Common Weakness Enumeration
Browse CWEs ranked by the number of vulnerabilities referencing them, and pivot to weakness details, mitigations, and related attack patterns.
765 CWEs
API response| CWE | Name | Mapping usage | Occurrences |
|---|---|---|---|
| CWE-592 | DEPRECATED: Authentication Bypass Issues | Prohibited | 22 |
| CWE-402 | Transmission of Private Resources into a New Sphere ('Resource Leak') | Allowed-with-Review | 22 |
| CWE-283 | Unverified Ownership | Allowed | 22 |
| CWE-27 | Path Traversal: 'dir/../../filename' | Allowed | 22 |
| CWE-268 | Privilege Chaining | Allowed | 22 |
| CWE-253 | Incorrect Check of Function Return Value | Allowed | 22 |
| CWE-1240 | Use of a Cryptographic Primitive with a Risky Implementation | Allowed | 22 |
| CWE-96 | Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') | Allowed | 21 |
| CWE-833 | Deadlock | Allowed | 21 |
| CWE-603 | Use of Client-Side Authentication | Allowed | 21 |
| CWE-214 | Invocation of Process Using Visible Sensitive Information | Allowed | 21 |
| CWE-114 | Process Control | Discouraged | 21 |
| CWE-924 | Improper Enforcement of Message Integrity During Transmission in a Communication Channel | Allowed | 20 |
| CWE-708 | Incorrect Ownership Assignment | Allowed | 20 |
| CWE-460 | Improper Cleanup on Thrown Exception | Allowed | 20 |
| CWE-410 | Insufficient Resource Pool | Allowed | 20 |
| CWE-296 | Improper Following of a Certificate's Chain of Trust | Allowed | 20 |
| CWE-1327 | Binding to an Unrestricted IP Address | Allowed | 20 |
| CWE-1295 | Debug Messages Revealing Unnecessary Information | Allowed | 20 |
| CWE-939 | Improper Authorization in Handler for Custom URL Scheme | Allowed | 19 |
| CWE-75 | Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) | Discouraged | 19 |
| CWE-641 | Improper Restriction of Names for Files and Other Resources | Allowed | 19 |
| CWE-475 | Undefined Behavior for Input to API | Allowed | 19 |
| CWE-350 | Reliance on Reverse DNS Resolution for a Security-Critical Action | Allowed | 19 |
| CWE-180 | Incorrect Behavior Order: Validate Before Canonicalize | Allowed | 19 |
| CWE-698 | Execution After Redirect (EAR) | Allowed | 18 |
| CWE-590 | Free of Memory not on the Heap | Allowed | 18 |
| CWE-390 | Detection of Error Condition Without Action | Allowed | 18 |
| CWE-324 | Use of a Key Past its Expiration Date | Allowed | 18 |
| CWE-215 | Insertion of Sensitive Information Into Debugging Code | Allowed | 18 |
| CWE-140 | Improper Neutralization of Delimiters | Allowed | 18 |
| CWE-1104 | Use of Unmaintained Third Party Components | Allowed | 18 |
| CWE-779 | Logging of Excessive Data | Allowed | 17 |
| CWE-1394 | Use of Default Cryptographic Key | Allowed | 17 |
| CWE-927 | Use of Implicit Intent for Sensitive Communication | Allowed | 16 |
| CWE-837 | Improper Enforcement of a Single, Unique Action | Allowed | 16 |
| CWE-836 | Use of Password Hash Instead of Password for Authentication | Allowed | 16 |
| CWE-657 | Violation of Secure Design Principles | Discouraged | 16 |
| CWE-526 | Cleartext Storage of Sensitive Information in an Environment Variable | Allowed | 16 |
| CWE-477 | Use of Obsolete Function | Allowed | 16 |
| CWE-392 | Missing Report of Error Condition | Allowed | 16 |
| CWE-366 | Race Condition within a Thread | Allowed | 16 |
| CWE-351 | Insufficient Type Distinction | Allowed | 16 |
| CWE-335 | Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) | Allowed | 16 |
| CWE-228 | Improper Handling of Syntactically Invalid Structure | Allowed-with-Review | 16 |
| CWE-195 | Signed to Unsigned Conversion Error | Allowed | 16 |
| CWE-177 | Improper Handling of URL Encoding (Hex Encoding) | Allowed | 16 |
| CWE-118 | Incorrect Access of Indexable Resource ('Range Error') | Discouraged | 16 |
| CWE-759 | Use of a One-Way Hash without a Salt | Allowed | 15 |
| CWE-413 | Improper Resource Locking | Allowed | 15 |