All Known CWE
Below is a list of CWE (Common Weakness Enumeration) entries.
| CWE ID | Description |
|---|---|
| CWE-20 | Improper Input Validation |
| CWE-74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') |
| CWE-75 | Failure to Sanitize Special Elements into a Different Plane (Special Element Injection) |
| CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') |
| CWE-99 | Improper Control of Resource Identifiers ('Resource Injection') |
| CWE-114 | Process Control |
| CWE-116 | Improper Encoding or Escaping of Output |
| CWE-118 | Incorrect Access of Indexable Resource ('Range Error') |
| CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer |
| CWE-138 | Improper Neutralization of Special Elements |
| CWE-159 | Improper Handling of Invalid Use of Special Elements |
| CWE-172 | Encoding Error |
| CWE-185 | Incorrect Regular Expression |
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor |
| CWE-221 | Information Loss or Omission |
| CWE-228 | Improper Handling of Syntactically Invalid Structure |
| CWE-269 | Improper Privilege Management |
| CWE-271 | Privilege Dropping / Lowering Errors |
| CWE-282 | Improper Ownership Management |
| CWE-285 | Improper Authorization |
| CWE-286 | Incorrect User Management |
| CWE-287 | Improper Authentication |
| CWE-300 | Channel Accessible by Non-Endpoint |
| CWE-311 | Missing Encryption of Sensitive Data |
| CWE-326 | Inadequate Encryption Strength |
| CWE-327 | Use of a Broken or Risky Cryptographic Algorithm |
| CWE-330 | Use of Insufficiently Random Values |
| CWE-340 | Generation of Predictable Numbers or Identifiers |
| CWE-345 | Insufficient Verification of Data Authenticity |
| CWE-346 | Origin Validation Error |
| CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') |
| CWE-377 | Insecure Temporary File |
| CWE-400 | Uncontrolled Resource Consumption |
| CWE-402 | Transmission of Private Resources into a New Sphere ('Resource Leak') |
| CWE-404 | Improper Resource Shutdown or Release |
| CWE-405 | Asymmetric Resource Consumption (Amplification) |
| CWE-406 | Insufficient Control of Network Message Volume (Network Amplification) |
| CWE-407 | Inefficient Algorithmic Complexity |
| CWE-410 | Insufficient Resource Pool |
| CWE-424 | Improper Protection of Alternate Path |
| CWE-436 | Interpretation Conflict |
| CWE-441 | Unintended Proxy or Intermediary ('Confused Deputy') |
| CWE-446 | UI Discrepancy for Security Feature |
| CWE-451 | User Interface (UI) Misrepresentation of Critical Information |
| CWE-506 | Embedded Malicious Code |
| CWE-514 | Covert Channel |
| CWE-522 | Insufficiently Protected Credentials |
| CWE-573 | Improper Following of Specification by Caller |
| CWE-602 | Client-Side Enforcement of Server-Side Security |
| CWE-610 | Externally Controlled Reference to a Resource in Another Sphere |
| CWE-636 | Not Failing Securely ('Failing Open') |
| CWE-637 | Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism') |
| CWE-638 | Not Using Complete Mediation |
| CWE-642 | External Control of Critical State Data |
| CWE-653 | Improper Isolation or Compartmentalization |
| CWE-655 | Insufficient Psychological Acceptability |
| CWE-656 | Reliance on Security Through Obscurity |
| CWE-657 | Violation of Secure Design Principles |
| CWE-662 | Improper Synchronization |
| CWE-665 | Improper Initialization |
| CWE-666 | Operation on Resource in Wrong Phase of Lifetime |
| CWE-667 | Improper Locking |
| CWE-668 | Exposure of Resource to Wrong Sphere |
| CWE-669 | Incorrect Resource Transfer Between Spheres |
| CWE-670 | Always-Incorrect Control Flow Implementation |
| CWE-671 | Lack of Administrator Control over Security |
| CWE-672 | Operation on a Resource after Expiration or Release |
| CWE-673 | External Influence of Sphere Definition |
| CWE-674 | Uncontrolled Recursion |
| CWE-675 | Multiple Operations on Resource in Single-Operation Context |
| CWE-684 | Incorrect Provision of Specified Functionality |
| CWE-696 | Incorrect Behavior Order |
| CWE-704 | Incorrect Type Conversion or Cast |
| CWE-705 | Incorrect Control Flow Scoping |
| CWE-706 | Use of Incorrectly-Resolved Name or Reference |
| CWE-732 | Incorrect Permission Assignment for Critical Resource |
| CWE-754 | Improper Check for Unusual or Exceptional Conditions |
| CWE-755 | Improper Handling of Exceptional Conditions |
| CWE-758 | Reliance on Undefined, Unspecified, or Implementation-Defined Behavior |
| CWE-790 | Improper Filtering of Special Elements |
| CWE-799 | Improper Control of Interaction Frequency |
| CWE-834 | Excessive Iteration |
| CWE-862 | Missing Authorization |
| CWE-863 | Incorrect Authorization |
| CWE-909 | Missing Initialization of Resource |
| CWE-912 | Hidden Functionality |
| CWE-913 | Improper Control of Dynamically-Managed Code Resources |
| CWE-922 | Insecure Storage of Sensitive Information |
| CWE-923 | Improper Restriction of Communication Channel to Intended Endpoints |
| CWE-943 | Improper Neutralization of Special Elements in Data Query Logic |
| CWE-1023 | Incomplete Comparison with Missing Factors |
| CWE-1038 | Insecure Automated Optimizations |
| CWE-1039 | Inadequate Detection or Handling of Adversarial Input Perturbations in Automated Recognition Mechanism |
| CWE-1059 | Insufficient Technical Documentation |
| CWE-1061 | Insufficient Encapsulation |
| CWE-1076 | Insufficient Adherence to Expected Conventions |
| CWE-1078 | Inappropriate Source Code Style or Formatting |
| CWE-1093 | Excessively Complex Data Representation |
| CWE-1120 | Excessive Code Complexity |
| CWE-1164 | Irrelevant Code |
| CWE-1176 | Inefficient CPU Computation |
| CWE-1177 | Use of Prohibited Code |
| CWE-1229 | Creation of Emergent Resource |
| CWE-1263 | Improper Physical Access Control |
| CWE-1294 | Insecure Security Identifier Mechanism |
| CWE-1357 | Reliance on Insufficiently Trustworthy Component |
| CWE-1384 | Improper Handling of Physical or Environmental Conditions |
| CWE-1390 | Weak Authentication |
| CWE-1391 | Use of Weak Credentials |
| CWE-1395 | Dependency on Vulnerable Third-Party Component |
| CWE-1419 | Incorrect Initialization of Resource |