|
CWE-79
|
Cross-site Scripting (XSS)
|
10065
|
|
CWE-862
|
Missing Authorization
|
3268
|
|
CWE-74
|
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
|
2979
|
|
CWE-89
|
SQL Injection
|
2802
|
|
CWE-352
|
Cross-Site Request Forgery (CSRF)
|
2195
|
|
CWE-22
|
Path Traversal
|
1816
|
|
CWE-284
|
Improper Access Control
|
1385
|
|
CWE-416
|
Use After Free
|
1361
|
|
CWE-119
|
Buffer Overflow
|
1268
|
|
CWE-125
|
Out-of-bounds Read
|
1224
|
|
CWE-78
|
OS Command Injection
|
1176
|
|
CWE-476
|
NULL Pointer Dereference
|
1168
|
|
CWE-200
|
Information Exposure
|
1136
|
|
CWE-20
|
Improper Input Validation
|
1094
|
|
CWE-918
|
Server-Side Request Forgery (SSRF)
|
1084
|
|
CWE-787
|
Out-of-bounds Write
|
1061
|
|
CWE-94
|
Code Injection
|
910
|
|
CWE-98
|
PHP Remote File Inclusion
|
894
|
|
CWE-77
|
Command Injection
|
837
|
|
CWE-863
|
Incorrect Authorization
|
822
|
|
CWE-502
|
Deserialization of Untrusted Data
|
819
|
|
CWE-121
|
Stack-based Buffer Overflow
|
765
|
|
CWE-122
|
Heap-based Buffer Overflow
|
749
|
|
CWE-434
|
Unrestricted Upload of File with Dangerous Type
|
728
|
|
CWE-639
|
Authorization Bypass Through User-Controlled Key
|
703
|
|
CWE-400
|
Uncontrolled Resource Consumption
|
673
|
|
CWE-120
|
Classic Buffer Overflow
|
626
|
|
CWE-306
|
Missing Authentication for Critical Function
|
606
|
|
CWE-770
|
Allocation of Resources Without Limits or Throttling
|
583
|
|
CWE-266
|
Incorrect Privilege Assignment
|
554
|
|
CWE-287
|
Improper Authentication
|
518
|
|
CWE-269
|
Improper Privilege Management
|
465
|
|
CWE-362
|
Race Condition
|
459
|
|
CWE-401
|
Memory Leak
|
410
|
|
CWE-190
|
Integer Overflow or Wraparound
|
375
|
|
CWE-601
|
URL Redirection to Untrusted Site (Open Redirect)
|
345
|
|
CWE-285
|
Improper Authorization
|
302
|
|
CWE-288
|
Authentication Bypass Using an Alternate Path or Channel
|
268
|
|
CWE-295
|
Improper Certificate Validation
|
258
|
|
CWE-276
|
Incorrect Default Permissions
|
252
|
|
CWE-427
|
Uncontrolled Search Path Element
|
249
|
|
CWE-404
|
Improper Resource Shutdown or Release
|
248
|
|
CWE-732
|
Incorrect Permission Assignment for Critical Resource
|
230
|
|
CWE-798
|
Use of Hard-coded Credentials
|
221
|
|
CWE-532
|
Insertion of Sensitive Information into Log File
|
218
|
|
CWE-59
|
Improper Link Resolution Before File Access
|
204
|
|
CWE-201
|
Insertion of Sensitive Information Into Sent Data
|
193
|
|
CWE-497
|
Exposure of Sensitive System Information to an Unauthorized Control Sphere
|
193
|
|
CWE-367
|
Time-of-check Time-of-use (TOCTOU) Race Condition
|
191
|
|
CWE-428
|
Unquoted Search Path or Element
|
189
|
|
CWE-667
|
Improper Locking
|
186
|
|
CWE-73
|
External Control of File Name or Path
|
186
|
|
CWE-693
|
Protection Mechanism Failure
|
179
|
|
CWE-290
|
Authentication Bypass by Spoofing
|
159
|
|
CWE-843
|
Access of Resource Using Incompatible Type (Type Confusion)
|
157
|
|
CWE-522
|
Insufficiently Protected Credentials
|
155
|
|
CWE-307
|
Improper Restriction of Excessive Authentication Attempts
|
154
|
|
CWE-80
|
Basic XSS
|
152
|
|
CWE-908
|
Use of Uninitialized Resource
|
149
|
|
CWE-617
|
Reachable Assertion
|
146
|
|
CWE-415
|
Double Free
|
145
|
|
CWE-347
|
Improper Verification of Cryptographic Signature
|
144
|
|
CWE-754
|
Improper Check for Unusual or Exceptional Conditions
|
143
|
|
CWE-835
|
Loop with Unreachable Exit Condition (Infinite Loop)
|
143
|
|
CWE-23
|
Relative Path Traversal
|
143
|
|
CWE-346
|
Origin Validation Error
|
139
|
|
CWE-319
|
Cleartext Transmission of Sensitive Information
|
138
|
|
CWE-126
|
Buffer Over-read
|
136
|
|
CWE-209
|
Error Message Information Leak
|
131
|
|
CWE-613
|
Insufficient Session Expiration
|
130
|
|
CWE-611
|
Improper Restriction of XML External Entity Reference
|
124
|
|
CWE-451
|
User Interface (UI) Misrepresentation of Critical Information
|
120
|
|
CWE-1321
|
Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution)
|
119
|
|
CWE-674
|
Uncontrolled Recursion
|
117
|
|
CWE-312
|
Cleartext Storage of Sensitive Information
|
114
|
|
CWE-321
|
Use of Hard-coded Cryptographic Key
|
111
|
|
CWE-345
|
Insufficient Verification of Data Authenticity
|
109
|
|
CWE-327
|
Use of a Broken or Risky Cryptographic Algorithm
|
108
|
|
CWE-191
|
Integer Underflow
|
107
|
|
CWE-426
|
Untrusted Search Path
|
105
|
|
CWE-1284
|
Improper Validation of Specified Quantity in Input
|
103
|
|
CWE-250
|
Execution with Unnecessary Privileges
|
101
|
|
CWE-88
|
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
|
100
|
|
CWE-1333
|
Inefficient Regular Expression Complexity (ReDoS)
|
99
|
|
CWE-129
|
Improper Validation of Array Index
|
92
|
|
CWE-35
|
Path Traversal: '.../...//'
|
86
|
|
CWE-248
|
