Weaknesses
Common Weakness Enumeration (CWE): a catalogue of software and hardware weakness types. The table on this page is not the full CWE catalogue, which runs to several hundred more entries; it lists only the subset that the National Vulnerability Database (NVD) draws on when it assigns a CWE ID to a CVE (the "Weaknesses for Simplified Mapping of Published Vulnerabilities" view, CWE-1003). When none of these fits, or NVD has too little information to decide, the CVE record carries the placeholder NVD-CWE-Other or NVD-CWE-noinfo instead of a CWE ID.
What is a CWE?
A CWE (Common Weakness Enumeration) is a named type of mistake in the design or implementation of software or hardware, for example storing passwords in cleartext (CWE-312), hashing them with too little computational effort (CWE-916), or acting on user input without validating it first (CWE-20). Where a CVE is a specific security flaw found in a real product, a CWE is the type of mistake that caused it; this is why a CVE record normally carries one or more CWE IDs. The same type of mistake can affect thousands of different products from completely different vendors.
Why does it matter?
A CVE tells you something is broken. A CWE tells you why. If the same type of mistake keeps appearing across different products, fixing each one individually misses the point: the underlying habit or pattern needs to change. Counting the CWE IDs across a set of CVEs, whether your own findings or a vendor's advisories, shows whether you are looking at a one-off problem or a recurring one, and the recurring ones are the ones worth a systemic fix such as a shared validation library, a compiler or linter rule, or a design change.
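The kind of aggregation described above, as an added example (not code from MITRE or NVD): it pulls the CWE IDs out of records shaped like an NVD CVE API 2.0 response, counts how often each weakness type recurs, and checks every ID against a table in this page's own `| CWE ID | Name |` format. The JSON records, CVE IDs and table excerpt are constructed for the example; the `nvd@nist.gov` source, `Primary` type and `NVD-CWE-noinfo` / `NVD-CWE-Other` placeholder values follow the NVD API 2.0 format as the author of this example understands it, so treat those field names as an assumption to verify against the live API.

```python
"""Aggregate CWE mappings across CVE records to separate recurring
weakness types from one-off findings. Added example; not code from the
CWE or NVD projects."""
import json
import re
from collections import Counter

# Constructed excerpt of a CWE table in this page's "| CWE ID | Name |"
# format. Only a handful of rows are embedded so the script runs offline.
CWE_TABLE_MD = """\
| CWE ID | Name |
|---|---|
| CWE-1021 | Improper Restriction of Rendered UI Layers or Frames |
| CWE-20 | Improper Input Validation |
| CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| CWE-916 | Use of Password Hash With Insufficient Computational Effort |
"""

# Constructed records in the shape of an NVD CVE API 2.0 response (the
# "weaknesses" array on each CVE). The CVE IDs and their CWE mappings are
# hypothetical; NVD-CWE-noinfo is the placeholder NVD uses when it cannot
# pick a weakness (assumption about the NVD format, verify against the API).
SAMPLE_NVD_JSON = json.dumps({"vulnerabilities": [
    {"cve": {"id": "CVE-2099-0001", "weaknesses": [
        {"source": "nvd@nist.gov", "type": "Primary",
         "description": [{"lang": "en", "value": "CWE-79"}]}]}},
    {"cve": {"id": "CVE-2099-0002", "weaknesses": [
        {"source": "nvd@nist.gov", "type": "Primary",
         "description": [{"lang": "en", "value": "CWE-79"}]},
        {"source": "vendor@example.com", "type": "Secondary",
         "description": [{"lang": "en", "value": "CWE-80"}]}]}},
    {"cve": {"id": "CVE-2099-0003", "weaknesses": [
        {"source": "nvd@nist.gov", "type": "Primary",
         "description": [{"lang": "en", "value": "CWE-89"}]}]}},
    {"cve": {"id": "CVE-2099-0004", "weaknesses": [
        {"source": "nvd@nist.gov", "type": "Primary",
         "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}]}},
    {"cve": {"id": "CVE-2099-0005", "weaknesses": [
        {"source": "nvd@nist.gov", "type": "Primary",
         "description": [{"lang": "en", "value": "CWE-79"}]}]}},
    {"cve": {"id": "CVE-2099-0006", "weaknesses": []}},
    {"cve": {"id": "CVE-2099-0007", "weaknesses": [
        {"source": "nvd@nist.gov", "type": "Primary",
         "description": [{"lang": "en", "value": "CWE-80"}]}]}},
]})

CWE_ID_RE = re.compile(r"^CWE-(\d+)$")


def cwe_number(cwe_id):
    """Numeric part of a CWE ID, so lists sort as 20, 116, 1021 rather than
    the string order 1021, 116, 20 produced by a naive sort."""
    m = CWE_ID_RE.match(cwe_id)
    if not m:
        raise ValueError(f"not a CWE ID: {cwe_id!r}")
    return int(m.group(1))


def parse_cwe_table(markdown):
    """Read '| CWE-NNN | Name |' rows into {id: name}, skipping the header
    and separator rows (their first cell is not a CWE ID)."""
    table = {}
    for line in markdown.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) == 2 and CWE_ID_RE.match(cells[0]):
            table[cells[0]] = cells[1]
    return table


def primary_cwes(nvd_json):
    """Map each CVE ID to the CWE IDs NVD assigned as its Primary weakness.
    Secondary (CNA-supplied) entries are ignored; CVEs with no entry or with
    an NVD-CWE-* placeholder get an empty list so they show up as
    unclassified instead of being counted as a weakness type."""
    result = {}
    for item in json.loads(nvd_json)["vulnerabilities"]:
        cve = item["cve"]
        ids = []
        for w in cve.get("weaknesses", []):
            if w.get("source") != "nvd@nist.gov" or w.get("type") != "Primary":
                continue
            for d in w.get("description", []):
                if CWE_ID_RE.match(d.get("value", "")):
                    ids.append(d["value"])
        result[cve["id"]] = ids
    return result


def weakness_report(cwe_by_cve, table, min_recurring=2):
    """Summarise how often each weakness type recurs across the CVE set and
    flag any ID that is not in the page's NVD mapping list."""
    counts = Counter(c for ids in cwe_by_cve.values() for c in ids)
    ranked = sorted(counts.items(), key=lambda kv: (-kv[1], cwe_number(kv[0])))
    return {
        "recurring": [(c, n, table.get(c, "<not in NVD mapping list>"))
                      for c, n in ranked if n >= min_recurring],
        "one_off": [c for c, n in ranked if n < min_recurring],
        "unclassified": sorted(cve for cve, ids in cwe_by_cve.items() if not ids),
        "unlisted": sorted((c for c in counts if c not in table), key=cwe_number),
    }


if __name__ == "__main__":
    report = weakness_report(primary_cwes(SAMPLE_NVD_JSON), parse_cwe_table(CWE_TABLE_MD))
    for key, rows in report.items():
        print(f"{key}:")
        for row in rows:
            print("   ", row)
```

On real data, feed `primary_cwes` the body of an NVD API response and `parse_cwe_table` the full table from this page; an ID landing in `unlisted` means either the page's list is stale or the record's weakness came from a source other than NVD, and a large `unclassified` bucket means the CWE counts understate the real pattern.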
Who maintains the CWE list?
CWEs are maintained by MITRE, a U.S. non-profit organization, with sponsorship from the Cybersecurity and Infrastructure Security Agency (CISA). They are used as a shared language between software developers, security researchers, and auditors worldwide; the annual CWE Top 25 Most Dangerous Software Weaknesses list, for example, is computed from the same NVD CVE-to-CWE mappings that this page's subset covers.
| CWE ID | Name |
|---|---|
| CWE-20 | Improper Input Validation |
| CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| CWE-59 | Improper Link Resolution Before File Access ('Link Following') |
| CWE-74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
| CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') |
| CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| CWE-88 | Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') |
| CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| CWE-91 | XML Injection (aka Blind XPath Injection) |
| CWE-94 | Improper Control of Generation of Code ('Code Injection') |
| CWE-116 | Improper Encoding or Escaping of Output |
| CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer |
| CWE-120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') |
| CWE-125 | Out-of-bounds Read |
| CWE-129 | Improper Validation of Array Index |
| CWE-131 | Incorrect Calculation of Buffer Size |
| CWE-134 | Use of Externally-Controlled Format String |
| CWE-178 | Improper Handling of Case Sensitivity |
| CWE-190 | Integer Overflow or Wraparound |
| CWE-191 | Integer Underflow (Wrap or Wraparound) |
| CWE-193 | Off-by-one Error |
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor |
| CWE-203 | Observable Discrepancy |
| CWE-209 | Generation of Error Message Containing Sensitive Information |
| CWE-212 | Improper Removal of Sensitive Information Before Storage or Transfer |
| CWE-252 | Unchecked Return Value |
| CWE-269 | Improper Privilege Management |
| CWE-273 | Improper Check for Dropped Privileges |
| CWE-276 | Incorrect Default Permissions |
| CWE-281 | Improper Preservation of Permissions |
| CWE-287 | Improper Authentication |
| CWE-290 | Authentication Bypass by Spoofing |
| CWE-294 | Authentication Bypass by Capture-replay |
| CWE-295 | Improper Certificate Validation |
| CWE-306 | Missing Authentication for Critical Function |
| CWE-307 | Improper Restriction of Excessive Authentication Attempts |
| CWE-311 | Missing Encryption of Sensitive Data |
| CWE-312 | Cleartext Storage of Sensitive Information |
| CWE-319 | Cleartext Transmission of Sensitive Information |
| CWE-326 | Inadequate Encryption Strength |
| CWE-327 | Use of a Broken or Risky Cryptographic Algorithm |
| CWE-330 | Use of Insufficiently Random Values |
| CWE-331 | Insufficient Entropy |
| CWE-335 | Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) |
| CWE-338 | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) |
| CWE-345 | Insufficient Verification of Data Authenticity |
| CWE-346 | Origin Validation Error |
| CWE-347 | Improper Verification of Cryptographic Signature |
| CWE-352 | Cross-Site Request Forgery (CSRF) |
| CWE-354 | Improper Validation of Integrity Check Value |
| CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') |
| CWE-367 | Time-of-check Time-of-use (TOCTOU) Race Condition |
| CWE-369 | Divide By Zero |
| CWE-384 | Session Fixation |
| CWE-400 | Uncontrolled Resource Consumption |
| CWE-401 | Missing Release of Memory after Effective Lifetime |
| CWE-404 | Improper Resource Shutdown or Release |
| CWE-407 | Inefficient Algorithmic Complexity |
| CWE-415 | Double Free |
| CWE-416 | Use After Free |
| CWE-425 | Direct Request ('Forced Browsing') |
| CWE-426 | Untrusted Search Path |
| CWE-427 | Uncontrolled Search Path Element |
| CWE-428 | Unquoted Search Path or Element |
| CWE-434 | Unrestricted Upload of File with Dangerous Type |
| CWE-436 | Interpretation Conflict |
| CWE-444 | Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') |
| CWE-459 | Incomplete Cleanup |
| CWE-470 | Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') |
| CWE-476 | NULL Pointer Dereference |
| CWE-494 | Download of Code Without Integrity Check |
| CWE-502 | Deserialization of Untrusted Data |
| CWE-521 | Weak Password Requirements |
| CWE-522 | Insufficiently Protected Credentials |
| CWE-532 | Insertion of Sensitive Information into Log File |
| CWE-552 | Files or Directories Accessible to External Parties |
| CWE-565 | Reliance on Cookies without Validation and Integrity Checking |
| CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') |
| CWE-610 | Externally Controlled Reference to a Resource in Another Sphere |
| CWE-611 | Improper Restriction of XML External Entity Reference |
| CWE-613 | Insufficient Session Expiration |
| CWE-617 | Reachable Assertion |
| CWE-639 | Authorization Bypass Through User-Controlled Key |
| CWE-640 | Weak Password Recovery Mechanism for Forgotten Password |
| CWE-662 | Improper Synchronization |
| CWE-665 | Improper Initialization |
| CWE-667 | Improper Locking |
| CWE-668 | Exposure of Resource to Wrong Sphere |
| CWE-669 | Incorrect Resource Transfer Between Spheres |
| CWE-670 | Always-Incorrect Control Flow Implementation |
| CWE-672 | Operation on a Resource after Expiration or Release |
| CWE-674 | Uncontrolled Recursion |
| CWE-681 | Incorrect Conversion between Numeric Types |
| CWE-682 | Incorrect Calculation |
| CWE-697 | Incorrect Comparison |
| CWE-704 | Incorrect Type Conversion or Cast |
| CWE-706 | Use of Incorrectly-Resolved Name or Reference |
| CWE-732 | Incorrect Permission Assignment for Critical Resource |
| CWE-754 | Improper Check for Unusual or Exceptional Conditions |
| CWE-755 | Improper Handling of Exceptional Conditions |
| CWE-763 | Release of Invalid Pointer or Reference |
| CWE-770 | Allocation of Resources Without Limits or Throttling |
| CWE-772 | Missing Release of Resource after Effective Lifetime |
| CWE-776 | Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') |
| CWE-787 | Out-of-bounds Write |
| CWE-798 | Use of Hard-coded Credentials |
| CWE-824 | Access of Uninitialized Pointer |
| CWE-829 | Inclusion of Functionality from Untrusted Control Sphere |
| CWE-834 | Excessive Iteration |
| CWE-835 | Loop with Unreachable Exit Condition ('Infinite Loop') |
| CWE-838 | Inappropriate Encoding for Output Context |
| CWE-843 | Access of Resource Using Incompatible Type ('Type Confusion') |
| CWE-862 | Missing Authorization |
| CWE-863 | Incorrect Authorization |
| CWE-908 | Use of Uninitialized Resource |
| CWE-909 | Missing Initialization of Resource |
| CWE-913 | Improper Control of Dynamically-Managed Code Resources |
| CWE-916 | Use of Password Hash With Insufficient Computational Effort |
| CWE-917 | Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection') |
| CWE-918 | Server-Side Request Forgery (SSRF) |
| CWE-920 | Improper Restriction of Power Consumption |
| CWE-922 | Insecure Storage of Sensitive Information |
| CWE-924 | Improper Enforcement of Message Integrity During Transmission in a Communication Channel |
| CWE-1021 | Improper Restriction of Rendered UI Layers or Frames |
| CWE-1188 | Initialization of a Resource with an Insecure Default |
| CWE-1236 | Improper Neutralization of Formula Elements in a CSV File |
| CWE-1284 | Improper Validation of Specified Quantity in Input |
| CWE-1321 | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') |
| CWE-1333 | Inefficient Regular Expression Complexity |