Common Weakness Enumeration

Browse CWEs ranked by the number of vulnerabilities referencing them, and pivot to weakness details, mitigations, and related attack patterns.

Reset

765 CWEs

API response
CWE Name Mapping usage Occurrences
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Allowed 23727
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Allowed 10032
CWE-862 Missing Authorization Allowed-with-Review 6798
CWE-352 Cross-Site Request Forgery (CSRF) Allowed 5117
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Allowed-with-Review 4331
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Discouraged 4276
CWE-20 Improper Input Validation Discouraged 4088
CWE-416 Use After Free Allowed 4077
CWE-125 Out-of-bounds Read Allowed 3874
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor Discouraged 3532
CWE-122 Heap-based Buffer Overflow Allowed 3361
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') Allowed 3347
CWE-284 Improper Access Control Discouraged 3336
CWE-121 Stack-based Buffer Overflow Allowed 3067
CWE-94 Improper Control of Generation of Code ('Code Injection') Allowed-with-Review 3020
CWE-787 Out-of-bounds Write Allowed-with-Review 2789
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer Discouraged 2661
CWE-434 Unrestricted Upload of File with Dangerous Type Allowed 2354
CWE-918 Server-Side Request Forgery (SSRF) Allowed 2245
CWE-502 Deserialization of Untrusted Data Allowed 2209
CWE-863 Incorrect Authorization Allowed-with-Review 1947
CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') Allowed-with-Review 1921
CWE-400 Uncontrolled Resource Consumption Discouraged 1865
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection') Allowed-with-Review 1800
CWE-287 Improper Authentication Discouraged 1659
CWE-639 Authorization Bypass Through User-Controlled Key Allowed 1634
CWE-306 Missing Authentication for Critical Function Allowed 1568
CWE-476 NULL Pointer Dereference Allowed 1393
CWE-285 Improper Authorization Discouraged 1389
CWE-190 Integer Overflow or Wraparound Allowed 1341
CWE-770 Allocation of Resources Without Limits or Throttling Allowed 1337
CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') Allowed 1258
CWE-269 Improper Privilege Management Discouraged 1223
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') Allowed-with-Review 1099
CWE-266 Incorrect Privilege Assignment Allowed 978
CWE-601 URL Redirection to Untrusted Site ('Open Redirect') Allowed 867
CWE-427 Uncontrolled Search Path Element Allowed-with-Review 773
CWE-59 Improper Link Resolution Before File Access ('Link Following') Allowed 696
CWE-532 Insertion of Sensitive Information into Log File Allowed 681
CWE-798 Use of Hard-coded Credentials Allowed-with-Review 646
CWE-295 Improper Certificate Validation Allowed 629
CWE-126 Buffer Over-read Allowed 566
CWE-276 Incorrect Default Permissions Allowed 557
CWE-843 Access of Resource Using Incompatible Type ('Type Confusion') Allowed 555
CWE-288 Authentication Bypass Using an Alternate Path or Channel Allowed 550
CWE-404 Improper Resource Shutdown or Release Allowed-with-Review 549
CWE-732 Incorrect Permission Assignment for Critical Resource Allowed-with-Review 546
CWE-73 External Control of File Name or Path Allowed 526
CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) Allowed 524
CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition Allowed 521