Uncaught Exception
|
86
|
|
CWE-369
|
Divide By Zero
|
82
|
|
CWE-116
|
Improper Encoding or Escaping of Output
|
80
|
|
CWE-552
|
Files or Directories Accessible to External Parties
|
78
|
|
CWE-444
|
HTTP Request/Response Smuggling
|
74
|
|
CWE-359
|
Exposure of Private Personal Information to an Unauthorized Actor
|
74
|
|
CWE-1336
|
Improper Neutralization of Special Elements Used in a Template Engine
|
72
|
|
CWE-93
|
Improper Neutralization of CRLF Sequences ('CRLF Injection')
|
71
|
|
CWE-822
|
Untrusted Pointer Dereference
|
71
|
|
CWE-204
|
Observable Response Discrepancy
|
68
|
|
CWE-203
|
Observable Discrepancy
|
67
|
|
CWE-256
|
Plaintext Storage of a Password
|
65
|
|
CWE-829
|
Inclusion of Functionality from Untrusted Control Sphere
|
64
|
|
CWE-472
|
External Control of Assumed-Immutable Web Parameter
|
62
|
|
CWE-1287
|
Improper Validation of Specified Type of Input
|
62
|
|
CWE-1021
|
Improper Restriction of Rendered UI Layers or Frames
|
62
|
|
CWE-1188
|
Initialization of a Resource with an Insecure Default
|
61
|
|
CWE-384
|
Session Fixation
|
60
|
|
CWE-61
|
UNIX Symbolic Link (Symlink) Following
|
59
|
|
CWE-208
|
Observable Timing Discrepancy
|
59
|
|
CWE-640
|
Weak Password Recovery Mechanism for Forgotten Password
|
57
|
|
CWE-36
|
Absolute Path Traversal
|
57
|
|
CWE-281
|
Improper Preservation of Permissions
|
57
|
|
CWE-280
|
Improper Handling of Insufficient Permissions or Privileges
|
56
|
|
CWE-305
|
Authentication Bypass by Primary Weakness
|
55
|
|
CWE-184
|
Incomplete List of Disallowed Inputs
|
53
|
|
CWE-259
|
Use of Hard-coded Password
|
53
|
|
CWE-789
|
Memory Allocation with Excessive Size Value
|
53
|
|
CWE-1392
|
Use of Default Credentials
|
51
|
|
CWE-457
|
Use of Uninitialized Variable
|
50
|
|
CWE-441
|
Unintended Proxy or Intermediary ('Confused Deputy')
|
49
|
|
CWE-922
|
Insecure Storage of Sensitive Information
|
49
|
|
CWE-926
|
Improper Export of Android Application Components
|
49
|
|
CWE-668
|
Exposure of Resource to Wrong Sphere
|
46
|
|
CWE-494
|
Download of Code Without Integrity Check
|
46
|
|
CWE-1390
|
Weak Authentication
|
45
|
|
CWE-521
|
Weak Password Requirements
|
44
|
|
CWE-915
|
Improperly Controlled Modification of Dynamically-Determined Object Attributes
|
43
|
|
CWE-602
|
Client-Side Enforcement of Server-Side Security
|
43
|
|
CWE-407
|
Inefficient Algorithmic Complexity
|
42
|
|
CWE-1220
|
Insufficient Granularity of Access Control
|
41
|
|
CWE-598
|
Use of GET Request Method With Sensitive Query Strings
|
41
|
|
CWE-824
|
Access of Uninitialized Pointer
|
40
|
|
CWE-338
|
Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
|
40
|
|
CWE-95
|
Eval Injection
|
40
|
|
CWE-193
|
Off-by-one Error
|
40
|
|
CWE-620
|
Unverified Password Change
|
39
|
|
CWE-942
|
Permissive Cross-domain Security Policy with Untrusted Domains
|
39
|
|
CWE-294
|
Authentication Bypass by Capture-replay
|
38
|
|
CWE-749
|
Exposed Dangerous Method or Function
|
37
|
|
CWE-755
|
Improper Handling of Exceptional Conditions
|
37
|
|
CWE-330
|
Use of Insufficiently Random Values
|
37
|
|
CWE-15
|
External Control of System or Configuration Setting
|
37
|
|
CWE-331
|
Insufficient Entropy
|
36
|
|
CWE-326
|
Inadequate Encryption Strength
|
36
|
|
CWE-610
|
Externally Controlled Reference to a Resource in Another Sphere
|
36
|
|
CWE-653
|
Improper Isolation or Compartmentalization
|
35
|
|
CWE-24
|
Path Traversal: '../filedir'
|
35
|
|
CWE-807
|
Reliance on Untrusted Inputs in a Security Decision
|
35
|
|
CWE-264
|
Permissions, Privileges, and Access Controls
|
34
|
|
CWE-538
|
Insertion of Sensitive Information into Externally-Accessible File
|
33
|
|
CWE-459
|
Incomplete Cleanup
|
33
|
|
CWE-425
|
Direct Request ('Forced Browsing')
|
32
|
|
CWE-117
|
Improper Output Neutralization for Logs
|
32
|
|
CWE-1286
|
Improper Validation of Syntactic Correctness of Input
|
32
|
|
CWE-131
|
Incorrect Calculation of Buffer Size
|
32
|
|
CWE-90
|
LDAP Injection
|
31
|
|
CWE-943
|
Improper Neutralization of Special Elements in Data Query Logic
|
31
|
|
CWE-840
|
Business Logic Errors
|
31
|
|
CWE-409
|
Improper Handling of Highly Compressed Data (Data Amplification)
|
31
|
|
CWE-506
|
Embedded Malicious Code
|
30
|
|
CWE-669
|
Incorrect Resource Transfer Between Spheres
|
29
|
|
CWE-703
|
Improper Check or Handling of Exceptional Conditions
|
29
|
|
CWE-358
|
Improperly Implemented Security Check for Standard
|
29
|
|
CWE-670
|
Always-Incorrect Control Flow Implementation
|
29
|
|
CWE-1236
|
Improper Neutralization of Formula Elements in a CSV File
|
29
|
|
CWE-823
|
Use of Out-of-range Pointer Offset
|
28
|
|
CWE-328
|
Use of Weak Hash
|
28
|
|
CWE-311
|
Missing Encryption of Sensitive Data
