CWE List

| ID | Name | Occurrences |
|---|---|---|
| CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 929 |
| CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 577 |
| CWE-862 | Missing Authorization | 505 |
| CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 425 |
| CWE-416 | Use After Free | 369 |
| CWE-639 | Authorization Bypass Through User-Controlled Key | 277 |
| CWE-918 | Server-Side Request Forgery (SSRF) | 276 |
| CWE-125 | Out-of-bounds Read | 269 |
| CWE-502 | Deserialization of Untrusted Data | 265 |
| CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | 263 |
| CWE-284 | Improper Access Control | 258 |
| CWE-122 | Heap-based Buffer Overflow | 246 |
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 244 |
| CWE-74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') | 237 |
| CWE-400 | Uncontrolled Resource Consumption | 226 |
| CWE-94 | Improper Control of Generation of Code ('Code Injection') | 224 |
| CWE-20 | Improper Input Validation | 215 |
| CWE-863 | Incorrect Authorization | 214 |
| CWE-770 | Allocation of Resources Without Limits or Throttling | 182 |
| CWE-787 | Out-of-bounds Write | 178 |
| CWE-306 | Missing Authentication for Critical Function | 175 |
| CWE-287 | Improper Authentication | 161 |
| CWE-121 | Stack-based Buffer Overflow | 160 |
| CWE-190 | Integer Overflow or Wraparound | 149 |
| CWE-285 | Improper Authorization | 144 |
| CWE-266 | Incorrect Privilege Assignment | 128 |
| CWE-98 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') | 109 |
| CWE-352 | Cross-Site Request Forgery (CSRF) | 106 |
| CWE-59 | Improper Link Resolution Before File Access ('Link Following') | 101 |
| CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') | 100 |
| CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | 96 |
| CWE-434 | Unrestricted Upload of File with Dangerous Type | 92 |
| CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 88 |
| CWE-693 | Protection Mechanism Failure | 84 |
| CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') | 82 |
| CWE-476 | NULL Pointer Dereference | 70 |
| CWE-73 | External Control of File Name or Path | 63 |
| CWE-290 | Authentication Bypass by Spoofing | 63 |
| CWE-288 | Authentication Bypass Using an Alternate Path or Channel | 62 |
| CWE-367 | Time-of-check Time-of-use (TOCTOU) Race Condition | 60 |
| CWE-295 | Improper Certificate Validation | 57 |
| CWE-269 | Improper Privilege Management | 57 |
| CWE-674 | Uncontrolled Recursion | 54 |
| CWE-829 | Inclusion of Functionality from Untrusted Control Sphere | 53 |
| CWE-345 | Insufficient Verification of Data Authenticity | 52 |
| CWE-201 | Insertion of Sensitive Information Into Sent Data | 49 |
| CWE-401 | Missing Release of Memory after Effective Lifetime | 48 |
| CWE-444 | Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') | 47 |
| CWE-347 | Improper Verification of Cryptographic Signature | 47 |
| CWE-191 | Integer Underflow (Wrap or Wraparound) | 47 |
| CWE-428 | Unquoted Search Path or Element | 46 |
| CWE-116 | Improper Encoding or Escaping of Output | 45 |
| CWE-407 | Inefficient Algorithmic Complexity | 44 |
| CWE-798 | Use of Hard-coded Credentials | 43 |
| CWE-613 | Insufficient Session Expiration | 43 |
| CWE-327 | Use of a Broken or Risky Cryptographic Algorithm | 42 |
| CWE-346 | Origin Validation Error | 41 |
