Common Weakness Enumeration (CWE) database

The Common Weakness Enumeration (CWE) is a categorized list of security-related weakness types in software and hardware, maintained by MITRE. We use CWE identifiers to describe the type of weakness behind each vulnerability in our database.

For more information about the Common Weakness Enumeration (CWE), refer to the official MITRE CWE website.

Below is the list of CWE identifiers we use to describe vulnerabilities. Each entry is given as the identifier followed by the name MITRE assigned to it in the CWE release we adopted it from. MITRE occasionally renames entries between releases, so the numeric identifier, not the name, is the stable key to match on.

CWE-16 - Configuration

CWE-19 - Data Handling

CWE-20 - Improper Input Validation

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-23 - Relative Path Traversal

CWE-36 - Absolute Path Traversal

CWE-42 - Path Equivalence

CWE-46 - Path Equivalence: 'filename ' (Trailing Space)

CWE-59 - Improper Link Resolution Before File Access ('Link Following')

CWE-61 - UNIX Symbolic Link (Symlink) Following

CWE-62 - UNIX Hard Link

CWE-65 - Windows hard link

CWE-73 - External Control of File Name or Path

CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-87 - Improper Neutralization of Alternate XSS Syntax

CWE-88 - Improper Neutralization of Argument Delimiters in a Command

CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CWE-90 - Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

CWE-91 - XML Injection

CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')

CWE-94 - Improper Control of Generation of Code ('Code Injection')

CWE-95 - Eval Injection

CWE-97 - Improper Neutralization of Server-Side Includes (SSI) Within a Web Page

CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program

CWE-99 - Improper Control of Resource Identifiers ('Resource Injection')

CWE-112 - Missing XML Validation

CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

CWE-117 - Improper Output Neutralization for Logs

CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

CWE-121 - Stack-based Buffer Overflow

CWE-122 - Heap-based Buffer Overflow

CWE-123 - Write-what-where Condition

CWE-124 - Buffer Underwrite ('Buffer Underflow')

CWE-125 - Out-of-bounds Read

CWE-126 - Buffer Over-read

CWE-129 - Improper Validation of Array Index

CWE-130 - Improper Handling of Length Parameter Inconsistency

CWE-131 - Incorrect Calculation of Buffer Size

CWE-134 - Use of Externally-Controlled Format String

CWE-141 - Improper Neutralization of Parameter/Argument Delimiters

CWE-158 - Improper Neutralization of Null Byte or NUL Character

CWE-170 - Improper Null Termination

CWE-184 - Incomplete List of Disallowed Inputs

CWE-185 - Incorrect Regular Expression

CWE-190 - Integer Overflow or Wraparound

CWE-191 - Integer Underflow (Wrap or Wraparound)

CWE-192 - Integer Coercion Error

CWE-193 - Off-by-one Error

CWE-194 - Unexpected Sign Extension

CWE-196 - Unsigned to Signed Conversion Error

CWE-199 - Information Management Errors

CWE-200 - Information Exposure

CWE-203 - Observable discrepancy

CWE-204 - Observable Response Discrepancy

CWE-208 - Information Exposure Through Timing Discrepancy

CWE-209 - Information Exposure Through an Error Message

CWE-211 - Externally-generated error message containing sensitive information

CWE-228 - Improper Handling of Syntactically Invalid Structure

CWE-229 - Improper Handling of Values

CWE-233 - Improper Handling of Parameters

CWE-241 - Improper Handling of Unexpected Data Type

CWE-244 - Improper Clearing of Heap Memory Before Release ('Heap Inspection')