|
28
|
|
CWE-134
|
Use of Externally-Controlled Format String
|
27
|
|
CWE-150
|
Improper Neutralization of Escape, Meta, or Control Sequences
|
27
|
|
CWE-303
|
Incorrect Implementation of Authentication Algorithm
|
27
|
|
CWE-310
|
Cryptographic Issues
|
27
|
|
CWE-113
|
HTTP Response Splitting
|
26
|
|
CWE-354
|
Improper Validation of Integrity Check Value
|
26
|
|
CWE-320
|
Key Management Errors
|
25
|
|
CWE-644
|
Improper Neutralization of HTTP Headers for Scripting Syntax
|
25
|
|
CWE-99
|
Improper Control of Resource Identifiers ('Resource Injection')
|
25
|
|
CWE-252
|
Unchecked Return Value
|
25
|
|
CWE-130
|
Improper Handling of Length Parameter Inconsistency
|
25
|
|
CWE-704
|
Incorrect Type Conversion or Cast
|
24
|
|
CWE-805
|
Buffer Access with Incorrect Length Value
|
24
|
|
CWE-91
|
XML Injection (aka Blind XPath Injection)
|
23
|
|
CWE-348
|
Use of Less Trusted Source
|
23
|
|
CWE-665
|
Improper Initialization
|
23
|
|
CWE-912
|
Hidden Functionality
|
23
|
|
CWE-923
|
Improper Restriction of Communication Channel to Intended Endpoints
|
23
|
|
CWE-772
|
Missing Release of Resource after Effective Lifetime
|
23
|
|
CWE-436
|
Interpretation Conflict
|
22
|
|
CWE-706
|
Use of Incorrectly-Resolved Name or Reference
|
22
|
|
CWE-1391
|
Use of Weak Credentials
|
22
|
|
CWE-277
|
Insecure Inherited Permissions
|
22
|
|
CWE-1393
|
Use of Default Password
|
21
|
|
CWE-257
|
Storing Passwords in a Recoverable Format
|
21
|
|
CWE-212
|
Improper Removal of Sensitive Information Before Storage or Transfer
|
21
|
|
CWE-178
|
Improper Handling of Case Sensitivity
|
20
|
|
CWE-470
|
Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
|
20
|
|
CWE-799
|
Improper Control of Interaction Frequency
|
19
|
|
CWE-940
|
Improper Verification of Source of a Communication Channel
|
19
|
|
CWE-405
|
Asymmetric Resource Consumption (Amplification)
|
19
|
|
CWE-680
|
Integer Overflow to Buffer Overflow
|
19
|
|
CWE-913
|
Improper Control of Dynamically-Managed Code Resources
|
19
|
|
CWE-696
|
Incorrect Behavior Order
|
18
|
|
CWE-841
|
Improper Enforcement of Behavioral Workflow
|
18
|
|
CWE-29
|
Path Traversal: '\\..\\filename'
|
18
|
|
CWE-548
|
Exposure of Information Through Directory Listing
|
18
|
|
CWE-614
|
Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
|
18
|
|
CWE-255
|
Credentials Management Errors
|
18
|
|
CWE-267
|
Privilege Defined With Unsafe Actions
|
18
|
|
CWE-41
|
Improper Resolution of Path Equivalence
|
17
|
|
CWE-1285
|
Improper Validation of Specified Index, Position, or Offset in Input
|
17
|
|
CWE-917
|
Improper Neutralization of Special Elements used in an Expression Language Statement
|
17
|
|
CWE-524
|
Use of Cache Containing Sensitive Information
|
17
|
|
CWE-124
|
Buffer Underwrite ('Buffer Underflow')
|
17
|
|
CWE-377
|
Insecure Temporary File
|
17
|
|
CWE-1385
|
Missing Origin Validation in WebSockets
|
16
|
|
CWE-1230
|
Exposure of Sensitive Information Through Metadata
|
16
|
|
CWE-297
|
Improper Validation of Certificate with Host Mismatch
|
16
|
|
CWE-825
|
Expired Pointer Dereference
|
16
|
|
CWE-791
|
Incomplete Filtering of Special Elements
|
16
|
|
CWE-183
|
Permissive List of Allowed Inputs
|
15
|
|
CWE-340
|
Generation of Predictable Numbers or Identifiers
|
15
|
|
CWE-672
|
Operation on a Resource after Expiration or Release
|
15
|
|
CWE-648
|
Incorrect Use of Privileged APIs
|
15
|
|
CWE-591
|
Sensitive Data Storage in Improperly Locked Memory
|
15
|
|
CWE-420
|
Unprotected Alternate Channel
|
15
|
|
CWE-189
|
Numeric Errors
|
15
|
|
CWE-525
|
Use of Web Browser Cache Containing Sensitive Information
|
15
|
|
CWE-489
|
Active Debug Code
|
15
|
|
CWE-289
|
Authentication Bypass by Alternate Name
|
14
|
|
CWE-636
|
Not Failing Securely ('Failing Open')
|
14
|
|
CWE-304
|
Missing Critical Step in Authentication
|
14
|
|
CWE-325
|
Missing Cryptographic Step
|
14
|
|
CWE-185
|
Incorrect Regular Expression
|
13
|
|
CWE-282
|
Improper Ownership Management
|
13
|
|
CWE-697
|
Incorrect Comparison
|
13
|
|
CWE-440
|
Expected Behavior Violation
|
13
|
|
CWE-378
|
Creation of Temporary File With Insecure Permissions
|
13
|
|
CWE-283
|
Unverified Ownership
|
12
|
|
CWE-776
|
Improper Restriction of Recursive Entity References in DTDs
|
12
|
|
CWE-176
|
Improper Handling of Unicode Encoding
|
12
|
|
CWE-300
|
Channel Accessible by Non-Endpoint
|
12
|
|
CWE-226
|
Sensitive Information in Resource Not Removed Before Reuse
|
12
|
|
CWE-158
|
Improper Neutralization of Null Byte or NUL Character
|
12
|
|
CWE-353
|
Missing Support for Integrity Check
|
12
|
|
CWE-682
|
Incorrect Calculation
|
11
|
|
CWE-244
|
Improper Clearing of Heap Memory Before Release ('Heap Inspection')