| CWE-843 | Access of Resource Using Incompatible Type ('Type Confusion') | 40 |
| CWE-1321 | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') | 40 |
| CWE-23 | Relative Path Traversal | 39 |
| CWE-184 | Incomplete List of Disallowed Inputs | 39 |
| CWE-835 | Loop with Unreachable Exit Condition ('Infinite Loop') | 38 |
| CWE-93 | Improper Neutralization of CRLF Sequences ('CRLF Injection') | 37 |
| CWE-120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | 37 |
| CWE-88 | Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') | 36 |
| CWE-427 | Uncontrolled Search Path Element | 36 |
| CWE-80 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | 33 |
| CWE-532 | Insertion of Sensitive Information into Log File | 32 |
| CWE-522 | Insufficiently Protected Credentials | 31 |
| CWE-732 | Incorrect Permission Assignment for Critical Resource | 30 |
| CWE-611 | Improper Restriction of XML External Entity Reference | 30 |
| CWE-319 | Cleartext Transmission of Sensitive Information | 30 |
| CWE-1188 | Initialization of a Resource with an Insecure Default | 30 |
| CWE-915 | Improperly Controlled Modification of Dynamically-Determined Object Attributes | 29 |
| CWE-126 | Buffer Over-read | 29 |
| CWE-789 | Memory Allocation with Excessive Size Value | 27 |
| CWE-250 | Execution with Unnecessary Privileges | 27 |
| CWE-426 | Untrusted Search Path | 26 |
| CWE-1333 | Inefficient Regular Expression Complexity | 26 |
| CWE-61 | UNIX Symbolic Link (Symlink) Following | 25 |
| CWE-497 | Exposure of Sensitive System Information to an Unauthorized Control Sphere | 25 |
| CWE-1284 | Improper Validation of Specified Quantity in Input | 25 |
| CWE-208 | Observable Timing Discrepancy | 24 |
| CWE-822 | Untrusted Pointer Dereference | 23 |
| CWE-617 | Reachable Assertion | 23 |
| CWE-328 | Use of Weak Hash | 23 |
| CWE-409 | Improper Handling of Highly Compressed Data (Data Amplification) | 22 |
| CWE-294 | Authentication Bypass by Capture-replay | 20 |
| CWE-193 | Off-by-one Error | 20 |
| CWE-436 | Interpretation Conflict | 19 |
| CWE-197 | Numeric Truncation Error | 19 |
| CWE-178 | Improper Handling of Case Sensitivity | 18 |
| CWE-943 | Improper Neutralization of Special Elements in Data Query Logic | 17 |
| CWE-404 | Improper Resource Shutdown or Release | 17 |
| CWE-307 | Improper Restriction of Excessive Authentication Attempts | 17 |
| CWE-276 | Incorrect Default Permissions | 17 |
| CWE-129 | Improper Validation of Array Index | 17 |
| CWE-95 | Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') | 16 |
| CWE-359 | Exposure of Private Personal Information to an Unauthorized Actor | 16 |
| CWE-321 | Use of Hard-coded Cryptographic Key | 16 |
| CWE-209 | Generation of Error Message Containing Sensitive Information | 16 |
| CWE-942 | Permissive Cross-domain Security Policy with Untrusted Domains | 15 |
| CWE-524 | Use of Cache Containing Sensitive Information | 15 |
| CWE-354 | Improper Validation of Integrity Check Value | 15 |
| CWE-602 | Client-Side Enforcement of Server-Side Security | 14 |
| CWE-415 | Double Free | 14 |
| CWE-384 | Session Fixation | 14 |
| CWE-338 | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) | 14 |
| CWE-330 | Use of Insufficiently Random Values | 14 |
| CWE-908 | Use of Uninitialized Resource | 13 |
| CWE-348 | Use of Less Trusted Source | 13 |
| CWE-340 | Generation of Predictable Numbers or Identifiers | 13 |
