Skip to main content

CWE Weaknesses

756 weakness types across all published CVEs

CWE ID Weakness Name CVEs
CWE-79 Cross-site Scripting (XSS) 36055
CWE-89 SQL Injection 12032
CWE-119 Buffer Overflow 8986
CWE-20 Improper Input Validation 8652
CWE-787 Out-of-bounds Write 8538
CWE-352 Cross-Site Request Forgery (CSRF) 7688
CWE-200 Information Exposure 7501
CWE-862 Missing Authorization 7214
CWE-125 Out-of-bounds Read 6959
CWE-22 Path Traversal 6416
CWE-416 Use After Free 6120
CWE-78 OS Command Injection 4502
CWE-284 Improper Access Control 4250
CWE-476 NULL Pointer Dereference 4114
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') 3935
CWE-264 Permissions, Privileges, and Access Controls 3307
CWE-94 Code Injection 3137
CWE-434 Unrestricted Upload of File with Dangerous Type 3047
CWE-287 Improper Authentication 2774
CWE-120 Classic Buffer Overflow 2747
CWE-77 Command Injection 2477
CWE-400 Uncontrolled Resource Consumption 2441
CWE-918 Server-Side Request Forgery (SSRF) 2420
CWE-190 Integer Overflow or Wraparound 2407
CWE-502 Deserialization of Untrusted Data 2321
CWE-863 Incorrect Authorization 2262
CWE-121 Stack-based Buffer Overflow 2210
CWE-269 Improper Privilege Management 2030
CWE-122 Heap-based Buffer Overflow 2007
CWE-310 Cryptographic Issues 1970
CWE-306 Missing Authentication for Critical Function 1793
CWE-362 Race Condition 1767
CWE-639 Authorization Bypass Through User-Controlled Key 1590
CWE-401 Memory Leak 1408
CWE-770 Allocation of Resources Without Limits or Throttling 1402
CWE-399 Resource Management Errors 1380
CWE-601 URL Redirection to Untrusted Site (Open Redirect) 1250
CWE-98 PHP Remote File Inclusion 1162
CWE-798 Use of Hard-coded Credentials 1151
CWE-732 Incorrect Permission Assignment for Critical Resource 1132
CWE-295 Improper Certificate Validation 1083
CWE-276 Incorrect Default Permissions 1081
CWE-611 Improper Restriction of XML External Entity Reference 981
CWE-285 Improper Authorization 979
CWE-59 Improper Link Resolution Before File Access 920
CWE-427 Uncontrolled Search Path Element 886
CWE-532 Insertion of Sensitive Information into Log File 866
CWE-522 Insufficiently Protected Credentials 857
CWE-266 Incorrect Privilege Assignment 805
CWE-835 Loop with Unreachable Exit Condition (Infinite Loop) 657
CWE-319 Cleartext Transmission of Sensitive Information 645
CWE-843 Access of Resource Using Incompatible Type (Type Confusion) 643
CWE-415 Double Free 617
CWE-404 Improper Resource Shutdown or Release 596
CWE-908 Use of Uninitialized Resource 556
CWE-617 Reachable Assertion 547
CWE-426 Untrusted Search Path 544
CWE-347 Improper Verification of Cryptographic Signature 542
CWE-312 Cleartext Storage of Sensitive Information 531
CWE-288 Authentication Bypass Using an Alternate Path or Channel 526
CWE-667 Improper Locking 520
CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition 512
CWE-189 Numeric Errors 511
CWE-693 Protection Mechanism Failure 499
CWE-290 Authentication Bypass by Spoofing 485
CWE-203 Observable Discrepancy 476
CWE-307 Improper Restriction of Excessive Authentication Attempts 475
CWE-327 Use of a Broken or Risky Cryptographic Algorithm 457
CWE-345 Insufficient Verification of Data Authenticity 445
CWE-346 Origin Validation Error 442
CWE-754 Improper Check for Unusual or Exceptional Conditions 441
CWE-209 Error Message Information Leak 441
CWE-613 Insufficient Session Expiration 437
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution) 415
CWE-255 Credentials Management Errors 407
CWE-73 External Control of File Name or Path 394
CWE-129 Improper Validation of Array Index 387
CWE-428 Unquoted Search Path or Element 374
CWE-369 Divide By Zero 373
CWE-126 Buffer Over-read 370
CWE-23 Relative Path Traversal 362
CWE-772 Missing Release of Resource after Effective Lifetime 355
CWE-668 Exposure of Resource to Wrong Sphere 348
CWE-191 Integer Underflow 348
CWE-80 Basic XSS 338
CWE-674 Uncontrolled Recursion 336
CWE-755 Improper Handling of Exceptional Conditions 333
CWE-254 7PK - Security Features 330
CWE-201 Insertion of Sensitive Information Into Sent Data 313
CWE-552 Files or Directories Accessible to External Parties 313
CWE-1021 Improper Restriction of Rendered UI Layers or Frames 308
CWE-384 Session Fixation 306
CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere 284
CWE-326 Inadequate Encryption Strength 283
CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') 280
CWE-1333 Inefficient Regular Expression Complexity (ReDoS) 278
CWE-451 User Interface (UI) Misrepresentation of Critical Information 274
CWE-281 Improper Preservation of Permissions 271
CWE-444 HTTP Request/Response Smuggling 268
CWE-250 Execution with Unnecessary Privileges 259
CWE-1236 Improper Neutralization of Formula Elements in a CSV File 238
CWE-330 Use of Insufficiently Random Values 237
CWE-116 Improper Encoding or Escaping of Output 235
CWE-922 Insecure Storage of Sensitive Information 234
CWE-665 Improper Initialization 233
CWE-321 Use of Hard-coded Cryptographic Key 232
CWE-311 Missing Encryption of Sensitive Data 230
CWE-824 Access of Uninitialized Pointer 217