|
11
|
|
CWE-488
|
Exposure of Data Element to Wrong Session
|
11
|
|
CWE-691
|
Insufficient Control Flow Management
|
11
|
|
CWE-123
|
Write-what-where Condition
|
11
|
|
CWE-84
|
Improper Neutralization of Encoded URI Schemes in a Web Page
|
11
|
|
CWE-349
|
Acceptance of Extraneous Untrusted Data With Trusted Data
|
11
|
|
CWE-316
|
Cleartext Storage of Sensitive Information in Memory
|
11
|
|
CWE-424
|
Improper Protection of Alternate Path
|
11
|
|
CWE-402
|
Transmission of Private Resources into a New Sphere ('Resource Leak')
|
10
|
|
CWE-526
|
Cleartext Storage of Sensitive Information in an Environment Variable
|
10
|
|
CWE-87
|
Improper Neutralization of Alternate XSS Syntax
|
10
|
|
CWE-279
|
Incorrect Execution-Assigned Permissions
|
10
|
|
CWE-684
|
Incorrect Provision of Specified Functionality
|
10
|
|
CWE-180
|
Incorrect Behavior Order: Validate Before Canonicalize
|
10
|
|
CWE-202
|
Exposure of Sensitive Information Through Data Queries
|
10
|
|
CWE-778
|
Insufficient Logging
|
10
|
|
CWE-260
|
Password in Configuration File
|
10
|
|
CWE-302
|
Authentication Bypass by Assumed-Immutable Data
|
10
|
|
CWE-758
|
Reliance on Undefined, Unspecified, or Implementation-Defined Behavior
|
10
|
|
CWE-540
|
Inclusion of Sensitive Information in Source Code
|
10
|
|
CWE-763
|
Release of Invalid Pointer or Reference
|
10
|
|
CWE-261
|
Weak Encoding for Password
|
10
|
|
CWE-603
|
Use of Client-Side Authentication
|
10
|
|
CWE-681
|
Incorrect Conversion between Numeric Types
|
10
|
|
CWE-1300
|
Improper Protection of Physical Side Channels
|
10
|
|
CWE-1394
|
Use of Default Cryptographic Key
|
10
|
|
CWE-1191
|
On-Chip Debug and Test Interface With Improper Access Control
|
10
|
|
CWE-1289
|
Improper Validation of Unsafe Equivalence in Input
|
10
|
|
CWE-664
|
Improper Control of a Resource Through its Lifetime
|
9
|
|
CWE-1325
|
Improperly Controlled Sequential Memory Allocation
|
9
|
|
CWE-1295
|
Debug Messages Revealing Unnecessary Information
|
9
|
|
CWE-114
|
Process Control
|
9
|
|
CWE-323
|
Reusing a Nonce, Key Pair in Encryption
|
9
|
|
CWE-197
|
Numeric Truncation Error
|
9
|
|
CWE-1240
|
Use of a Cryptographic Primitive with a Risky Implementation
|
9
|
|
CWE-96
|
Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
|
9
|
|
CWE-140
|
Improper Neutralization of Delimiters
|
9
|
|
CWE-606
|
Unchecked Input for Loop Condition
|
9
|
|
CWE-1004
|
Sensitive Cookie Without 'HttpOnly' Flag
|
8
|
|
CWE-410
|
Insufficient Resource Pool
|
8
|
|
CWE-385
|
Covert Timing Channel
|
8
|
|
CWE-460
|
Improper Cleanup on Thrown Exception
|
8
|
|
CWE-268
|
Privilege Chaining
|
8
|
|
CWE-286
|
Incorrect User Management
|
8
|
|
CWE-83
|
Improper Neutralization of Script in Attributes in a Web Page
|
8
|
|
CWE-270
|
Privilege Context Switching Error
|
8
|
|
CWE-565
|
Reliance on Cookies without Validation and Integrity Checking
|
8
|
|
CWE-228
|
Improper Handling of Syntactically Invalid Structure
|
8
|
|
CWE-379
|
Creation of Temporary File in Directory with Insecure Permissions
|
8
|
|
CWE-272
|
Least Privilege Violation
|
8
|
|
CWE-782
|
Exposed IOCTL with Insufficient Access Control
|
8
|
|
CWE-477
|
Use of Obsolete Function
|
8
|
|
CWE-356
|
Product UI does not Warn User of Unsafe Actions
|
7
|
|
CWE-215
|
Insertion of Sensitive Information Into Debugging Code
|
7
|
|
CWE-322
|
Key Exchange without Entity Authentication
|
7
|
|
CWE-909
|
Missing Initialization of Resource
|
7
|
|
CWE-757
|
Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
|
7
|
|
CWE-471
|
Modification of Assumed-Immutable Data (MAID)
|
7
|
|
CWE-1104
|
Use of Unmaintained Third Party Components
|
7
|
|
CWE-1259
|
Improper Restriction of Security Token Assignment
|
7
|
|
CWE-170
|
Improper Null Termination
|
7
|
|
CWE-1244
|
Internal Asset Exposed to Unsafe Debug Access Level or State
|
7
|
|
CWE-564
|
SQL Injection: Hibernate
|
7
|
|
CWE-590
|
Free of Memory not on the Heap
|
7
|
|
CWE-350
|
Reliance on Reverse DNS Resolution for a Security-Critical Action
|
7
|
|
CWE-939
|
Improper Authorization in Handler for Custom URL Scheme
|
7
|
|
CWE-1327
|
Binding to an Unrestricted IP Address
|
7
|
|
CWE-1050
|
Excessive Platform Resource Consumption within a Loop
|
7
|
|
CWE-708
|
Incorrect Ownership Assignment
|
7
|
|
CWE-357
|
Insufficient UI Warning of Dangerous Operations
|
7
|
|
CWE-390
|
Detection of Error Condition Without Action
|
7
|
|
CWE-64
|
Windows Shortcut Following (.LNK)
|
7
|
|
CWE-1242
|
Inclusion of Undocumented Features or Chicken Bits
|
6
|
|
CWE-364
|
Signal Handler Race Condition
|
6
|
|
CWE-549
|
Missing Password Field Masking
|
6
|
|
CWE-834
|
Excessive Iteration
|
6
|
|
CWE-523
|
Unprotected Transport of Credentials
