Common Weakness Enumeration (CWE) database

Common weakness enumeration (CWE) database is a categorized list of security related flaw in software. We use CWE identifiers to describe types of vulnerabilities in our database.

For more information about Common weakness enumeration (CWE) database please refer to the official MITRE website.

Below is the list of CWE identifiers we use to describe vulnerabilities:

CWE-16 - Configuration

CWE-19 - Data Handling

CWE-20 - Improper Input Validation

CWE-22 - Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-23 - Relative Path Traversal

CWE-46 - Path Equivalence: 'filename ' (Trailing Space)

CWE-59 - Improper Link Resolution Before File Access ('Link Following')

CWE-61 - UNIX Symbolic Link (Symlink) Following

CWE-62 - UNIX Hard Link

CWE-65 - Windows hard link

CWE-73 - External Control of File Name or Path

CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-87 - Improper Neutralization of Alternate XSS Syntax

CWE-88 - Argument Injection or Modification

CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CWE-90 - Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

CWE-91 - XML Injection

CWE-93 - Improper Neutralization of CRLF Sequences ('CRLF Injection')

CWE-94 - Improper Control of Generation of Code ('Code Injection')

CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program

CWE-99 - Improper Control of Resource Identifiers ('Resource Injection')

CWE-113 - Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

CWE-119 - Improper Restriction of Operations within the Bounds of a Memory Buffer

CWE-120 - Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

CWE-121 - Stack-based Buffer Overflow

CWE-122 - Heap-based Buffer Overflow

CWE-124 - Buffer Underwrite ('Buffer Underflow')

CWE-125 - Out-of-bounds Read

CWE-126 - Buffer Over-read

CWE-129 - Improper Validation of Array Index

CWE-130 - Improper Handling of Length Parameter Inconsistency

CWE-131 - Incorrect Calculation of Buffer Size

CWE-134 - Use of Externally-Controlled Format String

CWE-141 - Improper Neutralization of Parameter/Argument Delimiters

CWE-170 - Improper Null Termination

CWE-190 - Integer Overflow or Wraparound

CWE-191 - Integer Underflow (Wrap or Wraparound)

CWE-193 - Off-by-one Error

CWE-194 - Unexpected Sign Extension

CWE-199 - Information Management Errors

CWE-200 - Information Exposure

CWE-208 - Information Exposure Through Timing Discrepancy

CWE-209 - Information Exposure Through an Error Message

CWE-229 - Improper Handling of Values

CWE-233 - Improper Handling of Parameters

CWE-244 - Improper Clearing of Heap Memory Before Release ('Heap Inspection')

CWE-248 - Uncaught Exception

CWE-250 - Execution with Unnecessary Privileges

CWE-254 - Security Features

CWE-255 - Credentials Management

CWE-256 - Unprotected Storage of Credentials

CWE-257 - Storing Passwords in a Recoverable Format

CWE-258 - Empty password in configuration file

CWE-259 - Use of Hard-coded Password

CWE-260 - Password in Configuration File

CWE-261 - Weak Cryptography for Passwords

CWE-264 - Permissions, Privileges, and Access Controls

CWE-265 - Privilege / Sandbox Issues

CWE-266 - Incorrect Privilege Assignment

CWE-269 - Improper Privilege Management

CWE-271 - Privilege Dropping / Lowering Errors

CWE-272 - Least Privilege Violation

CWE-273 - Improper Check for Dropped Privileges

CWE-276 - Incorrect Default Permissions

CWE-284 - Improper Access Control

CWE-285 - Improper Authorization

CWE-287 - Improper Authentication

CWE-288 - Authentication Bypass Using an Alternate Path or Channel

CWE-290 - Authentication Bypass by Spoofing

CWE-294 - Authentication Bypass by Capture-replay

CWE-295 - Improper Certificate Validation

CWE-297 - Improper Validation of Certificate with Host Mismatch

CWE-300 - Channel Accessible by Non-Endpoint ('Man-in-the-Middle')

CWE-302 - Authentication Bypass by Assumed-Immutable Data

CWE-303 - Incorrect Implementation of Authentication Algorithm

CWE-306 - Missing Authentication for Critical Function

CWE-307 - Improper Restriction of Excessive Authentication Attempts

CWE-310 - Cryptographic Issues

CWE-311 - Missing Encryption of Sensitive Data

CWE-312 - Cleartext Storage of Sensitive Information

CWE-319 - Cleartext Transmission of Sensitive Information

CWE-320 - Key Management Errors

CWE-321 - Use of Hard-coded Cryptographic Key

CWE-323 - Reusing a Nonce, Key Pair in Encryption

CWE-326 - Inadequate Encryption Strength

CWE-327 - Use of a Broken or Risky Cryptographic Algorithm

CWE-330 - Use of Insufficiently Random Values

CWE-331 - Insufficient Entropy

CWE-332 - Insufficient Entropy in PRNG

CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

CWE-341 - Predictable from Observable State

CWE-343 - Predictable Value Range from Previous Values

CWE-345 - Insufficient Verification of Data Authenticity

CWE-346 - Origin Validation Error

CWE-347 - Improper Verification of Cryptographic Signature

CWE-352 - Cross-Site Request Forgery (CSRF)

CWE-354 - Improper Validation of Integrity Check Value

CWE-358 - Improperly Implemented Security Check for Standard

CWE-359 - Exposure of Private Information ('Privacy Violation')

