txt2stix 1.1.8__py3-none-any.whl → 1.1.10__py3-none-any.whl

txt2stix/includes/lookups/{mitre_cwe_name_v4_15.txt → mitre_cwe_name_v4_18.txt}

@@ -1,939 +1,944 @@
-Sensitive Cookie Without 'HttpOnly' Flag
-Insufficient Visual Distinction of Homoglyphs Presented to User
-Struts: Duplicate Validation Forms
-Improper Restriction of Rendered UI Layers or Frames
-Use of Web Link to Untrusted Target with window.opener Access
-Incomplete Comparison with Missing Factors
-Comparison of Incompatible Types
-Comparison Using Wrong Factors
+Reliance on Machine-Dependent Data Representation
+Path Traversal: '../filedir'
+Improper Access Control Applied to Mirrored or Aliased Memory Regions
+Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution
+Unchecked Error Condition
+Spyware
+Duplicate Key in Associative List (Alist)
+Empty Password in Configuration File
+Function Call With Incorrect Order of Arguments
 Struts: Incomplete validate() Method Definition
-Processor Optimization Removal or Modification of Security-critical Code
-Insecure Automated Optimizations
-Automated Recognition Mechanism with Inadequate Detection or Handling of Adversarial Input Perturbations
-Struts: Form Bean Does Not Extend Validation Class
-Use of Redundant Code
-Static Member Data Element outside of a Singleton Class Element
-Data Element Aggregating an Excessively Large Number of Non-Primitive Elements
-Architecture with Number of Horizontal Layers Outside of Expected Range
-Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor
+Incorrect Control Flow Scoping
+Covert Channel
+Exposure of Backup File to an Unauthorized Control Sphere
+Improper Clearing of Heap Memory Before Release ('Heap Inspection')
+Reflection Attack in an Authentication Protocol
+Use of Hard-coded Cryptographic Key
+Off-by-one Error
+Use of Less Trusted Source
+Use of Wrong Operator in String Comparison
+ASP.NET Misconfiguration: Improper Model Validation
+Improper Handling of Length Parameter Inconsistency
+Expired Pointer Dereference
+Null Byte Interaction Error (Poison Null Byte)
+Improper Verification of Cryptographic Signature
+Missing Critical Step in Authentication
+Improper Neutralization of Value Delimiters
+Insufficient Isolation of Symbolic Constant Definitions
+Improper Handling of Overlap Between Protected Memory Ranges
+Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
+Path Traversal: '/../filedir'
+Improper Neutralization of Leading Special Elements
+Improper Null Termination
+Privilege Dropping / Lowering Errors
+Path Traversal: '...' (Triple Dot)
+Reliance on Cookies without Validation and Integrity Checking
+Missing Release of File Descriptor or Handle after Effective Lifetime
+Reliance on HTTP instead of HTTPS
+Improper Neutralization of Data within XPath Expressions ('XPath Injection')
+Improper Restriction of Write-Once Bit Fields
+Use of Inherently Dangerous Function
+Improper Verification of Source of a Communication Channel
 Creation of Immutable Text Using String Concatenation
 Modules with Circular Dependencies
-Invokable Control Element with Large Number of Outward Calls
-Excessive Data Query Operations in a Large Data Table
-Struts: Form Field Without Validator
-Excessive Platform Resource Consumption within a Loop
-Initialization with Hard-Coded Network Resource Configuration Data
-Excessive Use of Hard-Coded Literals in Initialization
-Missing Documentation for Design
-Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer
-Multiple Inheritance from Concrete Classes
-Invokable Control Element with Variadic Parameters
-Data Access Operations Outside of Expected Data Manager Component
-Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element
-Insufficient Technical Documentation
-Struts: Plug-in Framework not in Use
-Excessive Number of Inefficient Server-Side Data Accesses
-Insufficient Encapsulation
-Parent Class with References to Child Class
-Creation of Class Instance within a Static Code Block
-Invokable Control Element with Signature Containing an Excessive Number of Parameters
-Runtime Resource Management Control Element in a Component Built to Run on Application Servers
-Missing Serialization Control Element
-Excessive Execution of Sequential Searches of Data Resource
-Inconsistency Between Implementation and Documented Design
-Empty Exception Block
-Struts: Unused Validation Form
-Serializable Data Element Containing non-Serializable Item Elements
-Empty Code Block
-Data Resource Access without Use of Connection Pooling
-Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses
-Class with Excessively Deep Inheritance
-Unconditional Control Flow Transfer outside of Switch Block
-Insufficient Adherence to Expected Conventions
-Floating Point Comparison with Incorrect Operator
-Inappropriate Source Code Style or Formatting
-Parent Class without Virtual Destructor Method
-Struts: Unvalidated Action Form
-Source Code File with Excessive Number of Lines of Code
-Class Instance Self Destruction Control Element
-Data Access from Outside Expected Data Manager Component
-Invokable Control Element with Excessive File or Data Access Operations
-Invokable Control Element with Excessive Volume of Commented-out Code
-Class with Excessive Number of Child Classes
-Class with Virtual Method without a Virtual Destructor
-Synchronous Access of Remote Resource without Timeout
-Large Data Table with Excessive Number of Indices
-Struts: Validator Turned Off
-Method Containing Access of a Member Element from Another Class
-Use of Object without Invoking Destructor Method
-Use of Same Invokable Control Element in Multiple Architectural Layers
-Excessively Complex Data Representation
-Excessive Index Range Scan for a Data Resource
-Loop Condition Value Update within the Loop
-Singleton Class Instance Creation without Proper Locking or Synchronization
-Persistent Storable Data Element without Associated Comparison Control Element
-Data Element containing Pointer Item without Proper Copy Control Element
-Inconsistent Naming Conventions for Identifiers
-ASP.NET Misconfiguration: Creating Debug Binary
-Struts: Validator Without Form Field
-Insufficient Isolation of System-Dependent Functions
-Reliance on Runtime Component in Generated Code
-Reliance on Machine-Dependent Data Representation
-Use of Platform-Dependent Third Party Components
-Use of Unmaintained Third Party Components
-Insufficient Encapsulation of Machine-Dependent Functionality
-Insufficient Use of Symbolic Constants
-Insufficient Isolation of Symbolic Constant Definitions
-Excessive Reliance on Global Variables
-Use of Same Variable for Multiple Purposes
-Direct Use of Unsafe JNI
-Incomplete Design Documentation
-Incomplete I/O Documentation
-Incomplete Documentation of Program Execution
-Inappropriate Comment Style
-Inappropriate Whitespace Style
-Source Code Element without Standard Prologue
-Inaccurate Comments
-Callable with Insufficient Behavioral Summary
-Insufficient Documentation of Error Handling Techniques
-Excessive Use of Unconditional Branching
-Missing XML Validation
-Excessive Code Complexity
-Excessive McCabe Cyclomatic Complexity
+Omission of Security-relevant Information
 Excessive Halstead Complexity
-Excessive Use of Self-Modifying Code
-Excessively Deep Nesting
-Excessive Attack Surface
-Declaration of Variable with Unnecessarily Wide Scope
-Compilation with Insufficient Warnings or Errors
-Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
-Process Control
-Misinterpretation of Input
-Improper Encoding or Escaping of Output
-Irrelevant Code
-Improper Output Neutralization for Logs
-Improper Use of Validation Framework
-ASP.NET Misconfiguration: Improper Model Validation
+J2EE Misconfiguration: Weak Access Permissions for EJB Methods
+Server-Side Request Forgery (SSRF)
+Public Static Field Not Marked Final
+Use of GET Request Method With Sensitive Query Strings
+Not Failing Securely ('Failing Open')
+Incorrect Regular Expression
+Parent Class with a Virtual Destructor and a Child Class without a Virtual Destructor
+Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation
+Access of Resource Using Incompatible Type ('Type Confusion')
+Insufficient Resource Pool
+Permissive List of Allowed Inputs
+Path Equivalence: 'filename ' (Trailing Space)
+Callable with Insufficient Behavioral Summary
+Missing Source Correlation of Multiple Independent Data
+Exposure of Version-Control Repository to an Unauthorized Control Sphere
+Improper Neutralization of Invalid Characters in Identifiers in Web Pages
+Path Traversal: '\\UNC\share\name\' (Windows UNC Share)
+Missing Encryption of Sensitive Data
+Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
+Improper Neutralization of Escape, Meta, or Control Sequences
 Inefficient CPU Computation
-Use of Prohibited Code
+Path Equivalence: 'file...name' (Multiple Internal Dot)
+Missing Source Identifier in Entity Transactions on a System-On-Chip (SOC)
 Incorrect Access of Indexable Resource ('Range Error')
-Initialization of a Resource with an Insecure Default
-Improper Isolation of Shared Resources on System-on-a-Chip (SoC)
-Improper Restriction of Operations within the Bounds of a Memory Buffer
+Excessive Data Query Operations in a Large Data Table
+Use of Blocking Code in Single-threaded, Non-blocking Context
+Missing Protection Mechanism for Alternate Hardware Interface
+Incorrect Calculation
+Application-Level Admin Tool with Inconsistent View of Underlying Operating System
 DMA Device Enabled Too Early in Boot Phase
-On-Chip Debug and Test Interface With Improper Access Control
-Improper Identifier for IP Block used in System-On-Chip (SOC)
-Power-On of Untrusted Execution Core Before Enabling Fabric Access Control
-ASP.NET Misconfiguration: Missing Custom Error Page
-Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
-Generation of Weak Initialization Vector (IV)
-Failure to Disable Reserved Bits
-Stack-based Buffer Overflow
-Heap-based Buffer Overflow
-Insufficient Granularity of Access Control
-Incorrect Register Defaults or Module Parameters
-Insufficient Granularity of Address Regions Protected by Register Locks
-Race Condition for Write-Once Attributes
-Improper Restriction of Write-Once Bit Fields
-Creation of Emergent Resource
+Missing Initialization of Resource
+Externally-Generated Error Message Containing Sensitive Information
+Reliance on Data/Memory Layout
+Improper Handling of Undefined Parameters
+Improper Neutralization of Script in Attributes in a Web Page
+ASP.NET Misconfiguration: Creating Debug Binary
+Improper Validation of Function Hook Arguments
+Improper Handling of Extra Values
+Authorization Bypass Through User-Controlled SQL Primary Key