|
6
|
|
CWE-296
|
Improper Following of a Certificate's Chain of Trust
|
6
|
|
CWE-641
|
Improper Restriction of Names for Files and Other Resources
|
6
|
|
CWE-253
|
Incorrect Check of Function Return Value
|
6
|
|
CWE-366
|
Race Condition within a Thread
|
6
|
|
CWE-1395
|
Dependency on Vulnerable Third-Party Component
|
6
|
|
CWE-27
|
Path Traversal: 'dir/../../filename'
|
6
|
|
CWE-830
|
Inclusion of Web Functionality from an Untrusted Source
|
6
|
|
CWE-698
|
Execution After Redirect (EAR)
|
6
|
|
CWE-656
|
Reliance on Security Through Obscurity
|
6
|
|
CWE-837
|
Improper Enforcement of a Single, Unique Action
|
6
|
|
CWE-783
|
Operator Precedence Logic Error
|
6
|
|
CWE-335
|
Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)
|
6
|
|
CWE-1025
|
Comparison Using Wrong Factors
|
6
|
|
CWE-213
|
Exposure of Sensitive Information Due to Incompatible Policies
|
6
|
|
CWE-115
|
Misinterpretation of Input
|
6
|
|
CWE-392
|
Missing Report of Error Condition
|
6
|
|
CWE-804
|
Guessable CAPTCHA
|
5
|
|
CWE-155
|
Improper Neutralization of Wildcards or Matching Symbols
|
5
|
|
CWE-351
|
Insufficient Type Distinction
|
5
|
|
CWE-1384
|
Improper Handling of Physical or Environmental Conditions
|
5
|
|
CWE-337
|
Predictable Seed in Pseudo-Random Number Generator (PRNG)
|
5
|
|
CWE-599
|
Missing Validation of OpenSSL Certificate
|
5
|
|
CWE-274
|
Improper Handling of Insufficient Privileges
|
5
|
|
CWE-820
|
Missing Synchronization
|
5
|
|
CWE-1275
|
Sensitive Cookie with Improper SameSite Attribute
|
5
|
|
CWE-313
|
Cleartext Storage in a File or on Disk
|
5
|
|
CWE-547
|
Use of Hard-coded, Security-relevant Constants
|
5
|
|
CWE-647
|
Use of Non-Canonical URL Paths for Authorization Decisions
|
5
|
|
CWE-195
|
Signed to Unsigned Conversion Error
|
5
|
|
CWE-241
|
Improper Handling of Unexpected Data Type
|
5
|
|
CWE-233
|
Improper Handling of Parameters
|
5
|
|
CWE-156
|
Improper Neutralization of Whitespace
|
5
|
|
CWE-291
|
Reliance on IP Address for Authentication
|
5
|
|
CWE-779
|
Logging of Excessive Data
|
5
|
|
CWE-1258
|
Exposure of Sensitive System Information Due to Uncleared Debug Information
|
5
|
|
CWE-1262
|
Improper Access Control for Register Interface
|
5
|
|
CWE-501
|
Trust Boundary Violation
|
5
|
|
CWE-86
|
Improper Neutralization of Invalid Characters in Identifiers in Web Pages
|
5
|
|
CWE-177
|
Improper Handling of URL Encoding (Hex Encoding)
|
5
|
|
CWE-762
|
Mismatched Memory Management Routines
|
5
|
|
CWE-449
|
The UI Performs the Wrong Action
|
5
|
|
CWE-214
|
Invocation of Process Using Visible Sensitive Information
|
5
|
|
CWE-916
|
Use of Password Hash With Insufficient Computational Effort
|
5
|
|
CWE-759
|
Use of a One-Way Hash without a Salt
|
5
|
|
CWE-275
|
Permission Issues
|
5
|
|
CWE-771
|
Missing Reference to Active Allocated Resource
|
4
|
|
CWE-1274
|
Improper Access Control for Volatile Memory Containing Boot Code
|
4
|
|
CWE-657
|
Violation of Secure Design Principles
|
4
|
|
CWE-1288
|
Improper Validation of Consistency within Input
|
4
|
|
CWE-821
|
Incorrect Synchronization
|
4
|
|
CWE-153
|
Improper Neutralization of Substitution Characters
|
4
|
|
CWE-229
|
Improper Handling of Values
|
4
|
|
CWE-790
|
Improper Filtering of Special Elements
|
4
|
|
CWE-138
|
Improper Neutralization of Special Elements
|
4
|
|
CWE-242
|
Use of Inherently Dangerous Function
|
4
|
|
CWE-19
|
Data Processing Errors
|
4
|
|
CWE-788
|
Access of Memory Location After End of Buffer
|
4
|
|
CWE-230
|
Improper Handling of Missing Values
|
4
|
|
CWE-646
|
Reliance on File Name or Extension of Externally-Supplied File
|
4
|
|
CWE-408
|
Incorrect Behavior Order: Early Amplification
|
4
|
|
CWE-1088
|
Synchronous Access of Remote Resource without Timeout
|
4
|
|
CWE-625
|
Permissive Regular Expression
|
4
|
|
CWE-1032
|
OWASP Top Ten 2017 Category A6 - Security Misconfiguration
|
4
|
|
CWE-271
|
Privilege Dropping / Lowering Errors
|
4
|
|
CWE-475
|
Undefined Behavior for Input to API
|
4
|
|
CWE-324
|
Use of a Key Past its Expiration Date
|
4
|
|
CWE-566
|
Authorization Bypass Through User-Controlled SQL Primary Key
|
4
|
|
CWE-75
|
Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
|
4
|
|
CWE-573
|
Improper Following of Specification by Caller
|
4
|
|
CWE-707
|
Improper Neutralization
|
4
|
|
CWE-1260
|
Improper Handling of Overlap Between Protected Memory Ranges
|
4
|
|
CWE-1233
|
Security-Sensitive Hardware Controls with Missing Lock Bit Protection
|
4
|
|
CWE-127
|
Buffer Under-read
|
4
|
|
CWE-833
|
Deadlock
|
4
|
|
CWE-187
|
Partial String Comparison
|
4
|
|
CWE-394
|
Unexpected Status Code or Return Value
|
4
|
|
CWE-265
|
Privilege Issues
|
4
|
|
CWE-539
|