CWE-1284 Improper Validation of Specified Quantity in Input 215
CWE-640 Weak Password Recovery Mechanism for Forgotten Password 211
CWE-19 Data Processing Errors 209
CWE-134 Use of Externally-Controlled Format String 204
CWE-1188 Initialization of a Resource with an Insecure Default 199
CWE-248 Uncaught Exception 196
CWE-521 Weak Password Requirements 193
CWE-294 Authentication Bypass by Capture-replay 185
CWE-256 Plaintext Storage of a Password 175
CWE-707 Improper Neutralization 171
CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement 167
CWE-822 Untrusted Pointer Dereference 161
CWE-457 Use of Uninitialized Variable 161
CWE-829 Inclusion of Functionality from Untrusted Control Sphere 161
CWE-17 DEPRECATED: Code 158
CWE-359 Exposure of Private Personal Information to an Unauthorized Actor 157
CWE-425 Direct Request ('Forced Browsing') 151
CWE-259 Use of Hard-coded Password 150
CWE-494 Download of Code Without Integrity Check 150
CWE-35 Path Traversal: '.../...//' 149
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection') 149
CWE-704 Incorrect Type Conversion or Cast 139
CWE-610 Externally Controlled Reference to a Resource in Another Sphere 136
CWE-193 Off-by-one Error 135
CWE-280 Improper Handling of Insufficient Permissions or Privileges 132
CWE-459 Incomplete Cleanup 131
CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) 128
CWE-789 Memory Allocation with Excessive Size Value 127
CWE-204 Observable Response Discrepancy 126
CWE-472 External Control of Assumed-Immutable Web Parameter 125
CWE-354 Improper Validation of Integrity Check Value 125
CWE-208 Observable Timing Discrepancy 121
CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine 120
CWE-305 Authentication Bypass by Primary Weakness 119
CWE-131 Incorrect Calculation of Buffer Size 118
CWE-184 Incomplete List of Disallowed Inputs 116
CWE-602 Client-Side Enforcement of Server-Side Security 116
CWE-670 Always-Incorrect Control Flow Implementation 114
CWE-788 Access of Memory Location After End of Buffer 111
CWE-36 Absolute Path Traversal 111
CWE-703 Improper Check or Handling of Exceptional Conditions 110
CWE-95 Eval Injection 109
CWE-1287 Improper Validation of Specified Type of Input 105
CWE-61 UNIX Symbolic Link (Symlink) Following 104
CWE-252 Unchecked Return Value 103
CWE-749 Exposed Dangerous Method or Function 103
CWE-91 XML Injection (aka Blind XPath Injection) 96
CWE-682 Incorrect Calculation 90
CWE-331 Insufficient Entropy 90
CWE-407 Inefficient Algorithmic Complexity 86
CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes 86
CWE-16 Configuration 85
CWE-1392 Use of Default Credentials 85
CWE-680 Integer Overflow to Buffer Overflow 84
CWE-697 Incorrect Comparison 84
CWE-358 Improperly Implemented Security Check for Standard 83
CWE-840 Business Logic Errors 81
CWE-117 Improper Output Neutralization for Logs 81
CWE-834 Excessive Iteration 79
CWE-706 Use of Incorrectly-Resolved Name or Reference 76
CWE-24 Path Traversal: '../filedir' 76
CWE-620 Unverified Password Change 76
CWE-1220 Insufficient Granularity of Access Control 74
CWE-441 Unintended Proxy or Intermediary ('Confused Deputy') 73
CWE-1390 Weak Authentication 73
CWE-113 HTTP Response Splitting 72
CWE-823 Use of Out-of-range Pointer Offset 71
CWE-942 Permissive Cross-domain Security Policy with Untrusted Domains 70
CWE-538 Insertion of Sensitive Information into Externally-Accessible File 70
CWE-130 Improper Handling of Length Parameter Inconsistency 70
CWE-926 Improper Export of Android Application Components 69
CWE-275 Permission Issues 67
CWE-328 Use of Weak Hash 67
CWE-669 Incorrect Resource Transfer Between Spheres 67
CWE-303 Incorrect Implementation of Authentication Algorithm 66
CWE-409 Improper Handling of Highly Compressed Data (Data Amplification) 65
CWE-591 Sensitive Data Storage in Improperly Locked Memory 65
CWE-436 Interpretation Conflict 65
CWE-377 Insecure Temporary File 64
CWE-598 Use of GET Request Method With Sensitive Query Strings 64
CWE-212 Improper Removal of Sensitive Information Before Storage or Transfer 64
CWE-1286 Improper Validation of Syntactic Correctness of Input 63
CWE-916 Use of Password Hash With Insufficient Computational Effort 63
CWE-681 Incorrect Conversion between Numeric Types 62
CWE-489 Active Debug Code 61
CWE-90 LDAP Injection 61
CWE-763 Release of Invalid Pointer or Reference 61
CWE-15 External Control of System or Configuration Setting 61
CWE-29 Path Traversal: '\\..\\filename' 60
CWE-909 Missing Initialization of Resource 59
CWE-913 Improper Control of Dynamically-Managed Code Resources 57
CWE-277 Insecure Inherited Permissions 57
CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') 56
CWE-320 Key Management Errors 55
CWE-99 Improper Control of Resource Identifiers ('Resource Injection') 54
CWE-178 Improper Handling of Case Sensitivity 53
CWE-912 Hidden Functionality 53
CWE-648 Incorrect Use of Privileged APIs 53
CWE-257 Storing Passwords in a Recoverable Format 53
CWE-807 Reliance on Untrusted Inputs in a Security Decision 52
CWE-923 Improper Restriction of Communication Channel to Intended Endpoints 51
