Common Weakness Enumeration

CWE-639

Allowed

Authorization Bypass Through User-Controlled Key

Abstraction: Base · Status: Incomplete

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

3251 vulnerabilities reference this CWE, most recent first.

GHSA-23M2-3G75-JVC8

Vulnerability from github – Published: 2026-04-16 15:31 – Updated: 2026-04-16 15:31
VLAI
Details

The Fluent Forms – Customizable Contact Forms, Survey, Quiz, & Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference via the 'submission_id' parameter in versions up to, and including, 6.1.21. This is due to missing authorization and ownership validation on a user controlled key in the Stripe SCA confirmation AJAX endpoint. This makes it possible for unauthenticated attackers to modify payment status of targeted pending submissions (for example, setting the status to "failed").

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-4160"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-04-16T14:16:18Z",
    "severity": "MODERATE"
  },
  "details": "The Fluent Forms \u2013 Customizable Contact Forms, Survey, Quiz, \u0026 Conversational Form Builder plugin for WordPress is vulnerable to Insecure Direct Object Reference via the \u0027submission_id\u0027 parameter in versions up to, and including, 6.1.21. This is due to missing authorization and ownership validation on a user controlled key in the Stripe SCA confirmation AJAX endpoint. This makes it possible for unauthenticated attackers to modify payment status of targeted pending submissions (for example, setting the status to \"failed\").",
  "id": "GHSA-23m2-3g75-jvc8",
  "modified": "2026-04-16T15:31:32Z",
  "published": "2026-04-16T15:31:32Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4160"
    },
    {
      "type": "WEB",
      "url": "https://plugins.trac.wordpress.org/changeset/3496638/fluentform"
    },
    {
      "type": "WEB",
      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/154fc656-3a33-4783-a941-10bb848244b3?source=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-23M9-RR4P-XPWH

Vulnerability from github – Published: 2026-05-14 21:30 – Updated: 2026-05-14 21:30
VLAI
Details

Crabbox prior to v0.12.0 contains a privilege escalation vulnerability that allows users with shared visibility-only access to obtain Code, WebVNC, and Egress agent tickets by sending POST requests to ticket endpoints. Attackers can exploit insufficient access control checks on the /v1/leases/:id/code/ticket, /v1/leases/:id/webvnc/ticket, and /v1/leases/:id/egress/ticket endpoints to obtain bridge-agent tickets and impersonate trusted lease-side bridges despite having only visibility permissions.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2026-8629"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-05-14T20:17:21Z",
    "severity": "HIGH"
  },
  "details": "Crabbox prior to v0.12.0 contains a privilege escalation vulnerability that allows users with shared visibility-only access to obtain Code, WebVNC, and Egress agent tickets by sending POST requests to ticket endpoints. Attackers can exploit insufficient access control checks on the /v1/leases/:id/code/ticket, /v1/leases/:id/webvnc/ticket, and /v1/leases/:id/egress/ticket endpoints to obtain bridge-agent tickets and impersonate trusted lease-side bridges despite having only visibility permissions.",
  "id": "GHSA-23m9-rr4p-xpwh",
  "modified": "2026-05-14T21:30:47Z",
  "published": "2026-05-14T21:30:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8629"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/crabbox/pull/71"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/crabbox/commit/95cb30dc7dbaa1fef690a42ef6ac1cb6e307a191"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/crabbox/releases/tag/v0.12.0"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/crabbox-privilege-escalation-via-agent-ticket-endpoints"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-23PM-FV72-XCR5

Vulnerability from github – Published: 2025-04-17 18:31 – Updated: 2026-04-01 18:34
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in Scott Taylor Avatar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Avatar: from n/a through 0.1.4.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-39434"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-17T16:15:53Z",
    "severity": "MODERATE"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in Scott Taylor Avatar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Avatar: from n/a through 0.1.4.",
  "id": "GHSA-23pm-fv72-xcr5",
  "modified": "2026-04-01T18:34:52Z",
  "published": "2025-04-17T18:31:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-39434"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/wordpress/plugin/avatar/vulnerability/wordpress-avatar-plugin-0-1-4-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-23XF-GC3R-V6RR

Vulnerability from github – Published: 2023-07-11 00:33 – Updated: 2024-04-04 05:54
VLAI
Details

A security defect was identified in Foundry Comments that enabled a user to discover the contents of an attachment submitted to another comment if they knew the internal UUID of the target attachment. This defect was resolved with the release of Foundry Comments 2.267.0.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-30956"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-10T22:15:09Z",
    "severity": "MODERATE"
  },
  "details": "A security defect was identified in Foundry Comments that enabled a user to discover the contents of an attachment submitted to another comment if they knew the internal UUID of the target attachment. This defect was resolved with the release of Foundry Comments 2.267.0.\n",
  "id": "GHSA-23xf-gc3r-v6rr",
  "modified": "2024-04-04T05:54:15Z",
  "published": "2023-07-11T00:33:19Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-30956"
    },
    {
      "type": "WEB",
      "url": "https://palantir.safebase.us/?tcuUid=40367943-738c-4e69-b852-4a503c77478a"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-2439-66F5-GJJR