Use of Persistent Cookies Containing Sensitive Information
|
4
|
|
CWE-273
|
Improper Check for Dropped Privileges
|
4
|
|
CWE-627
|
Dynamic Variable Evaluation
|
4
|
|
CWE-921
|
Storage of Sensitive Data in a Mechanism without Access Control
|
3
|
|
CWE-645
|
Overly Restrictive Account Lockout Mechanism
|
3
|
|
CWE-341
|
Predictable from Observable State
|
3
|
|
CWE-616
|
Incomplete Identification of Uploaded File Variables (PHP)
|
3
|
|
CWE-67
|
Improper Handling of Windows Device Names
|
3
|
|
CWE-1241
|
Use of Predictable Algorithm in Random Number Generator
|
3
|
|
CWE-1326
|
Missing Immutable Root of Trust in Hardware
|
3
|
|
CWE-1281
|
Sequence of Processor Instructions Leads to Unexpected Behavior
|
3
|
|
CWE-1023
|
Incomplete Comparison with Missing Factors
|
3
|
|
CWE-1328
|
Security Version Number Mutable to Older Versions
|
3
|
|
CWE-480
|
Use of Incorrect Operator
|
3
|
|
CWE-941
|
Incorrectly Specified Destination in a Communication Channel
|
3
|
|
CWE-551
|
Incorrect Behavior Order: Authorization Before Parsing and Canonicalization
|
3
|
|
CWE-393
|
Return of Wrong Status Code
|
3
|
|
CWE-149
|
Improper Neutralization of Quoting Syntax
|
3
|
|
CWE-643
|
Improper Neutralization of Data within XPath Expressions ('XPath Injection')
|
3
|
|
CWE-308
|
Use of Single-factor Authentication
|
3
|
|
CWE-159
|
Improper Handling of Invalid Use of Special Elements
|
3
|
|
CWE-299
|
Improper Check for Certificate Revocation
|
3
|
|
CWE-97
|
Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
|
3
|
|
CWE-395
|
Use of NullPointerException Catch to Detect NULL Pointer Dereference
|
3
|
|
CWE-146
|
Improper Neutralization of Expression/Command Delimiters
|
3
|
|
CWE-1037
|
Processor Optimization Removal or Modification of Security-critical Code
|
3
|
|
CWE-232
|
Improper Handling of Undefined Values
|
3
|
|
CWE-612
|
Improper Authorization of Index Containing Sensitive Information
|
3
|
|
CWE-372
|
Incomplete Internal State Distinction
|
3
|
|
CWE-223
|
Omission of Security-relevant Information
|
3
|
|
CWE-453
|
Insecure Default Variable Initialization
|
3
|
|
CWE-413
|
Improper Resource Locking
|
3
|
|
CWE-733
|
Compiler Optimization Removal or Modification of Security-critical Code
|
3
|
|
CWE-760
|
Use of a One-Way Hash with a Predictable Salt
|
3
|
|
CWE-491
|
Public cloneable() Method Without Final ('Object Hijack')
|
2
|
|
CWE-530
|
Exposure of Backup File to an Unauthorized Control Sphere
|
2
|
|
CWE-1263
|
Improper Physical Access Control
|
2
|
|
CWE-1231
|
Improper Prevention of Lock Bit Modification
|
2
|
|
CWE-531
|
Inclusion of Sensitive Information in Test Code
|
2
|
|
CWE-235
|
Improper Handling of Extra Parameters
|
2
|
|
CWE-1068
|
Inconsistency Between Implementation and Documented Design
|
2
|
|
CWE-334
|
Small Space of Random Values
|
2
|
|
CWE-1299
|
Missing Protection Mechanism for Alternate Hardware Interface
|
2
|
|
CWE-141
|
Improper Neutralization of Parameter/Argument Delimiters
|
2
|
|
CWE-396
|
Declaration of Catch for Generic Exception
|
2
|
|
CWE-692
|
Incomplete Denylist to Cross-Site Scripting
|
2
|
|
CWE-650
|
Trusting HTTP Permission Methods on the Server Side
|
2
|
|
CWE-447
|
Unimplemented or Unsupported Feature in UI
|
2
|
|
CWE-1039
|
Inadequate Detection or Handling of Adversarial Input Perturbations in Automated Recognition Mechanism
|
2
|
|
CWE-1257
|
Improper Access Control Applied to Mirrored or Aliased Memory Regions
|
2
|
|
CWE-1323
|
Improper Management of Sensitive Trace Data
|
2
|
|
CWE-1007
|
Insufficient Visual Distinction of Homoglyphs Presented to User
|
2
|
|
CWE-924
|
Improper Enforcement of Message Integrity During Transmission
|
2
|
|
CWE-676
|
Use of Potentially Dangerous Function
|
2
|
|
CWE-520
|
.NET Misconfiguration: Use of Impersonation
|
2
|
|
CWE-40
|
Path Traversal: '\\UNC\share\name\' (Windows UNC Share)
|
2
|
|
CWE-179
|
Incorrect Behavior Order: Early Validation
|
2
|
|
CWE-172
|
Encoding Error
|
2
|
|
CWE-690
|
Unchecked Return Value to NULL Pointer Dereference
|
2
|
|
CWE-258
|
Empty Password in Configuration File
|
2
|
|
CWE-705
|
Incorrect Control Flow Scoping
|
2
|
|
CWE-1022
|
Use of Web Link to Untrusted Target with window.opener Access
|
2
|
|
CWE-329
|
Generation of Predictable IV with CBC Mode
|
2
|
|
CWE-437
|
Incomplete Model of Endpoint Features
|
2
|
|
CWE-730
|
OWASP Top Ten 2004 Category A9 - Denial of Service
|
2
|
|
CWE-403
|
Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak')
|
2
|
|
CWE-683
|
Function Call With Incorrect Order of Arguments
|
2
|
|
CWE-1234
|
Hardware Internal or Debug Modes Allow Override of Locks
|
2
|
|
CWE-605
|
Multiple Binds to the Same Port
|
2
|
|
CWE-780
|
Use of RSA Algorithm without OAEP
