Common Weakness Enumeration — the root causes behind every CVE

CWE catalogs the root causes behind CVEs — SQL injection, XSS, broken auth, and 300+ others that keep showing up in security advisories. Each entry here covers how it happens, what it costs when someone exploits it, and the fix that actually closes it.

Showing 271–300 of 323 weaknesses

CWE-804

Guessable CAPTCHA

A guessable CAPTCHA is a human-verification challenge that can be solved or bypassed by automated tools, defeating its core purpose. When a CAPTCHA is too…

CWE-807

Reliance on Untrusted Inputs in a Security Decision

This weakness occurs when an application makes a security-critical decision—such as granting access, approving a transaction, or determining user…

CWE-822

Untrusted Pointer Dereference

Untrusted Pointer Dereference occurs when a program accepts a pointer value from an external source—user input, network data, or an untrusted library—and uses…

CWE-829

Inclusion of Functionality from Untrusted Control Sphere

This weakness occurs when an application loads and executes code, libraries, or scripts from a source outside its intended control — such as a user-supplied…

CWE-830

Inclusion of Web Functionality from an Untrusted Source

This weakness occurs when a website or application loads scripts, stylesheets, or other executable content from a source it does not control or verify. An…

CWE-833

Deadlock

A deadlock occurs when two or more threads or processes become stuck, each waiting for a resource that another of them holds, so that none of them can make progress. The…

CWE-834

Excessive Iteration

Excessive Iteration occurs when code performs a loop or recursive operation without properly limiting how many times it runs. An attacker can exploit this to…

CWE-835

Loop with Unreachable Exit Condition (Infinite Loop)

An infinite loop occurs when a program enters a loop that never terminates because its exit condition can never be met. This causes the application to consume…

CWE-836

Use of Password Hash Instead of Password for Authentication

This weakness occurs when a system treats a password hash as if it were a password itself, rather than as a one-way cryptographic representation. If an…

CWE-840

Business Logic Errors

Business logic errors occur when code works exactly as written, but the underlying logic itself is flawed in a way that violates the intended security or…

CWE-841

Improper Enforcement of Behavioral Workflow

This weakness occurs when software fails to enforce the correct sequence or state transitions in a multi-step process. An attacker can skip steps, repeat…

CWE-842

Placement of User into Incorrect Group

This weakness occurs when a user is assigned to the wrong group or role, causing them to receive permissions they shouldn't have or lose permissions they need…

CWE-843

Access of Resource Using Incompatible Type ('Type Confusion')

Type confusion occurs when code treats a resource (variable, object, or memory region) as a different type than it actually is. This mismatch can cause the…

CWE-862

Missing Authorization

Missing authorization occurs when a system verifies who a user is (authentication) but fails to check what they are allowed to do (authorization). An authenticated…

CWE-863

Incorrect Authorization

Incorrect authorization occurs when a system checks whether a user is allowed to perform an action, but the check itself is flawed—allowing unauthorized users…

CWE-908

Use of Uninitialized Resource

This weakness occurs when a program uses a variable, object, or resource before it has been assigned a valid initial value. The result is unpredictable…

CWE-909

Missing Initialization of Resource

Missing initialization of a resource occurs when a program fails to set up a critical variable, object, or system component before using it. This leaves the…

CWE-912

Hidden Functionality

Hidden functionality is code or features present in software that are not documented, advertised, or known to system administrators and users. This undisclosed…

CWE-913

Improper Control of Dynamically-Managed Code Resources

This weakness occurs when an application allows external input to influence how code is loaded, executed, or interpreted at runtime without proper validation…

CWE-915

Improperly Controlled Modification of Dynamically-Determined Object Attributes

Mass assignment is a vulnerability where an application automatically binds user-supplied input directly to object properties without restricting which…

CWE-916

Use of Password Hash With Insufficient Computational Effort

This weakness occurs when a password hashing algorithm is too fast or simple, allowing attackers who obtain a stolen password database to crack hashes offline…

CWE-917

Improper Neutralization of Special Elements used in an Expression Language Statement

Expression Language (EL) is a templating mechanism used in Java web frameworks and other platforms to dynamically evaluate expressions within templates. When…

CWE-918

Server-Side Request Forgery

Server-Side Request Forgery (SSRF) occurs when a web application fetches a URL or resource based on user input without properly validating the destination. An…

CWE-920

Improper Restriction of Power Consumption

This weakness occurs when software fails to limit how much power or battery a device consumes, allowing an attacker or malicious process to drain the device's…

CWE-922

Insecure Storage of Sensitive Information

This weakness occurs when sensitive data—such as passwords, API keys, authentication tokens, or personal information—is stored in a way that does not…

CWE-924

Improper Enforcement of Message Integrity During Transmission in a Communication Channel

This weakness occurs when software sends sensitive data over a communication channel without verifying that the message hasn't been altered in transit. An…

CWE-940

Improper Verification of Source of a Communication Channel

This weakness occurs when software accepts incoming requests or communications without properly verifying who or what initiated them. An attacker can…

CWE-941

Incorrectly Specified Destination in a Communication Channel

This weakness occurs when software sends data to the wrong destination—a misconfigured server, an unintended recipient, or an attacker-controlled…

CWE-942

Permissive Cross-domain Policy with Untrusted Domains

This weakness occurs when a web application's cross-origin resource sharing (CORS) policy or similar cross-domain mechanism is configured too broadly, allowing…

CWE-943

Improper Neutralization of Special Elements in Data Query Logic

This weakness occurs when an application builds a data query (SQL, NoSQL, LDAP, or similar) using unsanitized user input, allowing an attacker to inject special…

Page 10 of 11