Common Weakness Enumeration

Browse CWEs ranked by the number of vulnerabilities referencing them, and pivot to weakness details, mitigations, and related attack patterns.

Reset

765 CWEs

API response
CWE Name Mapping usage Occurrences
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Allowed 23744
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Allowed 10049
CWE-862 Missing Authorization Allowed-with-Review 6836
CWE-352 Cross-Site Request Forgery (CSRF) Allowed 5119
CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Allowed-with-Review 4359
CWE-74 Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') Discouraged 4279
CWE-416 Use After Free Allowed 4134
CWE-20 Improper Input Validation Discouraged 4101
CWE-125 Out-of-bounds Read Allowed 3908
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor Discouraged 3559
CWE-122 Heap-based Buffer Overflow Allowed 3408
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') Allowed 3368
CWE-284 Improper Access Control Discouraged 3356
CWE-121 Stack-based Buffer Overflow Allowed 3081
CWE-94 Improper Control of Generation of Code ('Code Injection') Allowed-with-Review 3041
CWE-787 Out-of-bounds Write Allowed-with-Review 2809
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer Discouraged 2661
CWE-434 Unrestricted Upload of File with Dangerous Type Allowed 2352
CWE-918 Server-Side Request Forgery (SSRF) Allowed 2265
CWE-502 Deserialization of Untrusted Data Allowed 2220
CWE-863 Incorrect Authorization Allowed-with-Review 1975
CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') Allowed-with-Review 1923
CWE-400 Uncontrolled Resource Consumption Discouraged 1882
CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection') Allowed-with-Review 1806
CWE-287 Improper Authentication Discouraged 1666
CWE-639 Authorization Bypass Through User-Controlled Key Allowed 1654
CWE-306 Missing Authentication for Critical Function Allowed 1585
CWE-476 NULL Pointer Dereference Allowed 1400
CWE-285 Improper Authorization Discouraged 1396
CWE-770 Allocation of Resources Without Limits or Throttling Allowed 1366
CWE-190 Integer Overflow or Wraparound Allowed 1357
CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') Allowed 1261
CWE-269 Improper Privilege Management Discouraged 1235
CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') Allowed-with-Review 1124
CWE-266 Incorrect Privilege Assignment Allowed 978
CWE-601 URL Redirection to Untrusted Site ('Open Redirect') Allowed 870
CWE-427 Uncontrolled Search Path Element Allowed-with-Review 775
CWE-59 Improper Link Resolution Before File Access ('Link Following') Allowed 703
CWE-532 Insertion of Sensitive Information into Log File Allowed 689
CWE-798 Use of Hard-coded Credentials Allowed-with-Review 648
CWE-295 Improper Certificate Validation Allowed 633
CWE-126 Buffer Over-read Allowed 573
CWE-843 Access of Resource Using Incompatible Type ('Type Confusion') Allowed 558
CWE-276 Incorrect Default Permissions Allowed 557
CWE-288 Authentication Bypass Using an Alternate Path or Channel Allowed 553
CWE-404 Improper Resource Shutdown or Release Allowed-with-Review 549
CWE-732 Incorrect Permission Assignment for Critical Resource Allowed-with-Review 548
CWE-73 External Control of File Name or Path Allowed 532
CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) Allowed 525
CWE-367 Time-of-check Time-of-use (TOCTOU) Race Condition Allowed 524