Common Weakness Enumeration

Browse CWEs ranked by the number of vulnerabilities referencing them, and pivot to weakness details, mitigations, and related attack patterns.

Reset

765 CWEs

API response
CWE Name Mapping usage Occurrences
CWE-823 Use of Out-of-range Pointer Offset Allowed 96
CWE-130 Improper Handling of Length Parameter Inconsistency Allowed 95
CWE-436 Interpretation Conflict Allowed-with-Review 94
CWE-252 Unchecked Return Value Allowed 89
CWE-113 Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') Allowed 88
CWE-506 Embedded Malicious Code Allowed-with-Review 87
CWE-328 Use of Weak Hash Allowed 87
CWE-441 Unintended Proxy or Intermediary ('Confused Deputy') Allowed-with-Review 85
CWE-377 Insecure Temporary File Allowed-with-Review 85
CWE-670 Always-Incorrect Control Flow Implementation Allowed-with-Review 84
CWE-354 Improper Validation of Integrity Check Value Allowed 84
CWE-1390 Weak Authentication Allowed-with-Review 84
CWE-704 Incorrect Type Conversion or Cast Allowed-with-Review 82
CWE-620 Unverified Password Change Allowed 81
CWE-538 Insertion of Sensitive Information into Externally-Accessible File or Directory Allowed 81
CWE-489 Active Debug Code Allowed 79
CWE-807 Reliance on Untrusted Inputs in a Security Decision Allowed 78
CWE-331 Insufficient Entropy Allowed 76
CWE-926 Improper Export of Android Application Components Allowed 75
CWE-912 Hidden Functionality Allowed-with-Review 75
CWE-697 Incorrect Comparison Discouraged 75
CWE-598 Use of HTTP Request With Sensitive Query String Allowed 75
CWE-591 Sensitive Data Storage in Improperly Locked Memory Allowed 75
CWE-681 Incorrect Conversion between Numeric Types Allowed 73
CWE-610 Externally Controlled Reference to a Resource in Another Sphere Discouraged 73
CWE-1286 Improper Validation of Syntactic Correctness of Input Allowed 73
CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') Allowed 70
CWE-943 Improper Neutralization of Special Elements in Data Query Logic Allowed-with-Review 69
CWE-459 Incomplete Cleanup Allowed 69
CWE-913 Improper Control of Dynamically-Managed Code Resources Allowed-with-Review 68
CWE-799 Improper Control of Interaction Frequency Allowed-with-Review 68
CWE-772 Missing Release of Resource after Effective Lifetime Allowed 68
CWE-325 Missing Cryptographic Step Allowed 68
CWE-150 Improper Neutralization of Escape, Meta, or Control Sequences Allowed 68
CWE-348 Use of Less Trusted Source Allowed 66
CWE-923 Improper Restriction of Communication Channel to Intended Endpoints Allowed-with-Review 65
CWE-15 External Control of System or Configuration Setting Allowed 65
CWE-916 Use of Password Hash With Insufficient Computational Effort Allowed 64
CWE-91 XML Injection (aka Blind XPath Injection) Allowed-with-Review 63
CWE-257 Storing Passwords in a Recoverable Format Allowed 63
CWE-212 Improper Removal of Sensitive Information Before Storage or Transfer Allowed 63
CWE-648 Incorrect Use of Privileged APIs Allowed 62
CWE-29 Path Traversal: '\..\filename' Allowed 61
CWE-170 Improper Null Termination Allowed 60
CWE-669 Incorrect Resource Transfer Between Spheres Allowed-with-Review 59
CWE-614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute Allowed 59