CWE-653 Improper Isolation or Compartmentalization 50
CWE-943 Improper Neutralization of Special Elements in Data Query Logic 50
CWE-776 Improper Restriction of Recursive Entity References in DTDs 47
CWE-614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute 47
CWE-524 Use of Cache Containing Sensitive Information 45
CWE-348 Use of Less Trusted Source 45
CWE-644 Improper Neutralization of HTTP Headers for Scripting Syntax 45
CWE-565 Reliance on Cookies without Validation and Integrity Checking 45
CWE-297 Improper Validation of Certificate with Host Mismatch 44
CWE-123 Write-what-where Condition 44
CWE-150 Improper Neutralization of Escape, Meta, or Control Sequences 44
CWE-197 Numeric Truncation Error 44
CWE-672 Operation on a Resource after Expiration or Release 43
CWE-825 Expired Pointer Dereference 41
CWE-1391 Use of Weak Credentials 41
CWE-799 Improper Control of Interaction Frequency 41
CWE-940 Improper Verification of Source of a Communication Channel 41
CWE-300 Channel Accessible by Non-Endpoint 41
CWE-548 Exposure of Information Through Directory Listing 40
CWE-325 Missing Cryptographic Step 40
CWE-378 Creation of Temporary File With Insecure Permissions 40
CWE-267 Privilege Defined With Unsafe Actions 39
CWE-379 Creation of Temporary File in Directory with Insecure Permissions 38
CWE-440 Expected Behavior Violation 37
CWE-841 Improper Enforcement of Behavioral Workflow 37
CWE-805 Buffer Access with Incorrect Length Value 37
CWE-1285 Improper Validation of Specified Index, Position, or Offset in Input 37
CWE-664 Improper Control of a Resource Through its Lifetime 36
CWE-170 Improper Null Termination 36
CWE-323 Reusing a Nonce, Key Pair in Encryption 36
CWE-782 Exposed IOCTL with Insufficient Access Control 34
CWE-506 Embedded Malicious Code 34
CWE-261 Weak Encoding for Password 33
CWE-405 Asymmetric Resource Consumption (Amplification) 32
CWE-302 Authentication Bypass by Assumed-Immutable Data 32
CWE-316 Cleartext Storage of Sensitive Information in Memory 31
CWE-1393 Use of Default Password 31
CWE-87 Improper Neutralization of Alternate XSS Syntax 31
CWE-183 Permissive List of Allowed Inputs 31
CWE-471 Modification of Assumed-Immutable Data (MAID) 31
CWE-274 Improper Handling of Insufficient Privileges 31
CWE-696 Incorrect Behavior Order 30
CWE-353 Missing Support for Integrity Check 29
CWE-124 Buffer Underwrite ('Buffer Underflow') 29
CWE-226 Sensitive Information in Resource Not Removed Before Reuse 29
CWE-185 Incorrect Regular Expression 28
CWE-202 Exposure of Sensitive Information Through Data Queries 28
CWE-340 Generation of Predictable Numbers or Identifiers 28
CWE-388 7PK - Errors 28
CWE-424 Improper Protection of Alternate Path 28
CWE-420 Unprotected Alternate Channel 28
CWE-335 Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) 27
CWE-636 Not Failing Securely ('Failing Open') 27
CWE-241 Improper Handling of Unexpected Data Type 26
CWE-1385 Missing Origin Validation in WebSockets 26
CWE-349 Acceptance of Extraneous Untrusted Data With Trusted Data 26
CWE-304 Missing Critical Step in Authentication 26
CWE-282 Improper Ownership Management 26
CWE-289 Authentication Bypass by Alternate Name 26
CWE-540 Inclusion of Sensitive Information in Source Code 25
CWE-1230 Exposure of Sensitive Information Through Metadata 25
CWE-213 Exposure of Sensitive Information Due to Incompatible Policies 25
CWE-286 Incorrect User Management 24
CWE-691 Insufficient Control Flow Management 24
CWE-75 Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) 24
CWE-41 Improper Resolution of Path Equivalence 24
CWE-791 Incomplete Filtering of Special Elements 24
CWE-488 Exposure of Data Element to Wrong Session 24
CWE-525 Use of Web Browser Cache Containing Sensitive Information 24
CWE-272 Least Privilege Violation 23
CWE-176 Improper Handling of Unicode Encoding 23
CWE-233 Improper Handling of Parameters 23
CWE-924 Improper Enforcement of Message Integrity During Transmission 23
CWE-158 Improper Neutralization of Null Byte or NUL Character 22
CWE-1004 Sensitive Cookie Without 'HttpOnly' Flag 22
CWE-273 Improper Check for Dropped Privileges 22
CWE-115 Misinterpretation of Input 22
CWE-684 Incorrect Provision of Specified Functionality 22
CWE-385 Covert Timing Channel 22
CWE-939 Improper Authorization in Handler for Custom URL Scheme 21
CWE-402 Transmission of Private Resources into a New Sphere ('Resource Leak') 21
CWE-96 Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') 21
CWE-606 Unchecked Input for Loop Condition 21
CWE-1300 Improper Protection of Physical Side Channels 21
CWE-778 Insufficient Logging 21
CWE-662 Improper Synchronization 21
CWE-270 Privilege Context Switching Error 20
CWE-114 Process Control 20
CWE-283 Unverified Ownership 20
CWE-1289 Improper Validation of Unsafe Equivalence in Input 20
CWE-313 Cleartext Storage in a File or on Disk 20
CWE-253 Incorrect Check of Function Return Value 19
CWE-279 Incorrect Execution-Assigned Permissions 19
CWE-260 Password in Configuration File 19
CWE-268 Privilege Chaining 19
CWE-357 Insufficient UI Warning of Dangerous Operations 18
