CWE™

Summary

Common Weakness Enumeration is a community-developed list of software and hardware weakness types. It serves as a common language, a measuring stick for security tools, and as a baseline for weakness identification, mitigation and prevention efforts. - Version used: CWE™ List 4.13 - Last official version: CWE™ List 4.13

Definitions

Definition	Requirements
CWE-5. Data transmission without encryption	336. Disable insecure TLS versions
CWE-6. Misconfiguration - Insufficient session-ID length	030. Avoid object reutilization 032. Avoid session ID leakages
CWE-11. Creating debug binary	078. Disable debugging events
CWE-13. Misconfiguration - Password in configuration file	185. Encrypt sensitive information 026. Encrypt client-side session information
CWE-15. External control of system or configuration setting	320. Avoid client-side control enforcement 062. Define standard configurations
CWE-20. Improper input validation	173. Discard unsafe inputs
CWE-22. Improper limitation of a pathname to a restricted directory ("path traversal")	173. Discard unsafe inputs 320. Avoid client-side control enforcement 342. Validate request parameters 037. Parameters without sensitive data
CWE-23. Relative path traversal	037. Parameters without sensitive data
CWE-36. Absolute path traversal	173. Discard unsafe inputs 320. Avoid client-side control enforcement 343. Respect the Do Not Track header 037. Parameters without sensitive data
CWE-73. External control of file name or path	320. Avoid client-side control enforcement 381. Use of absolute paths 037. Parameters without sensitive data
CWE-74. Improper neutralization of special elements in output used by a downstream component ("injection")	158. Use a secure programming language 173. Discard unsafe inputs
CWE-78. Improper neutralization of special elements used in an OS command ("OS command injection")	173. Discard unsafe inputs 265. Restrict access to critical processes 266. Disable insecure functionalities
CWE-79. Improper neutralization of input during web page generation ("cross-site scripting")	173. Discard unsafe inputs 029. Cookies with security attributes
CWE-80. Improper neutralization of script-related HTML tags in a web page (basic XSS)	117. Do not interpret HTML code 173. Discard unsafe inputs
CWE-89. Improper neutralization of special elements used in an SQL command ("SQL injection")	169. Use parameterized queries 173. Discard unsafe inputs
CWE-90. Improper neutralization of special elements used in an LDAP query ('LDAP Injection')	173. Discard unsafe inputs
CWE-91. XML injection	173. Discard unsafe inputs
CWE-94. Improper control of generation of code ("code injection")	173. Discard unsafe inputs
CWE-95. Improper neutralization of directives in dynamically evaluated code ("eval injection")	173. Discard unsafe inputs 321. Avoid deserializing untrusted data 344. Avoid dynamic code execution
CWE-98. Improper control of filename for include/require statement in PHP program ("PHP remote file inclusion")	173. Discard unsafe inputs 265. Restrict access to critical processes 266. Disable insecure functionalities
CWE-112. Missing XML validation	173. Discard unsafe inputs
CWE-114. Process control	266. Disable insecure functionalities
CWE-116. Improper encoding or escaping of output	160. Encode system outputs 173. Discard unsafe inputs 348. Use consistent encoding 349. Include HTTP security headers
CWE-117. Improper output neutralization for logs	160. Encode system outputs
CWE-120. Buffer copy without checking size of input ("classic buffer overflow")	345. Establish protections against overflows
CWE-130. Buffer copy without checking size of input ("classic buffer overflow")	169. Use parameterized queries 342. Validate request parameters
CWE-134. Use of externally-controlled format string	345. Establish protections against overflows
CWE-138. Improper neutralization of special elements	173. Discard unsafe inputs 340. Use octet stream downloads
CWE-147. Improper neutralization of input terminators	173. Discard unsafe inputs
CWE-150. Improper neutralization of escape, meta, or control sequences	173. Discard unsafe inputs
CWE-170. Improper null termination	345. Establish protections against overflows
CWE-173. Improper handling of alternate encoding	160. Encode system outputs 044. Define an explicit charset
CWE-190. Integer overflow or wraparound	345. Establish protections against overflows
CWE-200. Exposure of sensitive information to an unauthorized actor	119. Hide recipients 181. Transmit data using secure protocols 261. Avoid exposing sensitive information 375. Remove sensitive data from client-side applications 032. Avoid session ID leakages
CWE-203. Observable discrepancy	225. Proper authentication responses