+Invokable Control Element with Excessive File or Data Access Operations
+Path Equivalence: '\multiple\\internal\backslash'
+Excessive Use of Hard-Coded Literals in Initialization
+Modification of Assumed-Immutable Data (MAID)
+Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques
+Windows Shortcut Following (.LNK)
+Excessive Reliance on Global Variables
+XML Injection (aka Blind XPath Injection)
+Improper Isolation or Compartmentalization
+Improper Protection of Alternate Path
+Misinterpretation of Input
+Improper Restriction of Names for Files and Other Resources
+Missing Support for Security Features in On-chip Fabrics or Buses
+Incorrect Behavior Order: Validate Before Canonicalize
+External Influence of Sphere Definition
+Improper Handling of URL Encoding (Hex Encoding)
+Improper Enforcement of Message Integrity During Transmission in a Communication Channel
+Improper Control of Document Type Definition
+J2EE Misconfiguration: Missing Custom Error Page
+Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
 Write-what-where Condition
-Exposure of Sensitive Information Through Metadata
-Improper Prevention of Lock Bit Modification
-Improper Lock Behavior After Power State Transition
-Security-Sensitive Hardware Controls with Missing Lock Bit Protection
-Hardware Internal or Debug Modes Allow Override of Locks
-Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations
-Improper Neutralization of Formula Elements in a CSV File
-Improper Zeroization of Hardware Register
-Buffer Underwrite ('Buffer Underflow')
-Use of a Cryptographic Primitive with a Risky Implementation
-Use of Predictable Algorithm in Random Number Generator
-Inclusion of Undocumented Features or Chicken Bits
-Sensitive Non-Volatile Information Not Protected During Debug
-Internal Asset Exposed to Unsafe Debug Access Level or State
+External Control of Critical State Data
+Synchronous Access of Remote Resource without Timeout
+Use of Out-of-range Pointer Offset
+Remanent Data Readable after Memory Erase
+Struts: Validator Turned Off
+Insufficient Use of Symbolic Constants
+Use of Non-Canonical URL Paths for Authorization Decisions
 Improper Finite State Machines (FSMs) in Hardware Logic
-Improper Write Handling in Limited-write Non-Volatile Memories
-Improper Protection Against Voltage and Clock Glitches
-Semiconductor Defects in Hardware Logic with Security-Sensitive Implications
-Application-Level Admin Tool with Inconsistent View of Underlying Operating System
-Out-of-bounds Read
-Improper Preservation of Consistency Between Independent Representations of Shared State
-Mirrored Regions with Different Values
-CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations
-Incorrect Selection of Fuse Values
-Incorrect Comparison Logic Granularity
-Comparison Logic is Vulnerable to Power Side-Channel Attacks
-Improper Restriction of Software Interfaces to Hardware Features
-Improper Access Control Applied to Mirrored or Aliased Memory Regions
-Exposure of Sensitive System Information Due to Uncleared Debug Information
-Improper Restriction of Security Token Assignment
-Buffer Over-read
-Improper Handling of Overlap Between Protected Memory Ranges
-Improper Handling of Single Event Upsets
-Improper Access Control for Register Interface
-Improper Physical Access Control
-Hardware Logic with Insecure De-Synchronization between Control and Data Channels
-Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls
-Improper Scrubbing of Sensitive Data from Decommissioned Device
-Policy Uses Obsolete Encoding
-Policy Privileges are not Assigned Consistently Between Control and Data Agents
-Product Released in Non-Release Configuration
-Buffer Under-read
-Generation of Incorrect Security Tokens
-Uninitialized Value on Reset for Registers Holding Security Settings
-Sensitive Information Uncleared Before Debug/Power State Transition
-Device Unlock Credential Sharing
-Improper Access Control for Volatile Memory Containing Boot Code
-Sensitive Cookie with Improper SameSite Attribute
-Hardware Child Block Incorrectly Connected to Parent System
-Firmware Not Updateable
-Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques
-Cryptographic Operations are run Before Supporting Units are Ready
-Wrap-around Error
-Access Control Check Implemented After Asset is Accessed
-Sequence of Processor Instructions Leads to Unexpected Behavior
-Assumed-Immutable Data is Stored in Writable Memory
-Mutable Attestation or Measurement Reporting Data
-Improper Validation of Specified Quantity in Input
-Improper Validation of Specified Index, Position, or Offset in Input
-Improper Validation of Syntactic Correctness of Input
-Improper Validation of Specified Type of Input
-Improper Validation of Consistency within Input
-Improper Validation of Unsafe Equivalence in Input
-Improper Validation of Array Index
-Incorrect Decoding of Security Identifiers 
-Public Key Re-Use for Signing both Debug and Production Code
-Incorrect Conversion of Security Identifiers
-Missing Source Correlation of Multiple Independent Data
-Insecure Security Identifier Mechanism
-Debug Messages Revealing Unnecessary Information
-Incorrect Chaining or Granularity of Debug Components
-Unprotected Confidential Information on Device is Accessible by OSAT Vendors
-Hardware Logic Contains Race Conditions
-Missing Protection Mechanism for Alternate Hardware Interface
-ASP.NET Misconfiguration: Password in Configuration File
-Improper Handling of Length Parameter Inconsistency
-Improper Protection of Physical Side Channels
-Insufficient or Incomplete Data Removal within Hardware Component
-Missing Source Identifier in Entity Transactions on a System-On-Chip (SOC)
-Non-Transparent Sharing of Microarchitectural Resources
-Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation
-Incorrect Calculation of Buffer Size
-Missing Ability to Patch ROM Code
-Improper Translation of Security Attributes by Fabric Bridge
-Missing Protection for Mirrored Regions in On-Chip Fabric Firewall
-Hardware Allows Activation of Test or Debug Logic at Runtime
-Missing Write Protection for Parametric Data Values
-Improper Setting of Bus Controlling Capability in Fabric End-point
-Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges
-Improper Access Control in Fabric Bridge
-Missing Support for Security Features in On-chip Fabrics or Buses
-Improper Protection against Electromagnetic Fault Injection (EM-FI)
-Improper Protection for Outbound Error Messages and Alert Signals
-Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
-Use of Blocking Code in Single-threaded, Non-blocking Context
-Improper Management of Sensitive Trace Data
-Improperly Controlled Sequential Memory Allocation
-Missing Immutable Root of Trust in Hardware
-Binding to an Unrestricted IP Address
-Security Version Number Mutable to Older Versions
-Reliance on Component That is Not Updateable
-Remanent Data Readable after Memory Erase
-Improper Isolation of Shared Resources in Network On Chip (NoC)
-Improper Handling of Faults that Lead to Instruction Skips
-Inefficient Regular Expression Complexity
-Unauthorized Error Injection Can Degrade Hardware Redundancy
-Incorrect Bitwise Shift of Integer
-Improper Neutralization of Special Elements Used in a Template Engine
-Improper Protections Against Hardware Overheating
-Insufficient Precision or Accuracy of a Real Number
-Use of Externally-Controlled Format String
-Multiple Releases of Same Resource or Handle
-Information Exposure through Microarchitectural State after Transient Execution
-Incorrect Calculation of Multi-Byte String Length
-Improper Handling of Hardware Behavior in Exceptionally Cold Environments
-Reliance on Insufficiently Trustworthy Component
-Improper Neutralization of Special Elements
-Improper Handling of Physical or Environmental Conditions
-Missing Origin Validation in WebSockets
-Insecure Operation on Windows Junction / Mount Point
-Incorrect Parsing of Numbers with Different Radices
-Weak Authentication
-Use of Weak Credentials
-Use of Default Credentials
-Use of Default Password
-Use of Default Cryptographic Key
-Dependency on Vulnerable Third-Party Component
-Compiler Removal of Code to Clear Buffers
-Improper Neutralization of Delimiters
-Improper Neutralization of Parameter/Argument Delimiters
-Incorrect Initialization of Resource
-Improper Neutralization of Value Delimiters
-Exposure of Sensitive Information during Transient Execution
-Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution
-Exposure of Sensitive Information caused by Incorrect Data Forwarding during Transient Execution
-Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution
-Improper Validation of Generative AI Output
-Improper Neutralization of Record Delimiters
-Improper Neutralization of Line Delimiters
-Improper Neutralization of Section Delimiters
-Improper Neutralization of Expression/Command Delimiters
-Improper Neutralization of Input Terminators
-Improper Neutralization of Input Leaders
-Improper Neutralization of Quoting Syntax
-External Control of System or Configuration Setting
-Improper Neutralization of Escape, Meta, or Control Sequences
-Improper Neutralization of Comment Delimiters
-Improper Neutralization of Macro Symbols
-Improper Neutralization of Substitution Characters
-Improper Neutralization of Variable Name Delimiters
-Improper Neutralization of Wildcards or Matching Symbols
-Improper Neutralization of Whitespace
-Failure to Sanitize Paired Delimiters
-Improper Neutralization of Null Byte or NUL Character
-Improper Handling of Invalid Use of Special Elements
-Improper Neutralization of Leading Special Elements
+Improper Enforcement of a Single, Unique Action
+Insecure Automated Optimizations
+Transmission of Private Resources into a New Sphere ('Resource Leak')
+Path Equivalence: '/multiple//internal/slash'
+Incorrect Short Circuit Evaluation
+Missing Reference to Active Allocated Resource
+Empty Exception Block
 Improper Neutralization of Multiple Leading Special Elements
-Improper Neutralization of Trailing Special Elements
-Improper Neutralization of Multiple Trailing Special Elements
-Improper Neutralization of Internal Special Elements
-Improper Neutralization of Multiple Internal Special Elements
-Improper Handling of Missing Special Element
-Improper Handling of Additional Special Element
-Improper Handling of Inconsistent Special Elements
-Improper Null Termination
-Encoding Error
-Improper Handling of Alternate Encoding
-Double Decoding of the Same Data
-Improper Handling of Mixed Encoding
-Improper Handling of Unicode Encoding
-Improper Handling of URL Encoding (Hex Encoding)
