Currently, CWE-1007 is a child of UI misrepresentation. However, source code
can be maliciously injected using bidi and Unicode homoglyphs as well (see
https://www.swatips.com/articles/20211129.html and
https://arxiv.org/abs/2111.00169 and the examples under
https://github.com/nickboucher/troja

Jon,
We are aware of this new discovery but haven't researched it closely enough
from a CWE perspective. It's slated to be addressed in CWE 4.7 (around
January/February 2022). In my informal consideration of the problem when it
first came out, there seem to be some challenges with respect to CW
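
Added example, not part of the thread or of any project it links: a minimal scanner for the two source-level tricks the first message names, bidi control characters and homoglyph (mixed-script) identifiers. The sample text is constructed, and inferring a letter's script from the first word of its Unicode character name is a simplifying assumption.

```python
import re
import unicodedata

# Explicit bidi embeddings, overrides, isolates and their terminators.
BIDI_CONTROLS = {
    "\u202a", "\u202b", "\u202c", "\u202d", "\u202e",
    "\u2066", "\u2067", "\u2068", "\u2069",
}
WORD = re.compile(r"\w+")


def scripts_of(token):
    """Approximate the scripts in a token (assumption: first word of the
    Unicode name, e.g. LATIN, CYRILLIC, GREEK, identifies the script)."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in token if ch.isalpha()}


def scan(source):
    """Return (line, column, kind, detail) tuples for suspicious characters."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        # Any bidi control in source text can make rendered order differ
        # from the order the compiler or interpreter sees.
        for col, ch in enumerate(line, 1):
            if ch in BIDI_CONTROLS:
                findings.append((lineno, col, "bidi-control", unicodedata.name(ch)))
        # A single word mixing scripts is a common sign of a homoglyph.
        for m in WORD.finditer(line):
            scripts = scripts_of(m.group())
            if len(scripts) > 1:
                findings.append((lineno, m.start() + 1, "mixed-script",
                                 "+".join(sorted(scripts))))
    return findings


# Constructed sample input, written with escapes so this file stays clean.
SAMPLE = (
    'level = "user"\n'
    'note = "ok\u202e\u2066"  # constructed: override + isolate in a string\n'
    'is_\u0430dmin = False   # constructed: Cyrillic U+0430 instead of Latin a\n'
)

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

The mixed-script check is a heuristic: it will also flag legitimate identifiers or comments that combine scripts, so its findings need review rather than automatic rejection.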