Common Weakness Enumeration: the root causes behind CVEs

CWE catalogs the root causes behind CVEs: SQL injection, XSS, broken authentication, and 300+ other weakness classes that keep showing up in security advisories. Each entry here covers how the weakness arises, what it costs when someone exploits it, and the fix that actually closes it.

Showing 31–60 of 323 weaknesses

CWE-115

Misinterpretation of Input

Misinterpretation of input occurs when software processes user-supplied or external data in a way that differs from the developer's intent, leading to a…

CWE-116

Improper Encoding or Escaping of Output

This weakness occurs when an application fails to properly encode or escape data before sending it to another component—such as a web browser, database, or…
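Added example for CWE-116, written for this page rather than taken from it or from MITRE's entry: the same HTML attribute rendered with and without context-appropriate escaping. The template, the `html_escape` helper and the constructed payload are this example's own assumptions; the escape set is the standard five characters for HTML text and double-quoted attribute contexts.

```c
#include <stdio.h>
#include <string.h>

/* Encode text for an HTML text node or a double-quoted attribute value.
   The five characters below are the ones that can change markup structure
   in those contexts; everything else is copied through. Returns the output
   length (excluding the NUL) or -1 if out cannot hold the result. */
int html_escape(const char *in, char *out, size_t out_size)
{
    size_t o = 0;
    for (const char *p = in; *p; p++) {
        const char *rep;
        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#x27;"; break;
        default:   rep = NULL;     break;
        }
        size_t rl = rep ? strlen(rep) : 1;
        if (o + rl >= out_size)          /* keep room for the terminator */
            return -1;
        if (rep)
            memcpy(out + o, rep, rl);
        else
            out[o] = *p;
        o += rl;
    }
    out[o] = '\0';
    return (int)o;
}

/* Before: the value goes straight into the attribute. A value of
   x" onmouseover="alert(1)  closes the attribute and adds a handler. */
int render_attr_unescaped(const char *value, char *out, size_t n)
{
    return snprintf(out, n, "<input value=\"%s\">", value);
}

/* After: same template, value encoded for the attribute context first. */
int render_attr_escaped(const char *value, char *out, size_t n)
{
    char esc[256];
    if (html_escape(value, esc, sizeof esc) < 0)
        return -1;
    return snprintf(out, n, "<input value=\"%s\">", esc);
}

/* Check helpers: compare the escaped form, and test whether the injected
   handler survives rendering intact. */
int escaped_equals(const char *in, const char *expect)
{
    char buf[512];
    return html_escape(in, buf, sizeof buf) >= 0 && strcmp(buf, expect) == 0;
}

int attr_injection_succeeds(int escape, const char *value)
{
    char out[512];
    int rc = escape ? render_attr_escaped(value, out, sizeof out)
                    : render_attr_unescaped(value, out, sizeof out);
    return rc >= 0 && strstr(out, "\" onmouseover=\"") != NULL;
}

int main(void)
{
    const char *payload = "x\" onmouseover=\"alert(1)";   /* constructed input */
    char out[512];
    render_attr_unescaped(payload, out, sizeof out);
    printf("unescaped: %s\n", out);
    render_attr_escaped(payload, out, sizeof out);
    printf("escaped:   %s\n", out);
    return 0;
}
```

The encoder is context-specific by design: the same value placed inside a `<script>` block, a URL, or a CSS property needs a different encoder, which is exactly why a single "sanitize on input" pass does not close CWE-116.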

CWE-117

Improper Output Neutralization for Logs

Log injection occurs when user-controlled data is written directly to application logs without sanitization, allowing an attacker to forge log entries or…

CWE-119

Improper Restriction of Operations within the Bounds of a Memory Buffer

This weakness occurs when software reads from or writes to memory locations outside the boundaries of an allocated buffer. An attacker who can control the data…

CWE-120

Buffer Copy without Checking Size of Input

This weakness occurs when a program copies data from one buffer to another without first checking whether the source data will fit in the destination. If the…

CWE-121

Stack-based Buffer Overflow

A stack-based buffer overflow occurs when a program writes more data into a buffer than it can hold, and that buffer is stored on the stack. Because the stack…
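Added example for CWE-119, CWE-120 and CWE-121, not code from the page: an unchecked copy into a fixed-size stack buffer beside a copy that takes the destination capacity as a parameter and refuses input that does not fit. The 16-byte buffer size and the helper names are this example's own choices; the unchecked form is included for contrast and is only ever called with short input here.

```c
#include <stdio.h>
#include <string.h>

/* Before (CWE-120 into a stack buffer, CWE-121): strcpy() copies until the
   source's NUL, with no relation to the size of dst. A source of 16 or
   more bytes writes past the end of a 16-byte stack buffer. */
static void copy_unchecked(char *dst, const char *src)
{
    strcpy(dst, src);
}

/* After: the capacity is explicit and the copy is refused, not silently
   truncated, when the source plus its terminator would not fit.
   Returns the number of bytes copied, or -1 if refused. */
int copy_checked(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    if (dst_size == 0 || n >= dst_size)   /* need n bytes plus the NUL */
        return -1;
    memcpy(dst, src, n + 1);
    return (int)n;
}

/* Helper used by the demo and the test: copy into a 16-byte stack buffer
   and report the outcome of copy_checked(). */
int fits_in_16(const char *src)
{
    char buf[16];
    return copy_checked(buf, sizeof buf, src);
}

int main(void)
{
    char name[16];
    copy_unchecked(name, "alice");          /* safe only because the input is short */
    printf("unchecked copy: %s\n", name);
    printf("checked, 5 bytes:  %d\n", fits_in_16("alice"));
    printf("checked, 15 bytes: %d\n", fits_in_16("123456789012345"));
    printf("checked, 16 bytes: %d\n", fits_in_16("1234567890123456"));
    return 0;
}
```

Refusing rather than truncating matters: a truncated filename or hostname is a different value than the caller validated, and truncation bugs tend to surface later as logic errors rather than crashes.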

CWE-122

Heap-based Buffer Overflow

A heap-based buffer overflow occurs when a program writes more data to a dynamically allocated memory buffer than it can hold, overwriting adjacent heap…

CWE-123

Write-what-where Condition

A write-what-where condition occurs when an attacker can control both where data is written in memory and what data is written there. This is one of the most…

CWE-125

Out-of-bounds Read

An out-of-bounds read occurs when a program accesses memory outside the allocated boundaries of a buffer or array. This can expose sensitive data stored in…

CWE-129

Improper Validation of Array Index

This weakness occurs when a program uses user-supplied input as an array index without checking whether that index is within the valid range of the array. An…

CWE-131

Incorrect Calculation of Buffer Size

This weakness occurs when code allocates a buffer but miscalculates its required size, resulting in a buffer that is too small for the data it will hold. An…
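Added example covering CWE-125, CWE-129 and CWE-131 together, written for this page rather than taken from it: an index check that forgets the negative side, the two-sided check that replaces it, and the two classic size-calculation mistakes (a wrapping `count * elem_size` product and a `strlen()`-sized buffer with no room for the terminator). The `items` table and the sentinel conventions are this example's own assumptions.

```c
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define N_ITEMS 8
static const int items[N_ITEMS] = {10, 11, 12, 13, 14, 15, 16, 17};

/* Before (CWE-129 leading to CWE-125): "idx < N_ITEMS" is the only test,
   so a negative idx passes it and reads in front of the array. Shown for
   contrast; the demo never calls it with a bad index. */
static int item_unchecked(int idx)
{
    if (idx < N_ITEMS)
        return items[idx];
    return -1;
}

/* After: reject both ends of the range before indexing. Items are
   non-negative, so -1 is an unambiguous "rejected" value here. */
int item_checked(int idx)
{
    if (idx < 0 || idx >= N_ITEMS)
        return -1;
    return items[idx];
}

/* CWE-131: count * elem_size wraps for large counts, leaving a buffer far
   smaller than the writes that follow. Check the product first and return
   SIZE_MAX (never a valid allocation size) on overflow. */
size_t array_bytes_checked(size_t count, size_t elem_size)
{
    if (elem_size != 0 && count > SIZE_MAX / elem_size)
        return SIZE_MAX;
    return count * elem_size;
}

/* CWE-131 off-by-one: strlen() excludes the terminator, so a copy into a
   strlen()-sized buffer drops the NUL and the next read runs past it. */
size_t string_buffer_bytes(const char *s)
{
    return strlen(s) + 1;
}

/* Allocation that applies the product check; NULL on overflow or OOM. */
void *alloc_array(size_t count, size_t elem_size)
{
    size_t bytes = array_bytes_checked(count, elem_size);
    if (bytes == SIZE_MAX)
        return NULL;
    return malloc(bytes);
}

int main(void)
{
    printf("item_unchecked(3) = %d\n", item_unchecked(3));
    printf("item_checked(-1)  = %d\n", item_checked(-1));
    printf("item_checked(8)   = %d\n", item_checked(8));
    printf("bytes for 3 ints  = %zu\n", array_bytes_checked(3, sizeof(int)));
    printf("overflowing count -> %s\n",
           alloc_array(SIZE_MAX / 2 + 1, 4) == NULL ? "refused" : "allocated?!");
    printf("buffer for \"hello\" = %zu bytes\n", string_buffer_bytes("hello"));
    return 0;
}
```

Using a signed index type is the usual way the negative case sneaks in; if the index arrives as an `int` from a parser, both comparisons are required, and casting to `size_t` before a single `<` check works only if the cast is done deliberately and documented.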

CWE-134

Use of Externally-Controlled Format String

A format string vulnerability occurs when user-supplied input is passed directly as a format string to functions like printf, sprintf, or similar formatting…
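Added example for CWE-134, not from the page: the user-as-format pattern beside the fixed-format form, plus a small audit helper that counts the conversion directives in a string, which is useful when reviewing what untrusted input would do if it ever reached a format parameter. The function names and the constructed payload are this example's own; the unsafe function is kept only for contrast and is never given attacker-controlled text here.

```c
#include <stdio.h>
#include <string.h>

/* Before (CWE-134): the user's text is the format string. "%x" copies
   stack words into the output, "%n" writes to memory. Kept only for
   contrast; the demo and test never pass untrusted text to it. */
static int format_event_unsafe(char *out, size_t out_size, const char *user)
{
    return snprintf(out, out_size, user);
}

/* After: a fixed format with the user text as an argument, so '%' in the
   input is just data. */
int format_event_safe(char *out, size_t out_size, const char *user)
{
    return snprintf(out, out_size, "%s", user);
}

/* Audit helper: number of '%' that would be interpreted as conversions.
   "%%" is a literal percent sign and is not counted. */
int count_format_directives(const char *s)
{
    int n = 0;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {      /* escaped percent */
            p++;
            continue;
        }
        n++;
    }
    return n;
}

/* 1 if the safe path reproduces the input byte for byte. */
int safe_roundtrip(const char *user)
{
    char out[256];
    return format_event_safe(out, sizeof out, user) >= 0 && strcmp(out, user) == 0;
}

int main(void)
{
    const char *payload = "%x %x %x %n";                 /* constructed input */
    char out[256];
    format_event_unsafe(out, sizeof out, "plain text");  /* benign input only */
    printf("unsafe with benign input: %s\n", out);
    format_event_safe(out, sizeof out, payload);
    printf("safe with payload:        %s\n", out);
    printf("directives in payload:    %d\n", count_format_directives(payload));
    return 0;
}
```

Compilers flag the unsafe form under `-Wformat-security`; treating that warning as an error in CI is the cheapest systematic fix for this class.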

CWE-138

Improper Neutralization of Special Elements

This weakness occurs when software fails to properly handle special characters or reserved words before passing data to another system or component. When…

CWE-140

Improper Neutralization of Delimiters

This weakness occurs when software fails to properly handle or escape delimiter characters such as quotes, commas, newlines, or pipes that are used to…

CWE-150

Improper Neutralization of Escape, Meta, or Control Sequences

This weakness occurs when software fails to properly handle or remove escape sequences, meta-characters, and control characters before passing data to another…
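Added example serving CWE-117, CWE-140 and CWE-150 together, written for this page: a neutralizer that rewrites line breaks, other control bytes, ESC and the field delimiter before user-controlled text is written into a structured log line, and a constructed username that would otherwise forge a second "login-ok" entry for admin. The line layout, the fixed timestamp and the `\xNN` escape convention are this example's own assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Rewrite untrusted text so it cannot break out of one log line or its
   quoted field: CR/LF and other C0 controls plus DEL become \xNN, which
   also covers ESC, the start of terminal escape sequences (CWE-150); the
   quote used as field delimiter (CWE-140) and the backslash itself get a
   backslash. Returns the output length (excluding NUL) or -1 if out is
   too small. */
int neutralize_for_log(const char *in, char *out, size_t out_size)
{
    size_t o = 0;
    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        unsigned char c = *p;
        if (c == '\\' || c == '"') {
            if (o + 2 >= out_size) return -1;
            out[o++] = '\\';
            out[o++] = (char)c;
        } else if (c < 0x20 || c == 0x7f) {
            if (o + 4 >= out_size) return -1;
            snprintf(out + o, out_size - o, "\\x%02x", c);
            o += 4;
        } else {
            if (o + 1 >= out_size) return -1;
            out[o++] = (char)c;
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* One structured log line with both user-controlled fields neutralized.
   The timestamp is a fixed placeholder so the output is reproducible. */
int build_log_line(const char *user, const char *event, char *out, size_t n)
{
    char u[256], e[256];
    if (neutralize_for_log(user, u, sizeof u) < 0 ||
        neutralize_for_log(event, e, sizeof e) < 0)
        return -1;
    return snprintf(out, n, "2024-01-01T00:00:00Z user=\"%s\" event=\"%s\"", u, e);
}

/* Check helpers: physical lines occupied by one entry, and exact output. */
int log_line_count(const char *user)
{
    char line[1024];
    if (build_log_line(user, "login-failed", line, sizeof line) < 0)
        return -1;
    int lines = 1;
    for (const char *p = line; *p; p++)
        if (*p == '\n')
            lines++;
    return lines;
}

int neutralized_equals(const char *in, const char *expect)
{
    char buf[512];
    return neutralize_for_log(in, buf, sizeof buf) >= 0 && strcmp(buf, expect) == 0;
}

int main(void)
{
    /* constructed input: a username carrying a forged second log entry */
    const char *forged = "bob\n2024-01-01T00:00:01Z user=\"admin\" event=\"login-ok\"";
    char line[1024];
    printf("raw:  user=\"%s\"\n", forged);
    build_log_line(forged, "login-failed", line, sizeof line);
    printf("safe: %s\n", line);
    return 0;
}
```

Escaping rather than deleting keeps the evidence: an analyst reading the neutralized line can still see that someone tried to inject a newline, which a silent strip would hide.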

CWE-158

Improper Neutralization of Null Byte or NUL Character

This weakness occurs when software fails to remove or properly handle null bytes (\0) in user input. Because many C-based file and string functions treat the…

CWE-160

Improper Neutralization of Leading Special Elements

This weakness occurs when software fails to properly handle special characters or sequences at the start of user input, allowing an attacker to prepend data…

CWE-166

Improper Handling of Missing Special Elements

This weakness occurs when software expects certain special characters or delimiters like quotes, brackets, newlines, or terminators in input but fails to…

CWE-167

Improper Handling of Additional Special Elements

This weakness occurs when software fails to properly account for unexpected special characters or elements in input data, leading to parsing errors or…

CWE-170

Improper Null Termination

Improper null termination occurs when a string is not correctly terminated with a null character or equivalent terminator, causing the software to read beyond…
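Added example for CWE-158 and CWE-170 together, written for this page: a length-aware filename check that rejects embedded NUL bytes before the bytes reach any C string API, beside the `strncpy()` pattern that can leave a buffer unterminated and the bounded copy that always terminates. The allowed-extension list, buffer sizes and the constructed 14-byte name are this example's own assumptions.

```c
#include <stdio.h>
#include <string.h>

/* CWE-158: the transport layer knows the name is 14 bytes, but every C
   string API stops at the first NUL. "shell.php\0.txt" passes an extension
   check done on (buf, len) and then opens "shell.php". So reject embedded
   NULs before the bytes ever reach a string function. Returns 1 only for a
   NUL-free name with an allowed extension. */
int filename_ok(const unsigned char *buf, size_t len)
{
    static const char *allowed[] = {".txt", ".pdf"};
    if (len == 0 || memchr(buf, '\0', len) != NULL)
        return 0;
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++) {
        size_t el = strlen(allowed[i]);
        if (len >= el && memcmp(buf + len - el, allowed[i], el) == 0)
            return 1;
    }
    return 0;
}

/* What a length-unaware layer sees: the same bytes through strlen(). */
size_t c_string_length(const unsigned char *buf)
{
    return strlen((const char *)buf);
}

/* Before (CWE-170): strncpy() writes no terminator when the source fills
   the destination, so a later strlen() or printf("%s") reads past the
   buffer. Shown for contrast only. */
static void copy_name_unsafe(char *dst, size_t dst_size, const char *src)
{
    strncpy(dst, src, dst_size);
}

/* After: copy at most dst_size-1 bytes and always terminate.
   Returns 1 if the source was truncated, 0 otherwise. */
int copy_name_safe(char *dst, size_t dst_size, const char *src)
{
    size_t n = strlen(src);
    int truncated = n >= dst_size;
    size_t take = truncated ? dst_size - 1 : n;
    memcpy(dst, src, take);
    dst[take] = '\0';
    return truncated;
}

/* Helper: length of the terminated result of copying src into 8 bytes. */
int copied_length_8(const char *src)
{
    char dst[8];
    copy_name_safe(dst, sizeof dst, src);
    return (int)strlen(dst);
}

int main(void)
{
    /* constructed input: 14 bytes with an embedded NUL after ".php" */
    const unsigned char name[] = "shell.php\0.txt";
    size_t len = sizeof name - 1;
    printf("bytes: %zu, strlen sees: %zu, filename_ok: %d\n",
           len, c_string_length(name), filename_ok(name, len));
    char dst[8];
    printf("truncated: %d -> \"%s\"\n",
           copy_name_safe(dst, sizeof dst, "verylongname"), dst);
    (void)copy_name_unsafe;
    return 0;
}
```

The two weaknesses meet at the same boundary: data that carries an explicit length on one side of an API and is NUL-delimited on the other. Validate on the length-aware side and convert once, never the other way round.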

CWE-172

Encoding Error

An encoding error occurs when software fails to properly convert data between different character sets, formats, or representations. This mismatch can cause…

CWE-178

Improper Handling of Case Sensitivity

This weakness occurs when software compares or validates user input without properly accounting for case differences (uppercase vs. lowercase). An attacker can…

CWE-179

Incorrect Behavior Order: Early Validation

This weakness occurs when software validates user input at one point, but later processing steps modify or reinterpret that input in ways that bypass the…

CWE-180

Incorrect Behavior Order: Validate Before Canonicalize

This weakness occurs when software validates user input before converting it to its canonical standard form. An attacker can craft input using alternate…

CWE-181

Incorrect Behavior Order: Validate Before Filter

This weakness occurs when a program validates user input before sanitizing or filtering it, rather than the other way around. If the sanitization step…

CWE-182

Collapse of Data into Unsafe Value

This weakness occurs when input filtering or transformation logic unintentionally converts multiple different inputs into a single output value, and that…
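Added example serving CWE-179, CWE-180, CWE-181 and CWE-182 together, written for this page: a path check run on the raw request before percent-decoding (which `%2e%2e/` walks straight past), the same check run after decoding, and a one-pass `../` filter whose output collapses `....//` into `../`. The percent-decoder is this example's own, not a library routine, and the request strings are constructed.

```c
#include <stdio.h>
#include <string.h>

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* The canonicalization step: percent-decoding. Returns 0, or -1 if out is
   too small. Malformed escapes are copied through unchanged. */
int percent_decode(const char *in, char *out, size_t out_size)
{
    size_t o = 0;
    for (size_t i = 0; in[i]; i++) {
        if (o + 1 >= out_size)
            return -1;
        if (in[i] == '%' && hexval(in[i + 1]) >= 0 && hexval(in[i + 2]) >= 0) {
            out[o++] = (char)(hexval(in[i + 1]) * 16 + hexval(in[i + 2]));
            i += 2;
        } else {
            out[o++] = in[i];
        }
    }
    out[o] = '\0';
    return 0;
}

static int has_dotdot(const char *s)
{
    return strstr(s, "..") != NULL;
}

/* Before (CWE-180, an instance of CWE-179): validate the raw request, then
   decode. "%2e%2e/" contains no ".." so it passes, and the decoded path
   traverses. Returns 1 if the request is accepted. */
int accept_check_then_decode(const char *raw)
{
    char path[256];
    if (has_dotdot(raw))
        return 0;
    return percent_decode(raw, path, sizeof path) == 0;
}

/* After: decode to the canonical form first, validate that. */
int accept_decode_then_check(const char *raw)
{
    char path[256];
    if (percent_decode(raw, path, sizeof path) != 0)
        return 0;
    return !has_dotdot(path);
}

/* CWE-181/182: a "sanitizer" that deletes "../" in one pass is not
   idempotent. "....//" loses its inner "../" and collapses to "../", so a
   check done before this filter, or a filter trusted instead of a check,
   lets the collapsed value through. */
void strip_dotdot_once(const char *in, char *out, size_t out_size)
{
    size_t o = 0;
    for (size_t i = 0; in[i] && o + 1 < out_size; ) {
        if (strncmp(in + i, "../", 3) == 0)
            i += 3;
        else
            out[o++] = in[i++];
    }
    out[o] = '\0';
}

/* 1 if one pass of the filter leaves a traversal sequence behind. */
int strip_once_leaves_dotdot(const char *in)
{
    char out[256];
    strip_dotdot_once(in, out, sizeof out);
    return has_dotdot(out);
}

int main(void)
{
    const char *raw = "%2e%2e/%2e%2e/etc/passwd";   /* constructed input */
    printf("check-then-decode accepts: %d\n", accept_check_then_decode(raw));
    printf("decode-then-check accepts: %d\n", accept_decode_then_check(raw));
    printf("one-pass strip of \"....//\" leaves ..: %d\n",
           strip_once_leaves_dotdot("....//etc/passwd"));
    return 0;
}
```

The ordering rule generalizes beyond percent-encoding: every transformation the data will undergo downstream (decoding, case-folding, path normalization, Unicode normalization) has to run before the check, or the check is testing a different value than the one that gets used.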

CWE-183

Permissive List of Allowed Inputs

This weakness occurs when a developer creates an allowlist (a set of "approved" inputs) to protect against malicious data, but the allowlist is too broad or…

CWE-184

Incomplete Blocklist

An incomplete blocklist is a security control that attempts to block dangerous or unwanted values, but fails to account for all variants or bypass techniques…
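Added example for CWE-184 together with CWE-178, written for this page: an upload filter built as a case-sensitive blocklist of two PHP extensions, which `shell.PHP` and `shell.phar` both bypass, beside an allowlist of the types the application actually serves, compared after ASCII case-folding. The extension lists and filenames are this example's own assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Before (CWE-184 combined with CWE-178): a case-sensitive blocklist of the
   extensions the developer thought of. Anything not on it, including a
   different spelling of the same thing, is accepted. */
static const char *blocked[] = {".php", ".phtml"};

int upload_allowed_blocklist(const char *name)
{
    const char *ext = strrchr(name, '.');
    if (ext == NULL)
        return 1;
    for (size_t i = 0; i < sizeof blocked / sizeof blocked[0]; i++)
        if (strcmp(ext, blocked[i]) == 0)
            return 0;
    return 1;
}

/* ASCII-only case-insensitive comparison. tolower() is locale-dependent
   for bytes >= 0x80, so fold only A-Z explicitly. */
static int ascii_ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++) {
        int ca = (*a >= 'A' && *a <= 'Z') ? *a + 32 : (unsigned char)*a;
        int cb = (*b >= 'A' && *b <= 'Z') ? *b + 32 : (unsigned char)*b;
        if (ca != cb)
            return 0;
    }
    return *a == *b;
}

/* After: a short allowlist of what the application serves, compared after
   case-folding. Names with no extension, or a leading dot only, are refused. */
static const char *allowed[] = {".png", ".jpg", ".pdf"};

int upload_allowed_allowlist(const char *name)
{
    const char *ext = strrchr(name, '.');
    if (ext == NULL || ext == name)
        return 0;
    for (size_t i = 0; i < sizeof allowed / sizeof allowed[0]; i++)
        if (ascii_ieq(ext, allowed[i]))
            return 1;
    return 0;
}

int main(void)
{
    const char *names[] = {"shell.php", "shell.PHP", "shell.phar", "photo.JPG", "README"};
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-11s blocklist:%d allowlist:%d\n", names[i],
               upload_allowed_blocklist(names[i]), upload_allowed_allowlist(names[i]));
    return 0;
}
```

An allowlist only helps if it stays narrow (CWE-183 is the failure mode where it does not); the extension check here is also only one layer, since the server's handler mapping and the stored content type need the same treatment.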

CWE-185

Incorrect Regular Expression

Regular expressions are a powerful tool for validating and filtering input, but a poorly written regex can silently accept dangerous data or reject legitimate…

CWE-186

Overly Restrictive Regular Expression

This weakness occurs when a regular expression is written so strictly that it rejects legitimate input that should be accepted. While the intent is often to…
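Added example for CWE-185 and CWE-186, written for this page using POSIX extended regular expressions from `<regex.h>`: an unanchored numeric-id pattern that matches a digit run anywhere in the input beside its anchored form, and an e-mail local-part pattern that rejects plus-addressed and dotted addresses beside a wider one. The patterns and sample inputs are this example's own; the wider e-mail pattern is a pragmatic check, not a full RFC 5322 validator.

```c
#include <regex.h>
#include <stdio.h>

/* Compile-and-match helper for POSIX ERE. Returns 1 on match, 0 on no
   match, -1 if the pattern does not compile. */
int ere_matches(const char *pattern, const char *subject)
{
    regex_t re;
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    int rc = regexec(&re, subject, 0, NULL, 0);
    regfree(&re);
    return rc == 0;
}

/* CWE-185: "[0-9]+" as an id validator finds a digit run anywhere, so
   "42; DROP TABLE users" is accepted. Anchoring both ends fixes it. */
int id_valid_unanchored(const char *s)
{
    return ere_matches("[0-9]+", s) == 1;
}

int id_valid_anchored(const char *s)
{
    return ere_matches("^[0-9]+$", s) == 1;
}

/* CWE-186: a local part limited to letters and digits rejects legitimate
   addresses with '+', '.', '-' or '_'. The wider pattern keeps a
   meaningful shape check while accepting those characters. */
int email_valid_strict(const char *s)
{
    return ere_matches("^[A-Za-z0-9]+@[A-Za-z0-9.-]+$", s) == 1;
}

int email_valid_reasonable(const char *s)
{
    return ere_matches("^[A-Za-z0-9._+-]+@[A-Za-z0-9-]+(\\.[A-Za-z0-9-]+)+$", s) == 1;
}

int main(void)
{
    const char *id = "42; DROP TABLE users";             /* constructed input */
    const char *mail = "alice+news@example.com";
    printf("unanchored id accepts %-22s : %d\n", id, id_valid_unanchored(id));
    printf("anchored id accepts   %-22s : %d\n", id, id_valid_anchored(id));
    printf("strict email accepts     %s : %d\n", mail, email_valid_strict(mail));
    printf("reasonable email accepts %s : %d\n", mail, email_valid_reasonable(mail));
    return 0;
}
```

Note that POSIX `$` matches only at the very end of the subject, so `"42\n"` fails the anchored check here; in engines where `$` also matches before a trailing newline, use `\z` or an explicit length check to get the same guarantee.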

Page 2 of 11