CWE-362 - Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CWE-369 - Divide By Zero

CWE-371 - State Issues

CWE-377 - Insecure Temporary File

CWE-384 - Session Fixation

CWE-385 - Covert Timing Channel

CWE-388 - Error Handling

CWE-391 - Unchecked Error Condition

CWE-392 - Missing Report of Error Condition

CWE-395 - Use of NullPointerException Catch to Detect NULL Pointer Dereference

CWE-399 - Resource Management Errors

CWE-400 - Uncontrolled Resource Consumption ('Resource Exhaustion')

CWE-401 - Improper Release of Memory Before Removing Last Reference ('Memory Leak')

CWE-404 - Improper Resource Shutdown or Release

CWE-406 - Insufficient Control of Network Message Volume (Network Amplification)

CWE-413 - Improper Resource Locking

CWE-415 - Double Free

CWE-416 - Use After Free

CWE-425 - Direct Request ('Forced Browsing')

CWE-426 - Untrusted Search Path

CWE-427 - Uncontrolled Search Path Element

CWE-428 - Unquoted Search Path or Element

CWE-434 - Unrestricted Upload of File with Dangerous Type

CWE-440 - Expected Behavior Violation

CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')

CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CWE-451 - User Interface (UI) Misrepresentation of Critical Information (Clickjacking, spoofing)

CWE-457 - Use of Uninitialized Variable

CWE-471 - Modification of Assumed-Immutable Data

CWE-476 - NULL Pointer Dereference

CWE-477 - Use of Obsolete Function

CWE-485 - Insufficient Encapsulation

CWE-494 - Download of Code Without Integrity Check

CWE-502 - Deserialization of Untrusted Data

CWE-521 - Weak Password Requirements

CWE-522 - Insufficiently Protected Credentials

CWE-523 - Unprotected Transport of Credentials

CWE-532 - Information Exposure Through Log Files

CWE-538 - File And Directory Information Exposure

CWE-564 - SQL Injection: Hibernate

CWE-565 - Reliance on Cookies without Validation and Integrity Checking

CWE-566 - Authorization Bypass Through User-Controlled SQL Primary Key

CWE-592 - Authentication Bypass Issues

CWE-598 - Information Exposure Through Query Strings in GET Request

CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')

CWE-602 - Client-Side Enforcement of Server-Side Security

CWE-603 - Use of Client-Side Authentication

CWE-611 - Improper Restriction of XML External Entity Reference ('XXE')

CWE-613 - Insufficient Session Expiration

CWE-617 - Reachable Assertion

CWE-618 - Exposed Unsafe ActiveX Method

CWE-619 - Dangling Database Cursor ('Cursor Injection')

CWE-620 - Unverified Password Change

CWE-622 - Improper Validation of Function Hook Argument

CWE-626 - Null Byte Interaction Error (Poison Null Byte)

CWE-661 - Weaknesses in Software Written in PHP

CWE-665 - Improper Initialization

CWE-667 - Improper Locking

CWE-674 - Uncontrolled Recursion

CWE-676 - Use of Potentially Dangerous Function

CWE-682 - Incorrect Calculation

CWE-692 - Incomplete Blacklist to Cross-Site Scripting

CWE-693 - Protection Mechanism Failure

CWE-696 - Incorrect Behavior Order

CWE-703 - Improper Check or Handling of Exceptional Conditions

CWE-704 - Incorrect Type Conversion or Cast (Type Conversion)

CWE-732 - Incorrect Permission Assignment for Critical Resource

CWE-749 - Exposed Dangerous Method or Function

CWE-757 - Selection of Less-Secure Algorithm During Negotiat

CWE-759 - Use of a One-Way Hash without a Salt

CWE-776 - Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

CWE-778 - Insufficient Logging

CWE-782 - Exposed IOCTL with Insufficient Access Control

CWE-785 - Use of Path Manipulation Function without Maximum-sized Buffer

CWE-787 - Out-of-bounds Write

CWE-789 - Uncontrolled Memory Allocation

CWE-798 - Use of Hard-coded Credentials

CWE-799 - Improper Control of Interaction Frequency

CWE-805 - Buffer Access with Incorrect Length Value

CWE-807 - Reliance on Untrusted Inputs in a Security Decision

CWE-822 - Untrusted Pointer Dereference

CWE-823 - Use of Out-of-range Pointer Offset

CWE-824 - Access of Uninitialized Pointer

CWE-829 - Inclusion of Functionality from Untrusted Control Sphere

CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

CWE-840 - Business Logic Errors (3.0)

CWE-843 - Access of Resource Using Incompatible Type ('Type Confusion')

CWE-862 - Missing Authorization

CWE-863 - Incorrect Authorization

CWE-908 - Use of Uninitialized Resource

CWE-911 - Improper Update of Reference Count

CWE-912 - Hidden Functionality (Backdoor)

CWE-916 - Use of Password Hash With Insufficient Computational Effort

CWE-918 - Server-Side Request Forgery (SSRF)

CWE-922 - Insecure Storage of Sensitive Information

CWE-923 - Improper Restriction of Communication Channel to Intended Endpoints

CWE-942 - Overly Permissive Cross-domain Whitelist

CWE-943 - Improper Neutralization of Special Elements in Data Query Logic

CWE-1022 - Use of Web Link to Untrusted Target with window.opener Access