Common Weakness Enumeration — the root causes behind every CVE

CWE catalogs the root causes behind CVEs — SQL injection, XSS, broken auth, and 300+ others that keep showing up in security advisories. Each entry here covers how it happens, what it costs when someone exploits it, and the fix that actually closes it.

Showing 301–323 of 323 weaknesses

CWE-1004

Sensitive Cookie Without 'HttpOnly' Flag

This weakness occurs when a web application stores sensitive data such as session tokens, authentication credentials, or user identifiers in a cookie without…

CWE-1021

Improper Restriction of Rendered UI Layers or Frames (Clickjacking)

Clickjacking is a deceptive technique where an attacker embeds your website in a hidden frame on a malicious page, then overlays fake buttons or content on…

CWE-1022

Use of Web Link to Untrusted Target with window.opener Access

When a web page links to an external site using a standard <a> tag without the rel="noopener" attribute, the destination page gains access to the originating…

CWE-1023

Incomplete Comparison with Missing Factors

This weakness occurs when code compares two entities such as users, files, or requests but checks only some of the required characteristics, ignoring others…

CWE-1024

Comparison of Incompatible Types

This weakness occurs when a program compares values of different types without proper type checking or conversion, allowing the language's type coercion rules…

CWE-1025

Comparison Using Wrong Factors

This weakness occurs when software compares two entities (users, files, requests, etc.) using incomplete or insufficient criteria, leading it to treat unrelated…

CWE-1041

Use of Redundant Code

Redundant code — identical or near-identical logic duplicated across multiple locations in a codebase — creates a maintenance and security risk. When a…

CWE-1069

Empty Exception Block

An empty exception block is code that catches an error but does nothing with it — no logging, no recovery, no user notification. This silently hides problems…

CWE-1071

Empty Code Block

An empty code block—such as an if statement, loop, or exception handler with no body—often signals incomplete or abandoned logic. While not always a security…

CWE-1077

Floating Point Comparison with Incorrect Operator

This weakness occurs when code compares floating-point numbers for exact equality, ignoring the inherent imprecision of how computers represent decimal values…

CWE-1104

Use of Unmaintained Third Party Components

This weakness occurs when software depends on third-party libraries, frameworks, or plugins that are no longer actively maintained or supported by their…

CWE-1188

Insecure Default Initialization of Resource

This weakness occurs when software ships with default settings that are unsafe—such as default credentials, overly permissive access controls, or disabled…

CWE-1220

Insufficient Granularity of Access Control

This weakness occurs when a system groups multiple actions or resources under a single permission, forcing users to grant broad access when they only need…

CWE-1236

Improper Neutralization of Formula Elements in a CSV File

This weakness occurs when user input is written directly into a CSV file without escaping formula characters. When a spreadsheet application (Excel, Google…

CWE-1275

Sensitive Cookie with Improper SameSite Attribute

This weakness occurs when a web application stores sensitive data such as session tokens or authentication credentials in a cookie but fails to set the…

CWE-1284

Improper Validation of Specified Quantity in Input

This weakness occurs when software accepts a quantity value—such as a file size, array index, buffer length, or count—without properly checking whether it is…

CWE-1287

Improper Validation of Specified Type of Input

This weakness occurs when software accepts input that should be a specific data type (integer, email, URL, etc.) but fails to properly verify that the input…

CWE-1321

Improperly Controlled Modification of Object Prototype Attributes (Prototype Pollution)

Prototype pollution is a vulnerability in JavaScript applications where an attacker can modify the prototype of a base object like Object.prototype by…

CWE-1333

Inefficient Regular Expression Complexity (ReDoS)

Regular expression denial of service (ReDoS) occurs when a poorly written regex pattern causes excessive CPU consumption when processing certain inputs. An…

CWE-1336

Improper Neutralization of Special Elements Used in a Template Engine

Server-side template injection (SSTI) occurs when user input is embedded directly into a template engine without proper escaping or sanitization. An attacker can…

CWE-1385

Missing Origin Validation in WebSockets Handshake

WebSocket connections begin with an HTTP handshake that includes an Origin header identifying where the request came from. If a server accepts WebSocket…

CWE-1390

Weak Authentication

Weak authentication occurs when a system relies on easily defeated verification methods to confirm a user's identity. This might include simple passwords…

CWE-1391

Use of Weak Credentials

This weakness occurs when software relies on credentials—passwords, API keys, encryption keys, or tokens—that are too simple, short, or predictable to resist…

Page 11 of 11