| CWE-183 | Permissive List of Allowed Inputs | 13 |
| CWE-113 | Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') | 13 |
| CWE-841 | Improper Enforcement of Behavioral Workflow | 12 |
| CWE-825 | Expired Pointer Dereference | 12 |
| CWE-670 | Always-Incorrect Control Flow Implementation | 12 |
| CWE-640 | Weak Password Recovery Mechanism for Forgotten Password | 12 |
| CWE-614 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | 12 |
| CWE-494 | Download of Code Without Integrity Check | 12 |
| CWE-470 | Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') | 12 |
| CWE-441 | Unintended Proxy or Intermediary ('Confused Deputy') | 12 |
| CWE-325 | Missing Cryptographic Step | 12 |
| CWE-280 | Improper Handling of Insufficient Permissions or Privileges | 12 |
| CWE-1336 | Improper Neutralization of Special Elements Used in a Template Engine | 12 |
| CWE-923 | Improper Restriction of Communication Channel to Intended Endpoints | 11 |
| CWE-697 | Incorrect Comparison | 11 |
| CWE-668 | Exposure of Resource to Wrong Sphere | 11 |
| CWE-451 | User Interface (UI) Misrepresentation of Critical Information | 11 |
| CWE-150 | Improper Neutralization of Escape, Meta, or Control Sequences | 11 |
| CWE-15 | External Control of System or Configuration Setting | 11 |
| CWE-1286 | Improper Validation of Syntactic Correctness of Input | 11 |
| CWE-1025 | Comparison Using Wrong Factors | 11 |
| CWE-776 | Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') | 10 |
| CWE-749 | Exposed Dangerous Method or Function | 10 |
| CWE-248 | Uncaught Exception | 10 |
| CWE-203 | Observable Discrepancy | 10 |
| CWE-1329 | Reliance on Component That is Not Updateable | 10 |
| CWE-131 | Incorrect Calculation of Buffer Size | 10 |
| CWE-538 | Insertion of Sensitive Information into Externally-Accessible File or Directory | 9 |
| CWE-377 | Insecure Temporary File | 9 |
| CWE-1392 | Use of Default Credentials | 9 |
| CWE-117 | Improper Output Neutralization for Logs | 9 |
| CWE-917 | Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') | 8 |
| CWE-916 | Use of Password Hash With Insufficient Computational Effort | 8 |
| CWE-425 | Direct Request ('Forced Browsing') | 8 |
| CWE-405 | Asymmetric Resource Consumption (Amplification) | 8 |
| CWE-349 | Acceptance of Extraneous Untrusted Data With Trusted Data | 8 |
| CWE-304 | Missing Critical Step in Authentication | 8 |
| CWE-303 | Incorrect Implementation of Authentication Algorithm | 8 |
| CWE-134 | Use of Externally-Controlled Format String | 8 |
| CWE-1287 | Improper Validation of Specified Type of Input | 8 |
| CWE-940 | Improper Verification of Source of a Communication Channel | 7 |
| CWE-913 | Improper Control of Dynamically-Managed Code Resources | 7 |
| CWE-707 | Improper Neutralization | 7 |
| CWE-706 | Use of Incorrectly-Resolved Name or Reference | 7 |
| CWE-681 | Incorrect Conversion between Numeric Types | 7 |
| CWE-305 | Authentication Bypass by Primary Weakness | 7 |
| CWE-176 | Improper Handling of Unicode Encoding | 7 |
| CWE-1021 | Improper Restriction of Rendered UI Layers or Frames | 7 |
| CWE-939 | Improper Authorization in Handler for Custom URL Scheme | 6 |
| CWE-754 | Improper Check for Unusual or Exceptional Conditions | 6 |
| CWE-680 | Integer Overflow to Buffer Overflow | 6 |
| CWE-636 | Not Failing Securely ('Failing Open') | 6 |
| CWE-620 | Unverified Password Change | 6 |
