Common Weakness Enumeration — the root causes behind CVEs
CWE catalogs the weakness classes that underlie CVEs — SQL injection, XSS, broken authentication, and hundreds of others that keep showing up in security advisories. Each entry here covers how the weakness arises, what it costs when someone exploits it, and the fix that actually closes it.
Partial String Comparison
Partial string comparison occurs when code checks only the beginning or a limited portion of a string instead of validating the entire value. This allows…
Integer Overflow or Wraparound
Integer overflow occurs when a calculation produces a result that exceeds the maximum value an integer variable can hold, causing the value to wrap around to a…
Integer Underflow
Integer underflow occurs when a calculation produces a result smaller than the minimum value that a data type can represent, causing the value to wrap around…
Off-by-one Error
An off-by-one error occurs when code miscalculates a boundary or index by exactly one unit, causing it to access memory or data one position beyond or before…
Numeric Truncation Error
Numeric truncation occurs when a program converts a number from one data type to another and loses precision or magnitude in the process. This happens most…
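The four numeric entries above (integer overflow, integer underflow, off-by-one, numeric truncation) share one failure pattern: a length or size computed from untrusted input is trusted by a later copy or allocation. The following is an added example, not code from the CWE catalog or from any of the entries on this page; the values (a 65536 x 65536 allocation, a 4-byte packet claiming an 8-byte header, a 65537-byte length squeezed into 16 bits, an 8-byte buffer receiving a 10-byte string) are constructed to make each wrap visible beside the check that prevents it.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Integer Overflow (CWE-190): the product wraps modulo 2^32, so a request
 * for 65536 records of 65536 bytes looks like a 0-byte allocation. */
uint32_t alloc_size_wrapping(uint32_t count, uint32_t elem_size) {
    return count * elem_size;            /* no check: wraps silently */
}

/* Hardened: detect the wrap before performing the multiplication. */
bool mul_would_overflow_u32(uint32_t count, uint32_t elem_size) {
    return elem_size != 0 && count > UINT32_MAX / elem_size;
}

/* Integer Underflow (CWE-191): total_len - header_len on unsigned values
 * wraps to nearly 4 GiB when a short packet claims a total smaller than
 * its own header. */
uint32_t payload_len_wrapping(uint32_t total_len, uint32_t header_len) {
    return total_len - header_len;       /* no check: wraps silently */
}

/* Hardened: compare before subtracting. */
bool sub_would_underflow_u32(uint32_t total_len, uint32_t header_len) {
    return total_len < header_len;
}

/* Numeric Truncation (CWE-197): storing a 32-bit length in a 16-bit field
 * keeps only the low 16 bits, so 65537 becomes 1 while any later copy that
 * still uses the 32-bit value runs far past what was reserved. */
uint16_t truncate_to_u16(uint32_t len) {
    return (uint16_t)len;
}

/* Hardened: refuse values the narrower type cannot hold. */
bool fits_u16(uint32_t len) {
    return len <= UINT16_MAX;
}

/* Off-by-one (CWE-193): how many bytes may be copied into a buffer of
 * dst_size bytes while leaving room for the NUL terminator? The buggy
 * version allows dst_size bytes, so the terminator lands at dst[dst_size],
 * one byte past the end. */
size_t copy_budget_buggy(size_t dst_size, size_t src_len) {
    return src_len > dst_size ? dst_size : src_len;
}

/* Hardened: reserve the terminator byte and handle an empty buffer. */
size_t copy_budget(size_t dst_size, size_t src_len) {
    if (dst_size == 0) return 0;
    return src_len > dst_size - 1 ? dst_size - 1 : src_len;
}

int main(void) {
    printf("65536*65536 as u32 = %u (overflow detected: %d)\n",
           alloc_size_wrapping(65536u, 65536u), mul_would_overflow_u32(65536u, 65536u));
    printf("4-8 as u32 = %u (underflow detected: %d)\n",
           payload_len_wrapping(4u, 8u), sub_would_underflow_u32(4u, 8u));
    printf("65537 as u16 = %u (fits: %d)\n", truncate_to_u16(65537u), fits_u16(65537u));
    printf("copy budget, 8-byte buffer, 10-byte source: buggy=%zu fixed=%zu\n",
           copy_budget_buggy(8, 10), copy_budget(8, 10));
    return 0;
}
```

The checks are written as separate predicates so they can be unit-tested and reused; in production code the same arithmetic is usually wrapped in one helper (or the compiler builtins such as `__builtin_mul_overflow`) so that no caller can reach the raw operation without the check.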
Exposure of Sensitive Information to an Unauthorized Actor
This weakness occurs when an application unintentionally reveals sensitive data—such as passwords, API keys, personal information, or internal system…
Insertion of Sensitive Information Into Sent Data
This weakness occurs when an application unintentionally includes sensitive information—such as internal IDs, file paths, API keys, or database details—in data…
Observable Discrepancy
Observable Discrepancy occurs when a system reveals sensitive information through differences in its behavior, response times, error messages, or other…
Observable Timing Discrepancy
Observable timing discrepancies occur when a system's response time reveals information about sensitive data—such as whether a password guess is correct, a…
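Partial String Comparison (above) and Observable Timing Discrepancy most often meet in the same place: the code that checks a secret against a supplied value. The following is an added example, not code from the CWE catalog or from this page; the token `s3cr3t-token-0042` is a constructed sample, and `bytes_examined_early_exit` is an instrumented stand-in for what an attacker measuring response time would infer.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed sample: the token the server expects (17 bytes). */
static const char EXPECTED_TOKEN[] = "s3cr3t-token-0042";

/* Partial String Comparison (CWE-187): the compare length comes from the
 * attacker's input, so "s", "s3c" and even "" all "match". */
bool token_ok_prefix_buggy(const char *supplied) {
    return strncmp(supplied, EXPECTED_TOKEN, strlen(supplied)) == 0;
}

/* Observable Timing Discrepancy (CWE-208): a byte-at-a-time compare that
 * returns at the first mismatch. The return value is the number of bytes
 * examined, i.e. the position of the first wrong byte, which is what the
 * response time reveals. */
size_t bytes_examined_early_exit(const char *supplied) {
    size_t n = strlen(EXPECTED_TOKEN);
    if (strlen(supplied) != n) return 0;
    for (size_t i = 0; i < n; i++) {
        if (supplied[i] != EXPECTED_TOKEN[i]) return i + 1;
    }
    return n;
}

/* Hardened: full-length, constant-time comparison. Every byte is visited
 * and the differences are ORed together, so the work done does not depend
 * on where (or whether) the inputs differ. `volatile` keeps the compiler
 * from shortcutting the loop once a difference is found. */
bool ct_equal(const uint8_t *a, const uint8_t *b, size_t len) {
    volatile uint8_t diff = 0;
    for (size_t i = 0; i < len; i++) diff |= a[i] ^ b[i];
    return diff == 0;
}

bool token_ok(const char *supplied) {
    size_t n = strlen(EXPECTED_TOKEN);
    /* Tokens have a fixed, public length, so rejecting a wrong length early
     * reveals nothing secret; the content comparison is constant-time. */
    if (strlen(supplied) != n) return false;
    return ct_equal((const uint8_t *)supplied, (const uint8_t *)EXPECTED_TOKEN, n);
}

int main(void) {
    printf("prefix check accepts \"s3c\": %d, accepts \"\": %d\n",
           token_ok_prefix_buggy("s3c"), token_ok_prefix_buggy(""));
    printf("early-exit compare examined %zu byte(s) for a first-byte mismatch, %zu for a last-byte mismatch\n",
           bytes_examined_early_exit("X3cr3t-token-0042"),
           bytes_examined_early_exit("s3cr3t-token-004X"));
    printf("constant-time check: correct=%d, \"s3c\"=%d, off-by-one-digit=%d\n",
           token_ok("s3cr3t-token-0042"), token_ok("s3c"), token_ok("s3cr3t-token-0043"));
    return 0;
}
```

When the secret's length is itself sensitive (not the case for fixed-size tokens or MAC tags), the length check must also be made constant-time, for example by always comparing against a fixed maximum and folding the length mismatch into the accumulated difference.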
Generation of Error Message Containing Sensitive Information
This weakness occurs when an application displays error messages that reveal sensitive details—such as database structure, file paths, usernames, API keys, or…
Improper Removal of Sensitive Information Before Storage or Transfer
This weakness occurs when sensitive data—such as passwords, API keys, authentication tokens, or personal information—is stored, cached, or transmitted without…
Exposure of Sensitive Information Due to Incompatible Policies
This weakness occurs when different parts of a software system enforce conflicting or inconsistent data-handling policies, allowing sensitive information to be…
Insertion of Sensitive Information Into Debugging Code
This weakness occurs when developers include sensitive data—such as passwords, API keys, database credentials, or personal information—directly in debugging…
Storage of File Under Web Root with Sensitive Data
This weakness occurs when an application stores sensitive information—such as database credentials, API keys, private keys, or user data—in files placed within…
Improper Handling of Extra Parameters
This weakness occurs when software accepts more parameters, fields, or arguments than it expects or validates, potentially allowing attackers to inject…
Improper Handling of Undefined Parameters
This weakness occurs when software fails to properly validate or handle cases where an expected parameter, field, or argument is missing from a request…
Improper Handling of Unexpected Data Type
This weakness occurs when code assumes input will always be a specific data type (string, integer, array, etc.) without validating or safely handling cases where…
Execution with Unnecessary Privileges
This weakness occurs when software runs with more permissions than it actually needs to perform its intended function. If that software is compromised—through…
Unchecked Return Value
This weakness occurs when code calls a function but ignores its return value, particularly when that return value indicates success or failure. Ignoring error…
Use of Hard-coded Password
Hard-coded passwords are authentication credentials embedded directly in source code, configuration files, or compiled binaries. This weakness exposes…
Permissions, Privileges, and Access Controls
CWE-264 describes weaknesses in how applications manage who can do what — the rules that decide whether a user, process, or system component is allowed to…
Incorrect Privilege Assignment
Incorrect Privilege Assignment occurs when a system grants a user, role, or process more (or sometimes fewer) permissions than intended. This can allow…
Privilege Defined With Unsafe Actions
This weakness occurs when a privilege, role, or permission is granted to perform a legitimate action, but the system also allows that same privilege to be…
Privilege Chaining
Privilege chaining occurs when two or more individually safe permissions or capabilities, when combined, allow an actor to perform actions that should be…
Improper Privilege Management
Improper privilege management occurs when software fails to correctly assign, enforce, or verify user permissions. This allows users to access features, data…
Privilege Dropping / Lowering Errors
This weakness occurs when software attempts to reduce its operating privileges (for example, dropping from root to a regular user) but fails to do so completely…
Least Privilege Violation
Least privilege violation occurs when software runs with more permissions, access rights, or capabilities than necessary to perform its intended function. This…
Improper Check for Dropped Privileges
This weakness occurs when a program attempts to reduce its permission level (drop privileges) but fails to verify that the operation succeeded. If the privilege…
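Privilege Dropping / Lowering Errors and Improper Check for Dropped Privileges (above) are usually the same bug seen twice, and the root cause is often the Unchecked Return Value entry listed earlier: `setuid()` fails, nobody looks, and the process keeps running as root. The following is an added example for POSIX systems, not code from the CWE catalog or from this page; `drop_privileges`, `privileges_dropped` and `drop_and_verify` are names chosen here, and the program drops to the invoking user's own ids so it can be run without root while still exercising the verification step.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <sys/types.h>
#include <grp.h>

/* Privilege Dropping Error + Unchecked Return Value: the results are
 * discarded (the casts only silence the compiler; the failures are still
 * ignored). If setgid fails, the process keeps its original group. The
 * order is also wrong: once setuid() has succeeded the process may no
 * longer be permitted to change its gid at all. */
void drop_privileges_unchecked(uid_t uid, gid_t gid) {
    (void)setuid(uid);
    (void)setgid(gid);
}

/* Hardened drop: supplementary groups first, then gid, then uid, checking
 * every step. Supplementary groups are only cleared when we actually hold
 * root; an unprivileged process is not allowed to call setgroups(). */
int drop_privileges(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    return 0;
}

/* Improper Check for Dropped Privileges, done properly: after dropping,
 * confirm it took. Real and effective ids must equal the target, and if
 * the target is not root, climbing back with setuid(0) must now fail. */
bool privileges_dropped(uid_t uid, gid_t gid) {
    if (getuid() != uid || geteuid() != uid) return false;
    if (getgid() != gid || getegid() != gid) return false;
    if (uid != 0 && setuid(0) != -1) return false;   /* regained root: drop was incomplete */
    return true;
}

/* Drop to (uid, gid) and verify; returns 0 only when both steps succeed. */
int drop_and_verify(uid_t uid, gid_t gid) {
    if (drop_privileges(uid, gid) != 0) return -1;
    return privileges_dropped(uid, gid) ? 0 : -1;
}

int main(void) {
    /* Drop to our own ids: legal for an unprivileged process, so the
     * program demonstrates the check without needing root. */
    uid_t uid = getuid();
    gid_t gid = getgid();
    if (drop_and_verify(uid, gid) != 0) {
        fprintf(stderr, "privilege drop failed: %s\n", strerror(errno));
        return 1;
    }
    printf("running as uid=%u gid=%u, drop verified\n", (unsigned)uid, (unsigned)gid);
    return 0;
}
```

A daemon that starts as root would call `drop_and_verify(service_uid, service_gid)` right after binding its privileged ports and before touching any untrusted input, and must treat a non-zero return as fatal rather than as a warning to log and carry on from.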
Improper Handling of Insufficient Privileges
This weakness occurs when software fails to properly check or respond to permission errors before attempting restricted operations. Instead of gracefully…
Permission Issues
Permission issues occur when an application fails to properly assign, enforce, or validate access controls on sensitive resources. This can allow unauthorized…