Common Weakness Enumeration

Browse CWEs ranked by the number of vulnerabilities referencing them, and pivot to weakness details, mitigations, and related attack patterns.

Reset

765 CWEs

API response
CWE Name Mapping usage Occurrences
CWE-184 Incomplete List of Disallowed Inputs Allowed 168
CWE-1336 Improper Neutralization of Special Elements Used in a Template Engine Allowed 168
CWE-93 Improper Neutralization of CRLF Sequences ('CRLF Injection') Allowed 166
CWE-35 Path Traversal: '.../...//' Allowed 162
CWE-203 Observable Discrepancy Allowed 161
CWE-204 Observable Response Discrepancy Allowed 160
CWE-259 Use of Hard-coded Password Allowed 157
CWE-640 Weak Password Recovery Mechanism for Forgotten Password Allowed-with-Review 156
CWE-1188 Initialization of a Resource with an Insecure Default Allowed 153
CWE-208 Observable Timing Discrepancy Allowed 152
CWE-915 Improperly Controlled Modification of Dynamically-Determined Object Attributes Allowed 151
CWE-61 UNIX Symbolic Link (Symlink) Following Allowed 151
CWE-1220 Insufficient Granularity of Access Control Allowed 150
CWE-1287 Improper Validation of Specified Type of Input Allowed 149
CWE-369 Divide By Zero Allowed 148
CWE-305 Authentication Bypass by Primary Weakness Allowed 148
CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') Allowed 146
CWE-788 Access of Memory Location After End of Buffer Discouraged 144
CWE-36 Absolute Path Traversal Allowed 144
CWE-1236 Improper Neutralization of Formula Elements in a CSV File Allowed 143
CWE-330 Use of Insufficiently Random Values Discouraged 139
CWE-326 Inadequate Encryption Strength Allowed-with-Review 139
CWE-280 Improper Handling of Insufficient Permissions or Privileges Allowed 135
CWE-134 Use of Externally-Controlled Format String Allowed 132
CWE-1021 Improper Restriction of Rendered UI Layers or Frames Allowed 129
CWE-407 Inefficient Algorithmic Complexity Allowed-with-Review 128
CWE-494 Download of Code Without Integrity Check Allowed 126
CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) Allowed 124
CWE-294 Authentication Bypass by Capture-replay Allowed 124
CWE-665 Improper Initialization Discouraged 120
CWE-521 Weak Password Requirements Allowed 118
CWE-131 Incorrect Calculation of Buffer Size Allowed 116
CWE-457 Use of Uninitialized Variable Allowed 115
CWE-922 Insecure Storage of Sensitive Information Allowed-with-Review 114
CWE-281 Improper Preservation of Permissions Allowed 114
CWE-193 Off-by-one Error Allowed 113
CWE-703 Improper Check or Handling of Exceptional Conditions Discouraged 110
CWE-409 Improper Handling of Highly Compressed Data (Data Amplification) Allowed 110
CWE-451 User Interface (UI) Misrepresentation of Critical Information Allowed-with-Review 109
CWE-197 Numeric Truncation Error Allowed 107
CWE-602 Client-Side Enforcement of Server-Side Security Allowed-with-Review 105
CWE-942 Permissive Cross-domain Security Policy with Untrusted Domains Allowed 104
CWE-303 Incorrect Implementation of Authentication Algorithm Allowed 102
CWE-24 Path Traversal: '../filedir' Allowed 102
CWE-1392 Use of Default Credentials Allowed 101
CWE-680 Integer Overflow to Buffer Overflow Discouraged 100
CWE-425 Direct Request ('Forced Browsing') Allowed 98
CWE-358 Improperly Implemented Security Check for Standard Allowed 98
CWE-117 Improper Output Neutralization for Logs Allowed 97