Common Weakness Enumeration

Browse CWEs ranked by the number of vulnerabilities referencing them, and pivot to weakness details, mitigations, and related attack patterns.

Reset

765 CWEs

API response
CWE Name Mapping usage Occurrences
CWE-184 Incomplete List of Disallowed Inputs Allowed 166
CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine Allowed 165
CWE-35 Path Traversal: '.../...//' Allowed 162
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection') Allowed 161
CWE-203 Observable Discrepancy Allowed 161
CWE-640 Weak Password Recovery Mechanism for Forgotten Password Allowed-with-Review 158
CWE-259 Use of Hard-coded Password Allowed 157
CWE-204 Observable Response Discrepancy Allowed 157
CWE-1188 Initialization of a Resource with an Insecure Default Allowed 152
CWE-61 UNIX Symbolic Link (Symlink) Following Allowed 151
CWE-208 Observable Timing Discrepancy Allowed 150
CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes Allowed 148
CWE-305 Authentication Bypass by Primary Weakness Allowed 148
CWE-1287 Improper Validation of Specified Type of Input Allowed 147
CWE-369 Divide By Zero Allowed 146
CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') Allowed 144
CWE-788 Access of Memory Location After End of Buffer Discouraged 144
CWE-36 Absolute Path Traversal Allowed 143
CWE-1236 Improper Neutralization of Formula Elements in a CSV File Allowed 142
CWE-1220 Insufficient Granularity of Access Control Allowed 139
CWE-330 Use of Insufficiently Random Values Discouraged 137
CWE-326 Inadequate Encryption Strength Allowed-with-Review 135
CWE-280 Improper Handling of Insufficient Permissions or Privileges Allowed 135
CWE-134 Use of Externally-Controlled Format String Allowed 131
CWE-494 Download of Code Without Integrity Check Allowed 126
CWE-1021 Improper Restriction of Rendered UI Layers or Frames Allowed 126
CWE-407 Inefficient Algorithmic Complexity Allowed-with-Review 125
CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) Allowed 121
CWE-665 Improper Initialization Discouraged 119
CWE-294 Authentication Bypass by Capture-replay Allowed 119
CWE-521 Weak Password Requirements Allowed 118
CWE-457 Use of Uninitialized Variable Allowed 115
CWE-922 Insecure Storage of Sensitive Information Allowed-with-Review 114
CWE-281 Improper Preservation of Permissions Allowed 114
CWE-131 Incorrect Calculation of Buffer Size Allowed 114
CWE-703 Improper Check or Handling of Exceptional Conditions Discouraged 110
CWE-193 Off-by-one Error Allowed 110
CWE-451 User Interface (UI) Misrepresentation of Critical Information Allowed-with-Review 107
CWE-602 Client-Side Enforcement of Server-Side Security Allowed-with-Review 105
CWE-409 Improper Handling of Highly Compressed Data (Data Amplification) Allowed 101
CWE-197 Numeric Truncation Error Allowed 101
CWE-1392 Use of Default Credentials Allowed 101
CWE-680 Integer Overflow to Buffer Overflow Discouraged 100
CWE-303 Incorrect Implementation of Authentication Algorithm Allowed 100
CWE-24 Path Traversal: '../filedir' Allowed 100
CWE-942 Permissive Cross-domain Security Policy with Untrusted Domains Allowed 98
CWE-117 Improper Output Neutralization for Logs Allowed 97
CWE-823 Use of Out-of-range Pointer Offset Allowed 96
CWE-358 Improperly Implemented Security Check for Standard Allowed 96