CWE-208. Observable timing discrepancy	368. Use of indistinguishable response time
CWE-209. Generation of error message containing sensitive information	077. Avoid disclosing technical information
CWE-210. Self-generated error message containing sensitive information	077. Avoid disclosing technical information 078. Disable debugging events
CWE-212. Improper removal of sensitive information before storage or transfer	183. Delete sensitive data securely 360. Remove unnecessary sensitive information
CWE-219. Storage of file with sensitive data under web root	339. Avoid storing sensitive files in the web root
CWE-221. Information loss or omission	376. Register severity level 075. Record exceptional events in logs
CWE-223. Omission of security-relevant information	376. Register severity level
CWE-226. Sensitive information in resource not removed before reuse	183. Delete sensitive data securely 360. Remove unnecessary sensitive information
CWE-233. Improper handling of parameters	342. Validate request parameters
CWE-235. Improper handling of extra parameters	342. Validate request parameters
CWE-250. Execution with unnecessary privileges	186. Use the principle of least privilege 095. Define users with privileges 096. Set user's required privileges
CWE-256. Plaintext storage of a password	127. Store hashed passwords 380. Define a password management tool
CWE-257. Storing passwords in a recoverable format	238. Establish safe recovery
CWE-259. Use of hard-coded password	156. Source code without sensitive information 172. Encrypt connection strings
CWE-263. Password aging with long expiration	130. Limit password lifespan 138. Define lifespan for temporary passwords 367. Proper generation of temporary passwords
CWE-266. Incorrect privilege assignment	095. Define users with privileges
CWE-267. Privilege defined with unsafe actions	035. Manage privilege modifications
CWE-269. Improper privilege management	186. Use the principle of least privilege 035. Manage privilege modifications
CWE-272. Least privilege violation	186. Use the principle of least privilege
CWE-276. Incorrect default permissions	186. Use the principle of least privilege 341. Use the principle of deny by default 095. Define users with privileges 096. Set user's required privileges
CWE-284. Improper access control	176. Restrict system objects 229. Request access credentials 266. Disable insecure functionalities 320. Avoid client-side control enforcement
CWE-285. Improper authorization	177. Avoid caching and temporary files 320. Avoid client-side control enforcement 341. Use the principle of deny by default 095. Define users with privileges
CWE-287. Improper authentication	122. Validate credential ownership 228. Authenticate using standard protocols 236. Establish authentication time 264. Request authentication 319. Make authentication options equally secure 334. Avoid knowledge-based authentication 362. Assign MFA mechanisms to a single account
CWE-290. Authentication bypass by spoofing	173. Discard unsafe inputs 320. Avoid client-side control enforcement 342. Validate request parameters
CWE-294. Authentication bypass by capture-replay	335. Define out of band token lifespan 030. Avoid object reutilization
CWE-295. Improper certificate validation	364. Provide extended validation (EV) certificates 089. Limit validity of certificates 091. Use internally signed certificates 093. Use consistent certificates
CWE-297. Improper validation of certificate with host mismatch	373. Use certificate pinning 093. Use consistent certificates
CWE-298. Improper validation of certificate expiration	364. Provide extended validation (EV) certificates 089. Limit validity of certificates 090. Use valid certificates
CWE-299. Improper check for certificate revocation	088. Request client certificates 089. Limit validity of certificates 090. Use valid certificates
CWE-306. Missing authentication for critical function	229. Request access credentials 264. Request authentication 265. Restrict access to critical processes 319. Make authentication options equally secure
CWE-307. Improper restriction of excessive authentication attempts	210. Delete information from mobile devices 237. Ascertain human interaction 327. Set a rate limit
CWE-308. Use of single-factor authentication	231. Implement a biometric verification component 030. Avoid object reutilization
CWE-311. Missing encryption of sensitive data	172. Encrypt connection strings 181. Transmit data using secure protocols 185. Encrypt sensitive information
CWE-319. Cleartext transmission of sensitive information	181. Transmit data using secure protocols 338. Implement perfect forward secrecy