-Improper Handling of Case Sensitivity
-Incorrect Behavior Order: Early Validation
-Incorrect Behavior Order: Validate Before Canonicalize
-Incorrect Behavior Order: Validate Before Filter
-Collapse of Data into Unsafe Value
-Permissive List of Allowed Inputs
-Incomplete List of Disallowed Inputs
-Incorrect Regular Expression
-Overly Restrictive Regular Expression
-Partial String Comparison
-Reliance on Data/Memory Layout
-Integer Overflow or Wraparound
-Integer Underflow (Wrap or Wraparound)
-Integer Coercion Error
-Off-by-one Error
-Unexpected Sign Extension
-Signed to Unsigned Conversion Error
-Unsigned to Signed Conversion Error
-Numeric Truncation Error
+Inefficient Regular Expression Complexity
+Struts: Unused Validation Form
 Use of Incorrect Byte Ordering
-Improper Input Validation
-Exposure of Sensitive Information to an Unauthorized Actor
-Insertion of Sensitive Information Into Sent Data
-Exposure of Sensitive Information Through Data Queries
-Observable Discrepancy
-Observable Response Discrepancy
-Observable Behavioral Discrepancy
-Observable Internal Behavioral Discrepancy
-Observable Behavioral Discrepancy With Equivalent Products
-Observable Timing Discrepancy
-Generation of Error Message Containing Sensitive Information
-Self-generated Error Message Containing Sensitive Information
-Externally-Generated Error Message Containing Sensitive Information
-Improper Removal of Sensitive Information Before Storage or Transfer
-Exposure of Sensitive Information Due to Incompatible Policies
-Invocation of Process Using Visible Sensitive Information
-Insertion of Sensitive Information Into Debugging Code
-Storage of File with Sensitive Data Under Web Root
-Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
-Storage of File With Sensitive Data Under FTP Root
-Information Loss or Omission
-Truncation of Security-relevant Information
-Omission of Security-relevant Information
-Obscured Security-relevant Information by Alternate Name
-Sensitive Information in Resource Not Removed Before Reuse
-Improper Handling of Syntactically Invalid Structure
-Improper Handling of Values
-Relative Path Traversal
-Improper Handling of Missing Values
-Improper Handling of Extra Values
-Improper Handling of Undefined Values
-Improper Handling of Parameters
-Failure to Handle Missing Parameter
-Improper Handling of Extra Parameters
-Improper Handling of Undefined Parameters
-Improper Handling of Structural Elements
+Missing Reference to Active File Descriptor or Handle
 Improper Handling of Incomplete Structural Elements
-Failure to Handle Incomplete Element
-Path Traversal: '../filedir'
-Improper Handling of Inconsistent Structural Elements
-Improper Handling of Unexpected Data Type
-Use of Inherently Dangerous Function
-Creation of chroot Jail Without Changing Working Directory
-Improper Clearing of Heap Memory Before Release ('Heap Inspection')
-J2EE Bad Practices: Direct Management of Connections
-J2EE Bad Practices: Direct Use of Sockets
-Uncaught Exception
-Path Traversal: '/../filedir'
-Execution with Unnecessary Privileges
-Unchecked Return Value
-Incorrect Check of Function Return Value
-Plaintext Storage of a Password
-Storing Passwords in a Recoverable Format
-Empty Password in Configuration File
-Use of Hard-coded Password
-Path Traversal: '/dir/../filename'
-Password in Configuration File
-Weak Encoding for Password
-Not Using Password Aging
-Password Aging with Long Expiration
-Incorrect Privilege Assignment
-Privilege Defined With Unsafe Actions
-Privilege Chaining
-Improper Privilege Management
-Path Traversal: 'dir/../../filename'
-Privilege Context Switching Error
-Privilege Dropping / Lowering Errors
-Least Privilege Violation
-Improper Check for Dropped Privileges
-Improper Handling of Insufficient Privileges
-Incorrect Default Permissions
-Insecure Inherited Permissions
-Insecure Preserved Inherited Permissions
-Incorrect Execution-Assigned Permissions
+Incorrect Behavior Order: Validate Before Filter
+Incorrect Conversion between Numeric Types
+Struts: Plug-in Framework not in Use
+Windows Hard Link
 Path Traversal: '..\filedir'
-Improper Handling of Insufficient Permissions or Privileges 
-Improper Preservation of Permissions
-Improper Ownership Management
-Unverified Ownership
-Improper Access Control
-Improper Authorization
-Incorrect User Management
-Improper Authentication
-Authentication Bypass Using an Alternate Path or Channel
-Authentication Bypass by Alternate Name
+Use of Invariant Value in Dynamically Changing Context
+Partial String Comparison
 Path Traversal: '\..\filename'
-Authentication Bypass by Spoofing
-Reliance on IP Address for Authentication
-Using Referer Field for Authentication
-Authentication Bypass by Capture-replay
-Improper Certificate Validation
-Improper Following of a Certificate's Chain of Trust
-Improper Validation of Certificate with Host Mismatch
+Access of Memory Location Before Start of Buffer
 Improper Validation of Certificate Expiration
-Improper Check for Certificate Revocation
-Path Traversal: '\dir\..\filename'
-Channel Accessible by Non-Endpoint
-Reflection Attack in an Authentication Protocol
-Authentication Bypass by Assumed-Immutable Data
-Incorrect Implementation of Authentication Algorithm
-Missing Critical Step in Authentication
-Authentication Bypass by Primary Weakness
-Missing Authentication for Critical Function
+Unprotected Alternate Channel
+Multiple Interpretations of UI Input
+Free of Pointer not at Start of Buffer
+Exposed IOCTL with Insufficient Access Control
 Improper Restriction of Excessive Authentication Attempts
+Reliance on Security Through Obscurity
+Dependency on Vulnerable Third-Party Component
+Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer
+Mutable Attestation or Measurement Reporting Data
+Improper Scrubbing of Sensitive Data from Decommissioned Device
+Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
+Trust of System Event Data
+Use of Pointer Subtraction to Determine Size
+Improper Neutralization of Special Elements
+Inclusion of Functionality from Untrusted Control Sphere
+Exposure of Sensitive Information Through Metadata
+Files or Directories Accessible to External Parties
+Path Traversal: 'C:dirname'
+Lack of Administrator Control over Security
+UNIX Hard Link
+Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
+Dangerous Signal Handler not Disabled During Sensitive Operations
+Incorrect Conversion of Security Identifiers
+Authentication Bypass Using an Alternate Path or Channel
+Incorrect Behavior Order
+Insertion of Sensitive Information into Externally-Accessible File or Directory
+Incorrect Authorization
+Singleton Class Instance Creation without Proper Locking or Synchronization
+Class Instance Self Destruction Control Element
+Improper Restriction of Operations within the Bounds of a Memory Buffer
+Origin Validation Error
+Improper Preservation of Consistency Between Independent Representations of Shared State
+Use of Expired File Descriptor
+Improper Resolution of Path Equivalence
+Use After Free
+Improper Validation of Syntactic Correctness of Input
+Improper Synchronization
+Exposed Dangerous Method or Function
+Unsigned to Signed Conversion Error
+Free of Memory not on the Heap
+Compiler Removal of Code to Clear Buffers
+Buffer Access with Incorrect Length Value
+Improper Handling of Structural Elements
+Exposure of WSDL File Containing Sensitive Information
+Improper Neutralization of Trailing Special Elements
+Incorrect Pointer Scaling
+Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
+Driving Intermediate Cryptographic State/Results to Hardware Module Outputs
 Use of Single-factor Authentication
-Use of Password System for Primary Authentication
-Path Traversal: 'dir\..\..\filename'
-Missing Encryption of Sensitive Data
-Cleartext Storage of Sensitive Information
-Cleartext Storage in a File or on Disk
-Cleartext Storage in the Registry
-Cleartext Storage of Sensitive Information in a Cookie
-Cleartext Storage of Sensitive Information in Memory
-Cleartext Storage of Sensitive Information in GUI
-Cleartext Storage of Sensitive Information in Executable
-Cleartext Transmission of Sensitive Information
-Path Traversal: '...' (Triple Dot)
-Use of Hard-coded Cryptographic Key
+Incomplete Identification of Uploaded File Variables (PHP)
+Buffer Access Using Size of Source Buffer
+Improper Access Control for Register Interface
 Key Exchange without Entity Authentication
+Missing Initialization of a Variable
+Comparison Logic is Vulnerable to Power Side-Channel Attacks
+Use of Default Password
+Use of Weak Hash
+Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
+Failure to Handle Missing Parameter
+Not Using Complete Mediation
+Excessive Use of Self-Modifying Code
+Inclusion of Sensitive Information in Source Code Comments
+Array Declared Public, Final, and Static
+Persistent Storable Data Element without Associated Comparison Control Element
+Improper Locking
+Improper Neutralization of Encoded URI Schemes in a Web Page
+Use of umask() with chmod-style Argument
 Reusing a Nonce, Key Pair in Encryption
-Use of a Key Past its Expiration Date
-Missing Cryptographic Step
+Use of a One-Way Hash with a Predictable Salt
+Session Fixation
+Incomplete Internal State Distinction
+Sensitive Information in Resource Not Removed Before Reuse
+Object Model Violation: Just One of Equals and Hashcode Defined
+Reliance on IP Address for Authentication
+Critical Public Variable Without Final Modifier
+Missing Check for Certificate Revocation after Initial Check
+Inclusion of Sensitive Information in an Include File
+Incorrect Parsing of Numbers with Different Radices
 Inadequate Encryption Strength
-Use of a Broken or Risky Cryptographic Algorithm
-Use of Weak Hash
-Generation of Predictable IV with CBC Mode
-Path Traversal: '....' (Multiple Dot)
-Use of Insufficiently Random Values
-Insufficient Entropy
-Insufficient Entropy in PRNG
-Improper Handling of Insufficient Entropy in TRNG
-Small Space of Random Values
-Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)
+Unlock of a Resource that is not Locked
+Permission Race Condition During Resource Copy
+Improper Filtering of Special Elements
+Unparsed Raw Web Content Delivery
+Only Filtering Special Elements Relative to a Marker
+Protection Mechanism Failure
+Processor Optimization Removal or Modification of Security-critical Code
+Insecure Operation on Windows Junction / Mount Point
+Incorrect Synchronization
 Same Seed in Pseudo-Random Number Generator (PRNG)
-Predictable Seed in Pseudo-Random Number Generator (PRNG)
-Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
