CWE Weakness Categories

The 200 CWE weakness categories with tracked CVEs, ranked by CVE count (descending; ties keep the order shown).

Label: High/Medium/Low as given on the page ("-" where the page gives none).

CWE        Label     CVEs  Weakness name
CWE-79     High    43,789  Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-89     High    18,854  Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CWE-787    High    13,852  Out-of-bounds Write
CWE-119    High    13,732  Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-20     High    12,038  Improper Input Validation
CWE-200    High     9,867  Exposure of Sensitive Information to an Unauthorized Actor
CWE-352    Medium   9,119  Cross-Site Request Forgery (CSRF)
CWE-22     High     8,743  Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-125    -        8,471  Out-of-bounds Read
CWE-862    High     7,700  Missing Authorization
CWE-416    High     6,899  Use After Free
CWE-94     Medium   6,182  Improper Control of Generation of Code ('Code Injection')
CWE-78     High     5,664  Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-476    Medium   5,028  NULL Pointer Dereference
CWE-284    -        4,788  Improper Access Control
CWE-74     High     4,513  Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-287    High     4,195  Improper Authentication
CWE-120    High     4,085  Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CWE-434    Medium   4,009  Unrestricted Upload of File with Dangerous Type
CWE-77     High     3,329  Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE-121    High     3,179  Stack-based Buffer Overflow
CWE-190    Medium   3,064  Integer Overflow or Wraparound
CWE-400    High     2,909  Uncontrolled Resource Consumption
CWE-863    High     2,832  Incorrect Authorization
CWE-269    Medium   2,642  Improper Privilege Management
CWE-502    Medium   2,592  Deserialization of Untrusted Data
CWE-918    -        2,437  Server-Side Request Forgery (SSRF)
CWE-362    Medium   2,269  Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CWE-306    High     2,205  Missing Authentication for Critical Function
CWE-122    High     2,135  Heap-based Buffer Overflow
CWE-770    High     1,717  Allocation of Resources Without Limits or Throttling
CWE-798    High     1,663  Use of Hard-coded Credentials
CWE-401    Medium   1,641  Missing Release of Memory after Effective Lifetime
CWE-732    High     1,622  Incorrect Permission Assignment for Critical Resource
CWE-639    High     1,570  Authorization Bypass Through User-Controlled Key
CWE-276    Medium   1,487  Incorrect Default Permissions
CWE-59     Medium   1,463  Improper Link Resolution Before File Access ('Link Following')
CWE-601    Low      1,448  URL Redirection to Untrusted Site ('Open Redirect')
CWE-295    -        1,335  Improper Certificate Validation
CWE-522    -        1,323  Insufficiently Protected Credentials
CWE-611    -        1,228  Improper Restriction of XML External Entity Reference
CWE-285    High     1,213  Improper Authorization
CWE-427    -        1,133  Uncontrolled Search Path Element
CWE-98     High     1,114  Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
CWE-532    Medium   1,099  Insertion of Sensitive Information into Log File
CWE-319    High       856  Cleartext Transmission of Sensitive Information
CWE-266    -          814  Incorrect Privilege Assignment
CWE-835    -          791  Loop with Unreachable Exit Condition ('Infinite Loop')
CWE-312    -          786  Cleartext Storage of Sensitive Information
CWE-415    High       746  Double Free
CWE-843    -          745  Access of Resource Using Incompatible Type ('Type Confusion')
CWE-908    Medium     731  Use of Uninitialized Resource
CWE-203    -          725  Observable Discrepancy
CWE-668    -          704  Exposure of Resource to Wrong Sphere
CWE-617    -          703  Reachable Assertion
CWE-347    -          651  Improper Verification of Cryptographic Signature
CWE-667    -          650  Improper Locking
CWE-404    Medium     642  Improper Resource Shutdown or Release
CWE-327    High       636  Use of a Broken or Risky Cryptographic Algorithm
CWE-426    High       626  Untrusted Search Path
CWE-367    Medium     589  Time-of-check Time-of-use (TOCTOU) Race Condition
CWE-307    -          561  Improper Restriction of Excessive Authentication Attempts
CWE-755    Medium     560  Improper Handling of Exceptional Conditions
CWE-754    Medium     557  Improper Check for Unusual or Exceptional Conditions
CWE-129    High       556  Improper Validation of Array Index
