| HasMember | Allowed | B | 1021 | Improper Restriction of Rendered UI Layers or Frames |
| HasMember | Allowed | V | 113 | Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') |
| HasMember | Allowed-with-Review | C | 116 | Improper Encoding or Escaping of Output |
| HasMember | Allowed | B | 117 | Improper Output Neutralization for Logs |
| HasMember | Allowed | B | 1191 | On-Chip Debug and Test Interface With Improper Access Control |
| HasMember | Allowed | V | 1255 | Comparison Logic is Vulnerable to Power Side-Channel Attacks |
| HasMember | Allowed | B | 1256 | Improper Restriction of Software Interfaces to Hardware Features |
| HasMember | Allowed | B | 1262 | Improper Access Control for Register Interface |
| HasMember | Allowed | B | 1273 | Device Unlock Credential Sharing |
| HasMember | Allowed | V | 1275 | Sensitive Cookie with Improper SameSite Attribute |
| HasMember | Allowed | B | 1280 | Access Control Check Implemented After Asset is Accessed |
| HasMember | Allowed | B | 1293 | Missing Source Correlation of Multiple Independent Data |
| HasMember | Allowed | V | 1321 | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') |
| HasMember | Allowed | B | 1339 | Insufficient Precision or Accuracy of a Real Number |
| HasMember | Allowed | V | 1385 | Missing Origin Validation in WebSockets |
| HasMember | Allowed | B | 1427 | Improper Neutralization of Input Used for LLM Prompting |
| HasMember | Allowed | B | 1428 | Reliance on HTTP instead of HTTPS |
| HasMember | Allowed | B | 276 | Incorrect Default Permissions |
| HasMember | Allowed | V | 277 | Insecure Inherited Permissions |
| HasMember | Allowed | V | 278 | Insecure Preserved Inherited Permissions |
| HasMember | Allowed | V | 279 | Incorrect Execution-Assigned Permissions |
| HasMember | Allowed | B | 281 | Improper Preservation of Permissions |
| HasMember | Discouraged | C | 285 | Improper Authorization |
| HasMember | Discouraged | C | 300 | Channel Accessible by Non-Endpoint |
| HasMember | Discouraged | C | 311 | Missing Encryption of Sensitive Data |
| HasMember | Allowed | B | 325 | Missing Cryptographic Step |
| HasMember | Allowed-with-Review | C | 327 | Use of a Broken or Risky Cryptographic Algorithm |
| HasMember | Allowed | B | 347 | Improper Verification of Cryptographic Signature |
| HasMember | Allowed | B | 349 | Acceptance of Extraneous Untrusted Data With Trusted Data |
| HasMember | Allowed | C | 352 | Cross-Site Request Forgery (CSRF) |
| HasMember | Allowed | B | 354 | Improper Validation of Integrity Check Value |
| HasMember | Allowed | B | 364 | Signal Handler Race Condition |
| HasMember | Allowed | B | 367 | Time-of-check Time-of-use (TOCTOU) Race Condition |
| HasMember | Allowed | B | 368 | Context Switching Race Condition |
| HasMember | Allowed | V | 370 | Missing Check for Certificate Revocation after Initial Check |
| HasMember | Allowed | B | 386 | Symbolic Name not Mapping to Correct Object |
| HasMember | Allowed | B | 403 | Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak') |
| HasMember | Allowed | B | 413 | Improper Resource Locking |
| HasMember | Allowed | B | 414 | Missing Lock Check |
| HasMember | Allowed | B | 425 | Direct Request ('Forced Browsing') |
| HasMember | Allowed | B | 432 | Dangerous Signal Handler not Disabled During Sensitive Operations |
| HasMember | Allowed | V | 453 | Insecure Default Variable Initialization |
| HasMember | Allowed | B | 454 | External Initialization of Trusted Variables or Data Stores |
| HasMember | Allowed | B | 455 | Non-exit on Failed Initialization |
| HasMember | Allowed | B | 459 | Incomplete Cleanup |
| HasMember | Allowed | B | 464 | Addition of Data Structure Sentinel |
| HasMember | Allowed | B | 471 | Modification of Assumed-Immutable Data (MAID) |
| HasMember | Allowed | B | 472 | External Control of Assumed-Immutable Web Parameter |
| HasMember | Allowed | V | 473 | PHP External Variable Modification |
| HasMember | Allowed | V | 479 | Signal Handler Use of a Non-reentrant Function |
| HasMember | Allowed | B | 487 | Reliance on Package-level Scope |
| HasMember | Allowed | V | 493 | Critical Public Variable Without Final Modifier |
| HasMember | Allowed | V | 495 | Private Data Structure Returned From A Public Method |
| HasMember | Allowed | V | 496 | Public Data Assigned to Private Array-Typed Field |
| HasMember | Allowed | V | 5 | J2EE Misconfiguration: Data Transmission Without Encryption |
