CWE Weakness Categories

200 categories with tracked vulnerabilities, ranked by count.

CWE | Rating | Weakness | CVE count
CWE-79 | High | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 42,294
CWE-89 | High | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 18,079
CWE-119 | High | Improper Restriction of Operations within the Bounds of a Memory Buffer | 13,484
CWE-787 | High | Out-of-bounds Write | 13,468
CWE-20 | High | Improper Input Validation | 11,826
CWE-200 | High | Exposure of Sensitive Information to an Unauthorized Actor | 9,625
CWE-352 | Medium | Cross-Site Request Forgery (CSRF) | 8,781
CWE-22 | High | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 8,295
CWE-125 |  | Out-of-bounds Read | 8,220
CWE-862 | High | Missing Authorization | 6,956
CWE-416 | High | Use After Free | 6,582
CWE-94 | Medium | Improper Control of Generation of Code ('Code Injection') | 5,810
CWE-78 | High | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | 5,314
CWE-476 | Medium | NULL Pointer Dereference | 4,868
CWE-284 |  | Improper Access Control | 4,434
CWE-74 | High | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') | 4,135
CWE-287 | High | Improper Authentication | 4,073
CWE-120 | High | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | 3,905
CWE-434 | Medium | Unrestricted Upload of File with Dangerous Type | 3,879
CWE-77 | High | Improper Neutralization of Special Elements used in a Command ('Command Injection') | 3,065
CWE-190 | Medium | Integer Overflow or Wraparound | 2,947
CWE-121 | High | Stack-based Buffer Overflow | 2,930
CWE-400 | High | Uncontrolled Resource Consumption | 2,766
CWE-863 | High | Incorrect Authorization | 2,566
CWE-269 | Medium | Improper Privilege Management | 2,564
CWE-502 | Medium | Deserialization of Untrusted Data | 2,421
CWE-362 | Medium | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | 2,156
CWE-918 |  | Server-Side Request Forgery (SSRF) | 2,104
CWE-306 | High | Missing Authentication for Critical Function | 2,016
CWE-122 | High | Heap-based Buffer Overflow | 1,970
CWE-798 | High | Use of Hard-coded Credentials | 1,621
CWE-732 | High | Incorrect Permission Assignment for Critical Resource | 1,586
CWE-770 | High | Allocation of Resources Without Limits or Throttling | 1,584
CWE-401 | Medium | Missing Release of Memory after Effective Lifetime | 1,558
CWE-276 | Medium | Incorrect Default Permissions | 1,461
CWE-59 | Medium | Improper Link Resolution Before File Access ('Link Following') | 1,418
CWE-601 | Low | URL Redirection to Untrusted Site ('Open Redirect') | 1,380
CWE-639 | High | Authorization Bypass Through User-Controlled Key | 1,321
CWE-522 |  | Insufficiently Protected Credentials | 1,289
CWE-295 |  | Improper Certificate Validation | 1,280
CWE-611 |  | Improper Restriction of XML External Entity Reference | 1,209
CWE-427 |  | Uncontrolled Search Path Element | 1,098
CWE-285 | High | Improper Authorization | 1,076
CWE-532 | Medium | Insertion of Sensitive Information into Log File | 1,066
CWE-98 | High | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') | 986
CWE-319 | High | Cleartext Transmission of Sensitive Information | 829
CWE-312 |  | Cleartext Storage of Sensitive Information | 765
CWE-835 |  | Loop with Unreachable Exit Condition ('Infinite Loop') | 747
CWE-266 |  | Incorrect Privilege Assignment | 738
CWE-415 | High | Double Free | 716
CWE-203 |  | Observable Discrepancy | 714
CWE-908 | Medium | Use of Uninitialized Resource | 709
CWE-843 |  | Access of Resource Using Incompatible Type ('Type Confusion') | 707
CWE-668 |  | Exposure of Resource to Wrong Sphere | 685
CWE-617 |  | Reachable Assertion | 680
CWE-667 |  | Improper Locking | 620
CWE-327 | High | Use of a Broken or Risky Cryptographic Algorithm | 618
CWE-404 | Medium | Improper Resource Shutdown or Release | 618
CWE-347 |  | Improper Verification of Cryptographic Signature | 605
CWE-426 | High | Untrusted Search Path | 602
CWE-755 | Medium | Improper Handling of Exceptional Conditions | 557
CWE-129 | High | Improper Validation of Array Index | 530
CWE-367 | Medium | Time-of-check Time-of-use (TOCTOU) Race Condition | 530
