Common Weakness Enumeration
Browse CWEs ranked by the number of vulnerabilities referencing them, and pivot to weakness details, mitigations, and related attack patterns.
765 CWEs
API response| CWE | Name | Mapping usage | Occurrences |
|---|---|---|---|
| CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | Allowed | 23548 |
| CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | Allowed | 9991 |
| CWE-862 | Missing Authorization | Allowed-with-Review | 6749 |
| CWE-352 | Cross-Site Request Forgery (CSRF) | Allowed | 5108 |
| CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | Allowed-with-Review | 4289 |
| CWE-74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') | Discouraged | 4261 |
| CWE-20 | Improper Input Validation | Discouraged | 4017 |
| CWE-125 | Out-of-bounds Read | Allowed | 3560 |
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | Discouraged | 3349 |
| CWE-416 | Use After Free | Allowed | 3347 |
| CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | Allowed | 3335 |
| CWE-284 | Improper Access Control | Discouraged | 3208 |
| CWE-94 | Improper Control of Generation of Code ('Code Injection') | Allowed-with-Review | 2990 |
| CWE-121 | Stack-based Buffer Overflow | Allowed | 2957 |
| CWE-787 | Out-of-bounds Write | Allowed-with-Review | 2791 |
| CWE-122 | Heap-based Buffer Overflow | Allowed | 2788 |
| CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | Discouraged | 2654 |
| CWE-434 | Unrestricted Upload of File with Dangerous Type | Allowed | 2349 |
| CWE-918 | Server-Side Request Forgery (SSRF) | Allowed | 2177 |
| CWE-502 | Deserialization of Untrusted Data | Allowed | 2153 |
| CWE-120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | Allowed-with-Review | 1911 |
| CWE-863 | Incorrect Authorization | Allowed-with-Review | 1900 |
| CWE-400 | Uncontrolled Resource Consumption | Discouraged | 1834 |
| CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') | Allowed-with-Review | 1765 |
| CWE-639 | Authorization Bypass Through User-Controlled Key | Allowed | 1613 |
| CWE-287 | Improper Authentication | Discouraged | 1612 |
| CWE-306 | Missing Authentication for Critical Function | Allowed | 1528 |
| CWE-476 | NULL Pointer Dereference | Allowed | 1367 |
| CWE-285 | Improper Authorization | Discouraged | 1330 |
| CWE-770 | Allocation of Resources Without Limits or Throttling | Allowed | 1290 |
| CWE-98 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') | Allowed | 1258 |
| CWE-190 | Integer Overflow or Wraparound | Allowed | 1218 |
| CWE-269 | Improper Privilege Management | Discouraged | 1197 |
| CWE-266 | Incorrect Privilege Assignment | Allowed | 973 |
| CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') | Allowed | 857 |
| CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | Allowed-with-Review | 800 |
| CWE-427 | Uncontrolled Search Path Element | Allowed-with-Review | 771 |
| CWE-532 | Insertion of Sensitive Information into Log File | Allowed | 675 |
| CWE-59 | Improper Link Resolution Before File Access ('Link Following') | Allowed | 645 |
| CWE-798 | Use of Hard-coded Credentials | Allowed-with-Review | 640 |
| CWE-295 | Improper Certificate Validation | Allowed | 607 |
| CWE-276 | Incorrect Default Permissions | Allowed | 555 |
| CWE-404 | Improper Resource Shutdown or Release | Allowed-with-Review | 549 |
| CWE-288 | Authentication Bypass Using an Alternate Path or Channel | Allowed | 549 |
| CWE-732 | Incorrect Permission Assignment for Critical Resource | Allowed-with-Review | 542 |
| CWE-80 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | Allowed | 521 |
| CWE-73 | External Control of File Name or Path | Allowed | 504 |
| CWE-126 | Buffer Over-read | Allowed | 498 |
| CWE-347 | Improper Verification of Cryptographic Signature | Allowed | 493 |
| CWE-367 | Time-of-check Time-of-use (TOCTOU) Race Condition | Allowed | 480 |