Every vulnerability starts as a weakness.

CWE catalogs the root causes behind CVEs — SQL injection, XSS, broken auth, and 300+ others that keep showing up in security advisories. Each entry here covers how it happens, what it costs when someone exploits it, and the fix that actually closes it.

Showing 1–30 of 323 weaknesses

CWE-15: External Control of System or Configuration Setting
This weakness occurs when user-supplied input is allowed to directly control or modify system or application configuration settings without proper validation or…

CWE-16: Configuration
Configuration weaknesses occur when software settings, files, or environment variables are set up in ways that introduce security vulnerabilities. This includes…

CWE-20: Improper Input Validation
Improper input validation occurs when a program fails to check or correctly verify data received from users, files, APIs, or other external sources before using…

CWE-22: Path Traversal
Path traversal is a vulnerability that allows an attacker to access files or directories outside the intended restricted location by manipulating file paths wit…

CWE-23: Relative Path Traversal
Relative path traversal occurs when an application constructs file paths using user-supplied input without properly validating or sanitizing relative path seque…

CWE-35: Path Traversal (Multiple Leading Dots)
Path traversal using multiple leading dots is a file access vulnerability where an attacker manipulates file paths using sequences like ....// or ..../ to escap…

CWE-41: Improper Resolution of Path Equivalence
Path equivalence weaknesses occur when software fails to recognize that different representations of the same file path should be treated identically. An attack…

CWE-59: Improper Link Resolution Before File Access
This weakness occurs when software accesses a file by name without checking whether that name points to a symbolic link, shortcut, or other indirect reference t…

CWE-73: External Control of File Name or Path
This weakness occurs when user-supplied input is used directly to construct file paths without proper validation or restriction. An attacker can manipulate the…

CWE-74: Improper Neutralization of Special Elements in Output ('Injection')
Injection occurs when an application takes user-supplied input and uses it to construct a command, query, or code string without properly neutralizing special c…

CWE-77: Command Injection
Command injection occurs when an application constructs system commands using untrusted user input without proper sanitization or validation. An attacker can in…

CWE-78: OS Command Injection
OS Command Injection occurs when an application passes unsanitized user input directly to a system shell or command interpreter. An attacker can inject shell me…

CWE-79: Cross-Site Scripting
Cross-Site Scripting (XSS) occurs when user input is displayed on a web page without being properly sanitized or encoded, allowing an attacker to inject malicious…

CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
This weakness occurs when user input is displayed on a web page without removing or escaping HTML tags and JavaScript event handlers. An attacker can inject mal…

CWE-83: Improper Neutralization of Script in Attributes in a Web Page
This weakness occurs when user-controlled data is inserted into HTML attributes without proper escaping or validation, allowing an attacker to break out of the…

CWE-87: Improper Neutralization of Alternate XSS Syntax
This weakness occurs when a developer tries to prevent cross-site scripting (XSS) attacks by blocking obvious patterns like <script> tags, but fails to account fo…

CWE-88: Argument Injection
Argument injection occurs when an application constructs command-line arguments from user-supplied input without properly sanitizing or escaping special charact…

CWE-89: SQL Injection
SQL injection occurs when an application constructs database queries by concatenating user input directly into SQL commands without proper sanitization or param…

CWE-90: LDAP Injection
LDAP Injection occurs when an application constructs LDAP queries using unsanitized user input, allowing an attacker to alter the query logic and bypass authent…

CWE-91: XML Injection
XML Injection occurs when user-supplied input is inserted into XML documents without proper sanitization or encoding. An attacker can inject malicious XML tags,…

CWE-93: CRLF Injection
CRLF injection occurs when an application accepts user input and uses it to construct messages, headers, or records that rely on carriage return (\r) and line fee…

CWE-94: Code Injection
Code injection occurs when an application constructs executable code using untrusted input without proper validation or sanitization. An attacker can inject mal…

CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
Eval injection occurs when an application passes user-controlled input directly to code evaluation functions like eval, exec, or similar dynamic code execution…

CWE-96: Improper Neutralization of Directives in Statically Included Code ('Static Code Injection')
Static code injection occurs when user input is directly embedded into code that is then parsed and executed as part of the application's logic, without sanitiz…

CWE-97: Improper Neutralization of Server-Side Includes (SSI) Injection
Server-Side Includes (SSI) is a server feature that processes special directives embedded in HTML files before sending them to the browser. If a web application a…

CWE-98: PHP Remote File Inclusion
Remote File Inclusion (RFI) occurs when a PHP application uses untrusted input to determine which file to include or require, allowing an attacker to load and exe…

CWE-99: Resource Injection
Resource Injection occurs when an application allows user-controlled input to directly specify or influence the names, paths, or identifiers of system resources…

CWE-112: Missing XML Validation
This weakness occurs when an application accepts XML input without validating it against a schema or DTD (Document Type Definition). Without validation, an attack…

CWE-113: HTTP Response Splitting
HTTP Response Splitting occurs when user-controlled input is inserted into HTTP response headers without removing or escaping carriage return and line feed char…

CWE-114: Process Control
This weakness occurs when a program allows external input from a user, network request, file, or environment to directly influence which process is executed, wh…