Common Weakness Enumeration

Browse CWEs ranked by the number of vulnerabilities referencing them, and pivot to weakness details, mitigations, and related attack patterns.

Reset

765 CWEs

API response
CWE Name Mapping usage Occurrences
CWE-425 Direct Request ('Forced Browsing') Allowed 94
CWE-130 Improper Handling of Length Parameter Inconsistency Allowed 90
CWE-252 Unchecked Return Value Allowed 89
CWE-436 Interpretation Conflict Allowed-with-Review 87
CWE-328 Use of Weak Hash Allowed 87
CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') Allowed 87
CWE-506 Embedded Malicious Code Allowed-with-Review 86
CWE-377 Insecure Temporary File Allowed-with-Review 85
CWE-441 Unintended Proxy or Intermediary ('Confused Deputy') Allowed-with-Review 83
CWE-354 Improper Validation of Integrity Check Value Allowed 83
CWE-670 Always-Incorrect Control Flow Implementation Allowed-with-Review 82
CWE-1390 Weak Authentication Allowed-with-Review 82
CWE-704 Incorrect Type Conversion or Cast Allowed-with-Review 81
CWE-538 Insertion of Sensitive Information into Externally-Accessible File or Directory Allowed 81
CWE-620 Unverified Password Change Allowed 80
CWE-489 Active Debug Code Allowed 79
CWE-807 Reliance on Untrusted Inputs in a Security Decision Allowed 77
CWE-697 Incorrect Comparison Discouraged 76
CWE-331 Insufficient Entropy Allowed 76
CWE-926 Improper Export of Android Application Components Allowed 75
CWE-912 Hidden Functionality Allowed-with-Review 75
CWE-591 Sensitive Data Storage in Improperly Locked Memory Allowed 75
CWE-610 Externally Controlled Reference to a Resource in Another Sphere Discouraged 73
CWE-1286 Improper Validation of Syntactic Correctness of Input Allowed 73
CWE-681 Incorrect Conversion between Numeric Types Allowed 71
CWE-598 Use of HTTP Request With Sensitive Query String Allowed 70
CWE-459 Incomplete Cleanup Allowed 69
CWE-943 Improper Neutralization of Special Elements in Data Query Logic Allowed-with-Review 68
CWE-913 Improper Control of Dynamically-Managed Code Resources Allowed-with-Review 68
CWE-772 Missing Release of Resource after Effective Lifetime Allowed 68
CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') Allowed 67
CWE-150 Improper Neutralization of Escape, Meta, or Control Sequences Allowed 67
CWE-348 Use of Less Trusted Source Allowed 66
CWE-923 Improper Restriction of Communication Channel to Intended Endpoints Allowed-with-Review 65
CWE-799 Improper Control of Interaction Frequency Allowed-with-Review 65
CWE-325 Missing Cryptographic Step Allowed 65
CWE-15 External Control of System or Configuration Setting Allowed 65
CWE-916 Use of Password Hash With Insufficient Computational Effort Allowed 64
CWE-91 XML Injection (aka Blind XPath Injection) Allowed-with-Review 63
CWE-257 Storing Passwords in a Recoverable Format Allowed 63
CWE-648 Incorrect Use of Privileged APIs Allowed 62
CWE-212 Improper Removal of Sensitive Information Before Storage or Transfer Allowed 62
CWE-29 Path Traversal: '\..\filename' Allowed 61
CWE-669 Incorrect Resource Transfer Between Spheres Allowed-with-Review 59
CWE-706 Use of Incorrectly-Resolved Name or Reference Allowed-with-Review 58
CWE-472 External Control of Assumed-Immutable Web Parameter Allowed 58