-Small Seed Space in PRNG
-Path Traversal: '....//'
-Generation of Predictable Numbers or Identifiers
-Predictable from Observable State
-Predictable Exact Value from Previous Values
-Predictable Value Range from Previous Values
-Use of Invariant Value in Dynamically Changing Context
-Insufficient Verification of Data Authenticity
-Origin Validation Error
-Improper Verification of Cryptographic Signature
-Use of Less Trusted Source
-Acceptance of Extraneous Untrusted Data With Trusted Data
+Path Equivalence: 'fakedir/../realdir/filename'
 Path Traversal: '.../...//'
-Reliance on Reverse DNS Resolution for a Security-Critical Action
-Insufficient Type Distinction
-Cross-Site Request Forgery (CSRF)
-Missing Support for Integrity Check
-Improper Validation of Integrity Check Value
-Product UI does not Warn User of Unsafe Actions
-Insufficient UI Warning of Dangerous Operations
-Improperly Implemented Security Check for Standard
-Exposure of Private Personal Information to an Unauthorized Actor
-Absolute Path Traversal
-Trust of System Event Data
+Creation of chroot Jail Without Changing Working Directory
+Improper Protection Against Voltage and Clock Glitches
+Incorrect User Management
+Excessive Attack Surface
+J2EE Misconfiguration: Plaintext Password in Configuration File
+Static Member Data Element outside of a Singleton Class Element
+Source Code File with Excessive Number of Lines of Code
+Invokable Control Element with Large Number of Outward Calls
+Insufficient Encapsulation of Machine-Dependent Functionality
+Exposure of Sensitive Information in Shared Microarchitectural Structures during Transient Execution
+Improper Interaction Between Multiple Correctly-Behaving Entities
+Excessive Number of Inefficient Server-Side Data Accesses
+Storage of Sensitive Data in a Mechanism without Access Control
+Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges
+J2EE Bad Practices: Direct Use of Threads
+Improper Handling of Inconsistent Special Elements
+Improper Handling of Physical or Environmental Conditions
+Unrestricted Upload of File with Dangerous Type
+Improper Neutralization of Comment Delimiters
+Path Equivalence: 'filename/' (Trailing Slash)
+Excessive McCabe Cyclomatic Complexity
+Least Privilege Violation
+Improper Neutralization of Equivalent Special Elements
+Not Using Password Aging
+Function Call With Incorrect Variable or Reference as Argument
+Server-generated Error Message Containing Sensitive Information
+Improper Translation of Security Attributes by Fabric Bridge
+Invokable Control Element with Variadic Parameters
+Double Decoding of the Same Data
+Exposure of Data Element to Wrong Session
+Covert Storage Channel
+Predictable Exact Value from Previous Values
+Excessive Iteration
+Small Space of Random Values
+Empty Synchronized Block
+Observable Behavioral Discrepancy With Equivalent Products
+Premature Release of Resource During Expected Lifetime
+Reachable Assertion
+Hardware Logic with Insecure De-Synchronization between Control and Data Channels
+ASP.NET Misconfiguration: Password in Configuration File
+Double Free
+Inefficient Algorithmic Complexity
+Authentication Bypass by Capture-replay
+NULL Pointer Dereference
+Improper Link Resolution Before File Access ('Link Following')
+Improper Restriction of XML External Entity Reference
 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
-Race Condition Enabling Link Following
-Signal Handler Race Condition
-Race Condition within a Thread
-Time-of-check Time-of-use (TOCTOU) Race Condition
-Context Switching Race Condition
+Insufficient Control Flow Management
+Use of Low-Level Functionality
+Improper Control of Interaction Frequency
+Heap-based Buffer Overflow
+Deletion of Data Structure Sentinel
+Non-Transparent Sharing of Microarchitectural Resources
+Policy Privileges are not Assigned Consistently Between Control and Data Agents
+Exposure of Information Through Shell Error Message
+Absolute Path Traversal
+Uncontrolled Resource Consumption
+Non-exit on Failed Initialization
+Use of Function with Inconsistent Implementations
+Improper Neutralization of Wildcards or Matching Symbols
+ASP.NET Misconfiguration: Use of Identity Impersonation
+Debug Messages Revealing Unnecessary Information
+Parent Class without Virtual Destructor Method
+Improper Neutralization of Input Terminators
+Use of a One-Way Hash without a Salt
+Data Access Operations Outside of Expected Data Manager Component
+Uncontrolled Recursion
+J2EE Bad Practices: Non-serializable Object Stored in Session
+Missing Password Field Masking
+Predictable Seed in Pseudo-Random Number Generator (PRNG)
+Product UI does not Warn User of Unsafe Actions
+Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
+Large Data Table with Excessive Number of Indices
+Use of sizeof() on a Pointer Type
+Inclusion of Sensitive Information in Source Code
+J2EE Misconfiguration: Data Transmission Without Encryption
+Unprotected Primary Channel
+Incomplete Cleanup
+Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
+Failure to Disable Reserved Bits
+Use of getlogin() in Multithreaded Application
+Expression is Always False
+EJB Bad Practices: Use of Class Loader
+Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
+Improper Removal of Sensitive Information Before Storage or Transfer
+Improper Neutralization of Multiple Internal Special Elements
+Inappropriate Whitespace Style
+Missing Synchronization
+Integer Overflow or Wraparound
+Improper Validation of Specified Type of Input
+Multiple Binds to the Same Port
+Use of NullPointerException Catch to Detect NULL Pointer Dereference
+Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
+Memory Allocation with Excessive Size Value
+Use of Same Invokable Control Element in Multiple Architectural Layers
+Use of Insufficiently Random Values
 Divide By Zero
-Path Traversal: '/absolute/pathname/here'
-Missing Check for Certificate Revocation after Initial Check
-Incomplete Internal State Distinction
-Passing Mutable Objects to an Untrusted Method
-Returning a Mutable Object to an Untrusted Caller
-Insecure Temporary File
-Creation of Temporary File With Insecure Permissions
-Creation of Temporary File in Directory with Insecure Permissions
-Path Traversal: '\absolute\pathname\here'
-J2EE Bad Practices: Use of System.exit()
-J2EE Bad Practices: Direct Use of Threads
-Session Fixation
-Covert Timing Channel
-Symbolic Name not Mapping to Correct Object
-Path Traversal: 'C:dirname'
+Improper Encoding or Escaping of Output
+Improper Handling of Syntactically Invalid Structure
+Out-of-bounds Write
+Use of a Non-reentrant Function in a Concurrent Context
+Direct Use of Unsafe JNI
+Inclusion of Web Functionality from an Untrusted Source
+Storage of File with Sensitive Data Under Web Root
+Direct Request ('Forced Browsing')
+Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')
+J2EE Misconfiguration: Entity Bean Declared Remote
+Incorrect Implementation of Authentication Algorithm
+Overly Restrictive Account Lockout Mechanism
+Irrelevant Code
+Trapdoor
+Insufficient Control of Network Message Volume (Network Amplification)
+Allocation of Resources Without Limits or Throttling
+Struts: Validator Without Form Field
 Detection of Error Condition Without Action
-Unchecked Error Condition
-Missing Report of Error Condition
-Return of Wrong Status Code
-Unexpected Status Code or Return Value
-Use of NullPointerException Catch to Detect NULL Pointer Dereference
+Race Condition Enabling Link Following
 Declaration of Catch for Generic Exception
-Declaration of Throws for Generic Exception
-Path Traversal: '\\UNC\share\name\' (Windows UNC Share)
-Uncontrolled Resource Consumption
-Missing Release of Memory after Effective Lifetime
-Transmission of Private Resources into a New Sphere ('Resource Leak')
-Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')
+Download of Code Without Integrity Check
+Externally Controlled Reference to a Resource in Another Sphere
+Public cloneable() Method Without Final ('Object Hijack')
+Covert Timing Channel
+Uncaught Exception
+Out-of-bounds Read
+Excessive Index Range Scan for a Data Resource
+Improper Access Control
+Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
+Uncaught Exception in Servlet 
+Reliance on Cookies without Validation and Integrity Checking in a Security Decision
+Improper Handling of Windows ::DATA Alternate Data Stream
+UI Discrepancy for Security Feature
+Improper Handling of Unicode Encoding
+ASP.NET Misconfiguration: Not Using Input Validation Framework
+Insertion of Sensitive Information Into Debugging Code
+Cleartext Transmission of Sensitive Information
+Power-On of Untrusted Execution Core Before Enabling Fabric Access Control
+Improper Authorization in Handler for Custom URL Scheme
+Improper Isolation of Shared Resources in Network On Chip (NoC)
+Excessively Complex Data Representation
+Exposed Unsafe ActiveX Method
+Observable Behavioral Discrepancy
+Use of Inner Class Containing Sensitive Data
+Parent Class with References to Child Class
+Incorrect Privilege Assignment
+Unconditional Control Flow Transfer outside of Switch Block
+Missing Immutable Root of Trust in Hardware
+Improper Protection of Physical Side Channels
+Expected Behavior Violation
+Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')
+Improper Cleanup on Thrown Exception
+Unexpected Status Code or Return Value
+Expression is Always True
+Improper Handling of File Names that Identify Virtual Resources
+Incorrect Selection of Fuse Values
+Missing Validation of OpenSSL Certificate
+Obsolete Feature in UI
+Improper Neutralization of Script in an Error Message Web Page
+Symbolic Name not Mapping to Correct Object
+Inclusion of Sensitive Information in Test Code
+EJB Bad Practices: Use of Synchronization Primitives
+Incomplete Model of Endpoint Features
+Inappropriate Source Code Style or Formatting
+External Control of File Name or Path
+UNIX Symbolic Link (Symlink) Following
+Incorrect Permission Assignment for Critical Resource
+Improper Validation of Array Index
+Use of Platform-Dependent Third Party Components
+Use of Redundant Code
+Improper Neutralization of Variable Name Delimiters
+Declaration of Variable with Unnecessarily Wide Scope
+Exposure of Private Personal Information to an Unauthorized Actor
+Interpretation Conflict
+Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
+Incorrect Initialization of Resource
+Context Switching Race Condition
+Runtime Resource Management Control Element in a Component Built to Run on Application Servers
+Incomplete I/O Documentation
+Cryptographic Operations are run Before Supporting Units are Ready