CWE-321. Use of hard-coded cryptographic key	145. Protect system cryptographic keys 224. Use secure cryptographic mechanisms
CWE-322. Key exchange without entity authentication	145. Protect system cryptographic keys
CWE-323. Reusing a nonce, key Pair in encryption	145. Protect system cryptographic keys
CWE-324. Use of a key past its expiration date	361. Replace cryptographic keys
CWE-326. Inadequate encryption strength	147. Use pre-existent mechanisms 224. Use secure cryptographic mechanisms 346. Use initialization vectors once
CWE-327. Use of a broken or risky cryptographic algorithm	147. Use pre-existent mechanisms 224. Use secure cryptographic mechanisms
CWE-328. Use of weak hash	150. Set minimum size for hash functions
CWE-330. Use of insufficiently random values	223. Uniform distribution in random numbers
CWE-331. Insufficient entropy	223. Uniform distribution in random numbers 224. Use secure cryptographic mechanisms
CWE-334. Small space of random values	223. Uniform distribution in random numbers
CWE-340. Generation of predictable numbers or identifiers	223. Uniform distribution in random numbers 224. Use secure cryptographic mechanisms
CWE-345. Insufficient verification of data authenticity	178. Use digital signatures 238. Establish safe recovery 030. Avoid object reutilization
CWE-346. Origin validation error	128. Define unique data source
CWE-347. Improper verification of cryptographic signature	178. Use digital signatures
CWE-350. Reliance on reverse DNS resolution for a security-critical action	356. Verify sub-domain names 062. Define standard configurations
CWE-352. Cross-site request forgery (CSRF)	174. Transactions without a distinguishable pattern 029. Cookies with security attributes
CWE-353. Missing support for integrity check	178. Use digital signatures 262. Verify third-party components 330. Verify Subresource Integrity
CWE-359. Exposure of private personal information to an unauthorized actor	180. Use mock data 184. Obfuscate application data 261. Avoid exposing sensitive information 300. Mask sensitive data
CWE-362. Concurrent execution using shared resource with improper synchronization ("race condition")	337. Make critical logic flows thread safe
CWE-367. Time-of-check time-of-use (TOCTOU) race condition	337. Make critical logic flows thread safe 353. Schedule firmware updates
CWE-377. Insecure temporary file	177. Avoid caching and temporary files 036. Do not deploy temporary files
CWE-384. Session fixation	030. Avoid object reutilization
CWE-390. Detection of error condition without action	075. Record exceptional events in logs
CWE-396. Declaration of catch for generic exception	359. Avoid using generic exceptions
CWE-397. Declaration of throws for generic exception	359. Avoid using generic exceptions
CWE-400. Uncontrolled resource consumption	158. Use a secure programming language 164. Use optimized structures 173. Discard unsafe inputs 072. Set maximum response time
CWE-404. Improper resource shutdown or release	167. Close unused resources 023. Terminate inactive user sessions
CWE-409. Improper handling of highly compressed data (data amplification)	039. Define maximum file size
CWE-419. Unprotected primary channel	033. Restrict administrative access
CWE-434. Unrestricted upload of file with dangerous type	040. Compare file format and extension
CWE-444. Inconsistent interpretation of HTTP requests ("HTTP request smuggling")	173. Discard unsafe inputs 266. Disable insecure functionalities 062. Define standard configurations
CWE-453. Insecure default variable initialization	161. Define secure default options
CWE-456. Missing initialization of a variable	168. Initialize variables explicitly
CWE-457. Use of uninitialized variable	168. Initialize variables explicitly
CWE-459. Incomplete cleanup	183. Delete sensitive data securely 210. Delete information from mobile devices
CWE-494. Download of code without integrity check	330. Verify Subresource Integrity
CWE-497. Exposure of sensitive system information to an unauthorized control sphere	078. Disable debugging events 095. Define users with privileges
CWE-502. Deserialization of untrusted data	321. Avoid deserializing untrusted data
CWE-507. Trojan horse	155. Application free of malicious code 262. Verify third-party components
CWE-509. Replicating malicious code (virus or worm)	118. Inspect attachments 041. Scan files for malicious code
CWE-510. Trapdoor	154. Eliminate backdoors 155. Application free of malicious code
CWE-511. Logic/Time bomb	155. Application free of malicious code
CWE-512. Spyware	273. Define a fixed security suite
CWE-521. Weak password requirements	127. Store hashed passwords 129. Validate previous passwords 130. Limit password lifespan 132. Passphrases with at least 4 words 133. Passwords with at least 20 characters 332. Prevent the use of breached passwords
