CWE List

ID Name Occurrences
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') 533
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') 356
CWE-862 Missing Authorization 279
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') 230
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') 225
CWE-94 Improper Control of Generation of Code ('Code Injection') 194
CWE-918 Server-Side Request Forgery (SSRF) 183
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection') 178
CWE-863 Incorrect Authorization 170
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') 169
CWE-284 Improper Access Control 140
CWE-639 Authorization Bypass Through User-Controlled Key 138
CWE-122 Heap-based Buffer Overflow 132
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer 132
CWE-352 Cross-Site Request Forgery (CSRF) 124
CWE-20 Improper Input Validation 118
CWE-770 Allocation of Resources Without Limits or Throttling 116
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor 110
CWE-416 Use After Free 109
CWE-125 Out-of-bounds Read 104
CWE-121 Stack-based Buffer Overflow 102
CWE-400 Uncontrolled Resource Consumption 90
CWE-287 Improper Authentication 85
CWE-476 NULL Pointer Dereference 82
CWE-404 Improper Resource Shutdown or Release 80
CWE-190 Integer Overflow or Wraparound 77
CWE-787 Out-of-bounds Write 72
CWE-306 Missing Authentication for Critical Function 72
CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') 68
CWE-295 Improper Certificate Validation 64
CWE-502 Deserialization of Untrusted Data 60
CWE-269 Improper Privilege Management 60
CWE-434 Unrestricted Upload of File with Dangerous Type 52
CWE-285 Improper Authorization 52
CWE-266 Incorrect Privilege Assignment 51
CWE-59 Improper Link Resolution Before File Access ('Link Following') 48
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') 43
CWE-288 Authentication Bypass Using an Alternate Path or Channel 42
CWE-73 External Control of File Name or Path 40
CWE-693 Protection Mechanism Failure 40
CWE-601 URL Redirection to Untrusted Site ('Open Redirect') 39
CWE-754 Improper Check for Unusual or Exceptional Conditions 38
CWE-789 Memory Allocation with Excessive Size Value 36
CWE-345 Insufficient Verification of Data Authenticity 35
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection') 32
CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition 32
CWE-798 Use of Hard-coded Credentials 31
CWE-674 Uncontrolled Recursion 29
CWE-346 Origin Validation Error 29
CWE-732 Incorrect Permission Assignment for Critical Resource 28
CWE-1284 Improper Validation of Specified Quantity in Input 27
CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') 26
CWE-532 Insertion of Sensitive Information into Log File 25
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') 25
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop') 23
CWE-347 Improper Verification of Cryptographic Signature 23
CWE-23 Relative Path Traversal 23
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') 23
CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine 22
CWE-290 Authentication Bypass by Spoofing 21
CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) 20
CWE-522 Insufficiently Protected Credentials 20
CWE-427 Uncontrolled Search Path Element 20
CWE-415 Double Free 20
CWE-407 Inefficient Algorithmic Complexity 19
CWE-209 Generation of Error Message Containing Sensitive Information 19
CWE-184 Incomplete List of Disallowed Inputs 19
CWE-1188 Initialization of a Resource with an Insecure Default 19
CWE-91 XML Injection (aka Blind XPath Injection) 18
CWE-829 Inclusion of Functionality from Untrusted Control Sphere 18
CWE-307 Improper Restriction of Excessive Authentication Attempts 18
CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') 17
CWE-668 Exposure of Resource to Wrong Sphere 17
CWE-436 Interpretation Conflict 17
CWE-250 Execution with Unnecessary Privileges 17
CWE-193 Off-by-one Error 17
CWE-843 Access of Resource Using Incompatible Type ('Type Confusion') 16
CWE-613 Insufficient Session Expiration 16
CWE-312 Cleartext Storage of Sensitive Information 16
CWE-280 Improper Handling of Insufficient Permissions or Privileges 16
CWE-617 Reachable Assertion 15
CWE-208 Observable Timing Discrepancy 15
CWE-611 Improper Restriction of XML External Entity Reference 14
CWE-276 Incorrect Default Permissions 14
CWE-170 Improper Null Termination 14
CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes 13
CWE-552 Files or Directories Accessible to External Parties 13
CWE-475 Undefined Behavior for Input to API 13
CWE-248 Uncaught Exception 13
CWE-212 Improper Removal of Sensitive Information Before Storage or Transfer 13
CWE-130 Improper Handling of Length Parameter Inconsistency 13
CWE-1275 Sensitive Cookie with Improper SameSite Attribute 13
CWE-116 Improper Encoding or Escaping of Output 13
CWE-908 Use of Uninitialized Resource 12
CWE-426 Untrusted Search Path 12
CWE-327 Use of a Broken or Risky Cryptographic Algorithm 12
CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') 12
CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') 11
CWE-841 Improper Enforcement of Behavioral Workflow 11
CWE-749 Exposed Dangerous Method or Function 11
CWE-672 Operation on a Resource after Expiration or Release 11
CWE-636 Not Failing Securely ('Failing Open') 11
CWE-451 User Interface (UI) Misrepresentation of Critical Information 11
CWE-319 Cleartext Transmission of Sensitive Information 11
CWE-297 Improper Validation of Certificate with Host Mismatch 11
CWE-201 Insertion of Sensitive Information Into Sent Data 11
CWE-191 Integer Underflow (Wrap or Wraparound) 11
CWE-126 Buffer Over-read 11
CWE-822 Untrusted Pointer Dereference 10
CWE-640 Weak Password Recovery Mechanism for Forgotten Password 10
CWE-36 Absolute Path Traversal 10
CWE-35 Path Traversal: '.../...//' 10
CWE-321 Use of Hard-coded Cryptographic Key 10
CWE-942 Permissive Cross-domain Security Policy with Untrusted Domains 9
CWE-669 Incorrect Resource Transfer Between Spheres 9
CWE-61 UNIX Symbolic Link (Symlink) Following 9
CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere 9
CWE-409 Improper Handling of Highly Compressed Data (Data Amplification) 9
CWE-305 Authentication Bypass by Primary Weakness 9
CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') 8
CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') 8
CWE-696 Incorrect Behavior Order 8
CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') 8
CWE-428 Unquoted Search Path or Element 8
CWE-384 Session Fixation 8
CWE-358 Improperly Implemented Security Check for Standard 8
CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) 8
CWE-303 Incorrect Implementation of Authentication Algorithm 8
CWE-281 Improper Preservation of Permissions 8
CWE-150 Improper Neutralization of Escape, Meta, or Control Sequences 8
CWE-1333 Inefficient Regular Expression Complexity 8
CWE-755 Improper Handling of Exceptional Conditions 7
CWE-506 Embedded Malicious Code 7
CWE-393 Return of Wrong Status Code 7
CWE-331 Insufficient Entropy 7
CWE-204 Observable Response Discrepancy 7
CWE-197 Numeric Truncation Error 7
CWE-178 Improper Handling of Case Sensitivity 7
CWE-1392 Use of Default Credentials 7
CWE-1390 Weak Authentication 7
CWE-1286 Improper Validation of Syntactic Correctness of Input 7
CWE-824 Access of Uninitialized Pointer 6
CWE-602 Client-Side Enforcement of Server-Side Security 6
CWE-441 Unintended Proxy or Intermediary ('Confused Deputy') 6
