Common Weakness Enumeration
Browse CWEs ranked by the number of vulnerabilities referencing them, and pivot to weakness details, mitigations, and related attack patterns.
765 CWEs
API response| CWE | Name | Mapping usage | Occurrences |
|---|---|---|---|
| CWE-99 | Improper Control of Resource Identifiers ('Resource Injection') | Allowed-with-Review | 57 |
| CWE-706 | Use of Incorrectly-Resolved Name or Reference | Allowed-with-Review | 57 |
| CWE-614 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | Allowed | 57 |
| CWE-178 | Improper Handling of Case Sensitivity | Allowed | 57 |
| CWE-170 | Improper Null Termination | Allowed | 57 |
| CWE-87 | Improper Neutralization of Alternate XSS Syntax | Allowed | 56 |
| CWE-682 | Incorrect Calculation | Discouraged | 56 |
| CWE-325 | Missing Cryptographic Step | Allowed | 56 |
| CWE-841 | Improper Enforcement of Behavioral Workflow | Allowed | 54 |
| CWE-548 | Exposure of Information Through Directory Listing | Allowed | 53 |
| CWE-644 | Improper Neutralization of HTTP Headers for Scripting Syntax | Allowed | 52 |
| CWE-297 | Improper Validation of Certificate with Host Mismatch | Allowed | 52 |
| CWE-470 | Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') | Allowed | 51 |
| CWE-277 | Insecure Inherited Permissions | Allowed | 50 |
| CWE-653 | Improper Isolation or Compartmentalization | Allowed | 49 |
| CWE-267 | Privilege Defined With Unsafe Actions | Allowed | 49 |
| CWE-672 | Operation on a Resource after Expiration or Release | Allowed-with-Review | 48 |
| CWE-524 | Use of Cache Containing Sensitive Information | Allowed | 48 |
| CWE-340 | Generation of Predictable Numbers or Identifiers | Allowed-with-Review | 48 |
| CWE-1285 | Improper Validation of Specified Index, Position, or Offset in Input | Allowed | 48 |
| CWE-405 | Asymmetric Resource Consumption (Amplification) | Allowed-with-Review | 47 |
| CWE-825 | Expired Pointer Dereference | Allowed | 46 |
| CWE-300 | Channel Accessible by Non-Endpoint | Discouraged | 46 |
| CWE-636 | Not Failing Securely ('Failing Open') | Allowed-with-Review | 45 |
| CWE-1395 | Dependency on Vulnerable Third-Party Component | Allowed-with-Review | 45 |
| CWE-805 | Buffer Access with Incorrect Length Value | Allowed | 44 |
| CWE-940 | Improper Verification of Source of a Communication Channel | Allowed | 43 |
| CWE-378 | Creation of Temporary File With Insecure Permissions | Allowed | 43 |
| CWE-183 | Permissive List of Allowed Inputs | Allowed | 43 |
| CWE-917 | Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') | Allowed | 42 |
| CWE-440 | Expected Behavior Violation | Allowed | 42 |
| CWE-1391 | Use of Weak Credentials | Allowed-with-Review | 42 |
| CWE-302 | Authentication Bypass by Assumed-Immutable Data | Allowed | 41 |
| CWE-323 | Reusing a Nonce, Key Pair in Encryption | Allowed | 40 |
| CWE-1004 | Sensitive Cookie Without 'HttpOnly' Flag | Allowed | 40 |
| CWE-667 | Improper Locking | Allowed-with-Review | 39 |
| CWE-274 | Improper Handling of Insufficient Privileges | Discouraged | 39 |
| CWE-776 | Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') | Allowed | 38 |
| CWE-420 | Unprotected Alternate Channel | Allowed | 37 |
| CWE-261 | Weak Encoding for Password | Allowed | 37 |
| CWE-385 | Covert Timing Channel | Allowed | 36 |
| CWE-123 | Write-what-where Condition | Allowed | 36 |
| CWE-791 | Incomplete Filtering of Special Elements | Allowed | 35 |
| CWE-424 | Improper Protection of Alternate Path | Allowed-with-Review | 35 |
| CWE-1393 | Use of Default Password | Allowed | 35 |
| CWE-124 | Buffer Underwrite ('Buffer Underflow') | Allowed | 35 |
| CWE-92 | DEPRECATED: Improper Sanitization of Custom Special Characters | Prohibited | 34 |
| CWE-696 | Incorrect Behavior Order | Allowed-with-Review | 34 |
| CWE-272 | Least Privilege Violation | Allowed | 34 |