| CWE-606 | Unchecked Input for Loop Condition | 6 |
| CWE-552 | Files or Directories Accessible to External Parties | 6 |
| CWE-501 | Trust Boundary Violation | 6 |
| CWE-35 | Path Traversal: '.../...//' | 6 |
| CWE-335 | Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) | 6 |
| CWE-323 | Reusing a Nonce, Key Pair in Encryption | 6 |
| CWE-289 | Authentication Bypass by Alternate Name | 6 |
| CWE-272 | Least Privilege Violation | 6 |
| CWE-252 | Unchecked Return Value | 6 |
| CWE-1427 | Improper Neutralization of Input Used for LLM Prompting | 6 |
| CWE-1004 | Sensitive Cookie Without 'HttpOnly' Flag | 6 |
| CWE-99 | Improper Control of Resource Identifiers ('Resource Injection') | 5 |
| CWE-805 | Buffer Access with Incorrect Length Value | 5 |
| CWE-791 | Incomplete Filtering of Special Elements | 5 |
| CWE-782 | Exposed IOCTL with Insufficient Access Control | 5 |
| CWE-703 | Improper Check or Handling of Exceptional Conditions | 5 |
| CWE-665 | Improper Initialization | 5 |
| CWE-379 | Creation of Temporary File in Directory with Insecure Permissions | 5 |
| CWE-308 | Use of Single-factor Authentication | 5 |
| CWE-281 | Improper Preservation of Permissions | 5 |
| CWE-204 | Observable Response Discrepancy | 5 |
| CWE-180 | Incorrect Behavior Order: Validate Before Canonicalize | 5 |
| CWE-130 | Improper Handling of Length Parameter Inconsistency | 5 |
| CWE-1236 | Improper Neutralization of Formula Elements in a CSV File | 5 |
| CWE-1220 | Insufficient Granularity of Access Control | 5 |
| CWE-87 | Improper Neutralization of Alternate XSS Syntax | 4 |
| CWE-836 | Use of Password Hash Instead of Password for Authentication | 4 |
| CWE-834 | Excessive Iteration | 4 |
| CWE-83 | Improper Neutralization of Script in Attributes in a Web Page | 4 |
| CWE-807 | Reliance on Untrusted Inputs in a Security Decision | 4 |
| CWE-772 | Missing Release of Resource after Effective Lifetime | 4 |
| CWE-755 | Improper Handling of Exceptional Conditions | 4 |
| CWE-704 | Incorrect Type Conversion or Cast | 4 |
| CWE-669 | Incorrect Resource Transfer Between Spheres | 4 |
| CWE-644 | Improper Neutralization of HTTP Headers for Scripting Syntax | 4 |
| CWE-459 | Incomplete Cleanup | 4 |
| CWE-353 | Missing Support for Integrity Check | 4 |
| CWE-350 | Reliance on Reverse DNS Resolution for a Security-Critical Action | 4 |
| CWE-312 | Cleartext Storage of Sensitive Information | 4 |
| CWE-302 | Authentication Bypass by Assumed-Immutable Data | 4 |
| CWE-256 | Plaintext Storage of a Password | 4 |
| CWE-187 | Partial String Comparison | 4 |
| CWE-1289 | Improper Validation of Unsafe Equivalence in Input | 4 |
| CWE-1023 | Incomplete Comparison with Missing Factors | 4 |
| CWE-90 | Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') | 3 |
| CWE-823 | Use of Out-of-range Pointer Offset | 3 |
| CWE-672 | Operation on a Resource after Expiration or Release | 3 |
| CWE-641 | Improper Restriction of Names for Files and Other Resources | 3 |
| CWE-567 | Unsynchronized Access to Shared Data in a Multithreaded Context | 3 |
| CWE-565 | Reliance on Cookies without Validation and Integrity Checking | 3 |
| CWE-521 | Weak Password Requirements | 3 |
| CWE-440 | Expected Behavior Violation | 3 |
| CWE-41 | Improper Resolution of Path Equivalence | 3 |
| CWE-390 | Detection of Error Condition Without Action | 3 |
