CWE List

ID Name Occurrences
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') 725
CWE-862 Missing Authorization 403
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') 256
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') 208
CWE-352 Cross-Site Request Forgery (CSRF) 178
CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') 166
CWE-94 Improper Control of Generation of Code ('Code Injection') 109
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') 100
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer 87
CWE-434 Unrestricted Upload of File with Dangerous Type 83
CWE-121 Stack-based Buffer Overflow 75
CWE-502 Deserialization of Untrusted Data 71
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') 70
CWE-639 Authorization Bypass Through User-Controlled Key 69
CWE-306 Missing Authentication for Critical Function 65
CWE-284 Improper Access Control 58
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection') 55
CWE-20 Improper Input Validation 52
CWE-125 Out-of-bounds Read 52
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor 51
CWE-918 Server-Side Request Forgery (SSRF) 49
CWE-863 Incorrect Authorization 41
CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere 40
CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') 39
CWE-416 Use After Free 38
CWE-787 Out-of-bounds Write 37
CWE-266 Incorrect Privilege Assignment 37
CWE-122 Heap-based Buffer Overflow 36
CWE-427 Uncontrolled Search Path Element 34
CWE-201 Insertion of Sensitive Information Into Sent Data 30
CWE-285 Improper Authorization 28
CWE-190 Integer Overflow or Wraparound 26
CWE-601 URL Redirection to Untrusted Site ('Open Redirect') 25
CWE-770 Allocation of Resources Without Limits or Throttling 24
CWE-798 Use of Hard-coded Credentials 20
CWE-476 NULL Pointer Dereference 19
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') 19
CWE-287 Improper Authentication 19
CWE-428 Unquoted Search Path or Element 17
CWE-269 Improper Privilege Management 17
CWE-732 Incorrect Permission Assignment for Critical Resource 16
CWE-693 Protection Mechanism Failure 14
CWE-617 Reachable Assertion 14
CWE-321 Use of Hard-coded Cryptographic Key 14
CWE-749 Exposed Dangerous Method or Function 13
CWE-347 Improper Verification of Cryptographic Signature 12
CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) 11
CWE-290 Authentication Bypass by Spoofing 11
CWE-611 Improper Restriction of XML External Entity Reference 10
CWE-532 Insertion of Sensitive Information into Log File 10
CWE-327 Use of a Broken or Risky Cryptographic Algorithm 10
CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine 10
CWE-73 External Control of File Name or Path 9
CWE-59 Improper Link Resolution Before File Access ('Link Following') 9
CWE-400 Uncontrolled Resource Consumption 9
CWE-356 Product UI does not Warn User of Unsafe Actions 9
CWE-250 Execution with Unnecessary Privileges 9
CWE-913 Improper Control of Dynamically-Managed Code Resources 8
CWE-552 Files or Directories Accessible to External Parties 8
CWE-522 Insufficiently Protected Credentials 8
CWE-359 Exposure of Private Personal Information to an Unauthorized Actor 8
CWE-319 Cleartext Transmission of Sensitive Information 8
CWE-126 Buffer Over-read 8
CWE-640 Weak Password Recovery Mechanism for Forgotten Password 7
CWE-61 UNIX Symbolic Link (Symlink) Following 7
CWE-405 Asymmetric Resource Consumption (Amplification) 7
CWE-404 Improper Resource Shutdown or Release 7
CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition 7
CWE-288 Authentication Bypass Using an Alternate Path or Channel 7
CWE-204 Observable Response Discrepancy 7
CWE-822 Untrusted Pointer Dereference 6
CWE-494 Download of Code Without Integrity Check 6
CWE-425 Direct Request ('Forced Browsing') 6
CWE-312 Cleartext Storage of Sensitive Information 6
CWE-307 Improper Restriction of Excessive Authentication Attempts 6
CWE-295 Improper Certificate Validation 6
CWE-256 Plaintext Storage of a Password 6
CWE-23 Relative Path Traversal 6
CWE-209 Generation of Error Message Containing Sensitive Information 6
CWE-1287 Improper Validation of Specified Type of Input 6
CWE-1284 Improper Validation of Specified Quantity in Input 6
CWE-1188 Initialization of a Resource with an Insecure Default 6
CWE-116 Improper Encoding or Escaping of Output 6
CWE-829 Inclusion of Functionality from Untrusted Control Sphere 5
