Home › CWE weaknessesBrowse CVEs by CWE weakness type Every CVE stems from an underlying software weakness, classified by the Common Weakness Enumeration (CWE) — cross-site scripting, SQL injection, out-of-bounds writes, and hundreds more. Pick a weakness to see the CVEs that share it, ordered by CVSS severity.
Most common weaknesses CWE-79 — Cross-site Scripting (XSS) — 44,970 CVEsCWE-89 — SQL Injection — 17,949 CVEsCWE-787 — Out-of-bounds Write — 13,005 CVEsCWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer — 12,997 CVEsCWE-20 — Improper Input Validation — 11,758 CVEsCWE-200 — Exposure of Sensitive Information to an Unauthorized Actor — 9,382 CVEsCWE-22 — Path Traversal — 9,136 CVEsCWE-352 — Cross-Site Request Forgery (CSRF) — 9,133 CVEsCWE-125 — Out-of-bounds Read — 8,566 CVEsCWE-862 — Missing Authorization — 7,918 CVEsCWE-416 — Use After Free — 7,218 CVEsCWE-78 — OS Command Injection — 5,543 CVEsCWE-264 — Permissions, Privileges, and Access Controls — 5,229 CVEsCWE-476 — NULL Pointer Dereference — 5,145 CVEsCWE-94 — Code Injection — 4,999 CVEsCWE-284 — Improper Access Control — 4,252 CVEsCWE-287 — Improper Authentication — 4,080 CVEsCWE-434 — Unrestricted Upload of File with Dangerous Type — 3,749 CVEsCWE-120 — Classic Buffer Overflow — 3,496 CVEsCWE-74 — Improper Neutralization of Special Elements (Injection) — 3,078 CVEsCWE-190 — Integer Overflow or Wraparound — 2,968 CVEsCWE-77 — Command Injection — 2,968 CVEsCWE-863 — Incorrect Authorization — 2,795 CVEsCWE-400 — Uncontrolled Resource Consumption — 2,711 CVEsCWE-502 — Deserialization of Untrusted Data — 2,709 CVEsCWE-269 — Improper Privilege Management — 2,629 CVEsCWE-918 — Server-Side Request Forgery (SSRF) — 2,627 CVEsCWE-399 — Resource Management Errors — 2,558 CVEsCWE-310 — Cryptographic Issues — 2,429 CVEsCWE-362 — Race Condition — 2,287 CVEsCWE-306 — Missing Authentication for Critical Function — 2,179 CVEsCWE-401 — Missing Release of Memory after Effective Lifetime — 1,784 CVEsCWE-639 — Authorization Bypass Through User-Controlled Key (IDOR) — 1,735 CVEsCWE-770 — Allocation of Resources Without Limits or Throttling — 1,725 CVEsCWE-798 — Use of Hard-coded Credentials — 1,605 CVEsCWE-732 — Incorrect Permission Assignment for Critical Resource — 1,549 CVEsCWE-59 — Improper Link Resolution Before File Access (Link Following) — 1,494 CVEsCWE-601 — Open Redirect — 1,483 CVEsCWE-121 — Stack-based Buffer Overflow — 1,453 CVEsCWE-276 — Incorrect Default Permissions — 1,448 CVEsCWE-295 — Improper Certificate Validation — 1,389 CVEsCWE-122 — Heap-based Buffer Overflow — 1,381 CVEsCWE-611 — Improper Restriction of XML External Entity Reference (XXE) — 1,227 CVEsCWE-522 — Insufficiently Protected Credentials — 1,222 CVEsCWE-189 — Numeric Errors — 1,215 CVEsCWE-98 — PHP Remote File Inclusion — 1,202 CVEsCWE-427 — Uncontrolled Search Path Element — 1,113 CVEsCWE-532 — Insertion of Sensitive Information into Log File — 1,088 