CWE-248 - Uncaught Exception

CWE-250 - Execution with Unnecessary Privileges

CWE-252 - Unchecked Return Value

CWE-254 - Security Features

CWE-255 - Credentials Management

CWE-256 - Unprotected Storage of Credentials

CWE-257 - Storing Passwords in a Recoverable Format

CWE-258 - Empty password in configuration file

CWE-259 - Use of Hard-coded Password

CWE-260 - Password in Configuration File

CWE-261 - Weak Cryptography for Passwords

CWE-262 - Not Using Password Aging

CWE-264 - Permissions, Privileges, and Access Controls

CWE-265 - Privilege / Sandbox Issues

CWE-266 - Incorrect Privilege Assignment

CWE-269 - Improper Privilege Management

CWE-271 - Privilege Dropping / Lowering Errors

CWE-272 - Least Privilege Violation

CWE-273 - Improper Check for Dropped Privileges

CWE-276 - Incorrect Default Permissions

CWE-277 - Insecure inherited permissions

CWE-281 - Improper preservation of permissions

CWE-284 - Improper Access Control

CWE-285 - Improper Authorization

CWE-286 - Incorrect User Management

CWE-287 - Improper Authentication

CWE-288 - Authentication Bypass Using an Alternate Path or Channel

CWE-290 - Authentication Bypass by Spoofing

CWE-294 - Authentication Bypass by Capture-replay

CWE-295 - Improper Certificate Validation

CWE-297 - Improper Validation of Certificate with Host Mismatch

CWE-299 - Improper Check for Certificate Revocation

CWE-300 - Channel Accessible by Non-Endpoint ('Man-in-the-Middle')

CWE-302 - Authentication Bypass by Assumed-Immutable Data

CWE-303 - Incorrect Implementation of Authentication Algorithm

CWE-306 - Missing Authentication for Critical Function

CWE-307 - Improper Restriction of Excessive Authentication Attempts

CWE-309 - Use of Password System for Primary Authentication

CWE-310 - Cryptographic Issues

CWE-311 - Missing Encryption of Sensitive Data

CWE-312 - Cleartext Storage of Sensitive Information

CWE-319 - Cleartext Transmission of Sensitive Information

CWE-320 - Key Management Errors

CWE-321 - Use of Hard-coded Cryptographic Key

CWE-323 - Reusing a Nonce, Key Pair in Encryption

CWE-325 - Missing Required Cryptographic Step

CWE-326 - Inadequate Encryption Strength

CWE-327 - Use of a Broken or Risky Cryptographic Algorithm

CWE-329 - Not Using an Unpredictable IV with CBC Mode

CWE-330 - Use of Insufficiently Random Values

CWE-331 - Insufficient Entropy

CWE-332 - Insufficient Entropy in PRNG

CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

CWE-341 - Predictable from Observable State

CWE-342 - Predictable Exact Value from Previous Values

CWE-343 - Predictable Value Range from Previous Values

CWE-345 - Insufficient Verification of Data Authenticity

CWE-346 - Origin Validation Error

CWE-347 - Improper Verification of Cryptographic Signature

CWE-350 - Reliance on Reverse DNS Resolution for a Security-Critical Action

CWE-352 - Cross-Site Request Forgery (CSRF)

CWE-353 - Missing Support for Integrity Check

CWE-354 - Improper Validation of Integrity Check Value

CWE-357 - Insufficient UI Warning of Dangerous Operations

CWE-358 - Improperly Implemented Security Check for Standard

CWE-359 - Exposure of Private Information ('Privacy Violation')

CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition

CWE-369 - Divide By Zero

CWE-371 - State Issues

CWE-372 - Incomplete Internal State Distinction

CWE-377 - Insecure Temporary File

CWE-378 - Creation of Temporary File With Insecure Permissions

CWE-384 - Session Fixation

CWE-385 - Covert Timing Channel

CWE-388 - Error Handling

CWE-390 - Detection of error condition without action

CWE-391 - Unchecked Error Condition

CWE-392 - Missing Report of Error Condition

CWE-395 - Use of NullPointerException Catch to Detect NULL Pointer Dereference

CWE-399 - Resource Management Errors

CWE-400 - Uncontrolled Resource Consumption ('Resource Exhaustion')

CWE-401 - Improper Release of Memory Before Removing Last Reference ('Memory Leak')

CWE-402 - Transmission of Private Resources into a New Sphere ('Resource Leak')

CWE-404 - Improper Resource Shutdown or Release

CWE-406 - Insufficient Control of Network Message Volume

CWE-407 - Inefficient Algorithmic Complexity

CWE-413 - Improper Resource Locking

CWE-415 - Double Free

CWE-416 - Use After Free

CWE-419 - Unprotected primary channel

CWE-424 - Improper Protection of Alternate Path

CWE-425 - Direct Request ('Forced Browsing')