+Permissive Regular Expression
 Improper Resource Shutdown or Release
-Asymmetric Resource Consumption (Amplification)
-Insufficient Control of Network Message Volume (Network Amplification)
-Inefficient Algorithmic Complexity
-Incorrect Behavior Order: Early Amplification
-Improper Handling of Highly Compressed Data (Data Amplification)
-Improper Resolution of Path Equivalence
-Insufficient Resource Pool
-Unrestricted Externally Accessible Lock
-Improper Resource Locking
-Missing Lock Check
-Double Free
-Use After Free
-Unprotected Primary Channel
-Path Equivalence: 'filename.' (Trailing Dot)
-Unprotected Alternate Channel
-Race Condition During Access to Alternate Channel
+Failure to Sanitize Paired Delimiters
+Missing Release of Memory after Effective Lifetime
+Reliance on Package-level Scope
+Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
 Unprotected Windows Messaging Channel ('Shatter')
-Improper Protection of Alternate Path
-Direct Request ('Forced Browsing')
-Untrusted Search Path
-Uncontrolled Search Path Element
-Unquoted Search Path or Element
-Path Equivalence: 'filename....' (Multiple Trailing Dot)
-Deployment of Wrong Handler
+Unverified Ownership
+Signal Handler Use of a Non-reentrant Function
+Active Debug Code
+Allocation of File Descriptors or Handles Without Limits or Throttling
+Improper Check for Certificate Revocation
+Architecture with Number of Horizontal Layers Outside of Expected Range
+Semiconductor Defects in Hardware Logic with Security-Sensitive Implications
+Path Equivalence: ' filename' (Leading Space)
+Logging of Excessive Data
+URL Redirection to Untrusted Site ('Open Redirect')
+Servlet Runtime Error Message Containing Sensitive Information
+Use of Default Cryptographic Key
+Method Containing Access of a Member Element from Another Class
+Wrap-around Error
+Placement of User into Incorrect Group
+Improper Restriction of Power Consumption
+Function Call With Incorrect Argument Type
+Incorrect Block Delimitation
 Missing Handler
-Dangerous Signal Handler not Disabled During Sensitive Operations
-Unparsed Raw Web Content Delivery
-Unrestricted Upload of File with Dangerous Type
-Improper Interaction Between Multiple Correctly-Behaving Entities
-Interpretation Conflict
-Incomplete Model of Endpoint Features
-Behavioral Change in New Version or Environment
-Path Equivalence: 'file.name' (Internal Dot)
-Expected Behavior Violation
-Unintended Proxy or Intermediary ('Confused Deputy')
-Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
-UI Discrepancy for Security Feature
-Unimplemented or Unsupported Feature in UI
-Obsolete Feature in UI
-The UI Performs the Wrong Action
-Path Equivalence: 'file...name' (Multiple Internal Dot)
-Multiple Interpretations of UI Input
-User Interface (UI) Misrepresentation of Critical Information
+Guessable CAPTCHA
+Use of Password Hash Instead of Password for Authentication
+Path Traversal: '/absolute/pathname/here'
+Insertion of Sensitive Information Into Sent Data
+Insufficient UI Warning of Dangerous Operations
+Insecure Security Identifier Mechanism
+Access to Critical Private Variable via Public Method
+Insufficient Session Expiration
+Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
+Insufficient Entropy in PRNG
+Generation of Error Message Containing Sensitive Information
+Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
+Unauthorized Error Injection Can Degrade Hardware Redundancy
+Improper Validation of Consistency within Input
+Improper Validation of Unsafe Equivalence in Input
+Privilege Defined With Unsafe Actions
+Improper Verification of Intent by Broadcast Receiver
+Loop Condition Value Update within the Loop
+Deserialization of Untrusted Data
+Returning a Mutable Object to an Untrusted Caller
+Missing Protection for Mirrored Regions in On-Chip Fabric Firewall
+Generation of Predictable IV with CBC Mode
 Insecure Default Variable Initialization
-External Initialization of Trusted Variables or Data Stores
-Non-exit on Failed Initialization
-Missing Initialization of a Variable
-Use of Uninitialized Variable
-Incomplete Cleanup
-Path Equivalence: 'filename ' (Trailing Space)
-Improper Cleanup on Thrown Exception
-Duplicate Key in Associative List (Alist)
-Deletion of Data Structure Sentinel
-Addition of Data Structure Sentinel
-Return of Pointer Value Outside of Expected Range
-Use of sizeof() on a Pointer Type
-Incorrect Pointer Scaling
-Use of Pointer Subtraction to Determine Size
-Path Equivalence: ' filename' (Leading Space)
-Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
-Modification of Assumed-Immutable Data (MAID)
-External Control of Assumed-Immutable Web Parameter
-PHP External Variable Modification
-Use of Function with Inconsistent Implementations
-Undefined Behavior for Input to API
-NULL Pointer Dereference
-Use of Obsolete Function
-Missing Default Case in Multiple Condition Expression
-Signal Handler Use of a Non-reentrant Function
+Authentication Bypass by Spoofing
+Missing Lock Check
+Improper Neutralization of Record Delimiters
+Struts: Form Bean Does Not Extend Validation Class
+Use of Weak Credentials
+Exposure of Information Through Directory Listing
+Client-Side Enforcement of Server-Side Security
+Excessive Code Complexity
+Missing Documentation for Design
+Improper Validation of Specified Index, Position, or Offset in Input
+Improper Protections Against Hardware Overheating
+Use of Potentially Dangerous Function
+Improper Access Control in Fabric Bridge
+ASP.NET Misconfiguration: Missing Custom Error Page
+Incomplete List of Disallowed Inputs
+Exposure of Sensitive System Information Due to Uncleared Debug Information
 Path Equivalence: 'file name' (Internal Whitespace)
-Use of Incorrect Operator
-Assigning instead of Comparing
+Generation of Predictable Numbers or Identifiers
+Improper Validation of Specified Quantity in Input
+Improper Zeroization of Hardware Register
+Assumed-Immutable Data is Stored in Writable Memory
+Signed to Unsigned Conversion Error
+Incomplete Denylist to Cross-Site Scripting
 Comparing instead of Assigning
-Incorrect Block Delimitation
-Omitted Break Statement in Switch
-Comparison of Classes by Name
-Reliance on Package-level Scope
-Exposure of Data Element to Wrong Session
-Active Debug Code
-Path Equivalence: 'filename/' (Trailing Slash)
-Public cloneable() Method Without Final ('Object Hijack')
-Use of Inner Class Containing Sensitive Data
-Critical Public Variable Without Final Modifier
-Download of Code Without Integrity Check
-Private Data Structure Returned From A Public Method
-Public Data Assigned to Private Array-Typed Field
-Exposure of Sensitive System Information to an Unauthorized Control Sphere
-Cloneable Class Containing Sensitive Information
-Serializable Class Containing Sensitive Data
-J2EE Misconfiguration: Data Transmission Without Encryption
-Path Equivalence: '//multiple/leading/slash'
-Public Static Field Not Marked Final
-Trust Boundary Violation
-Deserialization of Untrusted Data
-Embedded Malicious Code
-Trojan Horse
-Non-Replicating Malicious Code
-Replicating Malicious Code (Virus or Worm)
-Path Equivalence: '/multiple//internal/slash'
-Trapdoor
-Logic/Time Bomb
-Spyware
-Covert Channel
-Covert Storage Channel
-Path Equivalence: '/multiple/trailing/slash//'
-.NET Misconfiguration: Use of Impersonation
-Weak Password Requirements
-Insufficiently Protected Credentials
-Unprotected Transport of Credentials
-Use of Cache Containing Sensitive Information
-Use of Web Browser Cache Containing Sensitive Information
-Cleartext Storage of Sensitive Information in an Environment Variable
-Exposure of Version-Control Repository to an Unauthorized Control Sphere
+Initialization of a Resource with an Insecure Default
+Return of Stack Variable Address
+Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
+Obscured Security-relevant Information by Alternate Name
+Path Traversal: '\absolute\pathname\here'
+Exposure of Sensitive Information during Transient Execution
+Internal Asset Exposed to Unsafe Debug Access Level or State
+Missing XML Validation
+Incorrect Decoding of Security Identifiers 
+Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
+Invokable Control Element with Excessive Volume of Commented-out Code
+Signal Handler with Functionality that is not Asynchronous-Safe
+Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
+Missing Support for Integrity Check
+Comparison of Incompatible Types
+Sequence of Processor Instructions Leads to Unexpected Behavior
+Use of Prohibited Code
+Multiple Operations on Resource in Single-Operation Context
 Exposure of Core Dump File to an Unauthorized Control Sphere
-Exposure of Access Control List Files to an Unauthorized Control Sphere
-Path Equivalence: '\multiple\\internal\backslash'
-Exposure of Backup File to an Unauthorized Control Sphere
-Inclusion of Sensitive Information in Test Code
-Insertion of Sensitive Information into Log File
-Exposure of Information Through Shell Error Message
-Servlet Runtime Error Message Containing Sensitive Information
-Java Runtime Error Message Containing Sensitive Information
-Insertion of Sensitive Information into Externally-Accessible File or Directory
-Use of Persistent Cookies Containing Sensitive Information
-Path Equivalence: 'filedir\' (Trailing Backslash)
-Inclusion of Sensitive Information in Source Code
-Inclusion of Sensitive Information in an Include File
-Use of Singleton Pattern Without Synchronization in a Multithreaded Context
-Missing Standardized Error Handling Mechanism
-Suspicious Comment
-Use of Hard-coded, Security-relevant Constants
-Exposure of Information Through Directory Listing
-Missing Password Field Masking
+Improper Handling of Invalid Use of Special Elements
+Improper Neutralization of Alternate XSS Syntax
+Function Call With Incorrect Number of Arguments
+Function Call With Incorrectly Specified Argument Value
 Path Equivalence: '/./' (Single Dot Directory)
-Server-generated Error Message Containing Sensitive Information
-Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
-Files or Directories Accessible to External Parties
-Command Shell in Externally Accessible Directory
-ASP.NET Misconfiguration: Not Using Input Validation Framework
-J2EE Misconfiguration: Plaintext Password in Configuration File
-ASP.NET Misconfiguration: Use of Identity Impersonation
-Use of getlogin() in Multithreaded Application
-Path Equivalence: 'filedir*' (Wildcard)
-Use of umask() with chmod-style Argument
-Dead Code
-Return of Stack Variable Address
-Assignment to Variable without Use
+Improper Write Handling in Limited-write Non-Volatile Memories