Vulnerability from github – Published: 2024-08-19 00:31 – Updated: 2026-04-01 18:31
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in Masteriyo Masteriyo - LMS.This issue affects Masteriyo - LMS: from n/a through 1.11.4.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-43239"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-08-18T22:15:08Z",
    "severity": "MODERATE"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in Masteriyo Masteriyo - LMS.This issue affects Masteriyo - LMS: from n/a through 1.11.4.",
  "id": "GHSA-2439-66f5-gjjr",
  "modified": "2026-04-01T18:31:53Z",
  "published": "2024-08-19T00:31:08Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43239"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/Wordpress/Plugin/learning-management-system/vulnerability/wordpress-masteriyo-lms-plugin-1-11-4-insecure-direct-object-reference-idor-vulnerability?_s_id=cve"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/learning-management-system/wordpress-masteriyo-lms-plugin-1-11-4-insecure-direct-object-reference-idor-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-243R-XRW9-VFHW

Vulnerability from github – Published: 2023-12-20 15:30 – Updated: 2026-04-28 21:33
VLAI
Details

Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce WooCommerce Square.This issue affects WooCommerce Square: from n/a through 3.8.1.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-35876"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-12-20T15:15:08Z",
    "severity": "HIGH"
  },
  "details": "Authorization Bypass Through User-Controlled Key vulnerability in WooCommerce WooCommerce Square.This issue affects WooCommerce Square: from n/a through 3.8.1.",
  "id": "GHSA-243r-xrw9-vfhw",
  "modified": "2026-04-28T21:33:28Z",
  "published": "2023-12-20T15:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-35876"
    },
    {
      "type": "WEB",
      "url": "https://patchstack.com/database/vulnerability/woocommerce-square/wordpress-woocommerce-square-plugin-3-8-1-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:H",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-246P-XMG8-WMCQ

Vulnerability from github – Published: 2024-03-25 19:37 – Updated: 2024-03-25 19:37
VLAI
Summary
OneUptime Vulnerable to a Privilege Escalation via Local Storage Key Manipulation
Details

Summary

A security vulnerability exists in oneuptime's local storage handling, where a regular user can escalate privileges by modifying the is_master_admin key to true. This allows unauthorized access to administrative functionalities.

Details

The vulnerability lies in the improper validation of client-side stored data within the web application. Specifically, the is_master_admin key, stored in the local storage of the browser, can be manipulated by an attacker. By changing this key from false to true, the application grants administrative privileges to the user, without proper server-side validation.

POC

(I am using Firefox Developer to demonstrate this vulnerability) Log in as a normal user. Open developer tools (hit F12), click Storage, then Local Storage. Modify the is_master_admin key from false to true.

Impact

This vulnerability represents a high security risk as it allows any authenticated user to gain administrative privileges through client-side manipulation. Most of the admin previlages were disabled except the user list. Where an attacker could see all the list of users who signed up to OneUptome.

Patch

This has been patched in 7.0.1815

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@oneuptime/model"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.0.1815"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@oneuptime/common-server"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "7.0.1815"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-29194"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-03-25T19:37:27Z",
    "nvd_published_at": "2024-03-24T19:15:07Z",
    "severity": "HIGH"
  },
  "details": "## Summary\nA security vulnerability exists in oneuptime\u0027s local storage handling, where a regular user can escalate privileges by modifying the `is_master_admin` key to `true`. This allows unauthorized access to administrative functionalities.\n\n## Details\nThe vulnerability lies in the improper validation of client-side stored data within the web application. Specifically, the `is_master_admin` key, stored in the local storage of the browser, can be manipulated by an attacker. By changing this key from false to true, the application grants administrative privileges to the user, without proper server-side validation. \n\n## POC\n(I am using Firefox Developer to demonstrate this vulnerability)\nLog in as a normal user. Open developer tools (hit F12), click Storage, then Local Storage. Modify the `is_master_admin` key from `false` to `true`.\n\n## Impact\nThis vulnerability represents a high security risk as it allows any authenticated user to gain administrative privileges through client-side manipulation. Most of the admin previlages were disabled except the user list. Where an attacker could see all the list of users who signed up to OneUptome. \n\n\n## Patch\nThis has been patched in 7.0.1815",
  "id": "GHSA-246p-xmg8-wmcq",
  "modified": "2024-03-25T19:37:27Z",
  "published": "2024-03-25T19:37:27Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/OneUptime/oneuptime/security/advisories/GHSA-246p-xmg8-wmcq"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-29194"
    },
    {
      "type": "WEB",
      "url": "https://github.com/OneUptime/oneuptime/commit/14016d23d834038dd65d3a96cf71af04b556a32c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/OneUptime/oneuptime"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "OneUptime Vulnerable to a Privilege Escalation via Local Storage Key Manipulation"
}

GHSA-256M-J5QW-38F4

Vulnerability from github – Published: 2023-08-25 18:41 – Updated: 2023-08-25 18:41
VLAI
Summary
Netmaker IDOR Allows User to Update Other User's Password
Details

Impact

An IDOR vulnerability was found in the user update function. By specifying another user's username it is possible to update the other user's password.