CWE-440 Expected Behavior Violation 6
CWE-401 Missing Release of Memory after Effective Lifetime 6
CWE-392 Missing Report of Error Condition 6
CWE-385 Covert Timing Channel 6
CWE-369 Divide By Zero 6
CWE-340 Generation of Predictable Numbers or Identifiers 6
CWE-328 Use of Weak Hash 6
CWE-296 Improper Following of a Certificate's Chain of Trust 6
CWE-271 Privilege Dropping / Lowering Errors 6
CWE-242 Use of Inherently Dangerous Function 6
CWE-1395 Dependency on Vulnerable Third-Party Component 6
CWE-129 Improper Validation of Array Index 6
CWE-1287 Improper Validation of Specified Type of Input 6
CWE-1220 Insufficient Granularity of Access Control 6
CWE-943 Improper Neutralization of Special Elements in Data Query Logic 5
CWE-704 Incorrect Type Conversion or Cast 5
CWE-610 Externally Controlled Reference to a Resource in Another Sphere 5
CWE-603 Use of Client-Side Authentication 5
CWE-598 Use of HTTP Request With Sensitive Query String 5
CWE-294 Authentication Bypass by Capture-replay 5
CWE-252 Unchecked Return Value 5
CWE-158 Improper Neutralization of Null Byte or NUL Character 5
CWE-1236 Improper Neutralization of Formula Elements in a CSV File 5
CWE-1189 Improper Isolation of Shared Resources on System-on-a-Chip (SoC) 5
CWE-940 Improper Verification of Source of a Communication Channel 4
CWE-807 Reliance on Untrusted Inputs in a Security Decision 4
CWE-791 Incomplete Filtering of Special Elements 4
CWE-777 Regular Expression without Anchors 4
CWE-772 Missing Release of Resource after Effective Lifetime 4
CWE-771 Missing Reference to Active Allocated Resource 4
CWE-707 Improper Neutralization 4
CWE-682 Incorrect Calculation 4
CWE-620 Unverified Password Change 4
CWE-494 Download of Code Without Integrity Check 4
CWE-459 Incomplete Cleanup 4
CWE-359 Exposure of Private Personal Information to an Unauthorized Actor 4
CWE-330 Use of Insufficiently Random Values 4
CWE-326 Inadequate Encryption Strength 4
CWE-235 Improper Handling of Extra Parameters 4
CWE-203 Observable Discrepancy 4
CWE-1391 Use of Weak Credentials 4
CWE-99 Improper Control of Resource Identifiers ('Resource Injection') 3
CWE-926 Improper Export of Android Application Components 3
CWE-922 Insecure Storage of Sensitive Information 3
CWE-916 Use of Password Hash With Insufficient Computational Effort 3
CWE-87 Improper Neutralization of Alternate XSS Syntax 3
CWE-759 Use of a One-Way Hash without a Salt 3
CWE-697 Incorrect Comparison 3
CWE-670 Always-Incorrect Control Flow Implementation 3
CWE-626 Null Byte Interaction Error (Poison Null Byte) 3
CWE-524 Use of Cache Containing Sensitive Information 3
CWE-405 Asymmetric Resource Consumption (Amplification) 3
CWE-364 Signal Handler Race Condition 3
CWE-267 Privilege Defined With Unsafe Actions 3
CWE-259 Use of Hard-coded Password 3
CWE-183 Permissive List of Allowed Inputs 3
CWE-15 External Control of System or Configuration Setting 3
CWE-134 Use of Externally-Controlled Format String 3
CWE-131 Incorrect Calculation of Buffer Size 3
CWE-1289 Improper Validation of Unsafe Equivalence in Input 3
CWE-1021 Improper Restriction of Rendered UI Layers or Frames 3
CWE-913 Improper Control of Dynamically-Managed Code Resources 2
CWE-837 Improper Enforcement of a Single, Unique Action 2
CWE-823 Use of Out-of-range Pointer Offset 2
CWE-779 Logging of Excessive Data 2
CWE-778 Insufficient Logging 2
CWE-706 Use of Incorrectly-Resolved Name or Reference 2
CWE-690 Unchecked Return Value to NULL Pointer Dereference 2
CWE-648 Incorrect Use of Privileged APIs 2
CWE-646 Reliance on File Name or Extension of Externally-Supplied File 2
CWE-643 Improper Neutralization of Data within XPath Expressions ('XPath Injection') 2