| CWE-36 | Absolute Path Traversal | 3 |
| CWE-324 | Use of a Key Past its Expiration Date | 3 |
| CWE-313 | Cleartext Storage in a File or on Disk | 3 |
| CWE-297 | Improper Validation of Certificate with Host Mismatch | 3 |
| CWE-1428 | Reliance on HTTP instead of HTTPS | 3 |
| CWE-1393 | Use of Default Password | 3 |
| CWE-1391 | Use of Weak Credentials | 3 |
| CWE-1285 | Improper Validation of Specified Index, Position, or Offset in Input | 3 |
| CWE-1230 | Exposure of Sensitive Information Through Metadata | 3 |
| CWE-123 | Write-what-where Condition | 3 |
| CWE-1104 | Use of Unmaintained Third Party Components | 3 |
| CWE-926 | Improper Export of Android Application Components | 2 |
| CWE-91 | XML Injection (aka Blind XPath Injection) | 2 |
| CWE-839 | Numeric Range Comparison Without Minimum Check | 2 |
| CWE-833 | Deadlock | 2 |
| CWE-824 | Access of Uninitialized Pointer | 2 |
| CWE-821 | Incorrect Synchronization | 2 |
| CWE-799 | Improper Control of Interaction Frequency | 2 |
| CWE-777 | Regular Expression without Anchors | 2 |
| CWE-757 | Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') | 2 |
| CWE-696 | Incorrect Behavior Order | 2 |
| CWE-682 | Incorrect Calculation | 2 |
| CWE-667 | Improper Locking | 2 |
| CWE-662 | Improper Synchronization | 2 |
| CWE-648 | Incorrect Use of Privileged APIs | 2 |
| CWE-610 | Externally Controlled Reference to a Resource in Another Sphere | 2 |
| CWE-551 | Incorrect Behavior Order: Authorization Before Parsing and Canonicalization | 2 |
| CWE-530 | Exposure of Backup File to an Unauthorized Control Sphere | 2 |
| CWE-523 | Unprotected Transport of Credentials | 2 |
| CWE-515 | Covert Storage Channel | 2 |
| CWE-488 | Exposure of Data Element to Wrong Session | 2 |
| CWE-480 | Use of Incorrect Operator | 2 |
| CWE-474 | Use of Function with Inconsistent Implementations | 2 |
| CWE-472 | External Control of Assumed-Immutable Web Parameter | 2 |
| CWE-471 | Modification of Assumed-Immutable Data (MAID) | 2 |
| CWE-454 | External Initialization of Trusted Variables or Data Stores | 2 |
| CWE-42 | Path Equivalence: 'filename.' (Trailing Dot) | 2 |
| CWE-414 | Missing Lock Check | 2 |
| CWE-393 | Return of Wrong Status Code | 2 |
| CWE-369 | Divide By Zero | 2 |
| CWE-358 | Improperly Implemented Security Check for Standard | 2 |
| CWE-331 | Insufficient Entropy | 2 |
| CWE-316 | Cleartext Storage of Sensitive Information in Memory | 2 |
| CWE-311 | Missing Encryption of Sensitive Data | 2 |
| CWE-261 | Weak Encoding for Password | 2 |
| CWE-259 | Use of Hard-coded Password | 2 |
| CWE-253 | Incorrect Check of Function Return Value | 2 |
| CWE-241 | Improper Handling of Unexpected Data Type | 2 |
| CWE-24 | Path Traversal: '../filedir' | 2 |
| CWE-230 | Improper Handling of Missing Values | 2 |
| CWE-228 | Improper Handling of Syntactically Invalid Structure | 2 |
| CWE-226 | Sensitive Information in Resource Not Removed Before Reuse | 2 |
| CWE-212 | Improper Removal of Sensitive Information Before Storage or Transfer | 2 |
| CWE-186 | Overly Restrictive Regular Expression | 2 |
| CWE-185 | Incorrect Regular Expression | 2 |
| CWE-182 | Collapse of Data into Unsafe Value | 2 |
| CWE-179 | Incorrect Behavior Order: Early Validation | 2 |
| CWE-170 | Improper Null Termination | 2 |
| CWE-162 | Improper Neutralization of Trailing Special Elements | 2 |
