Common Weakness Enumeration
Browse CWEs ranked by the number of vulnerabilities referencing them, and pivot to weakness details, mitigations, and related attack patterns.
765 CWEs
API response| CWE | Name | Mapping usage | Occurrences |
|---|---|---|---|
| CWE-419 | Unprotected Primary Channel | Allowed | 11 |
| CWE-299 | Improper Check for Certificate Revocation | Allowed | 11 |
| CWE-242 | Use of Inherently Dangerous Function | Allowed | 11 |
| CWE-232 | Improper Handling of Undefined Values | Allowed | 11 |
| CWE-230 | Improper Handling of Missing Values | Allowed | 11 |
| CWE-1427 | Improper Neutralization of Input Used for LLM Prompting | Allowed | 11 |
| CWE-1299 | Missing Protection Mechanism for Alternate Hardware Interface | Allowed | 11 |
| CWE-1050 | Excessive Platform Resource Consumption within a Loop | Allowed | 11 |
| CWE-842 | Placement of User into Incorrect Group | Allowed | 10 |
| CWE-830 | Inclusion of Web Functionality from an Untrusted Source | Allowed | 10 |
| CWE-826 | Premature Release of Resource During Expected Lifetime | Allowed | 10 |
| CWE-656 | Reliance on Security Through Obscurity | Allowed-with-Review | 10 |
| CWE-646 | Reliance on File Name or Extension of Externally-Supplied File | Allowed | 10 |
| CWE-466 | Return of Pointer Value Outside of Expected Range | Allowed | 10 |
| CWE-363 | Race Condition Enabling Link Following | Allowed | 10 |
| CWE-341 | Predictable from Observable State | Allowed | 10 |
| CWE-308 | Use of Single-factor Authentication | Allowed | 10 |
| CWE-14 | Compiler Removal of Code to Clear Buffers | Allowed | 10 |
| CWE-1329 | Reliance on Component That is Not Updateable | Allowed | 10 |
| CWE-1258 | Exposure of Sensitive System Information Due to Uncleared Debug Information | Allowed | 10 |
| CWE-921 | Storage of Sensitive Data in a Mechanism without Access Control | Allowed | 9 |
| CWE-86 | Improper Neutralization of Invalid Characters in Identifiers in Web Pages | Allowed | 9 |
| CWE-760 | Use of a One-Way Hash with a Predictable Salt | Allowed | 9 |
| CWE-645 | Overly Restrictive Account Lockout Mechanism | Allowed | 9 |
| CWE-64 | Windows Shortcut Following (.LNK) | Allowed | 9 |
| CWE-626 | Null Byte Interaction Error (Poison Null Byte) | Allowed | 9 |
| CWE-573 | Improper Following of Specification by Caller | Allowed-with-Review | 9 |
| CWE-564 | SQL Injection: Hibernate | Allowed | 9 |
| CWE-561 | Dead Code | Allowed | 9 |
| CWE-480 | Use of Incorrect Operator | Allowed | 9 |
| CWE-291 | Reliance on IP Address for Authentication | Allowed | 9 |
| CWE-258 | Empty Password in Configuration File | Allowed | 9 |
| CWE-172 | Encoding Error | Allowed-with-Review | 9 |
| CWE-146 | Improper Neutralization of Expression/Command Delimiters | Allowed | 9 |
| CWE-141 | Improper Neutralization of Parameter/Argument Delimiters | Allowed | 9 |
| CWE-1326 | Missing Immutable Root of Trust in Hardware | Allowed | 9 |
| CWE-127 | Buffer Under-read | Allowed | 9 |
| CWE-81 | Improper Neutralization of Script in an Error Message Web Page | Allowed | 8 |
| CWE-676 | Use of Potentially Dangerous Function | Allowed | 8 |
| CWE-625 | Permissive Regular Expression | Allowed | 8 |
| CWE-456 | Missing Initialization of a Variable | Allowed | 8 |
| CWE-372 | Incomplete Internal State Distinction | Discouraged | 8 |
| CWE-223 | Omission of Security-relevant Information | Allowed | 8 |
| CWE-196 | Unsigned to Signed Conversion Error | Allowed | 8 |
| CWE-1419 | Incorrect Initialization of Resource | Allowed-with-Review | 8 |
| CWE-1282 | Assumed-Immutable Data is Stored in Writable Memory | Allowed | 8 |
| CWE-1263 | Improper Physical Access Control | Allowed-with-Review | 8 |