CWE-523 Unprotected Transport of Credentials 18
CWE-603 Use of Client-Side Authentication 18
CWE-501 Trust Boundary Violation 18
CWE-526 Cleartext Storage of Sensitive Information in an Environment Variable 18
CWE-83 Improper Neutralization of Script in Attributes in a Web Page 17
CWE-350 Reliance on Reverse DNS Resolution for a Security-Critical Action 17
CWE-244 Improper Clearing of Heap Memory Before Release ('Heap Inspection') 17
CWE-324 Use of a Key Past its Expiration Date 17
CWE-783 Operator Precedence Logic Error 17
CWE-410 Insufficient Resource Pool 17
CWE-356 Product UI does not Warn User of Unsafe Actions 17
CWE-690 Unchecked Return Value to NULL Pointer Dereference 17
CWE-1288 Improper Validation of Consistency within Input 17
CWE-27 Path Traversal: 'dir/../../filename' 17
CWE-140 Improper Neutralization of Delimiters 17
CWE-390 Detection of Error Condition Without Action 16
CWE-1295 Debug Messages Revealing Unnecessary Information 16
CWE-590 Free of Memory not on the Heap 16
CWE-1394 Use of Default Cryptographic Key 16
CWE-477 Use of Obsolete Function 16
CWE-118 Incorrect Access of Indexable Resource ('Range Error') 16
CWE-460 Improper Cleanup on Thrown Exception 16
CWE-757 Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') 16
CWE-84 Improper Neutralization of Encoded URI Schemes in a Web Page 16
CWE-779 Logging of Excessive Data 15
CWE-1327 Binding to an Unrestricted IP Address 15
CWE-366 Race Condition within a Thread 15
CWE-228 Improper Handling of Syntactically Invalid Structure 15
CWE-698 Execution After Redirect (EAR) 15
CWE-215 Insertion of Sensitive Information Into Debugging Code 15
CWE-833 Deadlock 15
CWE-708 Incorrect Ownership Assignment 15
CWE-172 Encoding Error 15
CWE-1325 Improperly Controlled Sequential Memory Allocation 14
CWE-1104 Use of Unmaintained Third Party Components 14
CWE-1191 On-Chip Debug and Test Interface With Improper Access Control 14
CWE-229 Improper Handling of Values 14
CWE-758 Reliance on Undefined, Unspecified, or Implementation-Defined Behavior 14
CWE-322 Key Exchange without Entity Authentication 14
CWE-449 The UI Performs the Wrong Action 14
CWE-180 Incorrect Behavior Order: Validate Before Canonicalize 14
CWE-1260 Improper Handling of Overlap Between Protected Memory Ranges 14
CWE-214 Invocation of Process Using Visible Sensitive Information 13
CWE-1240 Use of a Cryptographic Primitive with a Risky Implementation 13
CWE-657 Violation of Secure Design Principles 13
CWE-790 Improper Filtering of Special Elements 13
CWE-820 Missing Synchronization 13
CWE-549 Missing Password Field Masking 13
CWE-155 Improper Neutralization of Wildcards or Matching Symbols 13
CWE-92 DEPRECATED: Improper Sanitization of Custom Special Characters 12
CWE-364 Signal Handler Race Condition 12
CWE-1259 Improper Restriction of Security Token Assignment 12
CWE-641 Improper Restriction of Names for Files and Other Resources 12
CWE-821 Incorrect Synchronization 12
CWE-592 DEPRECATED: Authentication Bypass Issues 12
CWE-1386 Insecure Operation on Windows Junction / Mount Point 12
CWE-230 Improper Handling of Missing Values 12
CWE-804 Guessable CAPTCHA 11
CWE-1395 Dependency on Vulnerable Third-Party Component 11
CWE-195 Signed to Unsigned Conversion Error 11
CWE-26 Path Traversal: '/dir/../filename' 11
CWE-413 Improper Resource Locking 11
CWE-1242 Inclusion of Undocumented Features or Chicken Bits 11
CWE-453 Insecure Default Variable Initialization 11
CWE-643 Improper Neutralization of Data within XPath Expressions ('XPath Injection') 11
CWE-76 Improper Neutralization of Equivalent Special Elements 11
CWE-836 Use of Password Hash Instead of Password for Authentication 11
CWE-837 Improper Enforcement of a Single, Unique Action 11
CWE-838 Inappropriate Encoding for Output Context 11
CWE-911 Improper Update of Reference Count 11
CWE-927 Use of Implicit Intent for Sensitive Communication 11
CWE-1050 Excessive Platform Resource Consumption within a Loop 10
CWE-177 Improper Handling of URL Encoding (Hex Encoding) 10
CWE-232 Improper Handling of Undefined Values 10
CWE-656 Reliance on Security Through Obscurity 10
CWE-296 Improper Following of a Certificate's Chain of Trust 10
CWE-417 Communication Channel Errors 10
CWE-351 Insufficient Type Distinction 10
CWE-475 Undefined Behavior for Input to API 10
CWE-341 Predictable from Observable State 10
CWE-159 Improper Handling of Invalid Use of Special Elements 10
CWE-14 Compiler Removal of Code to Clear Buffers 10
CWE-1244 Internal Asset Exposed to Unsafe Debug Access Level or State 10
CWE-830 Inclusion of Web Functionality from an Untrusted Source 10
CWE-1258 Exposure of Sensitive System Information Due to Uncleared Debug Information 10
CWE-612 Improper Authorization of Index Containing Sensitive Information 10
CWE-395 Use of NullPointerException Catch to Detect NULL Pointer Dereference 10
CWE-394 Unexpected Status Code or Return Value 9
CWE-561 Dead Code 9
CWE-334 Small Space of Random Values 9
CWE-419 Unprotected Primary Channel 9
CWE-308 Use of Single-factor Authentication 9
CWE-299 Improper Check for Certificate Revocation 9