CWE-345    -          552  Insufficient Verification of Data Authenticity
CWE-209    High       540  Generation of Error Message Containing Sensitive Information
CWE-290    -          535  Authentication Bypass by Spoofing
CWE-288    -          521  Authentication Bypass Using an Alternate Path or Channel
CWE-80     High       517  Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CWE-613    -          509  Insufficient Session Expiration
CWE-311    High       506  Missing Encryption of Sensitive Data
CWE-346    -          479  Origin Validation Error
CWE-1321   -          473  Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CWE-552    -          453  Files or Directories Accessible to External Parties
CWE-693    -          443  Protection Mechanism Failure
CWE-772    High       443  Missing Release of Resource after Effective Lifetime
CWE-326    -          442  Inadequate Encryption Strength
CWE-126    -          435  Buffer Over-read
CWE-191    -          428  Integer Underflow (Wrap or Wraparound)
CWE-369    Medium     425  Divide By Zero
CWE-428    -          418  Unquoted Search Path or Element
CWE-116    High       414  Improper Encoding or Escaping of Output
CWE-1333   High       410  Inefficient Regular Expression Complexity
CWE-73     High       396  External Control of File Name or Path
CWE-384    -          392  Session Fixation
CWE-23     -          391  Relative Path Traversal
CWE-674    -          386  Uncontrolled Recursion
CWE-134    High       379  Use of Externally-Controlled Format String
CWE-1021   -          376  Improper Restriction of Rendered UI Layers or Frames
CWE-922    -          368  Insecure Storage of Sensitive Information
CWE-330    High       364  Use of Insufficiently Random Values
CWE-665    Medium     346  Improper Initialization
CWE-88     -          326  Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
CWE-281    -          321  Improper Preservation of Permissions
CWE-444    -          314  Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CWE-497    -          311  Exposure of Sensitive System Information to an Unauthorized Control Sphere
CWE-250    Medium     303  Execution with Unnecessary Privileges
CWE-201    -          294  Insertion of Sensitive Information Into Sent Data
CWE-1284   -          293  Improper Validation of Specified Quantity in Input
CWE-1236   -          283  Improper Neutralization of Formula Elements in a CSV File
CWE-824    -          278  Access of Uninitialized Pointer
CWE-321    High       276  Use of Hard-coded Cryptographic Key
CWE-1188   -          261  Initialization of a Resource with an Insecure Default
CWE-704    -          260  Incorrect Type Conversion or Cast
CWE-640    High       258  Weak Password Recovery Mechanism for Forgotten Password
CWE-521    -          254  Weak Password Requirements
CWE-707    -          240  Improper Neutralization
CWE-829    -          230  Inclusion of Functionality from Untrusted Control Sphere
CWE-425    -          223  Direct Request ('Forced Browsing')
CWE-610    -          220  Externally Controlled Reference to a Resource in Another Sphere
CWE-294    High       210  Authentication Bypass by Capture-replay
CWE-256    High       200  Plaintext Storage of a Password
CWE-494    Medium     200  Download of Code Without Integrity Check
CWE-822    -          189  Untrusted Pointer Dereference
CWE-248    -          188  Uncaught Exception
CWE-259    High       186  Use of Hard-coded Password
CWE-193    -          182  Off-by-one Error
CWE-451    -          182  User Interface (UI) Misrepresentation of Critical Information
CWE-459    -          182  Incomplete Cleanup
CWE-917    -          180  Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')
CWE-131    High       174  Incorrect Calculation of Buffer Size
CWE-359    -          174  Exposure of Private Personal Information to an Unauthorized Actor
CWE-338    Medium     171  Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
CWE-252    Low        164  Unchecked Return Value
CWE-354    Medium     157  Improper Validation of Integrity Check Value
CWE-1336   -          155  Improper Neutralization of Special Elements Used in a Template Engine
CWE-35     -          154  Path Traversal: '.../...//'
CWE-749    Low        151  Exposed Dangerous Method or Function
CWE-204    -          148  Observable Response Discrepancy
CWE-788    -          147  Access of Memory Location After End of Buffer
CWE-703    -          146  Improper Check or Handling of Exceptional Conditions
CWE-697    -          144  Incorrect Comparison
CWE-305    -          138  Authentication Bypass by Primary Weakness
