Base weakness

Incomplete

CWE-356: Product UI does not Warn User of Unsafe Actions

The product's user interface does not warn the user before undertaking an unsafe action on behalf of that user. This makes it easier for attackers to trick users into inflicting damage to their system.

Last updated May 1, 2026

30

Recorded CVEs

With this primary weakness

0

KEVs

In the CISA KEV catalog

Not rated

Likelihood of exploit

Per MITRE

Base

Abstraction

MITRE classification

Overview

Product systems should warn users that a potentially dangerous action may occur if the user proceeds. For example, if the user downloads a file from an unknown source and attempts to execute the file on their machine, then the application's GUI can indicate that the file is unsafe.

Real-world CVEs

30 recorded CVEs are caused by CWE-356 (Product UI does not Warn User of Unsafe Actions). The highest-severity and most recent are shown first. 3 new CWE-356 CVEs have been recorded so far in 2026 (12 in 2025).

CVE-2019-6738

High · CVSS 8.8

2019-06-03

CVE-2025-3909

JavaScript Execution via Spoofed PDF Attachment and file:/// Link

High · CVSS 8.1

2025-05-14

CVE-2025-3839

Epiphany: insecure external protocol invocation in epiphany

High · CVSS 8.0

2026-01-23

CVE-2026-0777

Xmind Attachment Insufficient UI Warning Remote Code Execution Vulnerability

High · CVSS 7.8

2026-02-20

CVE-2025-14414

Soda PDF Desktop Word File Insufficient UI Warning Remote Code Execution Vulnerability

High · CVSS 7.8

2025-12-23

CVE-2025-14412

Soda PDF Desktop XLS File Insufficient UI Warning Remote Code Execution Vulnerability

High · CVSS 7.8

2025-12-23

CVE-2025-14417

pdfforge PDF Architect Launch Insufficient UI Warning Remote Code Execution Vulnerability

High · CVSS 7.8

2025-12-23

CVE-2025-14403

PDFsam Enhanced Launch Insufficient UI Warning Remote Code Execution Vulnerability

High · CVSS 7.8

2025-12-23

CVE-2025-2450

NI Vision Builder AI VBAI File Processing Missing Warning Remote Code Execution Vulnerability

High · CVSS 7.8

2025-03-18

Showing 12 of 30 recorded CWE-356 CVEs. Track new ones as they are published and get AI-written analysis and fixes.

Monitor CWE-356 vulnerabilities

Common consequences

What can happen when CWE-356 is exploited.

Hide Activities

Affects: Non-Repudiation

How it happens

When it is introduced

Typically introduced during these phases of the software lifecycle.

Architecture and Design

Implementation

Illustrative examples

Real CVEs that MITRE cites as examples of this weakness.

CVE-1999-1055 — Product does not warn user when document contains certain dangerous functions or macros.
CVE-1999-0794 — Product does not warn user when document contains certain dangerous functions or macros.
CVE-2000-0277 — Product does not warn user when document contains certain dangerous functions or macros.
CVE-2000-0517 — Product does not warn user about a certificate if it has already been accepted for a different site. Possibly resultant.
CVE-2005-0602 — File extractor does not warn user if setuid/setgid files could be extracted. Overlaps privileges/permissions.
CVE-2000-0342 — E-mail client allows bypass of warning for dangerous attachments via a Windows .LNK file that refers to the attachment.

Terminology & mappings

Mapped taxonomies

PLOVER: Product UI does not warn user of unsafe actions

Frequently asked questions

Common questions about CWE-356.

What is CWE-356?

The product's user interface does not warn the user before undertaking an unsafe action on behalf of that user. This makes it easier for attackers to trick users into inflicting damage to their system.

What CVEs are caused by CWE-356?

30 recorded CVEs are attributed to CWE-356, including CVE-2022-39362, CVE-2019-6736, CVE-2019-6737.

What are the consequences of CWE-356?

Exploiting CWE-356 can lead to: Hide Activities.

Is CWE-356 actively exploited?

30 recorded CVEs are caused by CWE-356; none are currently in CISA's KEV catalog of actively exploited flaws.

References

Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.

Stay ahead of CWE-356

Get alerted the moment a new CWE-356 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.

Start free See pricing

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

Illustrative examples

Related weaknesses

Parent

Terminology & mappings

Mapped taxonomies

Frequently asked questions

What is CWE-356?

What CVEs are caused by CWE-356?

What are the consequences of CWE-356?

Is CWE-356 actively exploited?

References

Stay ahead of CWE-356