Patches

Issue is patched in 0.17.1, and fixed in 0.18.6+.

If Users are using 0.17.1, they should run "docker pull gravitl/netmaker:v0.17.1" and "docker-compose up -d". This will switch them to the patched users

If users are using v0.18.0-0.18.5, they should upgrade to v0.18.6 or later.

Workarounds

If using 0.17.1, can just pull the latest docker image of backend and restart server.

References

Credit to Project Discovery, and in particular https://github.com/rootxharsh , https://github.com/iamnoooob, and https://github.com/projectdiscovery

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/gravitl/netmaker"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.17.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "github.com/gravitl/netmaker"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.18.0"
            },
            {
              "fixed": "0.18.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-32078"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-25T18:41:16Z",
    "nvd_published_at": "2023-08-24T22:15:10Z",
    "severity": "HIGH"
  },
  "details": "### Impact\nAn IDOR vulnerability was found in the user update function. By specifying another user\u0027s username it is possible to update the other user\u0027s password.\n\n### Patches\nIssue is patched in 0.17.1, and fixed in 0.18.6+.\n\nIf Users are using 0.17.1, they should run \"docker pull gravitl/netmaker:v0.17.1\" and \"docker-compose up -d\". This will switch them to the patched users\n\nIf users are using v0.18.0-0.18.5, they should upgrade to v0.18.6 or later.\n\n### Workarounds\nIf using 0.17.1, can just pull the latest docker image of backend and restart server.\n\n### References\nCredit to Project Discovery, and in particular https://github.com/rootxharsh , https://github.com/iamnoooob, and https://github.com/projectdiscovery",
  "id": "GHSA-256m-j5qw-38f4",
  "modified": "2023-08-25T18:41:16Z",
  "published": "2023-08-25T18:41:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gravitl/netmaker/security/advisories/GHSA-256m-j5qw-38f4"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-32078"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gravitl/netmaker/pull/2158"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gravitl/netmaker/commit/b3be57c65bf0bbfab43b66853c8e3637a43e2839"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gravitl/netmaker"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Netmaker IDOR Allows User to Update Other User\u0027s Password"
}

GHSA-257P-QFC7-7FF5

Vulnerability from github – Published: 2024-01-29 15:30 – Updated: 2025-06-20 21:31
VLAI
Details

The Moderna Sistemas ModernaNet Hospital Management System 2024 is susceptible to an Insecure Direct Object Reference (IDOR) vulnerability. This vulnerability resides in the system's handling of user data access through a /Modernanet/LAUDO/LAU0000100/Laudo?id= URI. By manipulating this id parameter, an attacker can gain access to sensitive medical information.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2024-23747"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2024-01-29T14:15:09Z",
    "severity": "HIGH"
  },
  "details": "The Moderna Sistemas ModernaNet Hospital Management System 2024 is susceptible to an Insecure Direct Object Reference (IDOR) vulnerability. This vulnerability resides in the system\u0027s handling of user data access through a /Modernanet/LAUDO/LAU0000100/Laudo?id= URI. By manipulating this id parameter, an attacker can gain access to sensitive medical information.",
  "id": "GHSA-257p-qfc7-7ff5",
  "modified": "2025-06-20T21:31:55Z",
  "published": "2024-01-29T15:30:29Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-23747"
    },
    {
      "type": "WEB",
      "url": "https://github.com/louiselalanne/CVE-2024-23747"
    },
    {
      "type": "WEB",
      "url": "https://modernasistemas.com.br/sitems"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-258V-VRH7-JGJ2

Vulnerability from github – Published: 2023-07-13 03:30 – Updated: 2024-04-04 06:05
VLAI
Details

An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.10 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1. It may be possible for users to view new commits to private projects in a fork created while the project was public.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2023-2190"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-639"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2023-07-13T02:15:09Z",
    "severity": "MODERATE"
  },
  "details": "An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.10 before 15.11.10, all versions starting from 16.0 before 16.0.6, all versions starting from 16.1 before 16.1.1. It may be possible for users to view new commits to private projects in a fork created while the project was public.",
  "id": "GHSA-258v-vrh7-jgj2",
  "modified": "2024-04-04T06:05:50Z",
  "published": "2023-07-13T03:30:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2190"
    },
    {
      "type": "WEB",
      "url": "https://hackerone.com/reports/1944500"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.com/gitlab-org/gitlab/-/issues/408137"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

Mitigation
Architecture and Design

For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.

Mitigation
Architecture and Design Implementation

Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Mitigation
Architecture and Design

Use encryption in order to make it more difficult to guess other legitimate values of the key or associate a digital signature with the key so that the server can verify that there has been no tampering.

No CAPEC attack patterns related to this CWE.