CWE-307 |  | Improper Restriction of Excessive Authentication Attempts | 522
CWE-209 | High | Generation of Error Message Containing Sensitive Information | 521
CWE-754 | Medium | Improper Check for Unusual or Exceptional Conditions | 513
CWE-345 |  | Insufficient Verification of Data Authenticity | 510
CWE-311 | High | Missing Encryption of Sensitive Data | 503
CWE-290 |  | Authentication Bypass by Spoofing | 492
CWE-80 | High | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | 485
CWE-613 |  | Insufficient Session Expiration | 475
CWE-1321 |  | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') | 444
CWE-772 | High | Missing Release of Resource after Effective Lifetime | 439
CWE-288 |  | Authentication Bypass Using an Alternate Path or Channel | 437
CWE-346 |  | Origin Validation Error | 437
CWE-326 |  | Inadequate Encryption Strength | 434
CWE-552 |  | Files or Directories Accessible to External Parties | 434
CWE-369 | Medium | Divide By Zero | 413
CWE-126 |  | Buffer Over-read | 412
CWE-428 |  | Unquoted Search Path or Element | 403
CWE-693 |  | Protection Mechanism Failure | 399
CWE-191 |  | Integer Underflow (Wrap or Wraparound) | 392
CWE-1333 | High | Inefficient Regular Expression Complexity | 388
CWE-384 |  | Session Fixation | 383
CWE-116 | High | Improper Encoding or Escaping of Output | 374
CWE-134 | High | Use of Externally-Controlled Format String | 373
CWE-1021 |  | Improper Restriction of Rendered UI Layers or Frames | 372
CWE-23 |  | Relative Path Traversal | 370
CWE-922 |  | Insecure Storage of Sensitive Information | 356
CWE-330 | High | Use of Insufficiently Random Values | 355
CWE-674 |  | Uncontrolled Recursion | 348
CWE-73 | High | External Control of File Name or Path | 345
CWE-665 | Medium | Improper Initialization | 344
CWE-281 |  | Improper Preservation of Permissions | 317
CWE-88 |  | Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') | 305
CWE-444 |  | Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') | 291
CWE-250 | Medium | Execution with Unnecessary Privileges | 290
CWE-497 |  | Exposure of Sensitive System Information to an Unauthorized Control Sphere | 289
CWE-1236 |  | Improper Neutralization of Formula Elements in a CSV File | 280
CWE-824 |  | Access of Uninitialized Pointer | 271
CWE-1284 |  | Improper Validation of Specified Quantity in Input | 263
CWE-704 |  | Incorrect Type Conversion or Cast | 258
CWE-201 |  | Insertion of Sensitive Information Into Sent Data | 257
CWE-521 |  | Weak Password Requirements | 249
CWE-1188 |  | Initialization of a Resource with an Insecure Default | 247
CWE-640 | High | Weak Password Recovery Mechanism for Forgotten Password | 246
CWE-321 | High | Use of Hard-coded Cryptographic Key | 242
CWE-707 |  | Improper Neutralization | 231
CWE-610 |  | Externally Controlled Reference to a Resource in Another Sphere | 216
CWE-425 |  | Direct Request ('Forced Browsing') | 212
CWE-829 |  | Inclusion of Functionality from Untrusted Control Sphere | 203
CWE-294 | High | Authentication Bypass by Capture-replay | 197
CWE-494 | Medium | Download of Code Without Integrity Check | 188
CWE-256 | High | Plaintext Storage of a Password | 185
CWE-459 |  | Incomplete Cleanup | 180
CWE-822 |  | Untrusted Pointer Dereference | 179
CWE-917 |  | Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') | 174
CWE-248 |  | Uncaught Exception | 171
CWE-259 | High | Use of Hard-coded Password | 171
CWE-193 |  | Off-by-one Error | 167
CWE-359 |  | Exposure of Private Personal Information to an Unauthorized Actor | 164
CWE-131 | High | Incorrect Calculation of Buffer Size | 159
CWE-338 | Medium | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) | 158
CWE-252 | Low | Unchecked Return Value | 157
CWE-451 |  | User Interface (UI) Misrepresentation of Critical Information | 156
CWE-788 |  | Access of Memory Location After End of Buffer | 146
CWE-749 | Low | Exposed Dangerous Method or Function | 145
CWE-35 |  | Path Traversal: '.../...//' | 144
CWE-354 | Medium | Improper Validation of Integrity Check Value | 143
CWE-703 |  | Improper Check or Handling of Exceptional Conditions | 141
CWE-697 |  | Incorrect Comparison | 140
CWE-1336 |  | Improper Neutralization of Special Elements Used in a Template Engine | 133
