Common Weakness Enumeration — the root causes behind every CVE
CWE catalogs the root causes behind CVEs — SQL injection, XSS, broken auth, and 300+ others that keep showing up in security advisories. Each entry here covers how it happens, what it costs when someone exploits it, and the fix that actually closes it.
Sensitive Cookie Without 'HttpOnly' Flag
This weakness occurs when a web application stores sensitive data such as session tokens, authentication credentials, or user identifiers in a cookie without…
Improper Restriction of Rendered UI Layers or Frames (Clickjacking)
Clickjacking is a deceptive technique where an attacker embeds your website in a hidden frame on a malicious page, then overlays fake buttons or content on…
Use of Web Link to Untrusted Target with window.opener Access
When a web page links to an external site using a standard <a> tag without the rel="noopener" attribute, the destination page gains access to the originating…
Incomplete Comparison with Missing Factors
This weakness occurs when code compares two entities such as users, files, or requests but checks only some of the required characteristics, ignoring others…
Comparison of Incompatible Types
This weakness occurs when a program compares values of different types without proper type checking or conversion, allowing the language's type coercion rules…
Comparison Using Wrong Factors
This weakness occurs when software compares two entities (users, files, requests, etc.) using incomplete or insufficient criteria, leading it to treat unrelated…
Use of Redundant Code
Redundant code — identical or near-identical logic duplicated across multiple locations in a codebase — creates a maintenance and security risk. When a…
Empty Exception Block
An empty exception block is code that catches an error but does nothing with it — no logging, no recovery, no user notification. This silently hides problems…
Empty Code Block
An empty code block—such as an if statement, loop, or exception handler with no body—often signals incomplete or abandoned logic. While not always a security…
Floating Point Comparison with Incorrect Operator
This weakness occurs when code compares floating-point numbers for exact equality, ignoring the inherent imprecision of how computers represent decimal values…
Use of Unmaintained Third Party Components
This weakness occurs when software depends on third-party libraries, frameworks, or plugins that are no longer actively maintained or supported by their…
Insecure Default Initialization of Resource
This weakness occurs when software ships with default settings that are unsafe—such as default credentials, overly permissive access controls, or disabled…
Insufficient Granularity of Access Control
This weakness occurs when a system groups multiple actions or resources under a single permission, forcing users to grant broad access when they only need…
Improper Neutralization of Formula Elements in a CSV File
This weakness occurs when user input is written directly into a CSV file without escaping formula characters. When a spreadsheet application (Excel, Google…
Sensitive Cookie with Improper SameSite Attribute
This weakness occurs when a web application stores sensitive data such as session tokens or authentication credentials in a cookie but fails to set the…
Improper Validation of Specified Quantity in Input
This weakness occurs when software accepts a quantity value—such as a file size, array index, buffer length, or count—without properly checking whether it is…
Improper Validation of Specified Type of Input
This weakness occurs when software accepts input that should be a specific data type (integer, email, URL, etc.) but fails to properly verify that the input…
Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution)
Prototype pollution is a vulnerability in JavaScript applications where an attacker can modify the prototype of a base object like Object.prototype by…
Inefficient Regular Expression Complexity (ReDoS)
Regular expression denial of service (ReDoS) occurs when a poorly written regex pattern causes excessive CPU consumption when processing certain inputs. An…
Improper Neutralization of Special Elements Used in a Template Engine
Server-side template injection (SSTI) occurs when user input is embedded directly into a template engine without proper escaping or sanitization. An attacker can…
Missing Origin Validation in WebSockets Handshake
WebSocket connections begin with an HTTP handshake that includes an Origin header identifying where the request came from. If a server accepts WebSocket…
Weak Authentication
Weak authentication occurs when a system relies on easily defeated verification methods to confirm a user's identity. This might include simple passwords…
Use of Weak Credentials
This weakness occurs when software relies on credentials—passwords, API keys, encryption keys, or tokens—that are too simple, short, or predictable to resist…