CWE-64 Windows Shortcut Following (.LNK) 9
CWE-138 Improper Neutralization of Special Elements 9
CWE-599 Missing Validation of OpenSSL Certificate 9
CWE-146 Improper Neutralization of Expression/Command Delimiters 9
CWE-530 Exposure of Backup File to an Unauthorized Control Sphere 9
CWE-1025 Comparison Using Wrong Factors 9
CWE-86 Improper Neutralization of Invalid Characters in Identifiers in Web Pages 9
CWE-759 Use of a One-Way Hash without a Salt 9
CWE-265 Privilege Issues 9
CWE-291 Reliance on IP Address for Authentication 9
CWE-650 Trusting HTTP Permission Methods on the Server Side 9
CWE-474 Use of Function with Inconsistent Implementations 9
CWE-223 Omission of Security-relevant Information 8
CWE-760 Use of a One-Way Hash with a Predictable Salt 8
CWE-1023 Incomplete Comparison with Missing Factors 8
CWE-564 SQL Injection: Hibernate 8
CWE-332 Insufficient Entropy in PRNG 8
CWE-466 Return of Pointer Value Outside of Expected Range 8
CWE-242 Use of Inherently Dangerous Function 8
CWE-391 Unchecked Error Condition 8
CWE-392 Missing Report of Error Condition 8
CWE-547 Use of Hard-coded, Security-relevant Constants 8
CWE-271 Privilege Dropping / Lowering Errors 8
CWE-1275 Sensitive Cookie with Improper SameSite Attribute 8
CWE-337 Predictable Seed in Pseudo-Random Number Generator (PRNG) 8
CWE-647 Use of Non-Canonical URL Paths for Authorization Decisions 8
CWE-258 Empty Password in Configuration File 8
CWE-1299 Missing Protection Mechanism for Alternate Hardware Interface 8
CWE-701 Weaknesses Introduced During Design 8
CWE-646 Reliance on File Name or Extension of Externally-Supplied File 7
CWE-539 Use of Persistent Cookies Containing Sensitive Information 7
CWE-762 Mismatched Memory Management Routines 7
CWE-141 Improper Neutralization of Parameter/Argument Delimiters 7
CWE-371 State Issues 7
CWE-1282 Assumed-Immutable Data is Stored in Writable Memory 7
CWE-642 External Control of Critical State Data 7
CWE-199 Information Management Errors 7
CWE-480 Use of Incorrect Operator 7
CWE-372 Incomplete Internal State Distinction 7
CWE-187 Partial String Comparison 7
CWE-1262 Improper Access Control for Register Interface 7
CWE-551 Incorrect Behavior Order: Authorization Before Parsing and Canonicalization 7
CWE-1022 Use of Web Link to Untrusted Target with window.opener Access 7
CWE-18 DEPRECATED: Source Code 6
CWE-566 Authorization Bypass Through User-Controlled SQL Primary Key 6
CWE-625 Permissive Regular Expression 6
CWE-616 Incomplete Identification of Uploaded File Variables (PHP) 6
CWE-25 Path Traversal: '/../filedir' 6
CWE-1326 Missing Immutable Root of Trust in Hardware 6
CWE-1320 Improper Protection for Outbound Error Messages and Alert Signals 6
CWE-921 Storage of Sensitive Data in a Mechanism without Access Control 6
CWE-1274 Improper Access Control for Volatile Memory Containing Boot Code 6
CWE-393 Return of Wrong Status Code 6
CWE-329 Generation of Predictable IV with CBC Mode 6
CWE-408 Incorrect Behavior Order: Early Amplification 6
CWE-1038 Insecure Automated Optimizations 6
CWE-941 Incorrectly Specified Destination in a Communication Channel 6
CWE-421 Race Condition During Access to Alternate Channel 6
CWE-842 Placement of User into Incorrect Group 6
CWE-1241 Use of Predictable Algorithm in Random Number Generator 6
CWE-97 Improper Neutralization of Server-Side Includes (SSI) Within a Web Page 6
CWE-826 Premature Release of Resource During Expected Lifetime 6
CWE-31 Path Traversal: 'dir\..\..\filename' 6
CWE-82 Improper Neutralization of Script in Attributes of IMG Tags in a Web Page 6
CWE-1384 Improper Handling of Physical or Environmental Conditions 6
CWE-456 Missing Initialization of a Variable 6
CWE-37 Path Traversal: '/absolute/pathname/here' 6
CWE-771 Missing Reference to Active Allocated Resource 6
CWE-298 Improper Validation of Certificate Expiration 6
CWE-694 Use of Multiple Resources with Duplicate Identifier 6
CWE-676 Use of Potentially Dangerous Function 6
CWE-278 Insecure Preserved Inherited Permissions 6
CWE-65 Windows Hard Link 6
CWE-645 Overly Restrictive Account Lockout Mechanism 6
CWE-562 Return of Stack Variable Address 6
CWE-1125 Excessive Attack Surface 5
CWE-1037 Processor Optimization Removal or Modification of Security-critical Code 5
CWE-1263 Improper Physical Access Control 5
CWE-315 Cleartext Storage of Sensitive Information in a Cookie 5
CWE-839 Numeric Range Comparison Without Minimum Check 5
CWE-179 Incorrect Behavior Order: Early Validation 5
CWE-710 Improper Adherence to Coding Standards 5
CWE-361 7PK - Time and State 5
CWE-127 Buffer Under-read 5
CWE-342 Predictable Exact Value from Previous Values 5
CWE-544 Missing Standardized Error Handling Mechanism 5
CWE-153 Improper Neutralization of Substitution Characters 5
CWE-627 Dynamic Variable Evaluation 5
CWE-156 Improper Neutralization of Whitespace 5
CWE-573 Improper Following of Specification by Caller 5
CWE-1173 Improper Use of Validation Framework 5
CWE-317 Cleartext Storage of Sensitive Information in GUI 5
CWE-167 Improper Handling of Additional Special Element 5
CWE-112 Missing XML Validation 5
CWE-67 Improper Handling of Windows Device Names 5