CWE-522. Insufficiently protected credentials	132. Passphrases with at least 4 words 133. Passwords with at least 20 characters 134. Store passwords with salt 135. Passwords with random salt 139. Set minimum OTP length 150. Set minimum size for hash functions
CWE-523. Unprotected transport of credentials	153. Out of band transactions 181. Transmit data using secure protocols
CWE-524. Use of cache containing sensitive information	177. Avoid caching and temporary files 209. Manage passwords in cache
CWE-525. Use of web browser cache containing sensitive information	177. Avoid caching and temporary files 349. Include HTTP security headers
CWE-526. Cleartext Storage of Sensitive Information in an Environment Variable	185. Encrypt sensitive information 300. Mask sensitive data
CWE-532. Insertion of sensitive information into log file	083. Avoid logging sensitive data
CWE-539. Use of persistent cookies containing sensitive information	342. Validate request parameters 029. Cookies with security attributes
CWE-540. Inclusion of sensitive information in source code	156. Source code without sensitive information
CWE-548. Exposure of information through directory listing	176. Restrict system objects 266. Disable insecure functionalities
CWE-549. Missing password field masking	300. Mask sensitive data
CWE-598. Use of GET request method with sensitive query strings	169. Use parameterized queries 342. Validate request parameters
CWE-601. URL redirection to untrusted site ("open redirect")	324. Control redirects
CWE-602. Client-side enforcement of server-side security	266. Disable insecure functionalities 320. Avoid client-side control enforcement
CWE-603. Use of client-side authentication	264. Request authentication
CWE-611. Improper restriction of XML External Entity reference	157. Use the strict mode 173. Discard unsafe inputs
CWE-613. Insufficient session expiration	369. Set a maximum lifetime in sessions 023. Terminate inactive user sessions 030. Avoid object reutilization 031. Discard user session data
CWE-614. Sensitive cookie in HTTPS session without 'secure' attribute	029. Cookies with security attributes
CWE-615. Inclusion of sensitive information in source code comments	156. Source code without sensitive information
CWE-620. Unverified password change	131. Deny multiple password changing attempts 238. Establish safe recovery 301. Notify configuration changes
CWE-639. Authorization bypass through user-controlled key	176. Restrict system objects 320. Avoid client-side control enforcement 035. Manage privilege modifications
CWE-640. Weak password recovery mechanism for forgotten password	126. Set a password regeneration mechanism 130. Limit password lifespan 131. Deny multiple password changing attempts 132. Passphrases with at least 4 words 133. Passwords with at least 20 characters 139. Set minimum OTP length 238. Establish safe recovery 332. Prevent the use of breached passwords 334. Avoid knowledge-based authentication 367. Proper generation of temporary passwords
CWE-642. External control of critical state data	026. Encrypt client-side session information
CWE-643. Improper neutralization of data within XPath expressions ("XPath injection")	173. Discard unsafe inputs
CWE-644. Improper neutralization of HTTP headers for scripting syntax	349. Include HTTP security headers
CWE-645. Overly restrictive account lockout mechanism	226. Avoid account lockouts
CWE-646. Reliance on file name or extension of externally-supplied file	340. Use octet stream downloads 040. Compare file format and extension 042. Validate file format
CWE-651. Exposure of WSDL file containing sensitive information	325. Protect WSDL files
CWE-693. Protection mechanism failure	266. Disable insecure functionalities 326. Detect rooted devices 351. Assign unique keys to each device 352. Enable trusted execution 354. Prevent firmware downgrades
CWE-710. Improper adherence to coding standards	158. Use a secure programming language 366. Associate type to variables 381. Use of absolute paths
CWE-732. Incorrect permission assignment for critical resource	186. Use the principle of least privilege 341. Use the principle of deny by default
CWE-749. Exposed dangerous method or function	266. Disable insecure functionalities 041. Scan files for malicious code
CWE-759. Use of a one-way hash without a salt	134. Store passwords with salt 135. Passwords with random salt
CWE-760. Use of a one-way hash with a predictable salt	134. Store passwords with salt 135. Passwords with random salt
CWE-770. Allocation of resources without limits or throttling	327. Set a rate limit 039. Define maximum file size 072. Set maximum response time
