Common Weakness Enumeration

Browse CWEs ranked by the number of vulnerabilities referencing them, and pivot to weakness details, mitigations, and related attack patterns.

Reset

287 CWEs ranked in 2025-10

API response
CWE Name Mapping usage Occurrences
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Allowed 607
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Allowed 269
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Discouraged 173
CWE-862 Missing Authorization Allowed-with-Review 161
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer Discouraged 88
CWE-352 Cross-Site Request Forgery (CSRF) Allowed 84
CWE-94 Improper Control of Generation of Code ('Code Injection') Allowed-with-Review 82
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Allowed-with-Review 80
CWE-416 Use After Free Allowed 79
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') Allowed 78
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor Discouraged 78
CWE-284 Improper Access Control Discouraged 74
CWE-121 Stack-based Buffer Overflow Allowed 65
CWE-434 Unrestricted Upload of File with Dangerous Type Allowed 61
CWE-502 Deserialization of Untrusted Data Allowed 54
CWE-125 Out-of-bounds Read Allowed 54
CWE-476 NULL Pointer Dereference Allowed 52
CWE-787 Out-of-bounds Write Allowed-with-Review 44
CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') Allowed-with-Review 42
CWE-918 Server-Side Request Forgery (SSRF) Allowed 38
CWE-863 Incorrect Authorization Allowed-with-Review 38
CWE-20 Improper Input Validation Discouraged 37
CWE-639 Authorization Bypass Through User-Controlled Key Allowed 36
CWE-770 Allocation of Resources Without Limits or Throttling Allowed 34
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection') Allowed-with-Review 34
CWE-306 Missing Authentication for Critical Function Allowed 34
CWE-122 Heap-based Buffer Overflow Allowed 32
CWE-287 Improper Authentication Discouraged 29
CWE-266 Incorrect Privilege Assignment Allowed 28
CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') Allowed 26
CWE-400 Uncontrolled Resource Consumption Discouraged 25
CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) Allowed 24
CWE-601 URL Redirection to Untrusted Site ('Open Redirect') Allowed 24
CWE-288 Authentication Bypass Using an Alternate Path or Channel Allowed 21
CWE-532 Insertion of Sensitive Information into Log File Allowed 20
CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere Allowed 20
CWE-285 Improper Authorization Discouraged 19
CWE-250 Execution with Unnecessary Privileges Allowed 19
CWE-427 Uncontrolled Search Path Element Allowed-with-Review 17
CWE-269 Improper Privilege Management Discouraged 17
CWE-73 External Control of File Name or Path Allowed 16
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') Allowed-with-Review 16
CWE-190 Integer Overflow or Wraparound Allowed 16
CWE-126 Buffer Over-read Allowed 16
CWE-732 Incorrect Permission Assignment for Critical Resource Allowed-with-Review 15
CWE-59 Improper Link Resolution Before File Access ('Link Following') Allowed 14
CWE-23 Relative Path Traversal Allowed 13
CWE-201 Insertion of Sensitive Information Into Sent Data Allowed 13
CWE-613 Insufficient Session Expiration Allowed-with-Review 12
CWE-276 Incorrect Default Permissions Allowed 12