|
2
|
|
CWE-118
|
Incorrect Access of Indexable Resource ('Range Error')
|
2
|
|
CWE-1256
|
Improper Restriction of Software Interfaces to Hardware Features
|
2
|
|
CWE-1329
|
Reliance on Component That is Not Updateable
|
2
|
|
CWE-836
|
Use of Password Hash Instead of Password for Authentication
|
2
|
|
CWE-422
|
Unprotected Windows Messaging Channel ('Shatter')
|
2
|
|
CWE-662
|
Improper Synchronization
|
2
|
|
CWE-388
|
7PK - Errors
|
2
|
|
CWE-399
|
Resource Management Errors
|
2
|
|
CWE-562
|
Return of Stack Variable Address
|
2
|
|
CWE-317
|
Cleartext Storage of Sensitive Information in GUI
|
2
|
|
CWE-142
|
Improper Neutralization of Value Delimiters
|
2
|
|
CWE-62
|
UNIX Hard Link
|
2
|
|
CWE-694
|
Use of Multiple Resources with Duplicate Identifier
|
2
|
|
CWE-1189
|
Improper Isolation of Shared Resources on System-on-a-Chip (SoC)
|
2
|
|
CWE-561
|
Dead Code
|
2
|
|
CWE-298
|
Improper Validation of Certificate Expiration
|
2
|
|
CWE-1250
|
Improper Preservation of Consistency Between Independent Representations of Shared State
|
2
|
|
CWE-1100
|
Insufficient Isolation of System-Dependent Functions
|
2
|
|
CWE-1173
|
Improper Use of Validation Framework
|
2
|
|
CWE-414
|
Missing Lock Check
|
2
|
|
CWE-1386
|
Insecure Operation on Windows Junction / Mount Point
|
2
|
|
CWE-1254
|
Incorrect Comparison Logic Granularity
|
2
|
|
CWE-167
|
Improper Handling of Additional Special Element
|
2
|
|
CWE-1245
|
Improper Finite State Machines (FSMs) in Hardware Logic
|
2
|
|
CWE-81
|
Improper Neutralization of Script in an Error Message Web Page
|
2
|
|
CWE-454
|
External Initialization of Trusted Variables or Data Stores
|
2
|
|
CWE-16
|
Configuration
|
2
|
|
CWE-278
|
Insecure Preserved Inherited Permissions
|
2
|
|
CWE-1427
|
Improper Neutralization of Input Used for LLM Prompting
|
2
|
|
CWE-826
|
Premature Release of Resource During Expected Lifetime
|
2
|
|
CWE-164
|
Improper Neutralization of Internal Special Elements
|
2
|
|
CWE-1282
|
Assumed-Immutable Data is Stored in Writable Memory
|
1
|
|
CWE-1018
|
Manage User Sessions
|
1
|
|
CWE-1314
|
Missing Write Protection for Parametric Data Values
|
1
|
|
CWE-592
|
DEPRECATED: Authentication Bypass Issues
|
1
|
|
CWE-1301
|
Insufficient or Incomplete Data Removal within Hardware Component
|
1
|
|
CWE-624
|
Executable Regular Expression Error
|
1
|
|
CWE-1222
|
Insufficient Granularity of Address Regions Protected by Register Locks
|
1
|
|
CWE-14
|
Compiler Removal of Code to Clear Buffers
|
1
|
|
CWE-1335
|
Incorrect Bitwise Shift of Integer
|
1
|
|
CWE-550
|
Server-generated Error Message Containing Sensitive Information
|
1
|
|
CWE-1049
|
Excessive Data Query Operations in a Large Data Table
|
1
|
|
CWE-618
|
Exposed Unsafe ActiveX Method
|
1
|
|
CWE-44
|
Path Equivalence: 'file.name' (Internal Dot)
|
1
|
|
CWE-363
|
Race Condition Enabling Link Following
|
1
|
|
CWE-1420
|
Exposure of Sensitive Information during Transient Execution
|
1
|
|
CWE-37
|
Path Traversal: '/absolute/pathname/here'
|
1
|
|
CWE-701
|
Weaknesses Introduced During Design
|
1
|
|
CWE-1125
|
Excessive Attack Surface
|
1
|
|
CWE-761
|
Free of Pointer not at Start of Buffer
|
1
|
|
CWE-649
|
Reliance on Obfuscation or Encryption of Security-Relevant Inputs without Integrity Checking
|
1
|
|
CWE-262
|
Not Using Password Aging
|
1
|
|
CWE-842
|
Placement of User into Incorrect Group
|
1
|
|
CWE-777
|
Regular Expression without Anchors
|
1
|
|
CWE-85
|
Doubled Character XSS Manipulations
|
1
|
|
CWE-227
|
7PK - API Abuse
|
1
|
|
CWE-1204
|
Generation of Weak Initialization Vector (IV)
|
1
|
|
CWE-194
|
Unexpected Sign Extension
|
1
|
|
CWE-343
|
Predictable Value Range from Previous Values
|
1
|
|
CWE-786
|
Access of Memory Location Before Start of Buffer
|
1
|
|
CWE-1366
|
ICS Communications: Frail Security in Protocols
|
1
|
|
CWE-553
|
Command Shell in Externally Accessible Directory
|
1
|
|
CWE-686
|
Function Call With Incorrect Argument Type
|
1
|
|
CWE-412
|
Unrestricted Externally Accessible Lock
|
1
|
|
CWE-768
|
Incorrect Short Circuit Evaluation
|
1
|
|
CWE-5
|
J2EE Misconfiguration: Data Transmission Without Encryption
|
1
|
|
CWE-1268
|
Policy Privileges are not Assigned Consistently Between Control and Data Agents
|
1
|
|
CWE-567
|
Unsynchronized Access to Shared Data in a Multithreaded Context
|
1
|
|
CWE-406
|
Insufficient Control of Network Message Volume (Network Amplification)
|
1
|
|
CWE-76
|
Improper Neutralization of Equivalent Special Elements
|
1
|
|
CWE-462
|
Duplicate Key in Associative List (Alist)
|
1
|
|
CWE-484
|
Omitted Break Statement in Switch
|
1
|
|
CWE-689
|
Permission Race Condition During Resource Copy
|
1
|
|
CWE-626
|
