Common Weakness Enumeration

Browse CWEs ranked by the number of vulnerabilities referencing them, and pivot to weakness details, mitigations, and related attack patterns.

Reset

765 CWEs

API response
CWE Name Mapping usage Occurrences
CWE-347 Improper Verification of Cryptographic Signature Allowed 511
CWE-23 Relative Path Traversal Allowed 508
CWE-522 Insufficiently Protected Credentials Allowed-with-Review 471
CWE-611 Improper Restriction of XML External Entity Reference Allowed 464
CWE-693 Protection Mechanism Failure Discouraged 436
CWE-319 Cleartext Transmission of Sensitive Information Allowed 405
CWE-345 Insufficient Verification of Data Authenticity Discouraged 395
CWE-191 Integer Underflow (Wrap or Wraparound) Allowed 390
CWE-613 Insufficient Session Expiration Allowed-with-Review 378
CWE-307 Improper Restriction of Excessive Authentication Attempts Allowed 376
CWE-290 Authentication Bypass by Spoofing Allowed 369
CWE-754 Improper Check for Unusual or Exceptional Conditions Allowed-with-Review 365
CWE-201 Insertion of Sensitive Information Into Sent Data Allowed 355
CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere Allowed 350
CWE-428 Unquoted Search Path or Element Allowed 344
CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop') Allowed 338
CWE-209 Generation of Error Message Containing Sensitive Information Allowed 336
CWE-327 Use of a Broken or Risky Cryptographic Algorithm Allowed-with-Review 331
CWE-1333 Inefficient Regular Expression Complexity Allowed 330
CWE-908 Use of Uninitialized Resource Allowed 326
CWE-250 Execution with Unnecessary Privileges Allowed 312
CWE-401 Missing Release of Memory after Effective Lifetime Allowed 304
CWE-617 Reachable Assertion Allowed 299
CWE-822 Untrusted Pointer Dereference Allowed 295
CWE-312 Cleartext Storage of Sensitive Information Allowed 291
CWE-346 Origin Validation Error Allowed-with-Review 283
CWE-426 Untrusted Search Path Allowed-with-Review 280
CWE-321 Use of Hard-coded Cryptographic Key Allowed 280
CWE-415 Double Free Allowed 272
CWE-311 Missing Encryption of Sensitive Data Discouraged 272
CWE-116 Improper Encoding or Escaping of Output Allowed-with-Review 262
CWE-552 Files or Directories Accessible to External Parties Allowed 249
CWE-707 Improper Neutralization Discouraged 246
CWE-674 Uncontrolled Recursion Allowed-with-Review 245
CWE-248 Uncaught Exception Allowed 242
CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') Allowed 241
CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') Allowed 232
CWE-129 Improper Validation of Array Index Allowed 232
CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') Allowed 227
CWE-789 Memory Allocation with Excessive Size Value Allowed 216
CWE-1284 Improper Validation of Specified Quantity in Input Allowed 208
CWE-829 Inclusion of Functionality from Untrusted Control Sphere Allowed 199
CWE-755 Improper Handling of Exceptional Conditions Discouraged 196
CWE-359 Exposure of Private Personal Information to an Unauthorized Actor Allowed 188
CWE-668 Exposure of Resource to Wrong Sphere Discouraged 187
CWE-824 Access of Uninitialized Pointer Allowed 186
CWE-384 Session Fixation Allowed 173
CWE-256 Plaintext Storage of a Password Allowed 172
CWE-749 Exposed Dangerous Method or Function Allowed 171