CWE Weakness Categories

200 categories with tracked vulnerabilities, ranked by count.

CWE | Rating | Weakness | CVEs
CWE-79 | High | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 44,788
CWE-89 | High | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 19,440
CWE-787 | High | Out-of-bounds Write | 14,135
CWE-119 | High | Improper Restriction of Operations within the Bounds of a Memory Buffer | 13,957
CWE-20 | High | Improper Input Validation | 12,432
CWE-200 | High | Exposure of Sensitive Information to an Unauthorized Actor | 10,097
CWE-352 | Medium | Cross-Site Request Forgery (CSRF) | 9,313
CWE-22 | High | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 9,125
CWE-125 | | Out-of-bounds Read | 8,808
CWE-862 | High | Missing Authorization | 8,194
CWE-416 | High | Use After Free | 7,475
CWE-94 | Medium | Improper Control of Generation of Code ('Code Injection') | 6,471
CWE-78 | High | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | 5,963
CWE-476 | Medium | NULL Pointer Dereference | 5,275
CWE-284 | | Improper Access Control | 5,237
CWE-74 | High | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') | 4,794
CWE-287 | High | Improper Authentication | 4,340
CWE-120 | High | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | 4,214
CWE-434 | Medium | Unrestricted Upload of File with Dangerous Type | 4,117
CWE-77 | High | Improper Neutralization of Special Elements used in a Command ('Command Injection') | 3,553
CWE-121 | High | Stack-based Buffer Overflow | 3,407
CWE-190 | Medium | Integer Overflow or Wraparound | 3,184
CWE-400 | High | Uncontrolled Resource Consumption | 3,120
CWE-863 | High | Incorrect Authorization | 3,055
CWE-269 | Medium | Improper Privilege Management | 2,820
CWE-502 | Medium | Deserialization of Untrusted Data | 2,806
CWE-918 | | Server-Side Request Forgery (SSRF) | 2,686
CWE-306 | High | Missing Authentication for Critical Function | 2,410
CWE-362 | Medium | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | 2,389
CWE-122 | High | Heap-based Buffer Overflow | 2,322
CWE-770 | High | Allocation of Resources Without Limits or Throttling | 1,864
CWE-639 | High | Authorization Bypass Through User-Controlled Key | 1,788
CWE-401 | Medium | Missing Release of Memory after Effective Lifetime | 1,755
CWE-798 | High | Use of Hard-coded Credentials | 1,714
CWE-732 | High | Incorrect Permission Assignment for Critical Resource | 1,663
CWE-601 | Low | URL Redirection to Untrusted Site ('Open Redirect') | 1,524
CWE-59 | Medium | Improper Link Resolution Before File Access ('Link Following') | 1,521
CWE-276 | Medium | Incorrect Default Permissions | 1,512
CWE-295 | | Improper Certificate Validation | 1,400
CWE-522 | | Insufficiently Protected Credentials | 1,360
CWE-285 | High | Improper Authorization | 1,320
CWE-611 | | Improper Restriction of XML External Entity Reference | 1,250
CWE-98 | High | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') | 1,228
CWE-427 | | Uncontrolled Search Path Element | 1,171
CWE-532 | Medium | Insertion of Sensitive Information into Log File | 1,137
CWE-266 | | Incorrect Privilege Assignment | 926
CWE-319 | High | Cleartext Transmission of Sensitive Information | 883
CWE-835 | | Loop with Unreachable Exit Condition ('Infinite Loop') | 828
CWE-312 | | Cleartext Storage of Sensitive Information | 805
CWE-843 | | Access of Resource Using Incompatible Type ('Type Confusion') | 790
CWE-415 | High | Double Free | 787
CWE-908 | Medium | Use of Uninitialized Resource | 761
CWE-617 | | Reachable Assertion | 750
CWE-203 | | Observable Discrepancy | 733
CWE-404 | Medium | Improper Resource Shutdown or Release | 723
CWE-668 | | Exposure of Resource to Wrong Sphere | 720
CWE-667 | | Improper Locking | 688
CWE-347 | | Improper Verification of Cryptographic Signature | 686
CWE-327 | High | Use of a Broken or Risky Cryptographic Algorithm | 671
CWE-367 | Medium | Time-of-check Time-of-use (TOCTOU) Race Condition | 650
CWE-426 | High | Untrusted Search Path | 643
CWE-345 | | Insufficient Verification of Data Authenticity | 596
CWE-754 | Medium | Improper Check for Unusual or Exceptional Conditions | 588
