Common Weakness Enumeration
Browse CWEs ranked by the number of vulnerabilities referencing them, and pivot to weakness details, mitigations, and related attack patterns.
765 CWEs
API response| CWE | Name | Mapping usage | Occurrences |
|---|---|---|---|
| CWE-337 | Predictable Seed in Pseudo-Random Number Generator (PRNG) | Allowed | 15 |
| CWE-273 | Improper Check for Dropped Privileges | Allowed | 15 |
| CWE-271 | Privilege Dropping / Lowering Errors | Allowed-with-Review | 15 |
| CWE-244 | Improper Clearing of Heap Memory Before Release ('Heap Inspection') | Allowed | 15 |
| CWE-155 | Improper Neutralization of Wildcards or Matching Symbols | Allowed | 15 |
| CWE-1386 | Insecure Operation on Windows Junction / Mount Point | Allowed | 15 |
| CWE-1191 | On-Chip Debug and Test Interface With Improper Access Control | Allowed | 15 |
| CWE-453 | Insecure Default Variable Initialization | Allowed | 14 |
| CWE-394 | Unexpected Status Code or Return Value | Allowed | 14 |
| CWE-159 | Improper Handling of Invalid Use of Special Elements | Allowed-with-Review | 14 |
| CWE-1325 | Improperly Controlled Sequential Memory Allocation | Allowed | 14 |
| CWE-1242 | Inclusion of Undocumented Features or Chicken Bits | Allowed | 14 |
| CWE-909 | Missing Initialization of Resource | Allowed-with-Review | 13 |
| CWE-820 | Missing Synchronization | Allowed | 13 |
| CWE-804 | Guessable CAPTCHA | Allowed | 13 |
| CWE-643 | Improper Neutralization of Data within XPath Expressions ('XPath Injection') | Allowed | 13 |
| CWE-642 | External Control of Critical State Data | Allowed-with-Review | 13 |
| CWE-549 | Missing Password Field Masking | Allowed | 13 |
| CWE-406 | Insufficient Control of Network Message Volume (Network Amplification) | Allowed-with-Review | 13 |
| CWE-393 | Return of Wrong Status Code | Allowed | 13 |
| CWE-364 | Signal Handler Race Condition | Allowed | 13 |
| CWE-334 | Small Space of Random Values | Allowed | 13 |
| CWE-138 | Improper Neutralization of Special Elements | Discouraged | 13 |
| CWE-84 | Improper Neutralization of Encoded URI Schemes in a Web Page | Allowed | 12 |
| CWE-821 | Incorrect Synchronization | Allowed | 12 |
| CWE-790 | Improper Filtering of Special Elements | Allowed-with-Review | 12 |
| CWE-76 | Improper Neutralization of Equivalent Special Elements | Allowed | 12 |
| CWE-650 | Trusting HTTP Permission Methods on the Server Side | Allowed | 12 |
| CWE-647 | Use of Non-Canonical URL Paths for Authorization Decisions | Allowed | 12 |
| CWE-551 | Incorrect Behavior Order: Authorization Before Parsing and Canonicalization | Allowed | 12 |
| CWE-530 | Exposure of Backup File to an Unauthorized Control Sphere | Allowed | 12 |
| CWE-449 | The UI Performs the Wrong Action | Allowed | 12 |
| CWE-395 | Use of NullPointerException Catch to Detect NULL Pointer Dereference | Allowed | 12 |
| CWE-329 | Generation of Predictable IV with CBC Mode | Allowed | 12 |
| CWE-26 | Path Traversal: '/dir/../filename' | Allowed | 12 |
| CWE-25 | Path Traversal: '/../filedir' | Allowed | 12 |
| CWE-229 | Improper Handling of Values | Allowed | 12 |
| CWE-187 | Partial String Comparison | Allowed | 12 |
| CWE-1260 | Improper Handling of Overlap Between Protected Memory Ranges | Allowed | 12 |
| CWE-1244 | Internal Asset Exposed to Unsafe Debug Access Level or State | Allowed | 12 |
| CWE-1025 | Comparison Using Wrong Factors | Allowed | 12 |
| CWE-1023 | Incomplete Comparison with Missing Factors | Allowed-with-Review | 12 |
| CWE-1022 | Use of Web Link to Untrusted Target with window.opener Access | Allowed | 12 |
| CWE-911 | Improper Update of Reference Count | Allowed | 11 |
| CWE-762 | Mismatched Memory Management Routines | Allowed | 11 |
| CWE-694 | Use of Multiple Resources with Duplicate Identifier | Allowed | 11 |
| CWE-612 | Improper Authorization of Index Containing Sensitive Information | Allowed | 11 |
| CWE-547 | Use of Hard-coded, Security-relevant Constants | Allowed | 11 |