CWE-426 - Untrusted Search Path

CWE-427 - Uncontrolled Search Path Element

CWE-428 - Unquoted Search Path or Element

CWE-431 - Missing Handler

CWE-434 - Unrestricted Upload of File with Dangerous Type

CWE-435 - Improper Interaction Between Multiple Correctly-Behaving Entities

CWE-440 - Expected Behavior Violation

CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')

CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CWE-448 - Obsolete Feature in UI

CWE-450 - Multiple Interpretations of UI Input

CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)

CWE-453 - Insecure Default Variable Initialization

CWE-454 - External Initialization of Trusted Variables or Data Stores

CWE-456 - Missing Initialization of a Variable

CWE-457 - Use of Uninitialized Variable

CWE-459 - Incomplete cleanup

CWE-460 - Improper Cleanup on Thrown Exception

CWE-466 - Return of pointer value outside of expected range

CWE-470 - Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

CWE-471 - Modification of Assumed-Immutable Data

CWE-475 - Undefined Behavior for Input to API

CWE-476 - NULL Pointer Dereference

CWE-477 - Use of Obsolete Function

CWE-485 - Insufficient Encapsulation

CWE-489 - Active Debug Code

CWE-494 - Download of Code Without Integrity Check

CWE-502 - Deserialization of Untrusted Data

CWE-506 - Embedded Malicious Code

CWE-521 - Weak Password Requirements

CWE-522 - Insufficiently Protected Credentials

CWE-523 - Unprotected Transport of Credentials

CWE-525 - Use of Web Browser Cache Containing Sensitive Information

CWE-527 - Exposure of Version-Control Repository to an Unauthorized Control Sphere

CWE-532 - Information Exposure Through Log Files

CWE-538 - File And Directory Information Exposure

CWE-540 - Inclusion of Sensitive Information in Source Code

CWE-549 - Missing Password Field Masking

CWE-552 - Files or Directories Accessible to External Parties

CWE-564 - SQL Injection: Hibernate

CWE-565 - Reliance on Cookies without Validation and Integrity Checking

CWE-566 - Authorization Bypass Through User-Controlled SQL Primary Key

CWE-592 - Authentication Bypass Issues

CWE-598 - Information Exposure Through Query Strings in GET Request

CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')

CWE-602 - Client-Side Enforcement of Server-Side Security

CWE-603 - Use of Client-Side Authentication

CWE-610 - Externally Controlled Reference to a Resource in Another Sphere

CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

CWE-613 - Insufficient Session Expiration

CWE-614 - Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

CWE-617 - Reachable Assertion

CWE-618 - Exposed Unsafe ActiveX Method

CWE-619 - Dangling Database Cursor ('Cursor Injection')

CWE-620 - Unverified Password Change

CWE-622 - Improper Validation of Function Hook Argument

CWE-626 - Null Byte Interaction Error (Poison Null Byte)

CWE-639 - Authorization Bypass Through User-Controlled Key

CWE-640 - Weak password recovery mechanism

CWE-642 - External Control of Critical State Data

CWE-643 - Improper Neutralization of Data within XPath Expressions

CWE-644 - Improper Neutralization of HTTP Headers for Scripting Syntax

CWE-645 - Overly Restrictive Account Lockout Mechanism

CWE-648 - Incorrect Use of Privileged APIs

CWE-653 - Improper isolation or compartmentalization

CWE-661 - Weaknesses in Software Written in PHP

CWE-664 - Improper control of a resource through its lifetime

CWE-665 - Improper Initialization

CWE-667 - Improper Locking

CWE-668 - Exposure of resource to wrong sphere

CWE-669 - Incorrect Resource Transfer Between Spheres

CWE-670 - Always-Incorrect Control Flow Implementation

CWE-672 - Operation on a Resource after Expiration or Release

CWE-674 - Uncontrolled Recursion

CWE-676 - Use of Potentially Dangerous Function

CWE-681 - Incorrect Conversion between Numeric Types

CWE-682 - Incorrect Calculation

CWE-688 - Function Call With Incorrect Variable or Reference as Argument

CWE-691 - Insufficient Control Flow Management

CWE-692 - Incomplete Blacklist to Cross-Site Scripting

CWE-693 - Protection Mechanism Failure

CWE-696 - Incorrect Behavior Order

CWE-697 - Incorrect Comparison

CWE-703 - Improper Check or Handling of Exceptional Conditions

CWE-704 - Incorrect Type Conversion or Cast (Type Conversion)

