Common Weakness Enumeration

Browse CWEs ranked by the number of vulnerabilities referencing them, and pivot to weakness details, mitigations, and related attack patterns.

Reset

765 CWEs

API response
CWE Name Mapping usage Occurrences
CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine Allowed 164
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection') Allowed 162
CWE-35 Path Traversal: '.../...//' Allowed 162
CWE-184 Incomplete List of Disallowed Inputs Allowed 162
CWE-203 Observable Discrepancy Allowed 160
CWE-259 Use of Hard-coded Password Allowed 157
CWE-204 Observable Response Discrepancy Allowed 155
CWE-640 Weak Password Recovery Mechanism for Forgotten Password Allowed-with-Review 154
CWE-61 UNIX Symbolic Link (Symlink) Following Allowed 151
CWE-1188 Initialization of a Resource with an Insecure Default Allowed 151
CWE-305 Authentication Bypass by Primary Weakness Allowed 148
CWE-208 Observable Timing Discrepancy Allowed 148
CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes Allowed 147
CWE-369 Divide By Zero Allowed 146
CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') Allowed 144
CWE-788 Access of Memory Location After End of Buffer Discouraged 144
CWE-1236 Improper Neutralization of Formula Elements in a CSV File Allowed 142
CWE-36 Absolute Path Traversal Allowed 138
CWE-1287 Improper Validation of Specified Type of Input Allowed 137
CWE-330 Use of Insufficiently Random Values Discouraged 135
CWE-326 Inadequate Encryption Strength Allowed-with-Review 134
CWE-280 Improper Handling of Insufficient Permissions or Privileges Allowed 133
CWE-134 Use of Externally-Controlled Format String Allowed 130
CWE-407 Inefficient Algorithmic Complexity Allowed-with-Review 126
CWE-494 Download of Code Without Integrity Check Allowed 124
CWE-1021 Improper Restriction of Rendered UI Layers or Frames Allowed 122
CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) Allowed 120
CWE-294 Authentication Bypass by Capture-replay Allowed 120
CWE-665 Improper Initialization Discouraged 119
CWE-521 Weak Password Requirements Allowed 118
CWE-457 Use of Uninitialized Variable Allowed 115
CWE-922 Insecure Storage of Sensitive Information Allowed-with-Review 114
CWE-281 Improper Preservation of Permissions Allowed 114
CWE-131 Incorrect Calculation of Buffer Size Allowed 114
CWE-1220 Insufficient Granularity of Access Control Allowed 110
CWE-703 Improper Check or Handling of Exceptional Conditions Discouraged 108
CWE-602 Client-Side Enforcement of Server-Side Security Allowed-with-Review 104
CWE-193 Off-by-one Error Allowed 104
CWE-1392 Use of Default Credentials Allowed 101
CWE-680 Integer Overflow to Buffer Overflow Discouraged 100
CWE-409 Improper Handling of Highly Compressed Data (Data Amplification) Allowed 100
CWE-24 Path Traversal: '../filedir' Allowed 100
CWE-451 User Interface (UI) Misrepresentation of Critical Information Allowed-with-Review 99
CWE-942 Permissive Cross-domain Security Policy with Untrusted Domains Allowed 96
CWE-823 Use of Out-of-range Pointer Offset Allowed 96
CWE-117 Improper Output Neutralization for Logs Allowed 95
CWE-425 Direct Request ('Forced Browsing') Allowed 94
CWE-358 Improperly Implemented Security Check for Standard Allowed 90
CWE-130 Improper Handling of Length Parameter Inconsistency Allowed 90