The Common Weakness Enumeration (CWE) is a standardized list of software flaws, such as defects in code, architecture, or design, that can lead to vulnerabilities exploitable by internal or external actors. Because these flaws can affect both software performance and security, identifying and addressing them is crucial for organizations. Established in 2005, CWE was developed as a community-driven effort to provide a common baseline for identifying and categorizing software weaknesses. With CWE as a shared vocabulary, organizations can apply measurable security technologies to detect, mitigate, and prevent exploitation of their systems, which matters all the more as companies move to cloud computing. Although CWE is widely used by both government and private-sector organizations as a "universal" standard for identifying software weaknesses, it is not yet part of the Security Content Automation Protocol (SCAP). The National Vulnerability Database (NVD) uses CWE to classify Common Vulnerabilities and Exposures (CVEs) by the type of weakness they represent. CWE uses standardized language and identifiers to provide consistent, reliable data that is freely accessible to anyone, from researchers to engineers to home users. The table below groups commonly cited CWE IDs into broad categories; the groupings are this page's own rather than an official CWE view, and a single CWE may appear under more than one category.

CWE ID | CWE Name | Category |
---|---|---|
CWE-264 | Permissions, Privileges, and Access Control | Access Control |
CWE-269 | Improper Privilege Management | Access Control |
CWE-284 | Improper Access Control | Access Control |
CWE-285 | Improper Authorization | Access Control |
CWE-287 | Improper Authentication | Access Control |
CWE-306 | Missing Authentication for Critical Function | Access Control |
CWE-352 | Cross-Site Request Forgery (CSRF) | Access Control |
CWE-16 | Configuration | Configuration |
CWE-455 | Improper Initialization | Configuration |
CWE-504 | Use of Uninitialized Resource | Configuration |
CWE-927 | Use of Implicit Intent for Sensitive Communication | Configuration |
CWE-310 | Cryptographic Issues | Cryptography |
CWE-326 | Inadequate Encryption Strength | Cryptography |
CWE-327 | Use of a Broken or Risky Cryptographic Algorithm | Cryptography |
CWE-328 | Reversible One-Way Hash | Cryptography |
CWE-330 | Use of Insufficiently Random Values | Cryptography |
CWE-338 | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) | Cryptography |
CWE-400 | Uncontrolled Resource Consumption | Denial of Service |
CWE-404 | Improper Resource Shutdown or Release | Denial of Service |
CWE-703 | Improper Check or Handling of Exceptional Conditions | Denial of Service |
CWE-770 | Allocation of Resources Without Limits or Throttling | Denial of Service |
CWE-829 | Inclusion of Functionality from Untrusted Control Sphere | Denial of Service |
CWE-1284 | Improper Validation of Message Integrity During Deserialization | Deserialization |
CWE-327 | Use of a Broken or Risky Cryptographic Algorithm | Deserialization |
CWE-502 | Deserialization of Untrusted Data | Deserialization |
CWE-23 | Relative Path Traversal | File Handling |
CWE-276 | Incorrect Default Permissions | File Handling |
CWE-434 | Unrestricted Upload of File with Dangerous Type | File Handling |
CWE-552 | Files or Directories Accessible to External Parties | File Handling |
CWE-73 | External Control of File Name or Path | File Handling |
CWE-20 | Improper Input Validation | Improper Input Handling |
CWE-209 | Generation of Error Message Containing Sensitive Information | Improper Input Handling |
CWE-78 | Improper Neutralization of Special Elements used in an OS Command (OS Command Injection) | Improper Input Handling |
CWE-91 | XML Injection | Improper Input Handling |
CWE-200 | Information Exposure | Information Disclosure |
CWE-201 | Exposure of Sensitive Information Through Sent Data | Information Disclosure |
CWE-202 | Exposure of Sensitive Data to an Unauthorized Actor | Information Disclosure |
CWE-522 | Insufficiently Protected Credentials | Information Disclosure |
CWE-532 | Information Exposure Through Log Files | Information Disclosure |
CWE-538 | Inclusion of Sensitive Information in Debugging Output | Information Disclosure |
CWE-564 | SQL Injection in Web Applications | Injection |
CWE-564 | SQL Injection through SOAP Parameter Tampering | Injection |
CWE-643 | XPath Injection | Injection |
CWE-77 | Command Injection | Injection |
CWE-89 | SQL Injection | Injection |
CWE-94 | Code Injection | Injection |
CWE-98 | Server-Side Include (SSI) Injection | Injection |
CWE-264 | Permissions, Privileges, and Access Controls | Insecure Data Handling |
CWE-309 | Use of Hard-coded Credentials | Insecure Data Handling |
CWE-602 | Client-Side Enforcement of Server-Side Security | Insecure Data Handling |
CWE-640 | Weak Password Recovery Mechanism for Forgotten Password | Insecure Data Handling |
CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | Memory |
CWE-120 | Buffer Copy without Checking Size of Input (Classic Buffer Overflow) | Memory |
CWE-125 | Out-of-bounds Read | Memory |
CWE-362 | Race Condition | Memory |
CWE-415 | Double Free | Memory |
CWE-416 | Use After Free | Memory |
CWE-787 | Out-of-bounds Write | Memory |
CWE-250 | Execution with Unnecessary Privileges | Privilege Escalation |
CWE-266 | Incorrect Privilege Assignment | Privilege Escalation |
CWE-269 | Improper Privilege Management | Privilege Escalation |
CWE-276 | Incorrect Default Permissions | Privilege Escalation |
CWE-20 | Improper Input Validation | RCE |
CWE-502 | Deserialization of Untrusted Data | RCE |
CWE-77 | Command Injection | RCE |
CWE-88 | Argument Injection or Modification | RCE |
CWE-94 | Improper Control of Generation of Code (Code Injection) | RCE |
CWE-287 | Improper Authentication | Weak Authentication |
CWE-294 | Authentication Bypass by Capture-replay | Weak Authentication |
CWE-308 | Use of Incorrectly Implemented Security Mechanism | Weak Authentication |
CWE-521 | Weak Password Requirements | Weak Authentication |
CWE-523 | Unprotected Transport of Credentials | Weak Authentication |
CWE-613 | Insufficient Session Expiration | Weak Authentication |
CWE-116 | Improper Encoding or Escaping of Output | XSS |
CWE-601 | Open Redirect | XSS |
CWE-705 | Double Encoding of Input | XSS |
CWE-79 | Cross-Site Scripting (XSS) | XSS |
CWE-80 | Improper Neutralization of Script in Attribute Context | XSS |
vunerability-insight.com © 2023 - 2025. All Rights Reserved.