CWE-708 - Incorrect Ownership Assignment

CWE-732 - Incorrect Permission Assignment for Critical Resource

CWE-749 - Exposed Dangerous Method or Function

CWE-754 - Improper Check for Unusual or Exceptional Conditions

CWE-755 - Improper Handling of Exceptional Conditions

CWE-757 - Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')

CWE-759 - Use of a One-Way Hash without a Salt

CWE-760 - Use of a One-Way Hash with a Predictable Salt

CWE-763 - Release of invalid pointer or reference

CWE-770 - Allocation of Resources Without Limits or Throttling

CWE-776 - Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

CWE-777 - Regular Expression without Anchors

CWE-778 - Insufficient Logging

CWE-782 - Exposed IOCTL with Insufficient Access Control

CWE-785 - Use of Path Manipulation Function without Maximum-sized Buffer

CWE-787 - Out-of-bounds Write

CWE-788 - Access of Memory Location After End of Buffer

CWE-789 - Uncontrolled Memory Allocation

CWE-791 - Incomplete Filtering of Special Elements

CWE-798 - Use of Hard-coded Credentials

CWE-799 - Improper Control of Interaction Frequency

CWE-805 - Buffer Access with Incorrect Length Value

CWE-807 - Reliance on Untrusted Inputs in a Security Decision

CWE-820 - Missing Synchronization

CWE-822 - Untrusted Pointer Dereference

CWE-823 - Use of Out-of-range Pointer Offset

CWE-824 - Access of Uninitialized Pointer

CWE-825 - Expired pointer dereference

CWE-829 - Inclusion of Functionality from Untrusted Control Sphere

CWE-833 - Deadlock

CWE-834 - Excessive Iteration

CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

CWE-836 - Use of Password Hash Instead of Password for Authentication

CWE-840 - Business Logic Errors

CWE-841 - Improper Enforcement of Behavioral Workflow

CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')

CWE-862 - Missing Authorization

CWE-863 - Incorrect Authorization

CWE-908 - Use of Uninitialized Resource

CWE-909 - Missing initialization of resource

CWE-910 - Use of Expired File Descriptor

CWE-911 - Improper Update of Reference Count

CWE-912 - Hidden Functionality (Backdoor)

CWE-913 - Improper Control of Dynamically-Managed Code Resources

CWE-916 - Use of Password Hash With Insufficient Computational Effort

CWE-917 - Improper Neutralization of Special Elements used in an Expression Language Statement

CWE-918 - Server-Side Request Forgery (SSRF)

CWE-922 - Insecure Storage of Sensitive Information

CWE-923 - Improper Restriction of Communication Channel to Intended Endpoints

CWE-924 - Improper Enforcement of Message Integrity During Transmission in a Communication Channel

CWE-939 - Improper Authorization in Handler for Custom URL Scheme

CWE-940 - Improper Verification of Source of a Communication Channel

CWE-941 - Incorrectly Specified Destination in a Communication Channel

CWE-942 - Overly Permissive Cross-domain Whitelist

CWE-943 - Improper Neutralization of Special Elements in Data Query Logic

CWE-1004 - Sensitive Cookie Without 'HttpOnly' Flag

CWE-1021 - Improper Restriction of Rendered UI Layers or Frames

CWE-1022 - Use of Web Link to Untrusted Target with window.opener Access

CWE-1025 - Comparison using wrong factors

CWE-1037 - Processor optimization removal or modification of security-critical code

CWE-1088 - Synchronous Access of Remote Resource without Timeout

CWE-1104 - Use of Unmaintained Third Party Components

CWE-1236 - Improper Neutralization of Formula Elements in a CSV File

CWE-1256 - Improper restriction of software interfaces to hardware features

CWE-1278 - Missing Protection Against Hardware Reverse Engineering Using Integrated Circuit (IC) Imaging Techniques

CWE-1283 - Mutable Attestation or Measurement Reporting Data

CWE-1319 - Improper Protection against Electromagnetic Fault Injection

CWE-1329 - Reliance on Component That is Not Updateable