Common Weakness Enumeration

Browse CWEs ranked by the number of vulnerabilities referencing them, and pivot to weakness details, mitigations, and related attack patterns.

Reset

765 CWEs

API response
CWE Name Mapping usage Occurrences
CWE-472 External Control of Assumed-Immutable Web Parameter Allowed 59
CWE-178 Improper Handling of Case Sensitivity Allowed 59
CWE-706 Use of Incorrectly-Resolved Name or Reference Allowed-with-Review 58
CWE-379 Creation of Temporary File in Directory with Insecure Permissions Allowed 58
CWE-99 Improper Control of Resource Identifiers ('Resource Injection') Allowed-with-Review 57
CWE-87 Improper Neutralization of Alternate XSS Syntax Allowed 56
CWE-682 Incorrect Calculation Discouraged 56
CWE-636 Not Failing Securely ('Failing Open') Allowed-with-Review 56
CWE-297 Improper Validation of Certificate with Host Mismatch Allowed 56
CWE-672 Operation on a Resource after Expiration or Release Allowed-with-Review 55
CWE-470 Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') Allowed 55
CWE-841 Improper Enforcement of Behavioral Workflow Allowed 54
CWE-644 Improper Neutralization of HTTP Headers for Scripting Syntax Allowed 54
CWE-302 Authentication Bypass by Assumed-Immutable Data Allowed 54
CWE-548 Exposure of Information Through Directory Listing Allowed 53
CWE-277 Insecure Inherited Permissions Allowed 52
CWE-524 Use of Cache Containing Sensitive Information Allowed 50
CWE-653 Improper Isolation or Compartmentalization Allowed 49
CWE-340 Generation of Predictable Numbers or Identifiers Allowed-with-Review 49
CWE-267 Privilege Defined With Unsafe Actions Allowed 49
CWE-1285 Improper Validation of Specified Index, Position, or Offset in Input Allowed 48
CWE-825 Expired Pointer Dereference Allowed 47
CWE-405 Asymmetric Resource Consumption (Amplification) Allowed-with-Review 47
CWE-300 Channel Accessible by Non-Endpoint Discouraged 46
CWE-183 Permissive List of Allowed Inputs Allowed 45
CWE-1395 Dependency on Vulnerable Third-Party Component Allowed-with-Review 45
CWE-805 Buffer Access with Incorrect Length Value Allowed 44
CWE-940 Improper Verification of Source of a Communication Channel Allowed 43
CWE-440 Expected Behavior Violation Allowed 43
CWE-378 Creation of Temporary File With Insecure Permissions Allowed 43
CWE-1391 Use of Weak Credentials Allowed-with-Review 43
CWE-917 Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') Allowed 42
CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') Allowed 41
CWE-274 Improper Handling of Insufficient Privileges Discouraged 41
CWE-323 Reusing a Nonce, Key Pair in Encryption Allowed 40
CWE-1004 Sensitive Cookie Without 'HttpOnly' Flag Allowed 40
CWE-667 Improper Locking Allowed-with-Review 39
CWE-420 Unprotected Alternate Channel Allowed 37
CWE-261 Weak Encoding for Password Allowed 37
CWE-123 Write-what-where Condition Allowed 37
CWE-385 Covert Timing Channel Allowed 36
CWE-1393 Use of Default Password Allowed 36
CWE-791 Incomplete Filtering of Special Elements Allowed 35
CWE-424 Improper Protection of Alternate Path Allowed-with-Review 35
CWE-353 Missing Support for Integrity Check Allowed 35
CWE-124 Buffer Underwrite ('Buffer Underflow') Allowed 35
CWE-92 DEPRECATED: Improper Sanitization of Custom Special Characters Prohibited 34
CWE-696 Incorrect Behavior Order Allowed-with-Review 34