Common Weakness Enumeration
Browse CWEs ranked by the number of vulnerabilities referencing them, and pivot to weakness details, mitigations, and related attack patterns.
765 CWEs
API response| CWE | Name | Mapping usage | Occurrences |
|---|---|---|---|
| CWE-303 | Incorrect Implementation of Authentication Algorithm | Allowed | 90 |
| CWE-130 | Improper Handling of Length Parameter Inconsistency | Allowed | 90 |
| CWE-252 | Unchecked Return Value | Allowed | 89 |
| CWE-436 | Interpretation Conflict | Allowed-with-Review | 87 |
| CWE-328 | Use of Weak Hash | Allowed | 87 |
| CWE-113 | Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') | Allowed | 87 |
| CWE-506 | Embedded Malicious Code | Allowed-with-Review | 85 |
| CWE-670 | Always-Incorrect Control Flow Implementation | Allowed-with-Review | 83 |
| CWE-377 | Insecure Temporary File | Allowed-with-Review | 83 |
| CWE-354 | Improper Validation of Integrity Check Value | Allowed | 82 |
| CWE-538 | Insertion of Sensitive Information into Externally-Accessible File or Directory | Allowed | 81 |
| CWE-620 | Unverified Password Change | Allowed | 80 |
| CWE-489 | Active Debug Code | Allowed | 79 |
| CWE-441 | Unintended Proxy or Intermediary ('Confused Deputy') | Allowed-with-Review | 79 |
| CWE-1390 | Weak Authentication | Allowed-with-Review | 78 |
| CWE-807 | Reliance on Untrusted Inputs in a Security Decision | Allowed | 77 |
| CWE-704 | Incorrect Type Conversion or Cast | Allowed-with-Review | 76 |
| CWE-331 | Insufficient Entropy | Allowed | 76 |
| CWE-926 | Improper Export of Android Application Components | Allowed | 75 |
| CWE-912 | Hidden Functionality | Allowed-with-Review | 75 |
| CWE-591 | Sensitive Data Storage in Improperly Locked Memory | Allowed | 75 |
| CWE-697 | Incorrect Comparison | Discouraged | 74 |
| CWE-197 | Numeric Truncation Error | Allowed | 74 |
| CWE-610 | Externally Controlled Reference to a Resource in Another Sphere | Discouraged | 73 |
| CWE-1286 | Improper Validation of Syntactic Correctness of Input | Allowed | 73 |
| CWE-598 | Use of HTTP Request With Sensitive Query String | Allowed | 71 |
| CWE-943 | Improper Neutralization of Special Elements in Data Query Logic | Allowed-with-Review | 69 |
| CWE-459 | Incomplete Cleanup | Allowed | 69 |
| CWE-913 | Improper Control of Dynamically-Managed Code Resources | Allowed-with-Review | 68 |
| CWE-772 | Missing Release of Resource after Effective Lifetime | Allowed | 67 |
| CWE-348 | Use of Less Trusted Source | Allowed | 66 |
| CWE-150 | Improper Neutralization of Escape, Meta, or Control Sequences | Allowed | 66 |
| CWE-923 | Improper Restriction of Communication Channel to Intended Endpoints | Allowed-with-Review | 65 |
| CWE-799 | Improper Control of Interaction Frequency | Allowed-with-Review | 65 |
| CWE-916 | Use of Password Hash With Insufficient Computational Effort | Allowed | 64 |
| CWE-15 | External Control of System or Configuration Setting | Allowed | 64 |
| CWE-91 | XML Injection (aka Blind XPath Injection) | Allowed-with-Review | 63 |
| CWE-90 | Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') | Allowed | 63 |
| CWE-257 | Storing Passwords in a Recoverable Format | Allowed | 63 |
| CWE-648 | Incorrect Use of Privileged APIs | Allowed | 62 |
| CWE-681 | Incorrect Conversion between Numeric Types | Allowed | 61 |
| CWE-29 | Path Traversal: '\..\filename' | Allowed | 61 |
| CWE-212 | Improper Removal of Sensitive Information Before Storage or Transfer | Allowed | 61 |
| CWE-669 | Incorrect Resource Transfer Between Spheres | Allowed-with-Review | 59 |
| CWE-472 | External Control of Assumed-Immutable Web Parameter | Allowed | 58 |
| CWE-379 | Creation of Temporary File in Directory with Insecure Permissions | Allowed | 58 |