Common Weakness Enumeration
Browse CWEs ranked by the number of vulnerabilities referencing them, and pivot to weakness details, mitigations, and related attack patterns.
765 CWEs
API response| CWE | Name | Mapping usage | Occurrences |
|---|---|---|---|
| CWE-1336 | Improper Neutralization of Special Elements Used in a Template Engine | Allowed | 164 |
| CWE-93 | Improper Neutralization of CRLF Sequences ('CRLF Injection') | Allowed | 162 |
| CWE-35 | Path Traversal: '.../...//' | Allowed | 162 |
| CWE-184 | Incomplete List of Disallowed Inputs | Allowed | 162 |
| CWE-203 | Observable Discrepancy | Allowed | 160 |
| CWE-259 | Use of Hard-coded Password | Allowed | 157 |
| CWE-204 | Observable Response Discrepancy | Allowed | 155 |
| CWE-640 | Weak Password Recovery Mechanism for Forgotten Password | Allowed-with-Review | 154 |
| CWE-61 | UNIX Symbolic Link (Symlink) Following | Allowed | 151 |
| CWE-1188 | Initialization of a Resource with an Insecure Default | Allowed | 151 |
| CWE-305 | Authentication Bypass by Primary Weakness | Allowed | 148 |
| CWE-208 | Observable Timing Discrepancy | Allowed | 148 |
| CWE-915 | Improperly Controlled Modification of Dynamically-Determined Object Attributes | Allowed | 147 |
| CWE-369 | Divide By Zero | Allowed | 146 |
| CWE-95 | Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') | Allowed | 144 |
| CWE-788 | Access of Memory Location After End of Buffer | Discouraged | 144 |
| CWE-1236 | Improper Neutralization of Formula Elements in a CSV File | Allowed | 142 |
| CWE-36 | Absolute Path Traversal | Allowed | 138 |
| CWE-1287 | Improper Validation of Specified Type of Input | Allowed | 137 |
| CWE-330 | Use of Insufficiently Random Values | Discouraged | 135 |
| CWE-326 | Inadequate Encryption Strength | Allowed-with-Review | 134 |
| CWE-280 | Improper Handling of Insufficient Permissions or Privileges | Allowed | 133 |
| CWE-134 | Use of Externally-Controlled Format String | Allowed | 130 |
| CWE-407 | Inefficient Algorithmic Complexity | Allowed-with-Review | 126 |
| CWE-494 | Download of Code Without Integrity Check | Allowed | 124 |
| CWE-1021 | Improper Restriction of Rendered UI Layers or Frames | Allowed | 122 |
| CWE-338 | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) | Allowed | 120 |
| CWE-294 | Authentication Bypass by Capture-replay | Allowed | 120 |
| CWE-665 | Improper Initialization | Discouraged | 119 |
| CWE-521 | Weak Password Requirements | Allowed | 118 |
| CWE-457 | Use of Uninitialized Variable | Allowed | 115 |
| CWE-922 | Insecure Storage of Sensitive Information | Allowed-with-Review | 114 |
| CWE-281 | Improper Preservation of Permissions | Allowed | 114 |
| CWE-131 | Incorrect Calculation of Buffer Size | Allowed | 114 |
| CWE-1220 | Insufficient Granularity of Access Control | Allowed | 110 |
| CWE-703 | Improper Check or Handling of Exceptional Conditions | Discouraged | 108 |
| CWE-602 | Client-Side Enforcement of Server-Side Security | Allowed-with-Review | 104 |
| CWE-193 | Off-by-one Error | Allowed | 104 |
| CWE-1392 | Use of Default Credentials | Allowed | 101 |
| CWE-680 | Integer Overflow to Buffer Overflow | Discouraged | 100 |
| CWE-409 | Improper Handling of Highly Compressed Data (Data Amplification) | Allowed | 100 |
| CWE-24 | Path Traversal: '../filedir' | Allowed | 100 |
| CWE-451 | User Interface (UI) Misrepresentation of Critical Information | Allowed-with-Review | 99 |
| CWE-942 | Permissive Cross-domain Security Policy with Untrusted Domains | Allowed | 96 |
| CWE-823 | Use of Out-of-range Pointer Offset | Allowed | 96 |
| CWE-117 | Improper Output Neutralization for Logs | Allowed | 95 |
| CWE-425 | Direct Request ('Forced Browsing') | Allowed | 94 |
| CWE-358 | Improperly Implemented Security Check for Standard | Allowed | 90 |
| CWE-130 | Improper Handling of Length Parameter Inconsistency | Allowed | 90 |