| CWE-158 | Improper Neutralization of Null Byte or NUL Character | 2 |
| CWE-148 | Improper Neutralization of Input Leaders | 2 |
| CWE-14 | Compiler Removal of Code to Clear Buffers | 2 |
| CWE-1395 | Dependency on Vulnerable Third-Party Component | 2 |
| CWE-1390 | Weak Authentication | 2 |
| CWE-1295 | Debug Messages Revealing Unnecessary Information | 2 |
| CWE-128 | Wrap-around Error | 2 |
| CWE-1259 | Improper Restriction of Security Token Assignment | 2 |
| CWE-1124 | Excessively Deep Nesting | 2 |
| CWE-924 | Improper Enforcement of Message Integrity During Transmission in a Communication Channel | 1 |
| CWE-922 | Insecure Storage of Sensitive Information | 1 |
| CWE-81 | Improper Neutralization of Script in an Error Message Web Page | 1 |
| CWE-804 | Guessable CAPTCHA | 1 |
| CWE-775 | Missing Release of File Descriptor or Handle after Effective Lifetime | 1 |
| CWE-763 | Release of Invalid Pointer or Reference | 1 |
| CWE-760 | Use of a One-Way Hash with a Predictable Salt | 1 |
| CWE-76 | Improper Neutralization of Equivalent Special Elements | 1 |
| CWE-758 | Reliance on Undefined, Unspecified, or Implementation-Defined Behavior | 1 |
| CWE-705 | Incorrect Control Flow Scoping | 1 |
| CWE-698 | Execution After Redirect (EAR) | 1 |
| CWE-653 | Improper Isolation or Compartmentalization | 1 |
| CWE-650 | Trusting HTTP Permission Methods on the Server Side | 1 |
| CWE-645 | Overly Restrictive Account Lockout Mechanism | 1 |
| CWE-625 | Permissive Regular Expression | 1 |
| CWE-590 | Free of Memory not on the Heap | 1 |
| CWE-548 | Exposure of Information Through Directory Listing | 1 |
| CWE-525 | Use of Web Browser Cache Containing Sensitive Information | 1 |
| CWE-514 | Covert Channel | 1 |
| CWE-506 | Embedded Malicious Code | 1 |
| CWE-489 | Active Debug Code | 1 |
| CWE-468 | Incorrect Pointer Scaling | 1 |
| CWE-457 | Use of Uninitialized Variable | 1 |
| CWE-424 | Improper Protection of Alternate Path | 1 |
| CWE-391 | Unchecked Error Condition | 1 |
| CWE-38 | Path Traversal: '\absolute\pathname\here' | 1 |
| CWE-339 | Small Seed Space in PRNG | 1 |
| CWE-326 | Inadequate Encryption Strength | 1 |
| CWE-299 | Improper Check for Certificate Revocation | 1 |
| CWE-296 | Improper Following of a Certificate's Chain of Trust | 1 |
| CWE-268 | Privilege Chaining | 1 |
| CWE-262 | Not Using Password Aging | 1 |
| CWE-26 | Path Traversal: '/dir/../filename' | 1 |
| CWE-257 | Storing Passwords in a Recoverable Format | 1 |
| CWE-195 | Signed to Unsigned Conversion Error | 1 |
| CWE-155 | Improper Neutralization of Wildcards or Matching Symbols | 1 |
| CWE-153 | Improper Neutralization of Substitution Characters | 1 |
| CWE-1389 | Incorrect Parsing of Numbers with Different Radices | 1 |
| CWE-1386 | Insecure Operation on Windows Junction / Mount Point | 1 |
| CWE-1385 | Missing Origin Validation in WebSockets | 1 |
| CWE-1325 | Improperly Controlled Sequential Memory Allocation | 1 |
| CWE-127 | Buffer Under-read | 1 |
| CWE-1262 | Improper Access Control for Register Interface | 1 |
| CWE-1258 | Exposure of Sensitive System Information Due to Uncleared Debug Information | 1 |
| CWE-1244 | Internal Asset Exposed to Unsafe Debug Access Level or State | 1 |
| CWE-1240 | Use of a Cryptographic Primitive with a Risky Implementation | 1 |
| CWE-124 | Buffer Underwrite ('Buffer Underflow') | 1 |
| CWE-115 | Misinterpretation of Input | 1 |