The Common Weakness Enumeration (CWE) is a categorized list of security-related flaws in software. We use CWE identifiers to describe the types of vulnerabilities recorded in our database.
For more information about the Common Weakness Enumeration (CWE), please refer to the official MITRE website.
Below is the list of CWE identifiers we use to describe vulnerabilities:
CWE-20 - Improper Input Validation
CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-23 - Relative Path Traversal
CWE-36 - Absolute Path Traversal
CWE-46 - Path Equivalence: 'filename ' (Trailing Space)
CWE-59 - Improper Link Resolution Before File Access ('Link Following')
CWE-61 - UNIX Symbolic Link (Symlink) Following
CWE-73 - External Control of File Name or Path
CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-87 - Improper Neutralization of Alternate XSS Syntax
CWE-88 - Improper Neutralization of Argument Delimiters in a Command
CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CWE-90 - Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')
CWE-94 - Improper Control of Generation of Code ('Code Injection')
CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program
CWE-99 - Improper Control of Resource Identifiers ('Resource Injection')
CWE-112 - Missing XML Validation
CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
CWE-117 - Improper Output Neutralization for Logs
CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CWE-121 - Stack-based Buffer Overflow
CWE-122 - Heap-based Buffer Overflow
CWE-123 - Write-what-where Condition
CWE-124 - Buffer Underwrite ('Buffer Underflow')
CWE-129 - Improper Validation of Array Index
CWE-130 - Improper Handling of Length Parameter Inconsistency
CWE-131 - Incorrect Calculation of Buffer Size
CWE-134 - Use of Externally-Controlled Format String
CWE-141 - Improper Neutralization of Parameter/Argument Delimiters
CWE-158 - Improper Neutralization of Null Byte or NUL Character
CWE-170 - Improper Null Termination
CWE-184 - Incomplete List of Disallowed Inputs
CWE-185 - Incorrect Regular Expression
CWE-190 - Integer Overflow or Wraparound
CWE-191 - Integer Underflow (Wrap or Wraparound)
CWE-192 - Integer Coercion Error
CWE-194 - Unexpected Sign Extension
CWE-196 - Unsigned to Signed Conversion Error
CWE-199 - Information Management Errors
CWE-200 - Information Exposure
CWE-203 - Observable discrepancy
CWE-204 - Observable Response Discrepancy
CWE-208 - Information Exposure Through Timing Discrepancy
CWE-209 - Information Exposure Through an Error Message
CWE-211 - Externally-generated error message containing sensitive information
CWE-228 - Improper Handling of Syntactically Invalid Structure
CWE-229 - Improper Handling of Values
CWE-233 - Improper Handling of Parameters
CWE-241 - Improper Handling of Unexpected Data Type
CWE-244 - Improper Clearing of Heap Memory Before Release ('Heap Inspection')
CWE-250 - Execution with Unnecessary Privileges
CWE-252 - Unchecked Return Value
CWE-255 - Credentials Management
CWE-256 - Unprotected Storage of Credentials
CWE-257 - Storing Passwords in a Recoverable Format
CWE-258 - Empty password in configuration file
CWE-259 - Use of Hard-coded Password
CWE-260 - Password in Configuration File
CWE-261 - Weak Cryptography for Passwords
CWE-262 - Not Using Password Aging
CWE-264 - Permissions, Privileges, and Access Controls
CWE-265 - Privilege / Sandbox Issues
CWE-266 - Incorrect Privilege Assignment
CWE-269 - Improper Privilege Management
CWE-271 - Privilege Dropping / Lowering Errors
CWE-272 - Least Privilege Violation
CWE-273 - Improper Check for Dropped Privileges
CWE-276 - Incorrect Default Permissions
CWE-277 - Insecure inherited permissions
CWE-284 - Improper Access Control
CWE-285 - Improper Authorization
CWE-286 - Incorrect User Management
CWE-287 - Improper Authentication
CWE-288 - Authentication Bypass Using an Alternate Path or Channel
CWE-290 - Authentication Bypass by Spoofing
CWE-294 - Authentication Bypass by Capture-replay
CWE-295 - Improper Certificate Validation
CWE-297 - Improper Validation of Certificate with Host Mismatch
CWE-299 - Improper Check for Certificate Revocation
CWE-300 - Channel Accessible by Non-Endpoint ('Man-in-the-Middle')
CWE-302 - Authentication Bypass by Assumed-Immutable Data
CWE-303 - Incorrect Implementation of Authentication Algorithm
CWE-306 - Missing Authentication for Critical Function
CWE-307 - Improper Restriction of Excessive Authentication Attempts
CWE-309 - Use of Password System for Primary Authentication
CWE-310 - Cryptographic Issues
CWE-311 - Missing Encryption of Sensitive Data
CWE-312 - Cleartext Storage of Sensitive Information
CWE-319 - Cleartext Transmission of Sensitive Information