CWE-204 |  | Observable Response Discrepancy | 128
CWE-280 |  | Improper Handling of Insufficient Permissions or Privileges | 124
CWE-305 |  | Authentication Bypass by Primary Weakness | 124
CWE-331 |  | Insufficient Entropy | 121
CWE-682 | High | Incorrect Calculation | 121
CWE-457 | High | Use of Uninitialized Variable | 120
CWE-1287 |  | Improper Validation of Specified Type of Input | 114
CWE-670 |  | Always-Incorrect Control Flow Implementation | 114
CWE-91 |  | XML Injection (aka Blind XPath Injection) | 114
CWE-36 |  | Absolute Path Traversal | 112
CWE-95 | Medium | Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') | 111
CWE-916 |  | Use of Password Hash With Insufficient Computational Effort | 110
CWE-681 | High | Incorrect Conversion between Numeric Types | 107
CWE-93 |  | Improper Neutralization of CRLF Sequences ('CRLF Injection') | 107
CWE-358 |  | Improperly Implemented Security Check for Standard | 106
CWE-61 | High | UNIX Symbolic Link (Symlink) Following | 106
CWE-208 |  | Observable Timing Discrepancy | 104
CWE-24 |  | Path Traversal: '../filedir' | 103
CWE-680 |  | Integer Overflow to Buffer Overflow | 103
CWE-834 |  | Excessive Iteration | 101
CWE-909 | Medium | Missing Initialization of Resource | 100
CWE-212 |  | Improper Removal of Sensitive Information Before Storage or Transfer | 98
CWE-602 | Medium | Client-Side Enforcement of Server-Side Security | 95
CWE-706 |  | Use of Incorrectly-Resolved Name or Reference | 93
CWE-789 |  | Memory Allocation with Excessive Size Value | 93
CWE-117 | Medium | Improper Output Neutralization for Logs | 90
CWE-1392 |  | Use of Default Credentials | 88
CWE-763 |  | Release of Invalid Pointer or Reference | 88
CWE-823 |  | Use of Out-of-range Pointer Offset | 87
CWE-436 |  | Interpretation Conflict | 84
CWE-377 |  | Insecure Temporary File | 81
CWE-913 |  | Improper Control of Dynamically-Managed Code Resources | 78
CWE-591 |  | Sensitive Data Storage in Improperly Locked Memory | 77
CWE-926 |  | Improper Export of Android Application Components | 76
CWE-303 |  | Incorrect Implementation of Authentication Algorithm | 75
CWE-506 |  | Embedded Malicious Code | 75
CWE-130 |  | Improper Handling of Length Parameter Inconsistency | 74
CWE-113 |  | Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') | 73
CWE-1220 |  | Insufficient Granularity of Access Control | 73
CWE-669 |  | Incorrect Resource Transfer Between Spheres | 73
CWE-538 |  | Insertion of Sensitive Information into Externally-Accessible File or Directory | 72
CWE-489 |  | Active Debug Code | 71
CWE-184 |  | Incomplete List of Disallowed Inputs | 70
CWE-441 |  | Unintended Proxy or Intermediary ('Confused Deputy') | 69
CWE-620 |  | Unverified Password Change | 69
CWE-776 | Medium | Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') | 69
CWE-912 |  | Hidden Functionality | 69
CWE-277 |  | Insecure Inherited Permissions | 68
CWE-565 |  | Reliance on Cookies without Validation and Integrity Checking | 68
CWE-1390 |  | Weak Authentication | 67
CWE-672 |  | Operation on a Resource after Expiration or Release | 66
CWE-598 |  | Use of GET Request Method With Sensitive Query Strings | 65
CWE-942 |  | Permissive Cross-domain Security Policy with Untrusted Domains | 64
CWE-1286 |  | Improper Validation of Syntactic Correctness of Input | 60
CWE-29 |  | Path Traversal: '\..\filename' | 60
CWE-267 |  | Privilege Defined With Unsafe Actions | 59
CWE-407 | Low | Inefficient Algorithmic Complexity | 59
CWE-257 | High | Storing Passwords in a Recoverable Format | 58
CWE-662 |  | Improper Synchronization | 57
CWE-472 |  | External Control of Assumed-Immutable Web Parameter | 56
CWE-799 |  | Improper Control of Interaction Frequency | 56
CWE-178 |  | Improper Handling of Case Sensitivity | 55
CWE-648 | Low | Incorrect Use of Privileged APIs | 54
CWE-300 |  | Channel Accessible by Non-Endpoint | 53
CWE-328 |  | Use of Weak Hash | 53
CWE-548 |  | Exposure of Information Through Directory Listing | 53
CWE-379 | Low | Creation of Temporary File in Directory with Insecure Permissions | 52
CWE-807 | High | Reliance on Untrusted Inputs in a Security Decision | 50