Common Weakness Enumeration

Browse CWEs ranked by the number of vulnerabilities referencing them, and pivot to weakness details, mitigations, and related attack patterns.

Reset

765 CWEs

API response
CWE Name Mapping usage Occurrences
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Allowed 23548
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Allowed 9991
CWE-862 Missing Authorization Allowed-with-Review 6749
CWE-352 Cross-Site Request Forgery (CSRF) Allowed 5108
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Allowed-with-Review 4289
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Discouraged 4261
CWE-20 Improper Input Validation Discouraged 4017
CWE-125 Out-of-bounds Read Allowed 3560
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor Discouraged 3349
CWE-416 Use After Free Allowed 3347
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') Allowed 3335
CWE-284 Improper Access Control Discouraged 3208
CWE-94 Improper Control of Generation of Code ('Code Injection') Allowed-with-Review 2990
CWE-121 Stack-based Buffer Overflow Allowed 2957
CWE-787 Out-of-bounds Write Allowed-with-Review 2791
CWE-122 Heap-based Buffer Overflow Allowed 2788
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer Discouraged 2654
CWE-434 Unrestricted Upload of File with Dangerous Type Allowed 2349
CWE-918 Server-Side Request Forgery (SSRF) Allowed 2177
CWE-502 Deserialization of Untrusted Data Allowed 2153
CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') Allowed-with-Review 1911
CWE-863 Incorrect Authorization Allowed-with-Review 1900
CWE-400 Uncontrolled Resource Consumption Discouraged 1834
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection') Allowed-with-Review 1765
CWE-639 Authorization Bypass Through User-Controlled Key Allowed 1613
CWE-287 Improper Authentication Discouraged 1612
CWE-306 Missing Authentication for Critical Function Allowed 1528
CWE-476 NULL Pointer Dereference Allowed 1367
CWE-285 Improper Authorization Discouraged 1330
CWE-770 Allocation of Resources Without Limits or Throttling Allowed 1290
CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') Allowed 1258
CWE-190 Integer Overflow or Wraparound Allowed 1218
CWE-269 Improper Privilege Management Discouraged 1197
CWE-266 Incorrect Privilege Assignment Allowed 973
CWE-601 URL Redirection to Untrusted Site ('Open Redirect') Allowed 857
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') Allowed-with-Review 800
CWE-427 Uncontrolled Search Path Element Allowed-with-Review 771
CWE-532 Insertion of Sensitive Information into Log File Allowed 675
CWE-59 Improper Link Resolution Before File Access ('Link Following') Allowed 645
CWE-798 Use of Hard-coded Credentials Allowed-with-Review 640
CWE-295 Improper Certificate Validation Allowed 607
CWE-276 Incorrect Default Permissions Allowed 555
CWE-404 Improper Resource Shutdown or Release Allowed-with-Review 549
CWE-288 Authentication Bypass Using an Alternate Path or Channel Allowed 549
CWE-732 Incorrect Permission Assignment for Critical Resource Allowed-with-Review 542
CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) Allowed 521
CWE-73 External Control of File Name or Path Allowed 504
CWE-126 Buffer Over-read Allowed 498
CWE-347 Improper Verification of Cryptographic Signature Allowed 493
CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition Allowed 480