Common Weakness Enumeration
Browse CWEs ranked by the number of vulnerabilities referencing them, and pivot to weakness details, mitigations, and related attack patterns.
287 CWEs ranked in 2025-10
API response| CWE | Name | Mapping usage | Occurrences |
|---|---|---|---|
| CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | Allowed | 607 |
| CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | Allowed | 269 |
| CWE-74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') | Discouraged | 173 |
| CWE-862 | Missing Authorization | Allowed-with-Review | 161 |
| CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | Discouraged | 88 |
| CWE-352 | Cross-Site Request Forgery (CSRF) | Allowed | 84 |
| CWE-94 | Improper Control of Generation of Code ('Code Injection') | Allowed-with-Review | 82 |
| CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | Allowed-with-Review | 80 |
| CWE-416 | Use After Free | Allowed | 79 |
| CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | Allowed | 78 |
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | Discouraged | 78 |
| CWE-284 | Improper Access Control | Discouraged | 74 |
| CWE-121 | Stack-based Buffer Overflow | Allowed | 65 |
| CWE-434 | Unrestricted Upload of File with Dangerous Type | Allowed | 61 |
| CWE-502 | Deserialization of Untrusted Data | Allowed | 54 |
| CWE-125 | Out-of-bounds Read | Allowed | 54 |
| CWE-476 | NULL Pointer Dereference | Allowed | 52 |
| CWE-787 | Out-of-bounds Write | Allowed-with-Review | 44 |
| CWE-120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | Allowed-with-Review | 42 |
| CWE-918 | Server-Side Request Forgery (SSRF) | Allowed | 38 |
| CWE-863 | Incorrect Authorization | Allowed-with-Review | 38 |
| CWE-20 | Improper Input Validation | Discouraged | 37 |
| CWE-639 | Authorization Bypass Through User-Controlled Key | Allowed | 36 |
| CWE-770 | Allocation of Resources Without Limits or Throttling | Allowed | 34 |
| CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') | Allowed-with-Review | 34 |
| CWE-306 | Missing Authentication for Critical Function | Allowed | 34 |
| CWE-122 | Heap-based Buffer Overflow | Allowed | 32 |
| CWE-287 | Improper Authentication | Discouraged | 29 |
| CWE-266 | Incorrect Privilege Assignment | Allowed | 28 |
| CWE-98 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') | Allowed | 26 |
| CWE-400 | Uncontrolled Resource Consumption | Discouraged | 25 |
| CWE-80 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | Allowed | 24 |
| CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') | Allowed | 24 |
| CWE-288 | Authentication Bypass Using an Alternate Path or Channel | Allowed | 21 |
| CWE-532 | Insertion of Sensitive Information into Log File | Allowed | 20 |
| CWE-497 | Exposure of Sensitive System Information to an Unauthorized Control Sphere | Allowed | 20 |
| CWE-285 | Improper Authorization | Discouraged | 19 |
| CWE-250 | Execution with Unnecessary Privileges | Allowed | 19 |
| CWE-427 | Uncontrolled Search Path Element | Allowed-with-Review | 17 |
| CWE-269 | Improper Privilege Management | Discouraged | 17 |
| CWE-73 | External Control of File Name or Path | Allowed | 16 |
| CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | Allowed-with-Review | 16 |
| CWE-190 | Integer Overflow or Wraparound | Allowed | 16 |
| CWE-126 | Buffer Over-read | Allowed | 16 |
| CWE-732 | Incorrect Permission Assignment for Critical Resource | Allowed-with-Review | 15 |
| CWE-59 | Improper Link Resolution Before File Access ('Link Following') | Allowed | 14 |
| CWE-23 | Relative Path Traversal | Allowed | 13 |
| CWE-201 | Insertion of Sensitive Information Into Sent Data | Allowed | 13 |
| CWE-613 | Insufficient Session Expiration | Allowed-with-Review | 12 |
| CWE-276 | Incorrect Default Permissions | Allowed | 12 |