CWE-1088 Synchronous Access of Remote Resource without Timeout 5
CWE-262 Not Using Password Aging 5
CWE-786 Access of Memory Location Before Start of Buffer 5
CWE-1329 Reliance on Component That is Not Updateable 5
CWE-649 Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking 4
CWE-194 Unexpected Sign Extension 4
CWE-1357 Reliance on Insufficiently Trustworthy Component 4
CWE-775 Missing Release of File Descriptor or Handle after Effective Lifetime 4
CWE-468 Incorrect Pointer Scaling 4
CWE-1077 Floating Point Comparison with Incorrect Operator 4
CWE-1189 Improper Isolation of Shared Resources on System-on-a-Chip (SoC) 4
CWE-454 External Initialization of Trusted Variables or Data Stores 4
CWE-794 Incomplete Filtering of Multiple Instances of Special Elements 4
CWE-196 Unsigned to Signed Conversion Error 4
CWE-1233 Security-Sensitive Hardware Controls with Missing Lock Bit Protection 4
CWE-1234 Hardware Internal or Debug Modes Allow Override of Locks 4
CWE-1281 Sequence of Processor Instructions Leads to Unexpected Behavior 4
CWE-733 Compiler Optimization Removal or Modification of Security-critical Code 4
CWE-1341 Multiple Releases of Same Resource or Handle 4
CWE-628 Function Call with Incorrectly Specified Arguments 4
CWE-692 Incomplete Denylist to Cross-Site Scripting 4
CWE-1270 Generation of Incorrect Security Tokens 4
CWE-414 Missing Lock Check 4
CWE-21 DEPRECATED: Pathname Traversal and Equivalence Errors 4
CWE-216 DEPRECATED: Containment Errors (Container Errors) 4
CWE-671 Lack of Administrator Control over Security 4
CWE-249 DEPRECATED: Often Misused: Path Manipulation 4
CWE-231 Improper Handling of Extra Values 4
CWE-406 Insufficient Control of Network Message Volume (Network Amplification) 4
CWE-534 DEPRECATED: Information Exposure Through Debug Log Files 4
CWE-1250 Improper Preservation of Consistency Between Independent Representations of Shared State 4
CWE-1032 OWASP Top Ten 2017 Category A6 - Security Misconfiguration 4
CWE-343 Predictable Value Range from Previous Values 4
CWE-149 Improper Neutralization of Quoting Syntax 4
CWE-69 Improper Handling of Windows ::DATA Alternate Data Stream 3
CWE-368 Context Switching Race Condition 3
CWE-1257 Improper Access Control Applied to Mirrored or Aliased Memory Regions 3
CWE-40 Path Traversal: '\\UNC\share\name\' (Windows UNC Share) 3
CWE-403 Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak') 3
CWE-1247 Improper Protection Against Voltage and Clock Glitches 3
CWE-412 Unrestricted Externally Accessible Lock 3
CWE-128 Wrap-around Error 3
CWE-435 Improper Interaction Between Multiple Correctly-Behaving Entities 3
CWE-437 Incomplete Model of Endpoint Features 3
CWE-447 Unimplemented or Unsupported Feature in UI 3
CWE-450 Multiple Interpretations of UI Input 3
CWE-463 Deletion of Data Structure Sentinel 3
CWE-473 PHP External Variable Modification 3
CWE-491 Public cloneable() Method Without Final ('Object Hijack') 3
CWE-520 .NET Misconfiguration: Use of Impersonation 3
CWE-1204 Generation of Weak Initialization Vector (IV) 3
CWE-1319 Improper Protection against Electromagnetic Fault Injection (EM-FI) 3
CWE-605 Multiple Binds to the Same Port 3
CWE-626 Null Byte Interaction Error (Poison Null Byte) 3
CWE-240 Improper Handling of Inconsistent Structural Elements 3
CWE-235 Improper Handling of Extra Parameters 3
CWE-1328 Security Version Number Mutable to Older Versions 3
CWE-219 Storage of File with Sensitive Data Under Web Root 3
CWE-683 Function Call With Incorrect Order of Arguments 3
CWE-686 Function Call With Incorrect Argument Type 3
CWE-688 Function Call With Incorrect Variable or Reference as Argument 3
CWE-1332 Improper Handling of Faults that Lead to Instruction Skips 3
CWE-1335 Incorrect Bitwise Shift of Integer 3
CWE-705 Incorrect Control Flow Scoping 3
CWE-767 Access to Critical Private Variable via Public Method 3
CWE-784 Reliance on Cookies without Validation and Integrity Checking in a Security Decision 3
CWE-792 Incomplete Filtering of One or More Instances of Special Elements 3
CWE-81 Improper Neutralization of Script in an Error Message Web Page 3
CWE-1059 Insufficient Technical Documentation 3
CWE-173 Improper Handling of Alternate Encoding 3
CWE-1049 Excessive Data Query Operations in a Large Data Table 3
CWE-1039 Inadequate Detection or Handling of Adversarial Input Perturbations in Automated Recognition Mechanism 3
CWE-914 Improper Control of Dynamically-Identified Variables 3
CWE-144 Improper Neutralization of Line Delimiters 3
CWE-925 Improper Verification of Intent by Broadcast Receiver 3
CWE-1427 Improper Neutralization of Input Used for LLM Prompting 3
CWE-1264 Hardware Logic with Insecure De-Synchronization between Control and Data Channels 3
CWE-422 Unprotected Windows Messaging Channel ('Shatter') 2
CWE-239 Failure to Handle Incomplete Element 2
CWE-237 Improper Handling of Structural Elements 2
CWE-236 Improper Handling of Undefined Parameters 2
CWE-1007 Insufficient Visual Distinction of Homoglyphs Presented to User 2
CWE-920 Improper Restriction of Power Consumption 2
