CWE-459: Incomplete Cleanup (Insufficient Cleanup)

Real-world CVEs

74 recorded CVEs are caused by CWE-459 (Incomplete Cleanup). The highest-severity and most recent are shown first. 8 new CWE-459 CVEs have been recorded so far in 2026 (22 in 2025).

CVE-2023-36468
Critical · CVSS 10.0
2023-06-29
CVE-2022-45347
Critical · CVSS 9.8
2022-12-22
CVE-2026-34263
Missing authentication check in SAP Commerce cloud configuration
Critical · CVSS 9.6
2026-05-12
CVE-2025-6338
Possible denial of service with multiple incoming connections to a Schannel based server with a TLS backend
Critical · CVSS 9.2
2025-10-16
CVE-2024-28265
Critical · CVSS 9.1
2024-11-01
CVE-2026-3304
Multer vulnerable to Denial of Service via incomplete cleanup
High · CVSS 8.7
2026-02-27
CVE-2025-59781
BIG-IP DNS cache vulnerability
High · CVSS 8.7
2025-10-15
CVE-2025-21609
SiYuan has an arbitrary file deletion vulnerability
High · CVSS 8.7
2025-01-03
CVE-2025-66675
Apache Struts: File leak in multipart request processing causes disk exhaustion (DoS) - version ranges fixed
High · CVSS 8.2
2025-12-10
CVE-2025-43711
High · CVSS 8.1
2025-07-04
CVE-2021-36205
High · CVSS 8.1
2022-04-15
CVE-2025-66467
Apache CloudStack: MinIO policy remains intact on bucket deletion
High · CVSS 8.0
2026-05-08

Showing 12 of 74 recorded CWE-459 CVEs. Track new ones as they are published and get AI-written analysis and fixes.

Monitor CWE-459 vulnerabilities

CWE-459: Incomplete Cleanup (Insufficient Cleanup)

Code examples

Illustrative examples from MITRE showing how the weakness appears in code.

Stream resources in a Java application should be released in a finally block, otherwise an exception thrown before the call to close() would result in an unreleased I/O resource. In the example below, the close() method is called in the try block (incorrect).

Vulnerable example

java

try {

Real-world CVEs

CWE-459: Incomplete Cleanup

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Terminology & mappings

Alternate terms

Mapped taxonomies

Frequently asked questions

What is CWE-459?

What CVEs are caused by CWE-459?

Is CWE-459 part of the OWASP Top 10?

How do you prevent CWE-459?

How is CWE-459 detected?

What are the consequences of CWE-459?

Is CWE-459 actively exploited?

References

Stay ahead of CWE-459

Real-world CVEs

Overview

Real-world CVEs

Common consequences

How it happens

When it is introduced

How to prevent it

How to detect it

Automated Static Analysis

Code examples

Illustrative examples

Related weaknesses

Parent

Child

Terminology & mappings

Alternate terms

Mapped taxonomies

Frequently asked questions

What is CWE-459?

What CVEs are caused by CWE-459?

Is CWE-459 part of the OWASP Top 10?

How do you prevent CWE-459?

How is CWE-459 detected?

What are the consequences of CWE-459?

Is CWE-459 actively exploited?

References

Stay ahead of CWE-459