+Improper Protection for Outbound Error Messages and Alert Signals
 SQL Injection: Hibernate
-Reliance on Cookies without Validation and Integrity Checking
-Authorization Bypass Through User-Controlled SQL Primary Key
-Unsynchronized Access to Shared Data in a Multithreaded Context
-finalize() Method Without super.finalize()
-Path Equivalence: 'fakedir/../realdir/filename'
-Expression is Always False
-Expression is Always True
-Call to Thread run() instead of start()
+Unimplemented or Unsupported Feature in UI
+Predictable Value Range from Previous Values
+Improper Prevention of Lock Bit Modification
+Unchecked Return Value to NULL Pointer Dereference
+Improper Neutralization of Input Leaders
+Insufficient Isolation of System-Dependent Functions
 Improper Following of Specification by Caller
-EJB Bad Practices: Use of Synchronization Primitives
-EJB Bad Practices: Use of AWT Swing
-EJB Bad Practices: Use of Java I/O
-EJB Bad Practices: Use of Sockets
-EJB Bad Practices: Use of Class Loader
-J2EE Bad Practices: Non-serializable Object Stored in Session
-Path Equivalence: Windows 8.3 Filename
-clone() Method Without super.clone()
-Object Model Violation: Just One of Equals and Hashcode Defined
-Array Declared Public, Final, and Static
-finalize() Method Declared Public
-Return Inside Finally Block
-Empty Synchronized Block
-Explicit Call to Finalize()
-Assignment of a Fixed Address to a Pointer
+Improper Handling of Missing Values
+Improper Neutralization of HTTP Headers for Scripting Syntax
+Insufficient or Incomplete Data Removal within Hardware Component
+CPU Hardware Not Configured to Support Exclusivity of Write and Execute Operations
+Unintended Proxy or Intermediary ('Confused Deputy')
+Data Element Aggregating an Excessively Large Number of Non-Primitive Elements
+Relative Path Traversal
+Insufficient Psychological Acceptability
+External Control of System or Configuration Setting
+Incorrect Calculation of Buffer Size
 Attempt to Access Child of a Non-structure Pointer
-Call to Non-ubiquitous API
-Improper Link Resolution Before File Access ('Link Following')
-Free of Memory not on the Heap
-Sensitive Data Storage in Improperly Locked Memory
-Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created
-J2EE Framework: Saving Unserializable Objects to Disk
-Comparison of Object References Instead of Object Contents
-Use of Wrong Operator in String Comparison
-Use of GET Request Method With Sensitive Query Strings
-Missing Validation of OpenSSL Certificate
-J2EE Misconfiguration: Insufficient Session-ID Length
-Uncaught Exception in Servlet 
-URL Redirection to Untrusted Site ('Open Redirect')
-Client-Side Enforcement of Server-Side Security
-Use of Client-Side Authentication
-Multiple Binds to the Same Port
-Unchecked Input for Loop Condition
-Public Static Final Field References Mutable Object
-Struts: Non-private Field in ActionForm Class
-Double-Checked Locking
-UNIX Symbolic Link (Symlink) Following
-Externally Controlled Reference to a Resource in Another Sphere
-Improper Restriction of XML External Entity Reference
-Improper Authorization of Index Containing Sensitive Information
-Insufficient Session Expiration
-Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
-Inclusion of Sensitive Information in Source Code Comments
-Incomplete Identification of Uploaded File Variables (PHP)
-Reachable Assertion
-Exposed Unsafe ActiveX Method
+Java Runtime Error Message Containing Sensitive Information
+Use of Web Link to Untrusted Target with window.opener Access
+Incorrect Behavior Order: Early Validation
+Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
+Improper Control of a Resource Through its Lifetime
+Improper Lock Behavior After Power State Transition
+Use of Path Manipulation Function without Maximum-sized Buffer
+Cloneable Class Containing Sensitive Information
+Insufficient Visual Distinction of Homoglyphs Presented to User
+Incorrect Resource Transfer Between Spheres
+Stack-based Buffer Overflow
+Insecure Setting of Generative AI/ML Model Inference Parameters
+Mismatched Memory Management Routines
+Inappropriate Encoding for Output Context
+Improper Neutralization of Line Delimiters
+Improper Adherence to Coding Standards
+Hidden Functionality
+Non-SQL Invokable Control Element with Excessive Number of Data Resource Accesses
+Improper Enforcement of Behavioral Workflow
+Creation of Class Instance within a Static Code Block
+Inaccurate Comments
+Addition of Data Structure Sentinel
+Generation of Incorrect Security Tokens
+Inappropriate Comment Style
+Improper Handling of Mixed Encoding
+Struts: Form Field Without Validator
+Execution with Unnecessary Privileges
+Buffer Underwrite ('Buffer Underflow')
+Only Filtering Special Elements at an Absolute Position
+Improper Handling of Undefined Values
+Public Data Assigned to Private Array-Typed Field
+Insufficient Technical Documentation
+Inconsistent Naming Conventions for Identifiers
+Always-Incorrect Control Flow Implementation
+Explicit Call to Finalize()
+Improper Preservation of Permissions
 Dangling Database Cursor ('Cursor Injection')
-UNIX Hard Link
-Unverified Password Change
-Variable Extraction Error
-Improper Validation of Function Hook Arguments
-Unsafe ActiveX Control Marked Safe For Scripting
-Executable Regular Expression Error
-Permissive Regular Expression
-Null Byte Interaction Error (Poison Null Byte)
-Dynamic Variable Evaluation
-Function Call with Incorrectly Specified Arguments
-Not Failing Securely ('Failing Open')
-Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')
-Not Using Complete Mediation
 Authorization Bypass Through User-Controlled Key
-Windows Shortcut Following (.LNK)
-Weak Password Recovery Mechanism for Forgotten Password
-Improper Restriction of Names for Files and Other Resources
-External Control of Critical State Data
-Improper Neutralization of Data within XPath Expressions ('XPath Injection')
-Improper Neutralization of HTTP Headers for Scripting Syntax
-Overly Restrictive Account Lockout Mechanism
-Reliance on File Name or Extension of Externally-Supplied File
-Use of Non-Canonical URL Paths for Authorization Decisions
+Improper Ownership Management
+Insecure Temporary File
+J2EE Bad Practices: Direct Use of Sockets
+Use of Incorrectly-Resolved Name or Reference
+Improper Handling of Faults that Lead to Instruction Skips
+Improper Handling of Insufficient Entropy in TRNG
+Trust Boundary Violation
+Process Control
+Compilation with Insufficient Warnings or Errors
+Weak Authentication
+Policy Uses Obsolete Encoding
+Missing Custom Error Page
+Path Traversal: '....' (Multiple Dot)
+Time-of-check Time-of-use (TOCTOU) Race Condition
+Data Element containing Pointer Item without Proper Copy Control Element
+Excessively Deep Nesting
+Improper Handling of Insufficient Privileges
+Information Exposure through Microarchitectural State after Transient Execution
 Incorrect Use of Privileged APIs
-Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking
-Windows Hard Link
-Trusting HTTP Permission Methods on the Server Side
-Exposure of WSDL File Containing Sensitive Information
-Improper Neutralization of Data within XQuery Expressions ('XQuery Injection')
-Improper Isolation or Compartmentalization
-Reliance on a Single Factor in a Security Decision
-Insufficient Psychological Acceptability
-Reliance on Security Through Obscurity
-Violation of Secure Design Principles
-Improper Handling of File Names that Identify Virtual Resources
-Improper Synchronization
-Use of a Non-reentrant Function in a Concurrent Context
-Improper Control of a Resource Through its Lifetime
+Use of Externally-Controlled Format String
+Variable Extraction Error
+Exposure of Sensitive Information Due to Incompatible Policies
+Declaration of Throws for Generic Exception
+Hardware Allows Activation of Test or Debug Logic at Runtime
 Improper Initialization
-Operation on Resource in Wrong Phase of Lifetime
-Improper Locking
+Serializable Class Containing Sensitive Data
+Data Resource Access without Use of Connection Pooling
+Insufficient Adherence to Expected Conventions
+Improper Setting of Bus Controlling Capability in Fabric End-point
+Hardware Internal or Debug Modes Allow Override of Locks
+Improper Authentication
+Use of Password Hash With Insufficient Computational Effort
 Exposure of Resource to Wrong Sphere
-Incorrect Resource Transfer Between Spheres
-Improper Handling of Windows Device Names
-Always-Incorrect Control Flow Implementation
-Lack of Administrator Control over Security
-Operation on a Resource after Expiration or Release
-External Influence of Sphere Definition
-Uncontrolled Recursion
-Multiple Operations on Resource in Single-Operation Context
-Use of Potentially Dangerous Function
-Integer Overflow to Buffer Overflow
-Incorrect Conversion between Numeric Types
-Incorrect Calculation
-Function Call With Incorrect Order of Arguments
-Incorrect Provision of Specified Functionality
-Function Call With Incorrect Number of Arguments
-Function Call With Incorrect Argument Type
-Function Call With Incorrectly Specified Argument Value
-Function Call With Incorrect Variable or Reference as Argument
-Permission Race Condition During Resource Copy
-Improper Handling of Windows ::DATA Alternate Data Stream
-Unchecked Return Value to NULL Pointer Dereference
-Insufficient Control Flow Management
-Incomplete Denylist to Cross-Site Scripting
-Protection Mechanism Failure
+Improperly Controlled Sequential Memory Allocation
+Use of Persistent Cookies Containing Sensitive Information
+Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')
+Hardware Logic Contains Race Conditions
+Incorrect Comparison Logic Granularity
+Use of Incorrect Operator
+Cleartext Storage of Sensitive Information in Memory
+Improper Check for Dropped Privileges
+Numeric Range Comparison Without Minimum Check
+Improper Neutralization of Internal Special Elements
+Improper Handling of Values
+Improper Certificate Validation
+Truncation of Security-relevant Information
+Double-Checked Locking
+Only Filtering Special Elements at a Specified Location
+Improper Access Control for Volatile Memory Containing Boot Code
+Comparison Using Wrong Factors
+Missing Default Case in Multiple Condition Expression
+Insecure Inherited Permissions
+Improperly Controlled Modification of Dynamically-Determined Object Attributes
+Path Traversal: 'dir\..\..\filename'
+Generation of Weak Initialization Vector (IV)
+Improper Handling of Additional Special Element
+Improper Neutralization
+Observable Discrepancy
+Use of Uninitialized Variable
+Self-generated Error Message Containing Sensitive Information