CWE-613 Insufficient Session Expiration 5
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') 5
CWE-441 Unintended Proxy or Intermediary ('Confused Deputy') 5
CWE-426 Untrusted Search Path 5
CWE-36 Absolute Path Traversal 5
CWE-346 Origin Validation Error 5
CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) 5
CWE-331 Insufficient Entropy 5
CWE-276 Incorrect Default Permissions 5
CWE-248 Uncaught Exception 5
CWE-203 Observable Discrepancy 5
CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes 4
CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') 4
CWE-674 Uncontrolled Recursion 4
CWE-35 Path Traversal: '.../...//' 4
CWE-330 Use of Insufficiently Random Values 4
CWE-212 Improper Removal of Sensitive Information Before Storage or Transfer 4
CWE-184 Incomplete List of Disallowed Inputs 4
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') 4
CWE-1236 Improper Neutralization of Formula Elements in a CSV File 4
CWE-1021 Improper Restriction of Rendered UI Layers or Frames 4
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection') 3
CWE-843 Access of Resource Using Incompatible Type ('Type Confusion') 3
CWE-807 Reliance on Untrusted Inputs in a Security Decision 3
CWE-754 Improper Check for Unusual or Exceptional Conditions 3
CWE-620 Unverified Password Change 3
CWE-602 Client-Side Enforcement of Server-Side Security 3
CWE-565 Reliance on Cookies without Validation and Integrity Checking 3
CWE-548 Exposure of Information Through Directory Listing 3
CWE-457 Use of Uninitialized Variable 3
CWE-451 User Interface (UI) Misrepresentation of Critical Information 3
CWE-415 Double Free 3
CWE-384 Session Fixation 3
CWE-358 Improperly Implemented Security Check for Standard 3
CWE-311 Missing Encryption of Sensitive Data 3
CWE-305 Authentication Bypass by Primary Weakness 3
CWE-303 Incorrect Implementation of Authentication Algorithm 3
CWE-260 Password in Configuration File 3
CWE-259 Use of Hard-coded Password 3
CWE-1392 Use of Default Credentials 3
CWE-129 Improper Validation of Array Index 3
CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') 2
CWE-940 Improper Verification of Source of a Communication Channel 2
CWE-916 Use of Password Hash With Insufficient Computational Effort 2
CWE-914 Improper Control of Dynamically-Identified Variables 2
CWE-908 Use of Uninitialized Resource 2
CWE-841 Improper Enforcement of Behavioral Workflow 2
CWE-824 Access of Uninitialized Pointer 2
CWE-763 Release of Invalid Pointer or Reference 2
CWE-755 Improper Handling of Exceptional Conditions 2
CWE-708 Incorrect Ownership Assignment 2
CWE-707 Improper Neutralization 2
CWE-706 Use of Incorrectly-Resolved Name or Reference 2
CWE-667 Improper Locking 2
CWE-644 Improper Neutralization of HTTP Headers for Scripting Syntax 2
CWE-524 Use of Cache Containing Sensitive Information 2
CWE-521 Weak Password Requirements 2
CWE-489 Active Debug Code 2
CWE-459 Incomplete Cleanup 2
CWE-403 Exposure of File Descriptor to Unintended Control Sphere ('File Descriptor Leak') 2
CWE-379 Creation of Temporary File in Directory with Insecure Permissions 2
CWE-377 Insecure Temporary File 2
CWE-348 Use of Less Trusted Source 2
CWE-313 Cleartext Storage in a File or on Disk 2
CWE-289 Authentication Bypass by Alternate Name 2
CWE-280 Improper Handling of Insufficient Permissions or Privileges 2
CWE-279 Incorrect Execution-Assigned Permissions 2
CWE-24 Path Traversal: '../filedir' 2
CWE-202 Exposure of Sensitive Information Through Data Queries 2
CWE-170 Improper Null Termination 2
CWE-1394 Use of Default Cryptographic Key 2
CWE-1333 Inefficient Regular Expression Complexity 2
CWE-1244 Internal Asset Exposed to Unsafe Debug Access Level or State 2
CWE-1191 On-Chip Debug and Test Interface With Improper Access Control 2
CWE-117 Improper Output Neutralization for Logs 2
CWE-97 Improper Neutralization of Server-Side Includes (SSI) Within a Web Page 1
CWE-926 Improper Export of Android Application Components 1
CWE-922 Insecure Storage of Sensitive Information 1
CWE-912 Hidden Functionality 1
CWE-91 XML Injection (aka Blind XPath Injection) 1
CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') 1
CWE-87 Improper Neutralization of Alternate XSS Syntax 1
CWE-836 Use of Password Hash Instead of Password for Authentication 1
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop') 1
CWE-834 Excessive Iteration 1
CWE-799 Improper Control of Interaction Frequency 1