CWE-606 Unchecked Input for Loop Condition 2
CWE-565 Reliance on Cookies without Validation and Integrity Checking 2
CWE-548 Exposure of Information Through Directory Listing 2
CWE-538 Insertion of Sensitive Information into Externally-Accessible File or Directory 2
CWE-521 Weak Password Requirements 2
CWE-489 Active Debug Code 2
CWE-488 Exposure of Data Element to Wrong Session 2
CWE-472 External Control of Assumed-Immutable Web Parameter 2
CWE-471 Modification of Assumed-Immutable Data (MAID) 2
CWE-457 Use of Uninitialized Variable 2
CWE-420 Unprotected Alternate Channel 2
CWE-390 Detection of Error Condition Without Action 2
CWE-349 Acceptance of Extraneous Untrusted Data With Trusted Data 2
CWE-348 Use of Less Trusted Source 2
CWE-322 Key Exchange without Entity Authentication 2
CWE-304 Missing Critical Step in Authentication 2
CWE-302 Authentication Bypass by Assumed-Immutable Data 2
CWE-283 Unverified Ownership 2
CWE-277 Insecure Inherited Permissions 2
CWE-256 Plaintext Storage of a Password 2
CWE-253 Incorrect Check of Function Return Value 2
CWE-24 Path Traversal: '../filedir' 2
CWE-233 Improper Handling of Parameters 2
CWE-192 Integer Coercion Error 2
CWE-185 Incorrect Regular Expression 2
CWE-1427 Improper Neutralization of Input Used for LLM Prompting 2
CWE-1384 Improper Handling of Physical or Environmental Conditions 2
CWE-138 Improper Neutralization of Special Elements 2
CWE-1329 Reliance on Component That is Not Updateable 2
CWE-1327 Binding to an Unrestricted IP Address 2
CWE-1285 Improper Validation of Specified Index, Position, or Offset in Input 2
CWE-1241 Use of Predictable Algorithm in Random Number Generator 2
CWE-124 Buffer Underwrite ('Buffer Underflow') 2
CWE-1233 Security-Sensitive Hardware Controls with Missing Lock Bit Protection 2
CWE-939 Improper Authorization in Handler for Custom URL Scheme 1
CWE-923 Improper Restriction of Communication Channel to Intended Endpoints 1
CWE-912 Hidden Functionality 1
CWE-839 Numeric Range Comparison Without Minimum Check 1
CWE-834 Excessive Iteration 1
CWE-833 Deadlock 1
CWE-83 Improper Neutralization of Script in Attributes in a Web Page 1
CWE-825 Expired Pointer Dereference 1
CWE-820 Missing Synchronization 1
CWE-805 Buffer Access with Incorrect Length Value 1
CWE-799 Improper Control of Interaction Frequency 1
CWE-790 Improper Filtering of Special Elements 1
CWE-784 Reliance on Cookies without Validation and Integrity Checking in a Security Decision 1
CWE-782 Exposed IOCTL with Insufficient Access Control 1
CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') 1
CWE-763 Release of Invalid Pointer or Reference 1
CWE-760 Use of a One-Way Hash with a Predictable Salt 1
CWE-757 Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') 1
CWE-703 Improper Check or Handling of Exceptional Conditions 1
CWE-684 Incorrect Provision of Specified Functionality 1
CWE-681 Incorrect Conversion between Numeric Types 1
CWE-680 Integer Overflow to Buffer Overflow 1
CWE-676 Use of Potentially Dangerous Function 1
CWE-667 Improper Locking 1
CWE-665 Improper Initialization 1
CWE-656 Reliance on Security Through Obscurity 1
CWE-653 Improper Isolation or Compartmentalization 1
CWE-650 Trusting HTTP Permission Methods on the Server Side 1
CWE-647 Use of Non-Canonical URL Paths for Authorization Decisions 1
CWE-644 Improper Neutralization of HTTP Headers for Scripting Syntax 1
CWE-637 Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism') 1
CWE-614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute 1
CWE-592 DEPRECATED: Authentication Bypass Issues 1
CWE-590 Free of Memory not on the Heap 1
CWE-573 Improper Following of Specification by Caller 1
CWE-561 Dead Code 1
CWE-549 Missing Password Field Masking 1
