Common Weakness Enumeration

Browse CWEs ranked by the number of vulnerabilities referencing them, and pivot to weakness details, mitigations, and related attack patterns.

Reset

765 CWEs

API response
CWE Name Mapping usage Occurrences
CWE-592 DEPRECATED: Authentication Bypass Issues Prohibited 22
CWE-402 Transmission of Private Resources into a New Sphere ('Resource Leak') Allowed-with-Review 22
CWE-283 Unverified Ownership Allowed 22
CWE-27 Path Traversal: 'dir/../../filename' Allowed 22
CWE-268 Privilege Chaining Allowed 22
CWE-253 Incorrect Check of Function Return Value Allowed 22
CWE-1240 Use of a Cryptographic Primitive with a Risky Implementation Allowed 22
CWE-96 Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection') Allowed 21
CWE-833 Deadlock Allowed 21
CWE-603 Use of Client-Side Authentication Allowed 21
CWE-214 Invocation of Process Using Visible Sensitive Information Allowed 21
CWE-114 Process Control Discouraged 21
CWE-924 Improper Enforcement of Message Integrity During Transmission in a Communication Channel Allowed 20
CWE-708 Incorrect Ownership Assignment Allowed 20
CWE-460 Improper Cleanup on Thrown Exception Allowed 20
CWE-410 Insufficient Resource Pool Allowed 20
CWE-296 Improper Following of a Certificate's Chain of Trust Allowed 20
CWE-1327 Binding to an Unrestricted IP Address Allowed 20
CWE-1295 Debug Messages Revealing Unnecessary Information Allowed 20
CWE-939 Improper Authorization in Handler for Custom URL Scheme Allowed 19
CWE-75 Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) Discouraged 19
CWE-641 Improper Restriction of Names for Files and Other Resources Allowed 19
CWE-475 Undefined Behavior for Input to API Allowed 19
CWE-350 Reliance on Reverse DNS Resolution for a Security-Critical Action Allowed 19
CWE-180 Incorrect Behavior Order: Validate Before Canonicalize Allowed 19
CWE-698 Execution After Redirect (EAR) Allowed 18
CWE-590 Free of Memory not on the Heap Allowed 18
CWE-390 Detection of Error Condition Without Action Allowed 18
CWE-324 Use of a Key Past its Expiration Date Allowed 18
CWE-215 Insertion of Sensitive Information Into Debugging Code Allowed 18
CWE-140 Improper Neutralization of Delimiters Allowed 18
CWE-1104 Use of Unmaintained Third Party Components Allowed 18
CWE-779 Logging of Excessive Data Allowed 17
CWE-1394 Use of Default Cryptographic Key Allowed 17
CWE-927 Use of Implicit Intent for Sensitive Communication Allowed 16
CWE-837 Improper Enforcement of a Single, Unique Action Allowed 16
CWE-836 Use of Password Hash Instead of Password for Authentication Allowed 16
CWE-657 Violation of Secure Design Principles Discouraged 16
CWE-526 Cleartext Storage of Sensitive Information in an Environment Variable Allowed 16
CWE-477 Use of Obsolete Function Allowed 16
CWE-392 Missing Report of Error Condition Allowed 16
CWE-366 Race Condition within a Thread Allowed 16
CWE-351 Insufficient Type Distinction Allowed 16
CWE-335 Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) Allowed 16
CWE-228 Improper Handling of Syntactically Invalid Structure Allowed-with-Review 16
CWE-195 Signed to Unsigned Conversion Error Allowed 16
CWE-177 Improper Handling of URL Encoding (Hex Encoding) Allowed 16
CWE-118 Incorrect Access of Indexable Resource ('Range Error') Discouraged 16
CWE-759 Use of a One-Way Hash without a Salt Allowed 15
CWE-413 Improper Resource Locking Allowed 15