Common Weakness Enumeration

Browse CWEs ranked by the number of vulnerabilities referencing them, and pivot to weakness details, mitigations, and related attack patterns.

Reset

765 CWEs

API response
CWE Name Mapping usage Occurrences
CWE-303 Incorrect Implementation of Authentication Algorithm Allowed 90
CWE-130 Improper Handling of Length Parameter Inconsistency Allowed 90
CWE-252 Unchecked Return Value Allowed 89
CWE-436 Interpretation Conflict Allowed-with-Review 87
CWE-328 Use of Weak Hash Allowed 87
CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') Allowed 87
CWE-506 Embedded Malicious Code Allowed-with-Review 85
CWE-670 Always-Incorrect Control Flow Implementation Allowed-with-Review 83
CWE-377 Insecure Temporary File Allowed-with-Review 83
CWE-354 Improper Validation of Integrity Check Value Allowed 82
CWE-538 Insertion of Sensitive Information into Externally-Accessible File or Directory Allowed 81
CWE-620 Unverified Password Change Allowed 80
CWE-489 Active Debug Code Allowed 79
CWE-441 Unintended Proxy or Intermediary ('Confused Deputy') Allowed-with-Review 79
CWE-1390 Weak Authentication Allowed-with-Review 78
CWE-807 Reliance on Untrusted Inputs in a Security Decision Allowed 77
CWE-704 Incorrect Type Conversion or Cast Allowed-with-Review 76
CWE-331 Insufficient Entropy Allowed 76
CWE-926 Improper Export of Android Application Components Allowed 75
CWE-912 Hidden Functionality Allowed-with-Review 75
CWE-591 Sensitive Data Storage in Improperly Locked Memory Allowed 75
CWE-697 Incorrect Comparison Discouraged 74
CWE-197 Numeric Truncation Error Allowed 74
CWE-610 Externally Controlled Reference to a Resource in Another Sphere Discouraged 73
CWE-1286 Improper Validation of Syntactic Correctness of Input Allowed 73
CWE-598 Use of HTTP Request With Sensitive Query String Allowed 71
CWE-943 Improper Neutralization of Special Elements in Data Query Logic Allowed-with-Review 69
CWE-459 Incomplete Cleanup Allowed 69
CWE-913 Improper Control of Dynamically-Managed Code Resources Allowed-with-Review 68
CWE-772 Missing Release of Resource after Effective Lifetime Allowed 67
CWE-348 Use of Less Trusted Source Allowed 66
CWE-150 Improper Neutralization of Escape, Meta, or Control Sequences Allowed 66
CWE-923 Improper Restriction of Communication Channel to Intended Endpoints Allowed-with-Review 65
CWE-799 Improper Control of Interaction Frequency Allowed-with-Review 65
CWE-916 Use of Password Hash With Insufficient Computational Effort Allowed 64
CWE-15 External Control of System or Configuration Setting Allowed 64
CWE-91 XML Injection (aka Blind XPath Injection) Allowed-with-Review 63
CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') Allowed 63
CWE-257 Storing Passwords in a Recoverable Format Allowed 63
CWE-648 Incorrect Use of Privileged APIs Allowed 62
CWE-681 Incorrect Conversion between Numeric Types Allowed 61
CWE-29 Path Traversal: '\..\filename' Allowed 61
CWE-212 Improper Removal of Sensitive Information Before Storage or Transfer Allowed 61
CWE-669 Incorrect Resource Transfer Between Spheres Allowed-with-Review 59
CWE-472 External Control of Assumed-Immutable Web Parameter Allowed 58
CWE-379 Creation of Temporary File in Directory with Insecure Permissions Allowed 58