+finalize() Method Without super.finalize()
+Struts: Duplicate Validation Forms
+Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
+Exposure of Sensitive Information Through Data Queries
+Insufficient Documentation of Error Handling Techniques
+Channel Accessible by Non-Endpoint
+Path Equivalence: 'file.name' (Internal Dot)
+Improper Handling of Parameters
+Struts: Non-private Field in ActionForm Class
+Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)
+Improper Authorization of Index Containing Sensitive Information
+Improper Use of Validation Framework
 Use of Multiple Resources with Duplicate Identifier
-Use of Low-Level Functionality
-Incorrect Behavior Order
-Incorrect Comparison
+Use of a Broken or Risky Cryptographic Algorithm
+Uninitialized Value on Reset for Registers Holding Security Settings
+Improper Output Neutralization for Logs
+Insufficient Encapsulation
+Unprotected Confidential Information on Device is Accessible by OSAT Vendors
+Excessive Use of Unconditional Branching
+Use of Predictable Algorithm in Random Number Generator
+Improper Restriction of Security Token Assignment
+Improper Neutralization of Delimiters
+Regular Expression without Anchors
+Improper Handling of Hardware Behavior in Exceptionally Cold Environments
+Improper Neutralization of Macro Symbols
+Unchecked Input for Loop Condition
+Use of Cache Containing Sensitive Information
+Improper Neutralization of Whitespace
+Integer Overflow to Buffer Overflow
+.NET Misconfiguration: Use of Impersonation
+Improper Neutralization of Section Delimiters
+Unsynchronized Access to Shared Data in a Multithreaded Context
+Missing Write Protection for Parametric Data Values
+Missing Ability to Patch ROM Code
+Inadequate Detection or Handling of Adversarial Input Perturbations in Automated Recognition Mechanism
+Cleartext Storage of Sensitive Information
+Access of Uninitialized Pointer
+Insufficient Verification of Data Authenticity
+Use of a Cryptographic Primitive with a Risky Implementation
+Improper Export of Android Application Components
+Improper Neutralization of Substitution Characters
+Behavioral Change in New Version or Environment
+Passing Mutable Objects to an Untrusted Method
+Use of Uninitialized Resource
+Acceptance of Extraneous Untrusted Data With Trusted Data
+Incorrect Chaining or Granularity of Debug Components
+Compiler Optimization Removal or Modification of Security-critical Code
+Improper Validation of Integrity Check Value
+Multiple Inheritance from Concrete Classes
+Serializable Data Element Containing non-Serializable Item Elements
+Improper Neutralization of Quoting Syntax
+Command Shell in Externally Accessible Directory
+User Interface (UI) Misrepresentation of Critical Information
+Path Traversal: '\dir\..\filename'
+Comparison of Object References Instead of Object Contents
 Execution After Redirect (EAR)
-J2EE Misconfiguration: Missing Custom Error Page
-Improper Check or Handling of Exceptional Conditions
+Incorrectly Specified Destination in a Communication Channel
+Function Call with Incorrectly Specified Arguments
+Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
+Plaintext Storage of a Password
+Security-Sensitive Hardware Controls with Missing Lock Bit Protection
+Use of Hard-coded Password
+Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element
+Improper Management of Sensitive Trace Data
+Logic/Time Bomb
+Improper Control of Generation of Code ('Code Injection')
+Improper Restriction of Rendered UI Layers or Frames
+Security Version Number Mutable to Older Versions
+Cleartext Storage of Sensitive Information in an Environment Variable
+Numeric Truncation Error
+Improper Handling of Windows Device Names
+Class with Excessively Deep Inheritance
+Authentication Bypass by Assumed-Immutable Data
+Access Control Check Implemented After Asset is Accessed
+Incorrect Default Permissions
+Race Condition for Write-Once Attributes
+Struts: Unvalidated Action Form
+Incomplete Filtering of Special Elements
+Creation of Temporary File in Directory with Insecure Permissions
 Incorrect Type Conversion or Cast
-Incorrect Control Flow Scoping
-Use of Incorrectly-Resolved Name or Reference
-Improper Neutralization
+Privilege Context Switching Error
+Inconsistency Between Implementation and Documented Design
+Incomplete Comparison with Missing Factors
+Path Equivalence: '/multiple/trailing/slash//'
+Exposure of Sensitive Information to an Unauthorized Actor
+Weak Password Recovery Mechanism for Forgotten Password
+Improper Neutralization of Formula Elements in a CSV File
 Incorrect Ownership Assignment
-Improper Adherence to Coding Standards
+Missing Standardized Error Handling Mechanism
+clone() Method Without super.clone()
+Insufficient Precision or Accuracy of a Real Number
+Non-Replicating Malicious Code
+Authentication Bypass by Alternate Name
+Public Static Final Field References Mutable Object
+Insufficient Type Distinction
+Multiple Locks of a Critical Resource
+Improper Neutralization of Expression/Command Delimiters
+Reliance on Component That is Not Updateable
+Incorrect Calculation of Multi-Byte String Length
+Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
+Improper Neutralization of CRLF Sequences ('CRLF Injection')
+Insufficient Granularity of Access Control
+Sensitive Cookie with Improper SameSite Attribute
+Improper Handling of Missing Special Element
+Predictable from Observable State
+Class with Excessive Number of Child Classes
+Use of Same Variable for Multiple Purposes
+Improper Control of Resource Identifiers ('Resource Injection')
+Incorrect Execution-Assigned Permissions
+Observable Response Discrepancy
+Improper Handling of Insufficient Permissions or Privileges 
+Incorrect Register Defaults or Module Parameters
+Improper Neutralization of Script in Attributes of IMG Tags in a Web Page
+Authentication Bypass by Primary Weakness
+Insecure Storage of Sensitive Information
+Improper Validation of Certificate with Host Mismatch
 Improper Handling of Apple HFS+ Alternate Data Stream Path
-External Control of File Name or Path
-Incorrect Permission Assignment for Critical Resource
-Compiler Optimization Removal or Modification of Security-critical Code
-Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
-Exposed Dangerous Method or Function
-Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
+Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls
+Return Inside Finally Block
+Incorrect Use of Autoboxing and Unboxing for Performance Critical Operations
+Unchecked Return Value
+Incorrect Provision of Specified Functionality
+Storing Passwords in a Recoverable Format
+Return of Pointer Value Outside of Expected Range
+Improperly Implemented Security Check for Standard
+Deployment of Wrong Handler
+Sensitive Data Storage in Improperly Locked Memory
+Sensitive Non-Volatile Information Not Protected During Debug
+Improper Control of Dynamically-Identified Variables
+Executable Regular Expression Error
+Firmware Not Updateable
+Access of Memory Location After End of Buffer
+Deadlock
+Authentication Bypass: OpenSSL CTX Object Modified after SSL Objects are Created
 Improper Check for Unusual or Exceptional Conditions
+On-Chip Debug and Test Interface With Improper Access Control
+Mirrored Regions with Different Values
+Trojan Horse
+Initialization with Hard-Coded Network Resource Configuration Data
+Improper Check or Handling of Exceptional Conditions
+Exposure of Access Control List Files to an Unauthorized Control Sphere
+Reliance on Runtime Component in Generated Code
+Use of Default Credentials
+External Initialization of Trusted Variables or Data Stores
+Improper Restriction of Software Interfaces to Hardware Features
+Small Seed Space in PRNG
+Exposure of Sensitive Information caused by Incorrect Data Forwarding during Transient Execution
+The UI Performs the Wrong Action
+Public Key Re-Use for Signing both Debug and Production Code
+Collapse of Data into Unsafe Value
+Path Equivalence: Windows 8.3 Filename
 Improper Handling of Exceptional Conditions
-Missing Custom Error Page
-Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
-Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
-Use of a One-Way Hash without a Salt
-Improper Neutralization of Equivalent Special Elements
-Use of a One-Way Hash with a Predictable Salt
-Free of Pointer not at Start of Buffer
-Mismatched Memory Management Routines
-Release of Invalid Pointer or Reference
-Multiple Locks of a Critical Resource
-Multiple Unlocks of a Critical Resource
-Critical Data Element Declared Public
-Access to Critical Private Variable via Public Method
-Incorrect Short Circuit Evaluation
+Undefined Behavior for Input to API
+Improper Protection against Electromagnetic Fault Injection (EM-FI)
+Improper Neutralization of Input Used for LLM Prompting
+Missing Report of Error Condition
+Insufficiently Protected Credentials
+Buffer Under-read
+Asymmetric Resource Consumption (Amplification)
+Suspicious Comment
+Cleartext Storage of Sensitive Information in Executable
+Data Access from Outside Expected Data Manager Component
+Improper Handling of Single Event Upsets
+Excessive Execution of Sequential Searches of Data Resource
+Incorrect Comparison
+Empty Code Block
+EJB Bad Practices: Use of Java I/O
+Path Equivalence: 'filename....' (Multiple Trailing Dot)
+Missing Authentication for Critical Function
+Unverified Password Change
+Missing Cryptographic Step
+Doubled Character XSS Manipulations
+Cross-Site Request Forgery (CSRF)
+Use of Unmaintained Third Party Components
+Use of Client-Side Authentication
+Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking
+Path Equivalence: '//multiple/leading/slash'
+Observable Timing Discrepancy
+Improper Validation of Generative AI Output
+Cleartext Storage of Sensitive Information in a Cookie
+Use of a Key Past its Expiration Date
 Improper Neutralization of Special Elements used in a Command ('Command Injection')
-Allocation of Resources Without Limits or Throttling
-Missing Reference to Active Allocated Resource
-Missing Release of Resource after Effective Lifetime
-Missing Reference to Active File Descriptor or Handle
-Allocation of File Descriptors or Handles Without Limits or Throttling
-Missing Release of File Descriptor or Handle after Effective Lifetime
-Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
-Regular Expression without Anchors
-Insufficient Logging
-Logging of Excessive Data
-Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
-Use of RSA Algorithm without OAEP
-Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code
-Exposed IOCTL with Insufficient Access Control