CWE-320 - Key Management Errors
CWE-321 - Use of Hard-coded Cryptographic Key
CWE-323 - Reusing a Nonce, Key Pair in Encryption
CWE-325 - Missing Required Cryptographic Step
CWE-326 - Inadequate Encryption Strength
CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
CWE-329 - Not Using an Unpredictable IV with CBC Mode
CWE-330 - Use of Insufficiently Random Values
CWE-331 - Insufficient Entropy
CWE-332 - Insufficient Entropy in PRNG
CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
CWE-341 - Predictable from Observable State
CWE-342 - Predictable Exact Value from Previous Values
CWE-343 - Predictable Value Range from Previous Values
CWE-345 - Insufficient Verification of Data Authenticity
CWE-346 - Origin Validation Error
CWE-347 - Improper Verification of Cryptographic Signature
CWE-350 - Reliance on Reverse DNS Resolution for a Security-Critical Action
CWE-352 - Cross-Site Request Forgery (CSRF)
CWE-354 - Improper Validation of Integrity Check Value
CWE-357 - Insufficient UI Warning of Dangerous Operations
CWE-358 - Improperly Implemented Security Check for Standard
CWE-359 - Exposure of Private Information ('Privacy Violation')
CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
CWE-372 - Incomplete Internal State Distinction
CWE-377 - Insecure Temporary File
CWE-378 - Creation of Temporary File With Insecure Permissions
CWE-385 - Covert Timing Channel
CWE-391 - Unchecked Error Condition
CWE-392 - Missing Report of Error Condition
CWE-395 - Use of NullPointerException Catch to Detect NULL Pointer Dereference
CWE-399 - Resource Management Errors
CWE-400 - Uncontrolled Resource Consumption ('Resource Exhaustion')
CWE-401 - Improper Release of Memory Before Removing Last Reference ('Memory Leak')
CWE-402 - Transmission of Private Resources into a New Sphere ('Resource Leak')
CWE-404 - Improper Resource Shutdown or Release
CWE-406 - Insufficient Control of Network Message Volume
CWE-407 - Inefficient Algorithmic Complexity
CWE-413 - Improper Resource Locking
CWE-419 - Unprotected primary channel
CWE-424 - Improper Protection of Alternate Path
CWE-425 - Direct Request ('Forced Browsing')
CWE-426 - Untrusted Search Path
CWE-427 - Uncontrolled Search Path Element
CWE-428 - Unquoted Search Path or Element
CWE-434 - Unrestricted Upload of File with Dangerous Type
CWE-435 - Improper Interaction Between Multiple Correctly-Behaving Entities
CWE-440 - Expected Behavior Violation
CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')
CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
CWE-448 - Obsolete Feature in UI
CWE-450 - Multiple Interpretations of UI Input
CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)
CWE-453 - Insecure Default Variable Initialization
CWE-456 - Missing Initialization of a Variable
CWE-457 - Use of Uninitialized Variable
CWE-460 - Improper Cleanup on Thrown Exception
CWE-466 - Return of pointer value outside of expected range
CWE-470 - Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
CWE-471 - Modification of Assumed-Immutable Data
CWE-476 - NULL Pointer Dereference
CWE-477 - Use of Obsolete Function
CWE-485 - Insufficient Encapsulation
CWE-494 - Download of Code Without Integrity Check
CWE-502 - Deserialization of Untrusted Data
CWE-506 - Embedded Malicious Code
CWE-521 - Weak Password Requirements
CWE-522 - Insufficiently Protected Credentials
CWE-523 - Unprotected Transport of Credentials
CWE-525 - Use of Web Browser Cache Containing Sensitive Information
CWE-532 - Information Exposure Through Log Files
CWE-538 - File And Directory Information Exposure
CWE-540 - Inclusion of Sensitive Information in Source Code
CWE-552 - Files or Directories Accessible to External Parties
CWE-564 - SQL Injection: Hibernate
CWE-565 - Reliance on Cookies without Validation and Integrity Checking
CWE-566 - Authorization Bypass Through User-Controlled SQL Primary Key
CWE-592 - Authentication Bypass Issues
CWE-598 - Information Exposure Through Query Strings in GET Request
CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
CWE-602 - Client-Side Enforcement of Server-Side Security
CWE-603 - Use of Client-Side Authentication
CWE-610 - Externally Controlled Reference to a Resource in Another Sphere
CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')
CWE-613 - Insufficient Session Expiration
CWE-614 - Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
CWE-618 - Exposed Unsafe ActiveX Method
CWE-619 - Dangling Database Cursor ('Cursor Injection')
CWE-620 - Unverified Password Change
CWE-622 - Improper Validation of Function Hook Argument
CWE-626 - Null Byte Interaction Error (Poison Null Byte)
CWE-639 - Authorization Bypass Through User-Controlled Key
