Common Weakness Enumeration
Browse CWEs ranked by the number of vulnerabilities referencing them, and pivot to weakness details, mitigations, and related attack patterns.
765 CWEs
API response| CWE | Name | Mapping usage | Occurrences |
|---|---|---|---|
| CWE-23 | Relative Path Traversal | Allowed | 467 |
| CWE-843 | Access of Resource Using Incompatible Type ('Type Confusion') | Allowed | 463 |
| CWE-611 | Improper Restriction of XML External Entity Reference | Allowed | 462 |
| CWE-522 | Insufficiently Protected Credentials | Allowed-with-Review | 461 |
| CWE-319 | Cleartext Transmission of Sensitive Information | Allowed | 399 |
| CWE-693 | Protection Mechanism Failure | Discouraged | 397 |
| CWE-613 | Insufficient Session Expiration | Allowed-with-Review | 372 |
| CWE-307 | Improper Restriction of Excessive Authentication Attempts | Allowed | 372 |
| CWE-345 | Insufficient Verification of Data Authenticity | Discouraged | 370 |
| CWE-754 | Improper Check for Unusual or Exceptional Conditions | Allowed-with-Review | 364 |
| CWE-290 | Authentication Bypass by Spoofing | Allowed | 359 |
| CWE-201 | Insertion of Sensitive Information Into Sent Data | Allowed | 353 |
| CWE-497 | Exposure of Sensitive System Information to an Unauthorized Control Sphere | Allowed | 344 |
| CWE-428 | Unquoted Search Path or Element | Allowed | 344 |
| CWE-209 | Generation of Error Message Containing Sensitive Information | Allowed | 336 |
| CWE-191 | Integer Underflow (Wrap or Wraparound) | Allowed | 336 |
| CWE-327 | Use of a Broken or Risky Cryptographic Algorithm | Allowed-with-Review | 328 |
| CWE-1333 | Inefficient Regular Expression Complexity | Allowed | 321 |
| CWE-835 | Loop with Unreachable Exit Condition ('Infinite Loop') | Allowed | 312 |
| CWE-250 | Execution with Unnecessary Privileges | Allowed | 309 |
| CWE-617 | Reachable Assertion | Allowed | 297 |
| CWE-401 | Missing Release of Memory after Effective Lifetime | Allowed | 292 |
| CWE-312 | Cleartext Storage of Sensitive Information | Allowed | 290 |
| CWE-321 | Use of Hard-coded Cryptographic Key | Allowed | 279 |
| CWE-426 | Untrusted Search Path | Allowed-with-Review | 272 |
| CWE-346 | Origin Validation Error | Allowed-with-Review | 270 |
| CWE-311 | Missing Encryption of Sensitive Data | Discouraged | 270 |
| CWE-116 | Improper Encoding or Escaping of Output | Allowed-with-Review | 253 |
| CWE-552 | Files or Directories Accessible to External Parties | Allowed | 249 |
| CWE-415 | Double Free | Allowed | 249 |
| CWE-707 | Improper Neutralization | Discouraged | 246 |
| CWE-822 | Untrusted Pointer Dereference | Allowed | 244 |
| CWE-674 | Uncontrolled Recursion | Allowed-with-Review | 242 |
| CWE-444 | Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') | Allowed | 230 |
| CWE-248 | Uncaught Exception | Allowed | 230 |
| CWE-1321 | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') | Allowed | 229 |
| CWE-129 | Improper Validation of Array Index | Allowed | 229 |
| CWE-908 | Use of Uninitialized Resource | Allowed | 227 |
| CWE-88 | Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') | Allowed | 220 |
| CWE-1284 | Improper Validation of Specified Quantity in Input | Allowed | 208 |
| CWE-789 | Memory Allocation with Excessive Size Value | Allowed | 204 |
| CWE-755 | Improper Handling of Exceptional Conditions | Discouraged | 195 |
| CWE-824 | Access of Uninitialized Pointer | Allowed | 186 |
| CWE-668 | Exposure of Resource to Wrong Sphere | Discouraged | 186 |
| CWE-829 | Inclusion of Functionality from Untrusted Control Sphere | Allowed | 184 |
| CWE-384 | Session Fixation | Allowed | 173 |
| CWE-359 | Exposure of Private Personal Information to an Unauthorized Actor | Allowed | 171 |
| CWE-256 | Plaintext Storage of a Password | Allowed | 171 |
| CWE-749 | Exposed Dangerous Method or Function | Allowed | 164 |