+Loop with Unreachable Exit Condition ('Infinite Loop')
+Untrusted Search Path
+Assignment to Variable without Use
+Unrestricted Externally Accessible Lock
+Embedded Malicious Code
+Path Equivalence: 'filedir*' (Wildcard)
+Use of Hard-coded, Security-relevant Constants
+Information Loss or Omission
+Improper Neutralization of Special Elements Used in a Template Engine
+Incomplete Documentation of Program Execution
+Weak Password Requirements
+External Control of Assumed-Immutable Web Parameter
+Untrusted Pointer Dereference
+Use of Web Browser Cache Containing Sensitive Information
+Integer Underflow (Wrap or Wraparound)
+Insufficient Entropy
+Trusting HTTP Permission Methods on the Server Side
+EJB Bad Practices: Use of Sockets
+Improper Control of Dynamically-Managed Code Resources
+Unsafe ActiveX Control Marked Safe For Scripting
+Improper Update of Reference Count
+J2EE Bad Practices: Use of System.exit()
+Improper Input Validation
+Improper Isolation of Shared Resources on System-on-a-Chip (SoC)
+Use of Obsolete Function
+Reliance on File Name or Extension of Externally-Supplied File
+Operation on a Resource after Expiration or Release
+Insertion of Sensitive Information into Log File
+Assignment of a Fixed Address to a Pointer
+Use of Singleton Pattern Without Synchronization in a Multithreaded Context
+Password Aging with Long Expiration
+Cleartext Storage in the Registry
+Missing Authorization
+Overly Restrictive Regular Expression
+Operation on Resource in Wrong Phase of Lifetime
+J2EE Framework: Saving Unserializable Objects to Disk
 Operator Precedence Logic Error
-Reliance on Cookies without Validation and Integrity Checking in a Security Decision
-Use of Path Manipulation Function without Maximum-sized Buffer
-Access of Memory Location Before Start of Buffer
-Out-of-bounds Write
-Access of Memory Location After End of Buffer
-Memory Allocation with Excessive Size Value
-Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
-Improper Filtering of Special Elements
-Incomplete Filtering of Special Elements
+Unexpected Sign Extension
+Improper Neutralization of Special Elements in Data Query Logic
+Race Condition within a Thread
+Call to Non-ubiquitous API
+Missing Origin Validation in WebSockets
+Permissive Cross-domain Security Policy with Untrusted Domains
+Incomplete Design Documentation
+Cleartext Storage in a File or on Disk
+Improper Handling of Extra Parameters
+Integer Coercion Error
+J2EE Misconfiguration: Insufficient Session-ID Length
+Unprotected Transport of Credentials
+Reliance on Insufficiently Trustworthy Component
+Privilege Chaining
+Path Equivalence: 'filename.' (Trailing Dot)
+Product Released in Non-Release Configuration
+Race Condition During Access to Alternate Channel
+Improper Neutralization of Parameter/Argument Delimiters
+Exposure of Sensitive System Information to an Unauthorized Control Sphere
+Inclusion of Undocumented Features or Chicken Bits
 Incomplete Filtering of One or More Instances of Special Elements
-Only Filtering One Instance of a Special Element
+Insufficient Granularity of Address Regions Protected by Register Locks
+Use of Implicit Intent for Sensitive Communication
+Excessive Platform Resource Consumption within a Loop
+Password in Configuration File
+Improper Following of a Certificate's Chain of Trust
+EJB Bad Practices: Use of AWT Swing
+Path Traversal: '....//'
+Use of Object without Invoking Destructor Method
+Unquoted Search Path or Element
+Improper Identifier for IP Block used in System-On-Chip (SOC)
+Weak Encoding for Password
+Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
+Improper Handling of Alternate Encoding
+Assigning instead of Comparing
+Path Traversal: 'dir/../../filename'
+Critical Data Element Declared Public
+Violation of Secure Design Principles
+Improper Privilege Management
+Incorrect Bitwise Shift of Integer
 Incomplete Filtering of Multiple Instances of Special Elements
-Only Filtering Special Elements at a Specified Location
-Only Filtering Special Elements Relative to a Marker
-Only Filtering Special Elements at an Absolute Position
-Use of Hard-coded Credentials
-Improper Control of Interaction Frequency
-J2EE Misconfiguration: Entity Bean Declared Remote
-Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
-Guessable CAPTCHA
-Buffer Access with Incorrect Length Value
-Buffer Access Using Size of Source Buffer
-Reliance on Untrusted Inputs in a Security Decision
-Improper Neutralization of Script in an Error Message Web Page
-Improper Neutralization of Script in Attributes of IMG Tags in a Web Page
-Missing Synchronization
-Incorrect Synchronization
-Untrusted Pointer Dereference
-Use of Out-of-range Pointer Offset
-Access of Uninitialized Pointer
-Expired Pointer Dereference
-Premature Release of Resource During Expected Lifetime
-Improper Control of Document Type Definition
-Signal Handler with Functionality that is not Asynchronous-Safe
-Inclusion of Functionality from Untrusted Control Sphere
-Improper Neutralization of Script in Attributes in a Web Page
-Inclusion of Web Functionality from an Untrusted Source
+Call to Thread run() instead of start()
+Improper Resource Locking
+Signal Handler Race Condition
+Insecure Preserved Inherited Permissions
+Return of Wrong Status Code
+Creation of Temporary File With Insecure Permissions
+Improper Handling of Unexpected Data Type
+Invokable Control Element with Signature Containing an Excessive Number of Parameters
+Using Referer Field for Authentication
+Uncontrolled Search Path Element
+Cleartext Storage of Sensitive Information in GUI
+Source Code Element without Standard Prologue
+Use of RSA Algorithm without OAEP
+Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
+Private Data Structure Returned From A Public Method
+finalize() Method Declared Public
+Replicating Malicious Code (Virus or Worm)
 Signal Handler Function Associated with Multiple Signals
-Unlock of a Resource that is not Locked
-Deadlock
-Excessive Iteration
-Loop with Unreachable Exit Condition ('Infinite Loop')
-Use of Password Hash Instead of Password for Authentication
-Improper Enforcement of a Single, Unique Action
-Inappropriate Encoding for Output Context
-Numeric Range Comparison Without Minimum Check
-Improper Neutralization of Encoded URI Schemes in a Web Page
-Improper Enforcement of Behavioral Workflow
-Placement of User into Incorrect Group
-Access of Resource Using Incompatible Type ('Type Confusion')
-Doubled Character XSS Manipulations
-Improper Neutralization of Invalid Characters in Identifiers in Web Pages
-Missing Authorization
-Incorrect Authorization
-Improper Neutralization of Alternate XSS Syntax
-Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
-Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
-J2EE Misconfiguration: Weak Access Permissions for EJB Methods
-Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
-Use of Uninitialized Resource
-Missing Initialization of Resource
-XML Injection (aka Blind XPath Injection)
-Use of Expired File Descriptor
-Improper Update of Reference Count
-Hidden Functionality
-Improper Control of Dynamically-Managed Code Resources
-Improper Control of Dynamically-Identified Variables
-Improperly Controlled Modification of Dynamically-Determined Object Attributes
-Use of Password Hash With Insufficient Computational Effort
-Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
-Server-Side Request Forgery (SSRF)
-Improper Restriction of Power Consumption
-Storage of Sensitive Data in a Mechanism without Access Control
-Insecure Storage of Sensitive Information
+Observable Internal Behavioral Discrepancy
+Device Unlock Credential Sharing
+Binding to an Unrestricted IP Address
+Reliance on Reverse DNS Resolution for a Security-Critical Action
+Class with Virtual Method without a Virtual Destructor
+Missing Security-Relevant Feedback for Unexecuted Operations in Hardware Interface
 Improper Restriction of Communication Channel to Intended Endpoints
-Improper Enforcement of Message Integrity During Transmission in a Communication Channel
-Improper Verification of Intent by Broadcast Receiver
-Improper Export of Android Application Components
-Use of Implicit Intent for Sensitive Communication
-Improper Neutralization of CRLF Sequences ('CRLF Injection')
-Improper Authorization in Handler for Custom URL Scheme
-Improper Control of Generation of Code ('Code Injection')
-Improper Verification of Source of a Communication Channel
-Incorrectly Specified Destination in a Communication Channel
-Permissive Cross-domain Policy with Untrusted Domains
-Improper Neutralization of Special Elements in Data Query Logic
-Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
-Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
-Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
-Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
-Improper Control of Resource Identifiers ('Resource Injection')
+Reliance on a Single Factor in a Security Decision
+Sensitive Cookie Without 'HttpOnly' Flag
+Storage of File With Sensitive Data Under FTP Root
+Improper Handling of Highly Compressed Data (Data Amplification)
+Incorrect Behavior Order: Early Amplification
+Invocation of Process Using Visible Sensitive Information
+Only Filtering One Instance of a Special Element
+Path Equivalence: 'filedir\' (Trailing Backslash)
+Path Traversal: '/dir/../filename'
+Comparison of Classes by Name
+Dead Code
+Buffer Over-read
+Improper Neutralization of Multiple Trailing Special Elements
+Dynamic Variable Evaluation
+Use of Password System for Primary Authentication
+Encoding Error
+Incorrect Check of Function Return Value
+Improper Physical Access Control
+Creation of Emergent Resource
+PHP External Variable Modification
+Reliance on Untrusted Inputs in a Security Decision
+Multiple Releases of Same Resource or Handle
+Hardware Child Block Incorrectly Connected to Parent System
+Failure to Handle Incomplete Element
+Improper Neutralization of Null Byte or NUL Character
+Sensitive Information Uncleared Before Debug/Power State Transition
+Floating Point Comparison with Incorrect Operator
+Release of Invalid Pointer or Reference
+Improper Handling of Case Sensitivity
+Omitted Break Statement in Switch
+J2EE Bad Practices: Direct Management of Connections
+Missing Serialization Control Element
+Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code
+Use of Hard-coded Credentials
+Multiple Unlocks of a Critical Resource
+Insufficient Logging
+Missing Release of Resource after Effective Lifetime
+Improper Authorization
+Improper Handling of Inconsistent Structural Elements