cleartext-storage-shared-prefs	Cleartext storage of sensitive information using SharedPreferences on Android
CWE‑922	C++	cpp/cleartext-storage-buffer	Cleartext storage of sensitive information in buffer
CWE‑922	C++	cpp/cleartext-storage-file	Cleartext storage of sensitive information in file
CWE‑922	C++	cpp/cleartext-storage-database	Cleartext storage of sensitive information in an SQLite database
CWE‑922	C#	cs/password-in-configuration	Password in configuration file
CWE‑922	C#	cs/cleartext-storage-of-sensitive-information	Clear text storage of sensitive information
CWE‑922	Python	py/clear-text-logging-sensitive-data	Clear-text logging of sensitive information
CWE‑922	Python	py/clear-text-storage-sensitive-data	Clear-text storage of sensitive information
CWE‑922	JavaScript	js/build-artifact-leak	Storage of sensitive information in build artifact
CWE‑922	JavaScript	js/clear-text-logging	Clear-text logging of sensitive information
CWE‑922	JavaScript	js/clear-text-storage-of-sensitive-data	Clear text storage of sensitive information
CWE‑922	JavaScript	js/password-in-configuration-file	Password in configuration file
CWE‑922	Go	go/clear-text-logging	Clear-text logging of sensitive information
CWE‑923	Java	java/unsafe-hostname-verification	Unsafe hostname verification
CWE‑923	Java	java/socket-auth-race-condition	Race condition in socket authentication
CWE‑923	Java	java/maven/non-https-url	Failure to use HTTPS or SFTP URL in Maven artifact upload/download
CWE‑923	C#	cs/user-controlled-bypass	User-controlled bypass of sensitive method
CWE‑923	Go	go/sensitive-condition-bypass	User-controlled bypassing of sensitive action
CWE‑943	Java	java/sql-injection	Query built from user-controlled sources
CWE‑943	Java	java/sql-injection-local	Query built from local-user-controlled sources
CWE‑943	Java	java/concatenated-sql-query	Query built without neutralizing special characters
CWE‑943	Java	java/ldap-injection	LDAP query built from user-controlled sources
CWE‑943	Java	java/xml/xpath-injection	XPath injection
CWE‑943	Java	java/xquery-injection	XQuery query built from user-controlled sources
CWE‑943	C++	cpp/sql-injection	Uncontrolled data in SQL query
CWE‑943	C#	cs/second-order-sql-injection	SQL query built from stored user-controlled sources
CWE‑943	C#	cs/sql-injection	SQL query built from user-controlled sources
CWE‑943	C#	cs/ldap-injection	LDAP query built from user-controlled sources
CWE‑943	C#	cs/stored-ldap-injection	LDAP query built from stored user-controlled sources
CWE‑943	C#	cs/xml/stored-xpath-injection	Stored XPath injection
CWE‑943	C#	cs/xml/xpath-injection	XPath injection
CWE‑943	Python	py/sql-injection	SQL query built from user-controlled sources
CWE‑943	Python	py/xslt-injection	XSLT query built from user-controlled sources
CWE‑943	Python	py/xpath-injection	XPath query built from user-controlled sources
CWE‑943	JavaScript	js/sql-injection	Database query built from user-controlled sources
CWE‑943	JavaScript	js/xpath-injection	XPath injection
CWE‑943	JavaScript	javascript/ldap-injection	LDAP query built from user-controlled sources
CWE‑943	Go	go/sql-injection	Database query built from user-controlled sources
CWE‑943	Go	go/unsafe-quoting	Potentially unsafe quoting
CWE‑943	Go	go/xml/xpath-injection	XPath injection
CWE‑1004	Java	java/tomcat-disabled-httponly	Tomcat config disables 'HttpOnly' flag (XSS risk)
CWE‑1004	Java	java/sensitive-cookie-not-httponly	Sensitive cookies without the HttpOnly response header set
CWE‑1004	JavaScript	js/cookie-httponly-not-set	'HttpOnly' attribute is not set to true
CWE‑1022	JavaScript	js/unsafe-external-link	Potentially unsafe external link
CWE‑1104	Java	java/maven/dependency-upon-bintray	Depending upon JCenter/Bintray as an artifact repository

• © 2021 GitHub, Inc.
• Terms
• Privacy