CWE-791 Incomplete Filtering of Special Elements 1
CWE-778 Insufficient Logging 1
CWE-775 Missing Release of File Descriptor or Handle after Effective Lifetime 1
CWE-703 Improper Check or Handling of Exceptional Conditions 1
CWE-681 Incorrect Conversion between Numeric Types 1
CWE-675 Multiple Operations on Resource in Single-Operation Context 1
CWE-669 Incorrect Resource Transfer Between Spheres 1
CWE-665 Improper Initialization 1
CWE-653 Improper Isolation or Compartmentalization 1
CWE-648 Incorrect Use of Privileged APIs 1
CWE-647 Use of Non-Canonical URL Paths for Authorization Decisions 1
CWE-614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute 1
CWE-610 Externally Controlled Reference to a Resource in Another Sphere 1
CWE-603 Use of Client-Side Authentication 1
CWE-592 DEPRECATED: Authentication Bypass Issues 1
CWE-573 Improper Following of Specification by Caller 1
CWE-549 Missing Password Field Masking 1
CWE-541 Inclusion of Sensitive Information in an Include File 1
CWE-538 Insertion of Sensitive Information into Externally-Accessible File or Directory 1
CWE-530 Exposure of Backup File to an Unauthorized Control Sphere 1
CWE-526 Cleartext Storage of Sensitive Information in an Environment Variable 1
CWE-523 Unprotected Transport of Credentials 1
CWE-506 Embedded Malicious Code 1
CWE-501 Trust Boundary Violation 1
CWE-472 External Control of Assumed-Immutable Web Parameter 1
CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') 1
CWE-440 Expected Behavior Violation 1
CWE-436 Interpretation Conflict 1
CWE-424 Improper Protection of Alternate Path 1
CWE-420 Unprotected Alternate Channel 1
CWE-410 Insufficient Resource Pool 1
CWE-409 Improper Handling of Highly Compressed Data (Data Amplification) 1
CWE-407 Inefficient Algorithmic Complexity 1
CWE-402 Transmission of Private Resources into a New Sphere ('Resource Leak') 1
CWE-401 Missing Release of Memory after Effective Lifetime 1
CWE-378 Creation of Temporary File With Insecure Permissions 1
CWE-363 Race Condition Enabling Link Following 1
CWE-354 Improper Validation of Integrity Check Value 1
CWE-345 Insufficient Verification of Data Authenticity 1
CWE-340 Generation of Predictable Numbers or Identifiers 1
CWE-328 Use of Weak Hash 1
CWE-326 Inadequate Encryption Strength 1
CWE-323 Reusing a Nonce, Key Pair in Encryption 1
CWE-309 Use of Password System for Primary Authentication 1
CWE-302 Authentication Bypass by Assumed-Immutable Data 1
CWE-298 Improper Validation of Certificate Expiration 1
CWE-297 Improper Validation of Certificate with Host Mismatch 1
CWE-294 Authentication Bypass by Capture-replay 1
CWE-286 Incorrect User Management 1
CWE-268 Privilege Chaining 1
CWE-257 Storing Passwords in a Recoverable Format 1
CWE-252 Unchecked Return Value 1
CWE-25 Path Traversal: '/../filedir' 1
CWE-244 Improper Clearing of Heap Memory Before Release ('Heap Inspection') 1
CWE-241 Improper Handling of Unexpected Data Type 1
CWE-197 Numeric Truncation Error 1
CWE-195 Signed to Unsigned Conversion Error 1
CWE-191 Integer Underflow (Wrap or Wraparound) 1
CWE-178 Improper Handling of Case Sensitivity 1
CWE-158 Improper Neutralization of Null Byte or NUL Character 1
CWE-150 Improper Neutralization of Escape, Meta, or Control Sequences 1
CWE-149 Improper Neutralization of Quoting Syntax 1
CWE-1395 Dependency on Vulnerable Third-Party Component 1
CWE-1390 Weak Authentication 1
CWE-1385 Missing Origin Validation in WebSockets 1
CWE-134 Use of Externally-Controlled Format String 1
CWE-1325 Improperly Controlled Sequential Memory Allocation 1
CWE-131 Incorrect Calculation of Buffer Size 1
CWE-130 Improper Handling of Length Parameter Inconsistency 1
CWE-1299 Missing Protection Mechanism for Alternate Hardware Interface 1
CWE-1286 Improper Validation of Syntactic Correctness of Input 1
CWE-1275 Sensitive Cookie with Improper SameSite Attribute 1
CWE-1262 Improper Access Control for Register Interface 1
CWE-1254 Incorrect Comparison Logic Granularity 1
CWE-1250 Improper Preservation of Consistency Between Independent Representations of Shared State 1
CWE-1245 Improper Finite State Machines (FSMs) in Hardware Logic 1
CWE-1240 Use of a Cryptographic Primitive with a Risky Implementation 1
CWE-124 Buffer Underwrite ('Buffer Underflow') 1
CWE-115 Misinterpretation of Input 1
CWE-1023 Incomplete Comparison with Missing Factors 1