Every vulnerability starts as a weakness.
CWE catalogs the root causes behind CVEs — SQL injection, XSS, broken auth, and 300+ others that keep showing up in security advisories. Each entry here covers how it happens, what it costs when someone exploits it, and the fix that actually closes it.
External Control of System or Configuration Setting
This weakness occurs when user-supplied input is allowed to directly control or modify system or application configuration settings without proper validation or…
Configuration
Configuration weaknesses occur when software settings, files, or environment variables are set up in ways that introduce security vulnerabilities. This includes…
Improper Input Validation
Improper input validation occurs when a program fails to check or correctly verify data received from users, files, APIs, or other external sources before using…
Path Traversal
Path traversal is a vulnerability that allows an attacker to access files or directories outside the intended restricted location by manipulating file paths wit…
Relative Path Traversal
Relative path traversal occurs when an application constructs file paths using user-supplied input without properly validating or sanitizing relative path seque…
Path Traversal (Multiple Leading Dots)
Path traversal using multiple leading dots is a file access vulnerability where an attacker manipulates file paths using sequences like ....// or ..../ to escap…
Improper Resolution of Path Equivalence
Path equivalence weaknesses occur when software fails to recognize that different representations of the same file path should be treated identically. An attack…
Improper Link Resolution Before File Access
This weakness occurs when software accesses a file by name without checking whether that name points to a symbolic link, shortcut, or other indirect reference t…
External Control of File Name or Path
This weakness occurs when user-supplied input is used directly to construct file paths without proper validation or restriction. An attacker can manipulate the…
Improper Neutralization of Special Elements in Output ('Injection')
Injection occurs when an application takes user-supplied input and uses it to construct a command, query, or code string without properly neutralizing special c…
Command Injection
Command injection occurs when an application constructs system commands using untrusted user input without proper sanitization or validation. An attacker can in…
OS Command Injection
OS Command Injection occurs when an application passes unsanitized user input directly to a system shell or command interpreter. An attacker can inject shell me…
Cross-Site Scripting
Cross-Site Scripting (XSS) occurs when user input is displayed on a web page without being properly sanitized or encoded, allowing an attacker to inject malicious…
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
This weakness occurs when user input is displayed on a web page without removing or escaping HTML tags and JavaScript event handlers. An attacker can inject mal…
Improper Neutralization of Script in Attributes in a Web Page
This weakness occurs when user-controlled data is inserted into HTML attributes without proper escaping or validation, allowing an attacker to break out of the…
Improper Neutralization of Alternate XSS Syntax
This weakness occurs when a developer tries to prevent cross-site scripting (XSS) attacks by blocking obvious patterns like <script> tags, but fails to account fo…
Argument Injection
Argument injection occurs when an application constructs command-line arguments from user-supplied input without properly sanitizing or escaping special charact…
SQL Injection
SQL injection occurs when an application constructs database queries by concatenating user input directly into SQL commands without proper sanitization or param…
LDAP Injection
LDAP Injection occurs when an application constructs LDAP queries using unsanitized user input, allowing an attacker to alter the query logic and bypass authent…
XML Injection
XML Injection occurs when user-supplied input is inserted into XML documents without proper sanitization or encoding. An attacker can inject malicious XML tags,…
CRLF Injection
CRLF injection occurs when an application accepts user input and uses it to construct messages, headers, or records that rely on carriage return (\r) and line fee…
Code Injection
Code injection occurs when an application constructs executable code using untrusted input without proper validation or sanitization. An attacker can inject mal…
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Eval injection occurs when an application passes user-controlled input directly to code evaluation functions like eval, exec, or similar dynamic code execution…
Improper Neutralization of Directives in Statically Included Code ('Static Code Injection')
Static code injection occurs when user input is directly embedded into code that is then parsed and executed as part of the application's logic, without sanitiz…
Improper Neutralization of Server-Side Includes (SSI) Injection
Server-Side Includes (SSI) is a server feature that processes special directives embedded in HTML files before sending them to the browser. If a web application a…
PHP Remote File Inclusion
Remote File Inclusion (RFI) occurs when a PHP application uses untrusted input to determine which file to include or require, allowing an attacker to load and exe…
Resource Injection
Resource Injection occurs when an application allows user-controlled input to directly specify or influence the names, paths, or identifiers of system resources…
Missing XML Validation
This weakness occurs when an application accepts XML input without validating it against a schema or DTD (Document Type Definition). Without validation, an attack…
HTTP Response Splitting
HTTP Response Splitting occurs when user-controlled input is inserted into HTTP response headers without removing or escaping carriage return and line feed char…
Process Control
This weakness occurs when a program allows external input from a user, network request, file, or environment to directly influence which process is executed, wh…