CWE-506: Embedded Malicious Code
The product contains code that appears to be malicious in nature.
Last updated
Overview
Malicious flaws have acquired colorful names, including Trojan horse, trapdoor, timebomb, and logic-bomb. A developer might insert malicious code with the intent to subvert the security of a product or its host system at some time in the future. It generally refers to a program that performs a useful service but exploits rights of the program's user in a way the user does not intend.
Real-world CVEs
86 recorded CVEs are caused by CWE-506 (Embedded Malicious Code), including 9 in CISA's KEV (Known Exploited Vulnerabilities) catalog. KEVs are shown first. 13 new CWE-506 CVEs have been recorded so far in 2026 (24 in 2025).