CWE-307 | | Improper Restriction of Excessive Authentication Attempts | 586
CWE-290 | | Authentication Bypass by Spoofing | 579
CWE-288 | | Authentication Bypass Using an Alternate Path or Channel | 576
CWE-129 | High | Improper Validation of Array Index | 573
CWE-755 | Medium | Improper Handling of Exceptional Conditions | 573
CWE-209 | High | Generation of Error Message Containing Sensitive Information | 562
CWE-693 | | Protection Mechanism Failure | 559
CWE-346 | | Origin Validation Error | 558
CWE-80 | High | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | 538
CWE-613 | | Insufficient Session Expiration | 534
CWE-311 | High | Missing Encryption of Sensitive Data | 508
CWE-1321 | | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') | 502
CWE-552 | | Files or Directories Accessible to External Parties | 474
CWE-191 | | Integer Underflow (Wrap or Wraparound) | 461
CWE-772 | High | Missing Release of Resource after Effective Lifetime | 453
CWE-73 | High | External Control of File Name or Path | 452
CWE-126 | | Buffer Over-read | 449
CWE-326 | | Inadequate Encryption Strength | 448
CWE-369 | Medium | Divide By Zero | 447
CWE-116 | High | Improper Encoding or Escaping of Output | 446
CWE-674 | | Uncontrolled Recursion | 430
CWE-1333 | High | Inefficient Regular Expression Complexity | 427
CWE-428 | | Unquoted Search Path or Element | 427
CWE-23 | | Relative Path Traversal | 417
CWE-384 | | Session Fixation | 405
CWE-1021 | | Improper Restriction of Rendered UI Layers or Frames | 391
CWE-134 | High | Use of Externally-Controlled Format String | 389
CWE-330 | High | Use of Insufficiently Random Values | 374
CWE-922 | | Insecure Storage of Sensitive Information | 373
CWE-88 | | Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') | 360
CWE-665 | Medium | Improper Initialization | 347
CWE-444 | | Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') | 337
CWE-497 | | Exposure of Sensitive System Information to an Unauthorized Control Sphere | 334
CWE-281 | | Improper Preservation of Permissions | 329
CWE-201 | | Insertion of Sensitive Information Into Sent Data | 328
CWE-250 | Medium | Execution with Unnecessary Privileges | 327
CWE-1284 | | Improper Validation of Specified Quantity in Input | 322
CWE-321 | High | Use of Hard-coded Cryptographic Key | 297
CWE-1236 | | Improper Neutralization of Formula Elements in a CSV File | 292
CWE-1188 | | Initialization of a Resource with an Insecure Default | 290
CWE-824 | | Access of Uninitialized Pointer | 283
CWE-640 | High | Weak Password Recovery Mechanism for Forgotten Password | 273
CWE-704 | | Incorrect Type Conversion or Cast | 268
CWE-829 | | Inclusion of Functionality from Untrusted Control Sphere | 259
CWE-521 | | Weak Password Requirements | 257
CWE-707 | | Improper Neutralization | 251
CWE-451 | | User Interface (UI) Misrepresentation of Critical Information | 231
CWE-610 | | Externally Controlled Reference to a Resource in Another Sphere | 228
CWE-425 | | Direct Request ('Forced Browsing') | 226
CWE-294 | High | Authentication Bypass by Capture-replay | 219
CWE-248 | | Uncaught Exception | 206
CWE-256 | High | Plaintext Storage of a Password | 206
CWE-494 | Medium | Download of Code Without Integrity Check | 204
CWE-822 | | Untrusted Pointer Dereference | 200
CWE-193 | | Off-by-one Error | 198
CWE-917 | | Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') | 196
CWE-259 | High | Use of Hard-coded Password | 194
CWE-459 | | Incomplete Cleanup | 189
CWE-338 | Medium | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) | 184
CWE-359 | | Exposure of Private Personal Information to an Unauthorized Actor | 184
CWE-131 | High | Incorrect Calculation of Buffer Size | 182
CWE-1336 | | Improper Neutralization of Special Elements Used in a Template Engine | 176
CWE-93 | | Improper Neutralization of CRLF Sequences ('CRLF Injection') | 175
CWE-457 | High | Use of Uninitialized Variable | 173
CWE-252 | Low | Unchecked Return Value | 171
CWE-35 | | Path Traversal: '.../...//' | 170
CWE-749 | Low | Exposed Dangerous Method or Function | 168
CWE-354 | Medium | Improper Validation of Integrity Check Value | 161
CWE-204 | | Observable Response Discrepancy | 158
