Common Weakness Enumeration

Browse CWEs ranked by the number of vulnerabilities referencing them, and pivot to weakness details, mitigations, and related attack patterns.

Reset

765 CWEs

API response
CWE Name Mapping usage Occurrences
CWE-23 Relative Path Traversal Allowed 506
CWE-347 Improper Verification of Cryptographic Signature Allowed 502
CWE-522 Insufficiently Protected Credentials Allowed-with-Review 468
CWE-611 Improper Restriction of XML External Entity Reference Allowed 465
CWE-693 Protection Mechanism Failure Discouraged 430
CWE-319 Cleartext Transmission of Sensitive Information Allowed 404
CWE-345 Insufficient Verification of Data Authenticity Discouraged 390
CWE-191 Integer Underflow (Wrap or Wraparound) Allowed 382
CWE-613 Insufficient Session Expiration Allowed-with-Review 376
CWE-307 Improper Restriction of Excessive Authentication Attempts Allowed 372
CWE-290 Authentication Bypass by Spoofing Allowed 365
CWE-754 Improper Check for Unusual or Exceptional Conditions Allowed-with-Review 363
CWE-201 Insertion of Sensitive Information Into Sent Data Allowed 353
CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere Allowed 348
CWE-428 Unquoted Search Path or Element Allowed 344
CWE-209 Generation of Error Message Containing Sensitive Information Allowed 336
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop') Allowed 331
CWE-327 Use of a Broken or Risky Cryptographic Algorithm Allowed-with-Review 328
CWE-1333 Inefficient Regular Expression Complexity Allowed 325
CWE-908 Use of Uninitialized Resource Allowed 317
CWE-250 Execution with Unnecessary Privileges Allowed 310
CWE-401 Missing Release of Memory after Effective Lifetime Allowed 302
CWE-617 Reachable Assertion Allowed 298
CWE-822 Untrusted Pointer Dereference Allowed 295
CWE-312 Cleartext Storage of Sensitive Information Allowed 290
CWE-346 Origin Validation Error Allowed-with-Review 282
CWE-426 Untrusted Search Path Allowed-with-Review 279
CWE-321 Use of Hard-coded Cryptographic Key Allowed 279
CWE-311 Missing Encryption of Sensitive Data Discouraged 272
CWE-415 Double Free Allowed 268
CWE-116 Improper Encoding or Escaping of Output Allowed-with-Review 259
CWE-552 Files or Directories Accessible to External Parties Allowed 249
CWE-707 Improper Neutralization Discouraged 246
CWE-674 Uncontrolled Recursion Allowed-with-Review 243
CWE-248 Uncaught Exception Allowed 240
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') Allowed 234
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') Allowed 231
CWE-129 Improper Validation of Array Index Allowed 231
CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') Allowed 225
CWE-789 Memory Allocation with Excessive Size Value Allowed 211
CWE-1284 Improper Validation of Specified Quantity in Input Allowed 208
CWE-829 Inclusion of Functionality from Untrusted Control Sphere Allowed 195
CWE-755 Improper Handling of Exceptional Conditions Discouraged 195
CWE-359 Exposure of Private Personal Information to an Unauthorized Actor Allowed 188
CWE-824 Access of Uninitialized Pointer Allowed 186
CWE-668 Exposure of Resource to Wrong Sphere Discouraged 186
CWE-384 Session Fixation Allowed 173
CWE-749 Exposed Dangerous Method or Function Allowed 171
CWE-256 Plaintext Storage of a Password Allowed 171