CWE-640 - Weak password recovery mechanism
CWE-642 - External Control of Critical State Data
CWE-643 - Improper Neutralization of Data within XPath Expressions
CWE-644 - Improper Neutralization of HTTP Headers for Scripting Syntax
CWE-645 - Overly Restrictive Account Lockout Mechanism
CWE-648 - Incorrect Use of Privileged APIs
CWE-653 - Improper isolation or compartmentalization
CWE-661 - Weaknesses in Software Written in PHP
CWE-664 - Improper control of a resource through its lifetime
CWE-665 - Improper Initialization
CWE-668 - Exposure of resource to wrong sphere
CWE-670 - Always-Incorrect Control Flow Implementation
CWE-672 - Operation on a Resource after Expiration or Release
CWE-674 - Uncontrolled Recursion
CWE-676 - Use of Potentially Dangerous Function
CWE-681 - Incorrect Conversion between Numeric Types
CWE-682 - Incorrect Calculation
CWE-688 - Function Call With Incorrect Variable or Reference as Argument
CWE-691 - Insufficient Control Flow Management
CWE-692 - Incomplete Blacklist to Cross-Site Scripting
CWE-693 - Protection Mechanism Failure
CWE-696 - Incorrect Behavior Order
CWE-697 - Incorrect Comparison
CWE-703 - Improper Check or Handling of Exceptional Conditions
CWE-704 - Incorrect Type Conversion or Cast (Type Conversion)
CWE-708 - Incorrect Ownership Assignment
CWE-732 - Incorrect Permission Assignment for Critical Resource
CWE-749 - Exposed Dangerous Method or Function
CWE-754 - Improper Check for Unusual or Exceptional Conditions
CWE-755 - Improper Handling of Exceptional Conditions
CWE-757 - Selection of Less-Secure Algorithm During Negotiation
CWE-759 - Use of a One-Way Hash without a Salt
CWE-760 - Use of a One-Way Hash with a Predictable Salt
CWE-763 - Release of invalid pointer or reference
CWE-770 - Allocation of Resources Without Limits or Throttling
CWE-776 - Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
CWE-777 - Regular Expression without Anchors
CWE-778 - Insufficient Logging
CWE-782 - Exposed IOCTL with Insufficient Access Control
CWE-785 - Use of Path Manipulation Function without Maximum-sized Buffer
CWE-788 - Access of Memory Location After End of Buffer
CWE-789 - Uncontrolled Memory Allocation
CWE-791 - Incomplete Filtering of Special Elements
CWE-798 - Use of Hard-coded Credentials
CWE-799 - Improper Control of Interaction Frequency
CWE-805 - Buffer Access with Incorrect Length Value
CWE-807 - Reliance on Untrusted Inputs in a Security Decision
CWE-820 - Missing Synchronization
CWE-822 - Untrusted Pointer Dereference
CWE-823 - Use of Out-of-range Pointer Offset
CWE-824 - Access of Uninitialized Pointer
CWE-825 - Expired pointer dereference
CWE-829 - Inclusion of Functionality from Untrusted Control Sphere
CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')
CWE-836 - Use of Password Hash Instead of Password for Authentication
CWE-840 - Business Logic Errors
CWE-841 - Improper Enforcement of Behavioral Workflow
CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')
CWE-862 - Missing Authorization
CWE-863 - Incorrect Authorization
CWE-908 - Use of Uninitialized Resource
CWE-909 - Missing initialization of resource
CWE-910 - Use of Expired File Descriptor
CWE-911 - Improper Update of Reference Count
CWE-912 - Hidden Functionality (Backdoor)
CWE-913 - Improper Control of Dynamically-Managed Code Resources
CWE-916 - Use of Password Hash With Insufficient Computational Effort
CWE-917 - Improper Neutralization of Special Elements used in an Expression Language Statement
CWE-918 - Server-Side Request Forgery (SSRF)
CWE-922 - Insecure Storage of Sensitive Information
CWE-923 - Improper Restriction of Communication Channel to Intended Endpoints
CWE-924 - Improper Enforcement of Message Integrity During Transmission in a Communication Channel
CWE-939 - Improper Authorization in Handler for Custom URL Scheme
CWE-940 - Improper Verification of Source of a Communication Channel
CWE-941 - Incorrectly Specified Destination in a Communication Channel
CWE-942 - Overly Permissive Cross-domain Whitelist
CWE-943 - Improper Neutralization of Special Elements in Data Query Logic
CWE-1004 - Sensitive Cookie Without 'HttpOnly' Flag
CWE-1021 - Improper Restriction of Rendered UI Layers or Frames
CWE-1022 - Use of Web Link to Untrusted Target with window.opener Access
CWE-1025 - Comparison using wrong factors
CWE-1088 - Synchronous Access of Remote Resource without Timeout
CWE-1104 - Use of Unmaintained Third Party Components
CWE-1236 - Improper Neutralization of Formula Elements in a CSV File
CWE-1283 - Mutable Attestation or Measurement Reporting Data
CWE-1319 - Improper Protection against Electromagnetic Fault Injection