Common Weakness Enumeration

Browse CWEs ranked by the number of vulnerabilities referencing them, and pivot to weakness details, mitigations, and related attack patterns.

Reset

765 CWEs

API response
CWE Name Mapping usage Occurrences
CWE-337 Predictable Seed in Pseudo-Random Number Generator (PRNG) Allowed 15
CWE-273 Improper Check for Dropped Privileges Allowed 15
CWE-271 Privilege Dropping / Lowering Errors Allowed-with-Review 15
CWE-244 Improper Clearing of Heap Memory Before Release ('Heap Inspection') Allowed 15
CWE-155 Improper Neutralization of Wildcards or Matching Symbols Allowed 15
CWE-1386 Insecure Operation on Windows Junction / Mount Point Allowed 15
CWE-1191 On-Chip Debug and Test Interface With Improper Access Control Allowed 15
CWE-453 Insecure Default Variable Initialization Allowed 14
CWE-394 Unexpected Status Code or Return Value Allowed 14
CWE-159 Improper Handling of Invalid Use of Special Elements Allowed-with-Review 14
CWE-1325 Improperly Controlled Sequential Memory Allocation Allowed 14
CWE-1242 Inclusion of Undocumented Features or Chicken Bits Allowed 14
CWE-909 Missing Initialization of Resource Allowed-with-Review 13
CWE-820 Missing Synchronization Allowed 13
CWE-804 Guessable CAPTCHA Allowed 13
CWE-643 Improper Neutralization of Data within XPath Expressions ('XPath Injection') Allowed 13
CWE-642 External Control of Critical State Data Allowed-with-Review 13
CWE-549 Missing Password Field Masking Allowed 13
CWE-406 Insufficient Control of Network Message Volume (Network Amplification) Allowed-with-Review 13
CWE-393 Return of Wrong Status Code Allowed 13
CWE-364 Signal Handler Race Condition Allowed 13
CWE-334 Small Space of Random Values Allowed 13
CWE-138 Improper Neutralization of Special Elements Discouraged 13
CWE-84 Improper Neutralization of Encoded URI Schemes in a Web Page Allowed 12
CWE-821 Incorrect Synchronization Allowed 12
CWE-790 Improper Filtering of Special Elements Allowed-with-Review 12
CWE-76 Improper Neutralization of Equivalent Special Elements Allowed 12
CWE-650 Trusting HTTP Permission Methods on the Server Side Allowed 12
CWE-647 Use of Non-Canonical URL Paths for Authorization Decisions Allowed 12
CWE-551 Incorrect Behavior Order: Authorization Before Parsing and Canonicalization Allowed 12
CWE-530 Exposure of Backup File to an Unauthorized Control Sphere Allowed 12
CWE-449 The UI Performs the Wrong Action Allowed 12
CWE-395 Use of NullPointerException Catch to Detect NULL Pointer Dereference Allowed 12
CWE-329 Generation of Predictable IV with CBC Mode Allowed 12
CWE-26 Path Traversal: '/dir/../filename' Allowed 12
CWE-25 Path Traversal: '/../filedir' Allowed 12
CWE-229 Improper Handling of Values Allowed 12
CWE-187 Partial String Comparison Allowed 12
CWE-1260 Improper Handling of Overlap Between Protected Memory Ranges Allowed 12
CWE-1244 Internal Asset Exposed to Unsafe Debug Access Level or State Allowed 12
CWE-1025 Comparison Using Wrong Factors Allowed 12
CWE-1023 Incomplete Comparison with Missing Factors Allowed-with-Review 12
CWE-1022 Use of Web Link to Untrusted Target with window.opener Access Allowed 12
CWE-911 Improper Update of Reference Count Allowed 11
CWE-762 Mismatched Memory Management Routines Allowed 11
CWE-694 Use of Multiple Resources with Duplicate Identifier Allowed 11
CWE-612 Improper Authorization of Index Containing Sensitive Information Allowed 11
CWE-547 Use of Hard-coded, Security-relevant Constants Allowed 11