CWE-778. Insufficient logging	376. Register severity level 075. Record exceptional events in logs
CWE-779. Logging of excessive data	322. Avoid excessive logging
CWE-780. Use of RSA algorithm without OAEP	370. Use OAEP padding with RSA
CWE-798. Use of hard-coded credentials	156. Source code without sensitive information 172. Encrypt connection strings 357. Use stateless session tokens
CWE-799. Improper control of interaction frequency	237. Ascertain human interaction 327. Set a rate limit
CWE-804. Guessable CAPTCHA	237. Ascertain human interaction
CWE-830. Inclusion of web functionality from an untrusted source	353. Schedule firmware updates 050. Control calls to interpreted code
CWE-838. Inappropriate encoding for output context	348. Use consistent encoding
CWE-862. Missing authorization	319. Make authentication options equally secure
CWE-915. Improperly controlled modification of dynamically-determined object attributes	342. Validate request parameters 344. Avoid dynamic code execution
CWE-916. Use of password hash with insufficient computational effort	127. Store hashed passwords 134. Store passwords with salt 135. Passwords with random salt 333. Store salt values separately
CWE-918. Server-side request forgery (SSRF)	173. Discard unsafe inputs 324. Control redirects
CWE-922. Insecure storage of sensitive information	329. Keep client-side storage without sensitive data 339. Avoid storing sensitive files in the web root
CWE-923. Improper restriction of communication channel to intended endpoints	259. Segment the organization network 273. Define a fixed security suite
CWE-1004. Sensitive cookie without 'HttpOnly' flag	029. Cookies with security attributes
CWE-1021. Improper restriction of rendered UI layers or frames	340. Use octet stream downloads 349. Include HTTP security headers
CWE-1022. Use of web link to untrusted target with window.opener access	324. Control redirects
CWE-1041. Use of redundant code	171. Remove commented-out code
CWE-1085. Invokable control element with excessive volume of commented-out code	171. Remove commented-out code
CWE-1120. Excessive code complexity	379. Keep low McCabe cyclomatic complexity
CWE-1121. Excessive McCabe cyclomatic complexity	379. Keep low McCabe cyclomatic complexity
CWE-1192. System-on-Chip (SoC) using components without unique identifiers	352. Enable trusted execution
CWE-1204. Generation of weak initialization vector (IV)	372. Proper Use of Initialization Vector (IV)
CWE-1230. Exposure of sensitive information through metadata	045. Remove metadata when sharing files
CWE-1233. Improper hardware lock protection for security sensitive controls	351. Assign unique keys to each device 352. Enable trusted execution
CWE-1262. Improper access control for register interface	235. Define credential interface 252. Configure key encryption
CWE-1269. Product released in non-release configuration	154. Eliminate backdoors 159. Obfuscate code 078. Disable debugging events
CWE-1272. Sensitive information uncleared before debug/power state transition	360. Remove unnecessary sensitive information
CWE-1275. Sensitive cookie with improper sameSite attribute	029. Cookies with security attributes
CWE-1284. Improper validation of specified quantity in input	173. Discard unsafe inputs
CWE-1287. Improper validation of specified type of input	173. Discard unsafe inputs
CWE-1295. Debug messages revealing unnecessary information	083. Avoid logging sensitive data
CWE-1325. Improperly controlled sequential memory allocation	158. Use a secure programming language 164. Use optimized structures 173. Discard unsafe inputs 072. Set maximum response time
CWE-1390. Weak Authentication	228. Authenticate using standard protocols 264. Request authentication 319. Make authentication options equally secure 334. Avoid knowledge-based authentication 362. Assign MFA mechanisms to a single account
CWE-1391. Use of Weak Credentials	130. Limit password lifespan 132. Passphrases with at least 4 words 133. Passwords with at least 20 characters 135. Passwords with random salt 139. Set minimum OTP length 332. Prevent the use of breached passwords
CWE-1392. Use of Default Credentials	142. Change system default credentials 266. Disable insecure functionalities
CWE-1393. Use of Default Password	142. Change system default credentials 266. Disable insecure functionalities
CWE-1394. Use of Default Cryptographic Key	142. Change system default credentials 266. Disable insecure functionalities
CWE-1395. Dependency on Vulnerable Third-Party Component	262. Verify third-party components
CWE-1419. Incorrect Initialization of Resource	366. Associate type to variables

Last updated

2025/07/08