Common Weakness Enumeration

Browse CWEs ranked by the number of vulnerabilities referencing them, and pivot to weakness details, mitigations, and related attack patterns.

Reset

765 CWEs

API response
CWE Name Mapping usage Occurrences
CWE-99 Improper Control of Resource Identifiers ('Resource Injection') Allowed-with-Review 57
CWE-706 Use of Incorrectly-Resolved Name or Reference Allowed-with-Review 57
CWE-614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute Allowed 57
CWE-178 Improper Handling of Case Sensitivity Allowed 57
CWE-170 Improper Null Termination Allowed 57
CWE-87 Improper Neutralization of Alternate XSS Syntax Allowed 56
CWE-682 Incorrect Calculation Discouraged 56
CWE-325 Missing Cryptographic Step Allowed 56
CWE-841 Improper Enforcement of Behavioral Workflow Allowed 54
CWE-548 Exposure of Information Through Directory Listing Allowed 53
CWE-644 Improper Neutralization of HTTP Headers for Scripting Syntax Allowed 52
CWE-297 Improper Validation of Certificate with Host Mismatch Allowed 52
CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') Allowed 51
CWE-277 Insecure Inherited Permissions Allowed 50
CWE-653 Improper Isolation or Compartmentalization Allowed 49
CWE-267 Privilege Defined With Unsafe Actions Allowed 49
CWE-672 Operation on a Resource after Expiration or Release Allowed-with-Review 48
CWE-524 Use of Cache Containing Sensitive Information Allowed 48
CWE-340 Generation of Predictable Numbers or Identifiers Allowed-with-Review 48
CWE-1285 Improper Validation of Specified Index, Position, or Offset in Input Allowed 48
CWE-405 Asymmetric Resource Consumption (Amplification) Allowed-with-Review 47
CWE-825 Expired Pointer Dereference Allowed 46
CWE-300 Channel Accessible by Non-Endpoint Discouraged 46
CWE-636 Not Failing Securely ('Failing Open') Allowed-with-Review 45
CWE-1395 Dependency on Vulnerable Third-Party Component Allowed-with-Review 45
CWE-805 Buffer Access with Incorrect Length Value Allowed 44
CWE-940 Improper Verification of Source of a Communication Channel Allowed 43
CWE-378 Creation of Temporary File With Insecure Permissions Allowed 43
CWE-183 Permissive List of Allowed Inputs Allowed 43
CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') Allowed 42
CWE-440 Expected Behavior Violation Allowed 42
CWE-1391 Use of Weak Credentials Allowed-with-Review 42
CWE-302 Authentication Bypass by Assumed-Immutable Data Allowed 41
CWE-323 Reusing a Nonce, Key Pair in Encryption Allowed 40
CWE-1004 Sensitive Cookie Without 'HttpOnly' Flag Allowed 40
CWE-667 Improper Locking Allowed-with-Review 39
CWE-274 Improper Handling of Insufficient Privileges Discouraged 39
CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') Allowed 38
CWE-420 Unprotected Alternate Channel Allowed 37
CWE-261 Weak Encoding for Password Allowed 37
CWE-385 Covert Timing Channel Allowed 36
CWE-123 Write-what-where Condition Allowed 36
CWE-791 Incomplete Filtering of Special Elements Allowed 35
CWE-424 Improper Protection of Alternate Path Allowed-with-Review 35
CWE-1393 Use of Default Password Allowed 35
CWE-124 Buffer Underwrite ('Buffer Underflow') Allowed 35
CWE-92 DEPRECATED: Improper Sanitization of Custom Special Characters Prohibited 34
CWE-696 Incorrect Behavior Order Allowed-with-Review 34
CWE-272 Least Privilege Violation Allowed 34