CWE-1395 – Dependency on Vulnerable Third-Party Component | Common Weakness Enumeration (CWE)

Overview

CWE-1395 (Dependency on Vulnerable Third-Party Component) documents a weakness type used across vulnerability databases and security assessments. Use the sections below for definition, context, and mapped CVEs.

Security impact: Security impact: Depends on product and context; use CVE records, severity scores, and MITRE guidance to prioritize.

Description

The product has a dependency on a third-party component that contains one or more known vulnerabilities.

Applicable platforms

Kind	Name	Class	Prevalence	OS / CPE
language	—	Not Language-Specific	Undetermined	—
operating_system	—	Not OS-Specific	Undetermined	—
architecture	—	Not Architecture-Specific	Undetermined	—
technology	—	Not Technology-Specific	Undetermined	—

Content submission

Name: CWE Content Team
Organization: MITRE
Date: 2023-01-25
Version: 4.10

Content modifications

Date	Name	Version	Importance	Comment
2023-04-27	CWE Content Team	4.11	—	updated References, Relationships
2023-06-29	CWE Content Team	4.12	—	updated Mapping_Notes, Taxonomy_Mappings
2023-10-26	CWE Content Team	4.13	—	updated Demonstrative_Examples
2025-04-03	CWE Content Team	4.17	—	updated Mapping_Notes
2025-09-09	CWE Content Team	4.18	—	updated References
2025-12-11	CWE Content Team	4.19	—	updated Observed_Examples, Relationships, Weakness_Ordinalities
2026-04-30	CWE Content Team	4.20	—	updated Description, Relationships

Contributions

Type	Name	Date	Comment
Feedback	Samreen Arshad	2022-04-18	Submitted a request for coverage of "Vulnerable and Outdated Components"
Content	"Mapping CWE to 62443" Sub-Working Group	2023-06-29	Suggested mappings to ISA/IEC 62443.