CWE-394 (Unexpected Status Code or Return Value) documents a weakness type used across vulnerability databases and security assessments. Use the sections below for definition, context, and mapped CVEs.
The product does not properly check when a function or operation returns a value that is legitimate for the function, but is not expected by the product.
| Kind | Name | Class | Prevalence | OS / CPE |
|---|---|---|---|---|
| language | — | Not Language-Specific | Undetermined | — |
These CVEs are mapped to this weakness in this database and kept for traceability and search.
| CVE | Published | Summary |
|---|---|---|
| CVE-2026-25085 | 2026-02-27 | A vulnerability exists in Copeland XWEB Pro version 1.12.1 and prior, in which an unexpected return value from the authentication routine is later on processed as a legitimate value, resulting in an… |
| CVE-2025-48510 | 2025-11-24 | Improper return value within AMD uProf can allow a local attacker to bypass KSLR, potentially resulting in loss of confidentiality or availability. |
| CVE-2025-12516 | 2025-10-30 | Lack of Graceful Error Handling - HTTP 5xx ErrorThis issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5 . |
| CVE-2025-12515 | 2025-10-30 | Systemic Internal Server Errors - HTTP 500 ResponseThis issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5 . |
| CVE-2025-22854 | 2025-06-15 | Improper handling of non-200 http responses in the PingFederate Google Adapter leads to thread exhaustion under normal usage conditions. |
| CVE-2025-23013 | 2025-01-15 | In Yubico pam-u2f before 1.3.1, local privilege escalation can sometimes occur. This product implements a Pluggable Authentication Module (PAM) that can be deployed to support authentication using a Y… |
| CVE-2024-1713 | 2024-03-14 | A user who can create objects in a database with plv8 3.2.1 installed is able to cause deferred triggers to execute as the Superuser during autovacuum. |
| CVE-2023-48429 | 2023-12-12 | A vulnerability has been identified in SINEC INS (All versions < V1.0 SP2 Update 2). The Web UI of affected devices does not check the length of parameters in certain conditions. This allows a malicio… |
| CVE-2023-25948 | 2023-07-13 | Server information leak of configuration data when an error is generated in response to a specially crafted message. See Honeywell Security Notification for recommendations on upgrading and versioning… |
| CVE-2023-28975 | 2023-04-17 | An Unexpected Status Code or Return Value vulnerability in the kernel of Juniper Networks Junos OS allows an unauthenticated attacker with physical access to the device to cause a Denial of Service (D… |
| CVE-2022-24880 | 2022-04-25 | flask-session-captcha is a package which allows users to extend Flask by adding an image based captcha stored in a server side session. In versions prior to 1.2.1, he `captcha.validate()` function wou… |
| CVE-2019-20924 | 2020-11-23 | A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries which trigger an invariant in the IndexBoundsBuilder. This issue affects MongoDB Server… |
| CVE-2018-20802 | 2020-11-23 | A user authorized to perform database queries may trigger denial of service by issuing specially crafted queries with compound indexes affecting QueryPlanner. This issue affects MongoDB Server v3.6 ve… |
| CVE-2019-0066 | 2019-10-09 | An unexpected status return value weakness in the Next-Generation Multicast VPN (NG-mVPN) service of Juniper Networks Junos OS allows attacker to cause a Denial of Service (DoS) condition and core the… |
| Date | Name | Version | Importance | Comment |
|---|---|---|---|---|
| 2008-07-01 | Eric Dalci | 1.0 | — | updated Time_of_Introduction |
| 2008-09-08 | CWE Content Team | 1.0 | — | updated Relationships, Other_Notes, Taxonomy_Mappings |
| 2009-03-10 | CWE Content Team | 1.3 | — | updated Relationships |
| 2009-12-28 | CWE Content Team | 1.7 | — | updated Other_Notes, Relationship_Notes |
| 2011-06-01 | CWE Content Team | 1.13 | — | updated Common_Consequences |
| 2011-06-27 | CWE Content Team | 2.0 | — | updated Common_Consequences |
| 2012-05-11 | CWE Content Team | 2.2 | — | updated Relationships |
| 2014-07-30 | CWE Content Team | 2.8 | — | updated Relationships, Taxonomy_Mappings |
| 2017-11-08 | CWE Content Team | 3.0 | — | updated Applicable_Platforms, Taxonomy_Mappings |
| 2019-01-03 | CWE Content Team | 3.2 | — | updated Taxonomy_Mappings |
| 2020-08-20 | CWE Content Team | 4.2 | — | updated Relationships |
| 2021-03-15 | CWE Content Team | 4.4 | — | updated Relationships |
| 2023-01-31 | CWE Content Team | 4.10 | — | updated Description |
| 2023-04-27 | CWE Content Team | 4.11 | — | updated Relationships, Time_of_Introduction |
| 2023-06-29 | CWE Content Team | 4.12 | — | updated Mapping_Notes |
| 2025-12-11 | CWE Content Team | 4.19 | — | updated Detection_Factors, Relationships, Weakness_Ordinalities |