CWE-540 Inclusion of Sensitive Information in Source Code 1
CWE-539 Use of Persistent Cookies Containing Sensitive Information 1
CWE-530 Exposure of Backup File to an Unauthorized Control Sphere 1
CWE-526 Cleartext Storage of Sensitive Information in an Environment Variable 1
CWE-523 Unprotected Transport of Credentials 1
CWE-484 Omitted Break Statement in Switch 1
CWE-479 Signal Handler Use of a Non-reentrant Function 1
CWE-460 Improper Cleanup on Thrown Exception 1
CWE-443 DEPRECATED: HTTP response splitting 1
CWE-425 Direct Request ('Forced Browsing') 1
CWE-424 Improper Protection of Alternate Path 1
CWE-413 Improper Resource Locking 1
CWE-410 Insufficient Resource Pool 1
CWE-408 Incorrect Behavior Order: Early Amplification 1
CWE-406 Insufficient Control of Network Message Volume (Network Amplification) 1
CWE-379 Creation of Temporary File in Directory with Insecure Permissions 1
CWE-378 Creation of Temporary File With Insecure Permissions 1
CWE-357 Insufficient UI Warning of Dangerous Operations 1
CWE-354 Improper Validation of Integrity Check Value 1
CWE-353 Missing Support for Integrity Check 1
CWE-351 Insufficient Type Distinction 1
CWE-350 Reliance on Reverse DNS Resolution for a Security-Critical Action 1
CWE-344 Use of Invariant Value in Dynamically Changing Context 1
CWE-341 Predictable from Observable State 1
CWE-334 Small Space of Random Values 1
CWE-332 Insufficient Entropy in PRNG 1
CWE-329 Generation of Predictable IV with CBC Mode 1
CWE-323 Reusing a Nonce, Key Pair in Encryption 1
CWE-316 Cleartext Storage of Sensitive Information in Memory 1
CWE-313 Cleartext Storage in a File or on Disk 1
CWE-29 Path Traversal: '\..\filename' 1
CWE-289 Authentication Bypass by Alternate Name 1
CWE-282 Improper Ownership Management 1
CWE-274 Improper Handling of Insufficient Privileges 1
CWE-273 Improper Check for Dropped Privileges 1
CWE-272 Least Privilege Violation 1
CWE-270 Privilege Context Switching Error 1
CWE-261 Weak Encoding for Password 1
CWE-26 Path Traversal: '/dir/../filename' 1
CWE-228 Improper Handling of Syntactically Invalid Structure 1
CWE-202 Exposure of Sensitive Information Through Data Queries 1
CWE-195 Signed to Unsigned Conversion Error 1
CWE-187 Partial String Comparison 1
CWE-180 Incorrect Behavior Order: Validate Before Canonicalize 1
CWE-176 Improper Handling of Unicode Encoding 1
CWE-172 Encoding Error 1
CWE-166 Improper Handling of Missing Special Element 1
CWE-1423 Exposure of Sensitive Information caused by Shared Microarchitectural Predictor State that Influences Transient Execution 1
CWE-1393 Use of Default Password 1
CWE-1386 Insecure Operation on Windows Junction / Mount Point 1
CWE-1385 Missing Origin Validation in WebSockets 1
CWE-1325 Improperly Controlled Sequential Memory Allocation 1
CWE-1322 Use of Blocking Code in Single-threaded, Non-blocking Context 1
CWE-1304 Improperly Preserved Integrity of Hardware Configuration State During a Power Save/Restore Operation 1
CWE-1300 Improper Protection of Physical Side Channels 1
CWE-1288 Improper Validation of Consistency within Input 1
CWE-1280 Access Control Check Implemented After Asset is Accessed 1
CWE-1274 Improper Access Control for Volatile Memory Containing Boot Code 1
CWE-1263 Improper Physical Access Control 1
CWE-1240 Use of a Cryptographic Primitive with a Risky Implementation 1
CWE-1230 Exposure of Sensitive Information Through Metadata 1
CWE-1104 Use of Unmaintained Third Party Components 1
CWE-1072 Data Resource Access without Use of Connection Pooling 1
CWE-1068 Inconsistency Between Implementation and Documented Design 1
CWE-1066 Missing Serialization Control Element 1
CWE-1004 Sensitive Cookie Without 'HttpOnly' Flag 1