CVEsCWE-266 — Incorrect Privilege Assignment — 875 CVEsCWE-285 — Improper Authorization — 839 CVEsCWE-319 — Cleartext Transmission of Sensitive Information — 830 CVEsCWE-835 — Loop with Unreachable Exit Condition (Infinite Loop) — 777 CVEsCWE-415 — Double Free — 769 CVEsCWE-312 — Cleartext Storage of Sensitive Information — 751 CVEsCWE-255 — Credentials Management Errors — 725 CVEsCWE-617 — Reachable Assertion — 721 CVEsCWE-908 — Use of Uninitialized Resource — 708 CVEsCWE-203 — Observable Discrepancy — 705 CVEsCWE-668 — Exposure of Resource to Wrong Sphere — 667 CVEsCWE-843 — 660 CVEsCWE-667 — Improper Locking — 658 CVEsCWE-347 — Improper Verification of Cryptographic Signature — 641 CVEsCWE-327 — Use of a Broken or Risky Cryptographic Algorithm — 625 CVEsCWE-426 — Untrusted Search Path — 622 CVEsCWE-367 — Time-of-check Time-of-use (TOCTOU) Race Condition — 607 CVEsCWE-404 — 606 CVEsCWE-290 — 572 CVEsCWE-307 — Improper Restriction of Excessive Authentication Attempts — 569 CVEsCWE-129 — Improper Validation of Array Index — 559 CVEsCWE-345 — Insufficient Verification of Data Authenticity — 537 CVEsCWE-754 — Improper Check for Unusual or Exceptional Conditions — 536 CVEsCWE-346 — 532 CVEsCWE-209 — Generation of Error Message Containing Sensitive Information — 529 CVEsCWE-755 — Improper Handling of Exceptional Conditions — 528 CVEsCWE-613 — Insufficient Session Expiration — 524 CVEsCWE-693 — Protection Mechanism Failure — 492 CVEsCWE-1321 — Prototype Pollution — 475 CVEsCWE-369 — Divide By Zero — 442 CVEsCWE-772 — 439 CVEsCWE-288 — 437 CVEsCWE-428 — 437 CVEsCWE-326 — Inadequate Encryption Strength — 420 CVEsCWE-674 — Uncontrolled Recursion — 413 CVEsCWE-552 — Files or Directories Accessible to External Parties — 407 CVEsCWE-191 — Integer Underflow — 406 CVEsCWE-1333 — 391 CVEsCWE-384 — Session Fixation — 389 CVEsCWE-134 — 384 CVEsCWE-1021 — 381 CVEsCWE-254 — 380 CVEsCWE-330 — Use of Insufficiently Random Values — 343 CVEsCWE-88 — Argument Injection — 338 CVEsCWE-73 — 325 CVEsCWE-497 — 322 CVEsCWE-665 — Improper Initialization — 321 CVEsCWE-444 — HTTP Request/Response Smuggling — 320 CVEsCWE-311 — Missing Encryption of Sensitive Data — 319 CVEsCWE-116 — 316 CVEsCWE-281 — Improper Preservation of Permissions — 312 CVEsCWE-201 — 308 CVEsCWE-1284 — Improper Validation of Specified Quantity in Input — 294 CVEsCWE-922 — 292 CVEsCWE-16 — 287 CVEsCWE-1236 — Improper Neutralization of Formula Elements in a CSV File — 285 CVEsCWE-451 — 267 CVEsCWE-824 — 266 CVEsCWE-640 — 254 CVEsCWE-250 — 252 CVEsCWE-704 — Incorrect Type Conversion or Cast — 249 CVEsCWE-1188 — Insecure Default Initialization of Resource — 244 CVEsCWE-521 — Weak Password Requirements — 240 CVEsCWE-80 — 240 CVEsCWE-19 — 230 CVEsCWE-23 — 230 CVEsCWE-126 — Buffer Over-read — 220 CVEsCWE-829 — 216 CVEsCWE-425 — 213 CVEsCWE-610 — 209 CVEsCWE-294 — Authentication Bypass by Capture-replay — 206 CVEsCWE-193 — Off-by-one Error — 187 CVEs