Common Weakness Enumeration

Browse CWEs ranked by the number of vulnerabilities referencing them, and pivot to weakness details, mitigations, and related attack patterns.

Reset

765 CWEs

API response
CWE Name Mapping usage Occurrences
CWE-23 Relative Path Traversal Allowed 467
CWE-843 Access of Resource Using Incompatible Type ('Type Confusion') Allowed 463
CWE-611 Improper Restriction of XML External Entity Reference Allowed 462
CWE-522 Insufficiently Protected Credentials Allowed-with-Review 461
CWE-319 Cleartext Transmission of Sensitive Information Allowed 399
CWE-693 Protection Mechanism Failure Discouraged 397
CWE-613 Insufficient Session Expiration Allowed-with-Review 372
CWE-307 Improper Restriction of Excessive Authentication Attempts Allowed 372
CWE-345 Insufficient Verification of Data Authenticity Discouraged 370
CWE-754 Improper Check for Unusual or Exceptional Conditions Allowed-with-Review 364
CWE-290 Authentication Bypass by Spoofing Allowed 359
CWE-201 Insertion of Sensitive Information Into Sent Data Allowed 353
CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere Allowed 344
CWE-428 Unquoted Search Path or Element Allowed 344
CWE-209 Generation of Error Message Containing Sensitive Information Allowed 336
CWE-191 Integer Underflow (Wrap or Wraparound) Allowed 336
CWE-327 Use of a Broken or Risky Cryptographic Algorithm Allowed-with-Review 328
CWE-1333 Inefficient Regular Expression Complexity Allowed 321
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop') Allowed 312
CWE-250 Execution with Unnecessary Privileges Allowed 309
CWE-617 Reachable Assertion Allowed 297
CWE-401 Missing Release of Memory after Effective Lifetime Allowed 292
CWE-312 Cleartext Storage of Sensitive Information Allowed 290
CWE-321 Use of Hard-coded Cryptographic Key Allowed 279
CWE-426 Untrusted Search Path Allowed-with-Review 272
CWE-346 Origin Validation Error Allowed-with-Review 270
CWE-311 Missing Encryption of Sensitive Data Discouraged 270
CWE-116 Improper Encoding or Escaping of Output Allowed-with-Review 253
CWE-552 Files or Directories Accessible to External Parties Allowed 249
CWE-415 Double Free Allowed 249
CWE-707 Improper Neutralization Discouraged 246
CWE-822 Untrusted Pointer Dereference Allowed 244
CWE-674 Uncontrolled Recursion Allowed-with-Review 242
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') Allowed 230
CWE-248 Uncaught Exception Allowed 230
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') Allowed 229
CWE-129 Improper Validation of Array Index Allowed 229
CWE-908 Use of Uninitialized Resource Allowed 227
CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') Allowed 220
CWE-1284 Improper Validation of Specified Quantity in Input Allowed 208
CWE-789 Memory Allocation with Excessive Size Value Allowed 204
CWE-755 Improper Handling of Exceptional Conditions Discouraged 195
CWE-824 Access of Uninitialized Pointer Allowed 186
CWE-668 Exposure of Resource to Wrong Sphere Discouraged 186
CWE-829 Inclusion of Functionality from Untrusted Control Sphere Allowed 184
CWE-384 Session Fixation Allowed 173
CWE-359 Exposure of Private Personal Information to an Unauthorized Actor Allowed 171
CWE-256 Plaintext Storage of a Password Allowed 171
CWE-749 Exposed Dangerous Method or Function Allowed 164