CWE-789 | | Memory Allocation with Excessive Size Value | 153
CWE-697 | | Incorrect Comparison | 150
CWE-703 | | Improper Check or Handling of Exceptional Conditions | 149
CWE-788 | | Access of Memory Location After End of Buffer | 147
CWE-305 | | Authentication Bypass by Primary Weakness | 146
CWE-280 | | Improper Handling of Insufficient Permissions or Privileges | 144
CWE-95 | Medium | Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') | 140
CWE-61 | High | UNIX Symbolic Link (Symlink) Following | 138
CWE-208 | | Observable Timing Discrepancy | 137
CWE-1287 | | Improper Validation of Specified Type of Input | 135
CWE-670 | | Always-Incorrect Control Flow Implementation | 135
CWE-184 | | Incomplete List of Disallowed Inputs | 131
CWE-331 | | Insufficient Entropy | 131
CWE-91 | | XML Injection (aka Blind XPath Injection) | 128
CWE-36 | | Absolute Path Traversal | 126
CWE-682 | High | Incorrect Calculation | 126
CWE-358 | | Improperly Implemented Security Check for Standard | 123
CWE-472 | | External Control of Assumed-Immutable Web Parameter | 123
CWE-602 | Medium | Client-Side Enforcement of Server-Side Security | 118
CWE-681 | High | Incorrect Conversion between Numeric Types | 116
CWE-212 | | Improper Removal of Sensitive Information Before Storage or Transfer | 115
CWE-916 | | Use of Password Hash With Insufficient Computational Effort | 115
CWE-24 | | Path Traversal: '../filedir' | 110
CWE-436 | | Interpretation Conflict | 110
CWE-706 | | Use of Incorrectly-Resolved Name or Reference | 108
CWE-834 | | Excessive Iteration | 107
CWE-680 | | Integer Overflow to Buffer Overflow | 105
CWE-909 | Medium | Missing Initialization of Resource | 102
CWE-1392 | | Use of Default Credentials | 99
CWE-915 | | Improperly Controlled Modification of Dynamically-Determined Object Attributes | 99
CWE-117 | Medium | Improper Output Neutralization for Logs | 98
CWE-113 | | Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') | 97
CWE-669 | | Incorrect Resource Transfer Between Spheres | 97
CWE-942 | | Permissive Cross-domain Security Policy with Untrusted Domains | 97
CWE-823 | | Use of Out-of-range Pointer Offset | 94
CWE-130 | | Improper Handling of Length Parameter Inconsistency | 93
CWE-377 | | Insecure Temporary File | 93
CWE-441 | | Unintended Proxy or Intermediary ('Confused Deputy') | 92
CWE-763 | | Release of Invalid Pointer or Reference | 92
CWE-913 | | Improper Control of Dynamically-Managed Code Resources | 91
CWE-407 | Low | Inefficient Algorithmic Complexity | 90
CWE-538 | | Insertion of Sensitive Information into Externally-Accessible File or Directory | 90
CWE-1220 | | Insufficient Granularity of Access Control | 85
CWE-506 | | Embedded Malicious Code | 85
CWE-303 | | Incorrect Implementation of Authentication Algorithm | 84
CWE-620 | | Unverified Password Change | 82
CWE-1390 | | Weak Authentication | 81
CWE-598 | | Use of HTTP Request With Sensitive Query String | 80
CWE-1286 | | Improper Validation of Syntactic Correctness of Input | 79
CWE-328 | | Use of Weak Hash | 79
CWE-489 | | Active Debug Code | 79
CWE-912 | | Hidden Functionality | 79
CWE-926 | | Improper Export of Android Application Components | 79
CWE-672 | | Operation on a Resource after Expiration or Release | 78
CWE-591 | | Sensitive Data Storage in Improperly Locked Memory | 77
CWE-807 | High | Reliance on Untrusted Inputs in a Security Decision | 77
CWE-565 | | Reliance on Cookies without Validation and Integrity Checking | 75
CWE-776 | Medium | Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') | 75
CWE-178 | | Improper Handling of Case Sensitivity | 73
CWE-277 | | Insecure Inherited Permissions | 70
CWE-799 | | Improper Control of Interaction Frequency | 69
CWE-15 | | External Control of System or Configuration Setting | 65
CWE-90 | | Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') | 65
CWE-257 | High | Storing Passwords in a Recoverable Format | 64
CWE-267 | | Privilege Defined With Unsafe Actions | 64
CWE-29 | | Path Traversal: '\..\filename' | 64
CWE-648 | Low | Incorrect Use of Privileged APIs | 63
CWE-470 | | Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') | 58