CWE-234 Failure to Handle Missing Parameter 2
CWE-550 Server-generated Error Message Containing Sensitive Information 2
CWE-386 Symbolic Name not Mapping to Correct Object 2
CWE-227 7PK - API Abuse 2
CWE-531 Inclusion of Sensitive Information in Test Code 2
CWE-528 Exposure of Core Dump File to an Unauthorized Control Sphere 2
CWE-1304 Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation 2
CWE-1256 Improper Restriction of Software Interfaces to Hardware Features 2
CWE-1303 Non-Transparent Sharing of Microarchitectural Resources 2
CWE-210 Self-generated Error Message Containing Sensitive Information 2
CWE-344 Use of Invariant Value in Dynamically Changing Context 2
CWE-687 Function Call With Incorrectly Specified Argument Value 2
CWE-689 Permission Race Condition During Resource Copy 2
CWE-1428 Reliance on HTTP instead of HTTPS 2
CWE-205 Observable Behavioral Discrepancy 2
CWE-1112 Incomplete Documentation of Program Execution 2
CWE-1108 Excessive Reliance on Global Variables 2
CWE-1221 Incorrect Register Defaults or Module Parameters 2
CWE-1107 Insufficient Isolation of Symbolic Constant Definitions 2
CWE-730 OWASP Top Ten 2004 Category A9 - Denial of Service 2
CWE-1103 Use of Platform-Dependent Third Party Components 2
CWE-1100 Insufficient Isolation of System-Dependent Functions 2
CWE-756 Missing Custom Error Page 2
CWE-761 Free of Pointer not at Start of Buffer 2
CWE-1223 Race Condition for Write-Once Attributes 2
CWE-769 DEPRECATED: Uncontrolled File Descriptor Consumption 2
CWE-11 ASP.NET Misconfiguration: Creating Debug Binary 2
CWE-774 Allocation of File Descriptors or Handles Without Limits or Throttling 2
CWE-467 Use of sizeof() on a Pointer Type 2
CWE-780 Use of RSA Algorithm without OAEP 2
CWE-1283 Mutable Attestation or Measurement Reporting Data 2
CWE-1018 Manage User Sessions 2
CWE-1231 Improper Prevention of Lock Bit Modification 2
CWE-142 Improper Neutralization of Value Delimiters 2
CWE-1068 Inconsistency Between Implementation and Documented Design 2
CWE-182 Collapse of Data into Unsafe Value 2
CWE-815 OWASP Top Ten 2010 Category A6 - Security Misconfiguration 2
CWE-446 UI Discrepancy for Security Feature 2
CWE-1389 Incorrect Parsing of Numbers with Different Radices 2
CWE-828 Signal Handler with Functionality that is not Asynchronous-Safe 2
CWE-168 Improper Handling of Inconsistent Special Elements 2
CWE-431 Missing Handler 2
CWE-166 Improper Handling of Missing Special Element 2
CWE-164 Improper Neutralization of Internal Special Elements 2
CWE-1 DEPRECATED: Location 2
CWE-147 Improper Neutralization of Input Terminators 2
CWE-85 Doubled Character XSS Manipulations 2
CWE-1245 Improper Finite State Machines (FSMs) in Hardware Logic 2
CWE-1046 Creation of Immutable Text Using String Concatenation 2
CWE-1246 Improper Write Handling in Limited-write Non-Volatile Memories 2
CWE-882 CERT C++ Secure Coding Section 14 - Concurrency (CON) 2
CWE-32 Path Traversal: '...' (Triple Dot) 2
CWE-910 Use of Expired File Descriptor 2
CWE-1254 Incorrect Comparison Logic Granularity 2
CWE-1255 Comparison Logic is Vulnerable to Power Side-Channel Attacks 2
CWE-396 Declaration of Catch for Generic Exception 2
CWE-1027 OWASP Top Ten 2017 Category A1 - Injection 2
CWE-148 Improper Neutralization of Input Leaders 2
CWE-1187 DEPRECATED: Use of Uninitialized Resource 2
CWE-1323 Improper Management of Sensitive Trace Data 2
CWE-597 Use of Wrong Operator in String Comparison 2
CWE-62 UNIX Hard Link 2
CWE-622 Improper Validation of Function Hook Arguments 2
CWE-623 Unsafe ActiveX Control Marked Safe For Scripting 2
CWE-624 Executable Regular Expression Error 2
CWE-567 Unsynchronized Access to Shared Data in a Multithreaded Context 2
CWE-563 Assignment to Variable without Use 2
CWE-198 Use of Incorrect Byte Ordering 1
CWE-293 Using Referer Field for Authentication 1
CWE-952 SFP Secondary Cluster: Missing Authentication 1
CWE-485 7PK - Encapsulation 1
CWE-1176 Inefficient CPU Computation 1
CWE-484 Omitted Break Statement in Switch 1
CWE-374 Passing Mutable Objects to an Untrusted Method 1
CWE-765 Multiple Unlocks of a Critical Resource 1
CWE-360 Trust of System Event Data 1
CWE-768 Incorrect Short Circuit Evaluation 1
CWE-1174 ASP.NET Misconfiguration: Improper Model Validation 1
CWE-1316 Fabric-Address Map Allows Programming of Unwarranted Overlaps of Protected and Unprotected Ranges 1
CWE-1091 Use of Object without Invoking Destructor Method 1
CWE-301 Reflection Attack in an Authentication Protocol 1
CWE-469 Use of Pointer Subtraction to Determine Size 1
CWE-363 Race Condition Enabling Link Following 1
CWE-588 Attempt to Access Child of a Non-structure Pointer 1
CWE-465 Pointer Issues 1
CWE-777 Regular Expression without Anchors 1
CWE-462 Duplicate Key in Associative List (Alist) 1
CWE-192 Integer Coercion Error 1
CWE-1083 Data Access from Outside Expected Data Manager Component 1
CWE-587 Assignment of a Fixed Address to a Pointer 1
CWE-1366 ICS Communications: Frail Security in Protocols 1
CWE-895 SFP Primary Cluster: Information Leak 1
CWE-1279 Cryptographic Operations are run Before Supporting Units are Ready 1
