CWE

Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities
New to CWE? click here!
CWE Most Important Hardware Weaknesses
CWE Top 25 Most Dangerous Weaknesses
Home > CWE List > CWE- Individual Dictionary Definition (4.20)  
ID
  • Home
  • Who We Are User Stories History Documents Videos
  • Basics
    Root Cause Mapping   ►
    Guidance Quick Tips Examples
    How to Contribute Weakness Content FAQs Glossary
  • Top-N Lists   ►
    Top 25 Software Top Hardware Top 10 KEV Weaknesses
    CWE List   ►
    Current Version Reports Visualizations Releases Archive
    Downloads REST API
  • News   ►
    Current News Blog Podcast News Archive
    CWE Board Working Groups & Special Interest Groups Email Lists
    • Search CWE List Search Website

    CWE CATEGORY: OWASP Top Ten 2025 Category A08:2025 - Software or Data Integrity Failures

    Category ID: 1443
    Vulnerability Mapping: PROHIBITED This CWE ID must not be used to map to real-world vulnerabilities
    + Summary
    Weaknesses in this category are related to the A08 category "Software or Data Integrity Failures" in the OWASP Top Ten 2025.
    + Membership
    Nature Type ID Name
    MemberOf ViewView - a subset of CWE entries that provides a way of examining CWE content. The two main view structures are Slices (flat lists) and Graphs (containing relationships between entries). 1450 Weaknesses in OWASP Top Ten RC1 (2025)
    HasMember ClassClass - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. 345 Insufficient Verification of Data Authenticity
    HasMember BaseBase - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. 353 Missing Support for Integrity Check
    HasMember BaseBase - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. 426 Untrusted Search Path
    HasMember BaseBase - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. 427 Uncontrolled Search Path Element
    HasMember BaseBase - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. 494 Download of Code Without Integrity Check
    HasMember BaseBase - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. 502 Deserialization of Untrusted Data
    HasMember ClassClass - a weakness that is described in a very abstract fashion, typically independent of any specific language or technology. More specific than a Pillar Weakness, but more general than a Base Weakness. Class level weaknesses typically describe issues in terms of 1 or 2 of the following dimensions: behavior, property, and resource. 506 Embedded Malicious Code
    HasMember BaseBase - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. 509 Replicating Malicious Code (Virus or Worm)
    HasMember BaseBase - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. 565 Reliance on Cookies without Validation and Integrity Checking
    HasMember VariantVariant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. 784 Reliance on Cookies without Validation and Integrity Checking in a Security Decision
    HasMember BaseBase - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. 829 Inclusion of Functionality from Untrusted Control Sphere
    HasMember VariantVariant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. 830 Inclusion of Web Functionality from an Untrusted Source
    HasMember BaseBase - a weakness that is still mostly independent of a resource or technology, but with sufficient details to provide specific methods for detection and prevention. Base level weaknesses typically describe issues in terms of 2 or 3 of the following dimensions: behavior, property, technology, language, and resource. 915 Improperly Controlled Modification of Dynamically-Determined Object Attributes
    HasMember VariantVariant - a weakness that is linked to a certain type of product, typically involving a specific language or technology. More specific than a Base weakness. Variant level weaknesses typically describe issues in terms of 3 to 5 of the following dimensions: behavior, property, technology, language, and resource. 926 Improper Export of Android Application Components
    + Vulnerability Mapping Notes

    Usage: PROHIBITED

    (this CWE ID must not be used to map to real-world vulnerabilities)

    Reason: Category

    Rationale:

    This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves.

    Comments:

    See member weaknesses of this category.
    + Notes

    Maintenance

    As of CWE 4.19, the relationships in this category were pulled directly from the CWE mappings cited in the 2025 OWASP Top Ten. These mappings include categories, which are discouraged for mapping, as well as high-level weaknesses such as Pillars. The CWE Program will work with OWASP to improve these mappings, possibly requiring modifications to CWE itself.
    + References
    [REF-1500] "OWASP Top 10:2025 RC1". OWASP. 2025-11-06. <https://owasp.org/Top10/2025/0x00_2025-Introduction/>. URL validated: 2025-12-01.
    [REF-1508] OWASP. "A08:2025 - Software or Data Integrity Failures". 2025-11-06. <https://owasp.org/Top10/2025/A08_2025-Software_or_Data_Integrity_Failures/>. URL validated: 2025-12-01.
    + Content History
    + Submissions
    Submission Date Submitter Organization
    2025-12-01
    (CWE 4.19, 2025-12-11)     		CWE Content Team MITRE
    Page Last Updated: April 30, 2026
     

    Use of the Common Weakness Enumeration (CWE™) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2026, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.