| HasMember | Allowed | V | 500 | Public Static Field Not Marked Final |
| HasMember | Allowed | B | 502 | Deserialization of Untrusted Data |
| HasMember | Allowed | V | 543 | Use of Singleton Pattern Without Synchronization in a Multithreaded Context |
| HasMember | Allowed | V | 558 | Use of getlogin() in Multithreaded Application |
| HasMember | Allowed | V | 564 | SQL Injection: Hibernate |
| HasMember | Allowed | B | 565 | Reliance on Cookies without Validation and Integrity Checking |
| HasMember | Allowed | V | 566 | Authorization Bypass Through User-Controlled SQL Primary Key |
| HasMember | Allowed | B | 567 | Unsynchronized Access to Shared Data in a Multithreaded Context |
| HasMember | Allowed | V | 582 | Array Declared Public, Final, and Static |
| HasMember | Allowed | V | 583 | finalize() Method Declared Public |
| HasMember | Allowed | V | 594 | J2EE Framework: Saving Unserializable Objects to Disk |
| HasMember | Allowed | V | 607 | Public Static Final Field References Mutable Object |
| HasMember | Allowed | V | 608 | Struts: Non-private Field in ActionForm Class |
| HasMember | Allowed | B | 609 | Double-Checked Locking |
| HasMember | Discouraged | C | 610 | Externally Controlled Reference to a Resource in Another Sphere |
| HasMember | Allowed | B | 619 | Dangling Database Cursor ('Cursor Injection') |
| HasMember | Allowed | V | 621 | Variable Extraction Error |
| HasMember | Allowed | V | 627 | Dynamic Variable Evaluation |
| HasMember | Allowed | V | 650 | Trusting HTTP Permission Methods on the Server Side |
| HasMember | Discouraged | C | 662 | Improper Synchronization |
| HasMember | Allowed | B | 663 | Use of a Non-reentrant Function in a Concurrent Context |
| HasMember | Discouraged | C | 668 | Exposure of Resource to Wrong Sphere |
| HasMember | Allowed-with-Review | C | 669 | Incorrect Resource Transfer Between Spheres |
| HasMember | Allowed-with-Review | C | 672 | Operation on a Resource after Expiration or Release |
| HasMember | Allowed | C | 689 | Permission Race Condition During Resource Copy |
| HasMember | Allowed-with-Review | C | 706 | Use of Incorrectly-Resolved Name or Reference |
| HasMember | Allowed | B | 708 | Incorrect Ownership Assignment |
| HasMember | Allowed-with-Review | C | 732 | Incorrect Permission Assignment for Critical Resource |
| HasMember | Allowed | B | 749 | Exposed Dangerous Method or Function |
| HasMember | Discouraged | C | 75 | Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) |
| HasMember | Allowed | B | 766 | Critical Data Element Declared Public |
| HasMember | Allowed | B | 767 | Access to Critical Private Variable via Public Method |
| HasMember | Allowed | B | 78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| HasMember | Allowed | V | 8 | J2EE Misconfiguration: Entity Bean Declared Remote |
| HasMember | Allowed | B | 820 | Missing Synchronization |
| HasMember | Allowed | B | 821 | Incorrect Synchronization |
| HasMember | Allowed | B | 826 | Premature Release of Resource During Expected Lifetime |
| HasMember | Allowed | B | 838 | Inappropriate Encoding for Output Context |
| HasMember | Allowed | B | 839 | Numeric Range Comparison Without Minimum Check |
| HasMember | Allowed-with-Review | C | 862 | Missing Authorization |
| HasMember | Allowed-with-Review | C | 863 | Incorrect Authorization |
| HasMember | Allowed | B | 88 | Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') |
| HasMember | Allowed | B | 89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| HasMember | Allowed | B | 90 | Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') |
| HasMember | Allowed | B | 91 | XML Injection (aka Blind XPath Injection) |
| HasMember | Allowed | B | 914 | Improper Control of Dynamically-Identified Variables |
| HasMember | Allowed | B | 915 | Improperly Controlled Modification of Dynamically-Determined Object Attributes |
| HasMember | Allowed | B | 921 | Storage of Sensitive Data in a Mechanism without Access Control |
| HasMember | Allowed-with-Review | C | 922 | Insecure Storage of Sensitive Information |
| HasMember | Allowed | V | 926 | Improper Export of Android Application Components |
| HasMember | Allowed | B | 93 | Improper Neutralization of CRLF Sequences ('CRLF Injection') |
| HasMember | Allowed-with-Review | C | 943 | Improper Neutralization of Special Elements in Data Query Logic |
| HasMember | Allowed-with-Review | C | 99 | Improper Control of Resource Identifiers ('Resource Injection') |