Null Byte Interaction Error (Poison Null Byte)
|
1
|
|
CWE-544
|
Missing Standardized Error Handling Mechanism
|
1
|
|
CWE-1164
|
Irrelevant Code
|
1
|
|
CWE-82
|
Improper Neutralization of Script in Attributes of IMG Tags in a Web Page
|
1
|
|
CWE-911
|
Improper Update of Reference Count
|
1
|
|
CWE-1038
|
Insecure Automated Optimizations
|
1
|
|
CWE-237
|
Improper Handling of Structural Elements
|
1
|
|
CWE-188
|
Reliance on Data/Memory Layout
|
1
|
|
CWE-1247
|
Improper Protection Against Voltage and Clock Glitches
|
1
|
|
CWE-112
|
Missing XML Validation
|
1
|
|
CWE-495
|
Private Data Structure Returned From A Public Method
|
1
|
|
CWE-468
|
Incorrect Pointer Scaling
|
1
|
|
CWE-1108
|
Excessive Reliance on Global Variables
|
1
|
|
CWE-430
|
Deployment of Wrong Handler
|
1
|
|
CWE-1334
|
Unauthorized Error Injection Can Degrade Hardware Redundancy
|
1
|
|
CWE-628
|
Function Call with Incorrectly Specified Arguments
|
1
|
|
CWE-673
|
External Influence of Sphere Definition
|
1
|
|
CWE-775
|
Missing Release of File Descriptor or Handle after Effective Lifetime
|
1
|
|
CWE-1102
|
Reliance on Machine-Dependent Data Representation
|
1
|
|
CWE-1072
|
Data Resource Access without Use of Connection Pooling
|
1
|
|
CWE-443
|
DEPRECATED: HTTP response splitting
|
1
|
|
CWE-419
|
Unprotected Primary Channel
|
1
|
|
CWE-1223
|
Race Condition for Write-Once Attributes
|
1
|
|
CWE-135
|
Incorrect Calculation of Multi-Byte String Length
|
1
|
|
CWE-1091
|
Use of Object without Invoking Destructor Method
|
1
|
|
CWE-446
|
UI Discrepancy for Security Feature
|
1
|
|
CWE-463
|
Deletion of Data Structure Sentinel
|
1
|
|
CWE-1255
|
Comparison Logic is Vulnerable to Power Side-Channel Attacks
|
1
|
|
CWE-710
|
Improper Adherence to Coding Standards
|
1
|
|
CWE-196
|
Unsigned to Signed Conversion Error
|
1
|
|
CWE-199
|
Information Management Errors
|
1
|
|
CWE-1423
|
Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution
|
1
|
|
CWE-962
|
SFP Secondary Cluster: Unchecked Status Condition
|
1
|
|
CWE-333
|
Improper Handling of Insufficient Entropy in TRNG
|
1
|
|
CWE-1116
|
Inaccurate Source Code Comments
|
1
|
|
CWE-1419
|
Incorrect Initialization of Resource
|
1
|
|
CWE-838
|
Inappropriate Encoding for Output Context
|
1
|
|
CWE-240
|
Improper Handling of Inconsistent Structural Elements
|
1
|
|
CWE-474
|
Use of Function with Inconsistent Implementations
|
1
|
|
CWE-637
|
Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')
|
1
|
|
CWE-166
|
Improper Handling of Missing Special Element
|
1
|
|
CWE-557
|
Concurrency Issues
|
1
|
|
CWE-344
|
Use of Invariant Value in Dynamically Changing Context
|
1
|
|
CWE-1046
|
Creation of Immutable Text Using String Concatenation
|
1
|
|
CWE-533
|
DEPRECATED: Information Exposure Through Server Log Files
|
1
|
|
CWE-336
|
Same Seed in Pseudo-Random Number Generator (PRNG)
|
1
|
|
CWE-642
|
External Control of Critical State Data
|
1
|
|
CWE-207
|
Observable Behavioral Discrepancy With Equivalent Products
|
1
|
|
CWE-792
|
Incomplete Filtering of One or More Instances of Special Elements
|
1
|
|
CWE-315
|
Cleartext Storage of Sensitive Information in a Cookie
|
1
|
|
CWE-1112
|
Incomplete Documentation of Program Execution
|
1
|
|
CWE-1174
|
ASP.NET Misconfiguration: Improper Model Validation
|
1
|
|
CWE-1357
|
Reliance on Insufficiently Trustworthy Component
|
1
|
|
CWE-1319
|
Improper Protection against Electromagnetic Fault Injection (EM-FI)
|
1
|
|
CWE-528
|
Exposure of Core Dump File to an Unauthorized Control Sphere
|
1
|
|
CWE-1113
|
Inappropriate Comment Style
|
1
|
|
CWE-925
|
Improper Verification of Intent by Broadcast Receiver
|
1
|
|
CWE-198
|
Use of Incorrect Byte Ordering
|
1
|
|
CWE-433
|
Unparsed Raw Web Content Delivery
|
1
|
|
CWE-186
|
Overly Restrictive Regular Expression
|
1
|
|
CWE-1176
|
Inefficient CPU Computation
|
1
|
|
CWE-688
|
Function Call With Incorrect Variable or Reference as Argument
|
1
|
|
CWE-144
|
Improper Neutralization of Line Delimiters
|
1
|
|
CWE-309
|
Use of Password System for Primary Authentication
|
1
|
|
CWE-774
|
Allocation of File Descriptors or Handles Without Limits or Throttling
|
1
|
|
CWE-69
|
Improper Handling of Windows ::DATA Alternate Data Stream
|
1
|
|
CWE-1270
|
Generation of Incorrect Security Tokens
|
1
|
|
CWE-927
|
Use of Implicit Intent for Sensitive Communication
|
1
|
|
CWE-231
|
Improper Handling of Extra Values
|
1
|
|
CWE-25
|
Path Traversal: '/../filedir'
|
1
|
|
CWE-1332
|
Improper Handling of Faults that Lead to Instruction Skips
|
1
|
|
CWE-332
|
Insufficient Entropy in PRNG
|
1
|
|
CWE-794
|
Incomplete Filtering of Multiple Instances of Special Elements
|
1
|
|
CWE-671
|
Lack of Administrator Control over Security
|
1
|