CWE-93     -          135  Improper Neutralization of CRLF Sequences ('CRLF Injection')
CWE-280    -          132  Improper Handling of Insufficient Permissions or Privileges
CWE-670    -          130  Always-Incorrect Control Flow Implementation
CWE-457    High       127  Use of Uninitialized Variable
CWE-95     Medium     126  Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
CWE-61     High       125  UNIX Symbolic Link (Symlink) Following
CWE-331    -          124  Insufficient Entropy
CWE-1287   -          123  Improper Validation of Specified Type of Input
CWE-682    High       122  Incorrect Calculation
CWE-789    -          122  Memory Allocation with Excessive Size Value
CWE-208    -          119  Observable Timing Discrepancy
CWE-36     -          117  Absolute Path Traversal
CWE-91     -          116  XML Injection (aka Blind XPath Injection)
CWE-681    High       115  Incorrect Conversion between Numeric Types
CWE-358    -          111  Improperly Implemented Security Check for Standard
CWE-916    -          110  Use of Password Hash With Insufficient Computational Effort
CWE-24     -          108  Path Traversal: '../filedir'
CWE-212    -          105  Improper Removal of Sensitive Information Before Storage or Transfer
CWE-706    -          105  Use of Incorrectly-Resolved Name or Reference
CWE-834    -          105  Excessive Iteration
CWE-602    Medium     104  Client-Side Enforcement of Server-Side Security
CWE-680    -          103  Integer Overflow to Buffer Overflow
CWE-184    -          102  Incomplete List of Disallowed Inputs
CWE-909    Medium     101  Missing Initialization of Resource
CWE-436    -           95  Interpretation Conflict
CWE-117    Medium      93  Improper Output Neutralization for Logs
CWE-823    -           91  Use of Out-of-range Pointer Offset
CWE-763    -           90  Release of Invalid Pointer or Reference
CWE-1392   -           89  Use of Default Credentials
CWE-377    -           89  Insecure Temporary File
CWE-669    -           87  Incorrect Resource Transfer Between Spheres
CWE-130    -           86  Improper Handling of Length Parameter Inconsistency
CWE-913    -           84  Improper Control of Dynamically-Managed Code Resources
CWE-942    -           84  Permissive Cross-domain Security Policy with Untrusted Domains
CWE-113    -           82  Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')
CWE-538    -           81  Insertion of Sensitive Information into Externally-Accessible File or Directory
CWE-441    -           80  Unintended Proxy or Intermediary ('Confused Deputy')
CWE-506    -           80  Embedded Malicious Code
CWE-1220   -           79  Insufficient Granularity of Access Control
CWE-303    -           78  Incorrect Implementation of Authentication Algorithm
CWE-620    -           78  Unverified Password Change
CWE-912    -           78  Hidden Functionality
CWE-591    -           77  Sensitive Data Storage in Improperly Locked Memory
CWE-926    -           76  Improper Export of Android Application Components
CWE-1390   -           75  Weak Authentication
CWE-472    -           75  External Control of Assumed-Immutable Web Parameter
CWE-489    -           75  Active Debug Code
CWE-407    Low         74  Inefficient Algorithmic Complexity
CWE-598    -           74  Use of HTTP Request With Sensitive Query String
CWE-565    -           72  Reliance on Cookies without Validation and Integrity Checking
CWE-915    -           72  Improperly Controlled Modification of Dynamically-Determined Object Attributes
CWE-776    Medium      71  Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
CWE-807    High        71  Reliance on Untrusted Inputs in a Security Decision
CWE-277    -           69  Insecure Inherited Permissions
CWE-672    -           69  Operation on a Resource after Expiration or Release
CWE-1286   -           67  Improper Validation of Syntactic Correctness of Input
CWE-799    -           66  Improper Control of Interaction Frequency
CWE-257    High        64  Storing Passwords in a Recoverable Format
CWE-178    -           62  Improper Handling of Case Sensitivity
CWE-29     -           62  Path Traversal: '\..\filename'
CWE-267    -           61  Privilege Defined With Unsafe Actions
CWE-648    Low         61  Incorrect Use of Privileged APIs
CWE-15     -           58  External Control of System or Configuration Setting
CWE-662    -           58  Improper Synchronization
CWE-328    -           56  Use of Weak Hash
CWE-90     -           56  Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')