CWE-46 Path Equivalence: 'filename ' (Trailing Space) 1
CWE-1078 Inappropriate Source Code Style or Formatting 1
CWE-1278 Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques 1
CWE-1076 Insufficient Adherence to Expected Conventions 1
CWE-1072 Data Resource Access without Use of Connection Pooling 1
CWE-455 Non-exit on Failed Initialization 1
CWE-188 Reliance on Data/Memory Layout 1
CWE-1423 Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution 1
CWE-154 Improper Neutralization of Variable Name Delimiters 1
CWE-1253 Incorrect Selection of Fuse Values 1
CWE-309 Use of Password System for Primary Authentication 1
CWE-1066 Missing Serialization Control Element 1
CWE-186 Overly Restrictive Regular Expression 1
CWE-571 Expression is Always True 1
CWE-448 Obsolete Feature in UI 1
CWE-637 Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism') 1
CWE-638 Not Using Complete Mediation 1
CWE-1268 Policy Privileges are not Assigned Consistently Between Control and Data Agents 1
CWE-557 Concurrency Issues 1
CWE-615 Inclusion of Sensitive Information in Source Code Comments 1
CWE-570 Expression is Always False 1
CWE-556 ASP.NET Misconfiguration: Use of Identity Impersonation 1
CWE-443 DEPRECATED: HTTP response splitting 1
CWE-44 Path Equivalence: 'file.name' (Internal Dot) 1
CWE-555 J2EE Misconfiguration: Plaintext Password in Configuration File 1
CWE-553 Command Shell in Externally Accessible Directory 1
CWE-1314 Missing Write Protection for Parametric Data Values 1
CWE-1269 Product Released in Non-Release Configuration 1
CWE-1265 Unintended Reentrant Invocation of Non-reentrant Code Via Nested Calls 1
CWE-1313 Hardware Allows Activation of Test or Debug Logic at Runtime 1
CWE-1312 Missing Protection for Mirrored Regions in On-Chip Fabric Firewall 1
CWE-535 Exposure of Information Through Shell Error Message 1
CWE-533 DEPRECATED: Information Exposure Through Server Log Files 1
CWE-12 ASP.NET Misconfiguration: Missing Custom Error Page 1
CWE-66 Improper Handling of File Names that Identify Virtual Resources 1
CWE-1058 Invokable Control Element in Multi-Thread Context with non-Final Static Storable or Member Element 1
CWE-1164 Irrelevant Code 1
CWE-1280 Access Control Check Implemented After Asset is Accessed 1
CWE-529 Exposure of Access Control List Files to an Unauthorized Control Sphere 1
CWE-1124 Excessively Deep Nesting 1
CWE-34 Path Traversal: '....//' 1
CWE-527 Exposure of Version-Control Repository to an Unauthorized Control Sphere 1
CWE-1057 Data Access Operations Outside of Expected Data Manager Component 1
CWE-28 Path Traversal: '..\filedir' 1
CWE-618 Exposed Unsafe ActiveX Method 1
CWE-673 External Influence of Sphere Definition 1
CWE-1118 Insufficient Documentation of Error Handling Techniques 1
CWE-433 Unparsed Raw Web Content Delivery 1
CWE-1218 Memory Buffer Errors 1
CWE-832 Unlock of a Resource that is not Locked 1
CWE-1116 Inaccurate Source Code Comments 1
CWE-38 Path Traversal: '\absolute\pathname\here' 1
CWE-514 Covert Channel 1
CWE-263 Password Aging with Long Expiration 1
CWE-57 Path Equivalence: 'fakedir/../realdir/filename' 1
CWE-339 Small Seed Space in PRNG 1
CWE-1051 Initialization with Hard-Coded Network Resource Configuration Data 1
CWE-1301 Insufficient or Incomplete Data Removal within Hardware Component 1
CWE-1419 Incorrect Initialization of Resource 1
CWE-1334 Unauthorized Error Injection Can Degrade Hardware Redundancy 1
CWE-1291 Public Key Re-Use for Signing both Debug and Production Code 1
CWE-1113 Inappropriate Comment Style 1
CWE-50 Path Equivalence: '//multiple/leading/slash' 1
CWE-207 Observable Behavioral Discrepancy With Equivalent Products 1
CWE-962 SFP Secondary Cluster: Unchecked Status Condition 1
CWE-333 Improper Handling of Insufficient Entropy in TRNG 1
CWE-5 J2EE Misconfiguration: Data Transmission Without Encryption 1
CWE-702 Weaknesses Introduced During Implementation 1
CWE-430 Deployment of Wrong Handler 1
CWE-111 Direct Use of Unsafe JNI 1
CWE-336 Same Seed in Pseudo-Random Number Generator (PRNG) 1
CWE-499 Serializable Class Containing Sensitive Data 1
CWE-1420 Exposure of Sensitive Information during Transient Execution 1
CWE-1342 Information Exposure through Microarchitectural State after Transient Execution 1
CWE-6 J2EE Misconfiguration: Insufficient Session-ID Length 1
CWE-714 OWASP Top Ten 2007 Category A3 - Malicious File Execution 1
CWE-162 Improper Neutralization of Trailing Special Elements 1
CWE-621 Variable Extraction Error 1
CWE-1106 Insufficient Use of Symbolic Constants 1
CWE-495 Private Data Structure Returned From A Public Method 1
CWE-135 Incorrect Calculation of Multi-Byte String Length 1
CWE-1026 Weaknesses in OWASP Top Ten (2017) 1
CWE-1352 OWASP Top Ten 2021 Category A06:2021 - Vulnerable and Outdated Components 1
CWE-1102 Reliance on Machine-Dependent Data Representation 1
CWE-42 Path Equivalence: 'filename.' (Trailing Dot) 1
CWE-1272 Sensitive Information Uncleared Before Debug/Power State Transition 1
CWE-1222 Insufficient Granularity of Address Regions Protected by Register Locks 1

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy