Common Weakness Enumeration
Browse CWEs ranked by the number of vulnerabilities referencing them, and pivot to weakness details, mitigations, and related attack patterns.
765 CWEs
API response| CWE | Name | Mapping usage | Occurrences |
|---|---|---|---|
| CWE-471 | Modification of Assumed-Immutable Data (MAID) | Allowed | 33 |
| CWE-353 | Missing Support for Integrity Check | Allowed | 33 |
| CWE-349 | Acceptance of Extraneous Untrusted Data With Trusted Data | Allowed | 33 |
| CWE-304 | Missing Critical Step in Authentication | Allowed | 33 |
| CWE-289 | Authentication Bypass by Alternate Name | Allowed | 33 |
| CWE-690 | Unchecked Return Value to NULL Pointer Dereference | Discouraged | 32 |
| CWE-664 | Improper Control of a Resource Through its Lifetime | Discouraged | 32 |
| CWE-565 | Reliance on Cookies without Validation and Integrity Checking | Allowed | 32 |
| CWE-226 | Sensitive Information in Resource Not Removed Before Reuse | Allowed | 32 |
| CWE-202 | Exposure of Sensitive Information Through Data Queries | Allowed | 31 |
| CWE-176 | Improper Handling of Unicode Encoding | Allowed | 31 |
| CWE-313 | Cleartext Storage in a File or on Disk | Allowed | 30 |
| CWE-241 | Improper Handling of Unexpected Data Type | Allowed | 30 |
| CWE-213 | Exposure of Sensitive Information Due to Incompatible Policies | Allowed | 30 |
| CWE-834 | Excessive Iteration | Discouraged | 29 |
| CWE-540 | Inclusion of Sensitive Information in Source Code | Allowed | 29 |
| CWE-316 | Cleartext Storage of Sensitive Information in Memory | Allowed | 29 |
| CWE-185 | Incorrect Regular Expression | Allowed-with-Review | 29 |
| CWE-1385 | Missing Origin Validation in WebSockets | Allowed | 29 |
| CWE-782 | Exposed IOCTL with Insufficient Access Control | Allowed | 28 |
| CWE-757 | Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') | Allowed | 28 |
| CWE-684 | Incorrect Provision of Specified Functionality | Allowed-with-Review | 28 |
| CWE-525 | Use of Web Browser Cache Containing Sensitive Information | Allowed | 28 |
| CWE-488 | Exposure of Data Element to Wrong Session | Allowed | 28 |
| CWE-356 | Product UI does not Warn User of Unsafe Actions | Allowed | 28 |
| CWE-322 | Key Exchange without Entity Authentication | Allowed | 28 |
| CWE-282 | Improper Ownership Management | Allowed-with-Review | 28 |
| CWE-691 | Insufficient Control Flow Management | Discouraged | 27 |
| CWE-606 | Unchecked Input for Loop Condition | Allowed | 27 |
| CWE-501 | Trust Boundary Violation | Allowed | 27 |
| CWE-357 | Insufficient UI Warning of Dangerous Operations | Allowed | 27 |
| CWE-763 | Release of Invalid Pointer or Reference | Allowed | 26 |
| CWE-41 | Improper Resolution of Path Equivalence | Allowed | 26 |
| CWE-270 | Privilege Context Switching Error | Allowed | 26 |
| CWE-115 | Misinterpretation of Input | Allowed | 26 |
| CWE-233 | Improper Handling of Parameters | Allowed | 25 |
| CWE-158 | Improper Neutralization of Null Byte or NUL Character | Allowed | 25 |
| CWE-1289 | Improper Validation of Unsafe Equivalence in Input | Allowed | 25 |
| CWE-758 | Reliance on Undefined, Unspecified, or Implementation-Defined Behavior | Allowed-with-Review | 24 |
| CWE-523 | Unprotected Transport of Credentials | Allowed | 24 |
| CWE-391 | Unchecked Error Condition | Prohibited | 24 |
| CWE-286 | Incorrect User Management | Allowed-with-Review | 24 |
| CWE-279 | Incorrect Execution-Assigned Permissions | Allowed | 24 |
| CWE-1275 | Sensitive Cookie with Improper SameSite Attribute | Allowed | 24 |
| CWE-1230 | Exposure of Sensitive Information Through Metadata | Allowed | 24 |
| CWE-83 | Improper Neutralization of Script in Attributes in a Web Page | Allowed | 23 |
| CWE-778 | Insufficient Logging | Allowed | 23 |
| CWE-260 | Password in Configuration File | Allowed | 23 |
| CWE-1288 | Improper Validation of Consistency within Input | Allowed | 23 |