Common Weakness Enumeration — the root causes behind CVEs

CWE catalogs the root causes behind CVEs — SQL injection, XSS, broken auth, and 300+ others that keep showing up in security advisories. Each entry here covers how it happens, what it costs when someone exploits it, and the fix that actually closes it.

Showing 61–90 of 323 weaknesses

CWE-187

Partial String Comparison

Partial string comparison occurs when code checks only the beginning or a limited portion of a string instead of validating the entire value. This allows…
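
The prefix check that causes CWE-187, beside the exact and suffix-aware comparisons that close it. This is an added example, not code from the page; the role and hostname checks are hypothetical, and the allowed host "example.com" is a constructed value.

```c
#include <stdbool.h>
#include <string.h>

/* Vulnerable (CWE-187): only the first strlen("admin") bytes are compared,
 * so any role that merely begins with "admin" ("admin-readonly") passes. */
bool role_is_admin_vuln(const char *role) {
    return strncmp(role, "admin", strlen("admin")) == 0;
}

/* Same defect in a host allow-list: "example.com.evil.net" is accepted. */
bool host_allowed_vuln(const char *host) {
    return strncmp(host, "example.com", strlen("example.com")) == 0;
}

/* Hardened: the lengths must match before a byte comparison means anything. */
bool str_equals_exact(const char *s, const char *expected) {
    size_t n = strlen(expected);
    return strlen(s) == n && memcmp(s, expected, n) == 0;
}

bool role_is_admin_safe(const char *role) {
    return str_equals_exact(role, "admin");
}

/* Hardened suffix check for subdomains: the match must end at the end of the
 * string and be preceded by a '.', otherwise "evilexample.com" would pass. */
bool host_allowed_safe(const char *host) {
    const char *base = "example.com";
    size_t hl = strlen(host), bl = strlen(base);
    if (hl == bl)
        return memcmp(host, base, bl) == 0;
    if (hl > bl && host[hl - bl - 1] == '.')
        return memcmp(host + hl - bl, base, bl) == 0;
    return false;
}
```

The pattern to look for in review is any `strncmp`/`startsWith` whose length argument comes from the expected value rather than from the input: it can never reject a longer string.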

CWE-190

Integer Overflow or Wraparound

Integer overflow occurs when a calculation produces a result that exceeds the maximum value an integer variable can hold, causing the value to wrap around to a…

CWE-191

Integer Underflow

Integer underflow occurs when a calculation produces a result smaller than the minimum value that a data type can represent, causing the value to wrap around…

CWE-193

Off-by-one Error

An off-by-one error occurs when code miscalculates a boundary or index by exactly one unit, causing it to access memory or data one position beyond or before…

CWE-197

Numeric Truncation Error

Numeric truncation occurs when a program converts a number from one data type to another and loses precision or magnitude in the process. This happens most…
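
The four arithmetic weaknesses above (CWE-190, CWE-191, CWE-193 and CWE-197) usually appear in bounds checks, and each has a one-line fix. This added example is not from the page; it shows the vulnerable check beside the hardened one for a hypothetical 64-byte buffer, and the last function shows the compiler builtin (GCC/Clang) that catches the general case.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stddef.h>

#define BUF_SIZE 64u   /* size of the hypothetical destination buffer */

/* CWE-190: offset + len wraps around, so a huge offset passes the check. */
bool range_ok_vuln(uint32_t offset, uint32_t len) {
    return offset + len <= BUF_SIZE;
}
/* Hardened: rearranged so that no intermediate result can overflow. */
bool range_ok_safe(uint32_t offset, uint32_t len) {
    return offset <= BUF_SIZE && len <= BUF_SIZE - offset;
}

/* CWE-191: consumed > total makes the "remaining" count wrap to a huge value. */
size_t remaining_vuln(size_t total, size_t consumed) {
    return total - consumed;
}
bool remaining_safe(size_t total, size_t consumed, size_t *out) {
    if (consumed > total) return false;
    *out = total - consumed;
    return true;
}

/* CWE-193: <= instead of < lets n == dstsz through, leaving no room for the NUL. */
bool string_fits_vuln(size_t n, size_t dstsz) { return n <= dstsz; }
bool string_fits_safe(size_t n, size_t dstsz) { return n < dstsz; }

/* CWE-197: a length wider than the wire field silently loses its high bits. */
uint16_t to_u16_vuln(size_t len) { return (uint16_t)len; }
bool to_u16_safe(size_t len, uint16_t *out) {
    if (len > UINT16_MAX) return false;
    *out = (uint16_t)len;
    return true;
}

/* General case: let the compiler detect the wrap instead of reasoning about it. */
bool add_size_checked(size_t a, size_t b, size_t *out) {
    return !__builtin_add_overflow(a, b, out);
}
```

Note that the unsigned wrap in the vulnerable functions is well defined in C, which is exactly why no sanitizer or crash flags it: the check simply returns the wrong answer.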

CWE-200

Exposure of Sensitive Information to an Unauthorized Actor

This weakness occurs when an application unintentionally reveals sensitive data—such as passwords, API keys, personal information, or internal system…

CWE-201

Insertion of Sensitive Information Into Sent Data

This weakness occurs when an application unintentionally includes sensitive information—such as internal IDs, file paths, API keys, or database details—in data…

CWE-203

Observable Discrepancy

Observable Discrepancy occurs when a system reveals sensitive information through differences in its behavior, response times, error messages, or other…

CWE-208

Observable Timing Discrepancy

Observable timing discrepancies occur when a system's response time reveals information about sensitive data—such as whether a password guess is correct, a…

CWE-209

Generation of Error Message Containing Sensitive Information

This weakness occurs when an application displays error messages that reveal sensitive details—such as database structure, file paths, usernames, API keys, or…
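
CWE-203, CWE-208 and CWE-209 share one root: the outcome of a secret comparison or a login leaks through something the caller can observe. This added example (not from the page) makes the timing side channel visible by returning the number of bytes a comparison examined, then builds a hypothetical login on top of it. The user table, secret and result codes are constructed; a real system would compare password hashes, not raw secrets.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* CWE-208: returns on the first differing byte, so the time taken (made
 * visible here as bytes examined) reveals how long the correct prefix is. */
size_t compare_early_exit(const uint8_t *a, const uint8_t *b, size_t n, int *equal) {
    for (size_t i = 0; i < n; i++) {
        if (a[i] != b[i]) { *equal = 0; return i + 1; }
    }
    *equal = 1;
    return n;
}

/* Hardened: every byte is always examined and the verdict depends only on
 * the OR-accumulated difference, not on where the first mismatch was. */
size_t compare_constant_time(const uint8_t *a, const uint8_t *b, size_t n, int *equal) {
    uint8_t acc = 0;
    for (size_t i = 0; i < n; i++) acc |= (uint8_t)(a[i] ^ b[i]);
    *equal = (acc == 0);
    return n;
}

#define SECRET_LEN 4
struct user { const char *name; uint8_t secret[SECRET_LEN]; };
/* Constructed single-user table for the example. */
static const struct user USERS[] = { { "alice", { 1, 2, 3, 4 } } };
static const uint8_t DUMMY_SECRET[SECRET_LEN] = { 0 };

enum login_result { LOGIN_OK, LOGIN_NO_SUCH_USER, LOGIN_BAD_SECRET, LOGIN_FAILED };

static const struct user *find_user(const char *name) {
    for (size_t i = 0; i < sizeof USERS / sizeof USERS[0]; i++)
        if (strcmp(USERS[i].name, name) == 0) return &USERS[i];
    return NULL;
}

/* CWE-203/CWE-209: distinct results for "no such user" and "wrong secret",
 * plus no comparison at all for unknown users, let a caller enumerate accounts. */
enum login_result login_verbose(const char *name, const uint8_t *secret) {
    const struct user *u = find_user(name);
    if (!u) return LOGIN_NO_SUCH_USER;
    int eq;
    compare_early_exit(u->secret, secret, SECRET_LEN, &eq);
    return eq ? LOGIN_OK : LOGIN_BAD_SECRET;
}

/* Hardened: a single failure result, and the same constant-time comparison
 * whether or not the user exists (a dummy secret is compared and discarded). */
enum login_result login_uniform(const char *name, const uint8_t *secret) {
    const struct user *u = find_user(name);
    const uint8_t *stored = u ? u->secret : DUMMY_SECRET;
    int eq;
    compare_constant_time(stored, secret, SECRET_LEN, &eq);
    if (!u || !eq) return LOGIN_FAILED;
    return LOGIN_OK;
}
```

The generic result is what the user sees; the detailed reason still belongs in a server-side log where only operators can read it.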

CWE-212

Improper Removal of Sensitive Information Before Storage or Transfer

This weakness occurs when sensitive data—such as passwords, API keys, authentication tokens, or personal information—is stored, cached, or transmitted without…

CWE-213

Exposure of Sensitive Information Due to Incompatible Policies

This weakness occurs when different parts of a software system enforce conflicting or inconsistent data-handling policies, allowing sensitive information to be…

CWE-215

Insertion of Sensitive Information Into Debugging Code

This weakness occurs when developers include sensitive data—such as passwords, API keys, database credentials, or personal information—directly in debugging…
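
The usual fix for CWE-212 and CWE-215 (and the CWE-201 case of secrets riding along in sent data) is to scrub known-sensitive values before a line reaches a log, debug dump or outbound payload. This added example is not from the page; the key list and the sample request lines are constructed for illustration.

```c
#include <stddef.h>
#include <string.h>
#include <stdbool.h>

/* Keys whose values must never reach a log line or debug dump (constructed list). */
static const char *const SENSITIVE_KEYS[] = {
    "password=", "token=", "api_key=", "Authorization: Bearer "
};

/* A value runs until one of these delimiters or the end of the line. */
static bool is_value_end(char c) {
    return c == '\0' || c == '&' || c == ' ' || c == ';' || c == '\n';
}

/* Copy `in` to `out`, replacing the value after each sensitive key with
 * [REDACTED]. Returns the output length, or -1 if `out` (of size outsz) is
 * too small; a truncated line is rejected rather than partially logged. */
int redact_for_log(const char *in, char *out, size_t outsz) {
    static const char MASK[] = "[REDACTED]";
    const size_t masklen = sizeof MASK - 1;
    size_t o = 0;
    const char *p = in;

    while (*p) {
        const char *matched = NULL;
        for (size_t k = 0; k < sizeof SENSITIVE_KEYS / sizeof SENSITIVE_KEYS[0]; k++) {
            size_t kl = strlen(SENSITIVE_KEYS[k]);
            if (strncmp(p, SENSITIVE_KEYS[k], kl) == 0) { matched = SENSITIVE_KEYS[k]; break; }
        }
        if (matched) {
            size_t kl = strlen(matched);
            if (o + kl + masklen >= outsz) return -1;
            memcpy(out + o, matched, kl); o += kl;
            memcpy(out + o, MASK, masklen); o += masklen;
            p += kl;
            while (!is_value_end(*p)) p++;   /* skip the secret itself */
        } else {
            if (o + 1 >= outsz) return -1;
            out[o++] = *p++;
        }
    }
    out[o] = '\0';
    return (int)o;
}
```

Scrubbing at the logging boundary is a backstop; the better design keeps secrets out of the structures that get serialised in the first place (separate fields, not free-form request strings).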

CWE-219

Storage of File Under Web Root with Sensitive Data

This weakness occurs when an application stores sensitive information—such as database credentials, API keys, private keys, or user data—in files placed within…

CWE-235

Improper Handling of Extra Parameters

This weakness occurs when software accepts more parameters, fields, or arguments than it expects or validates, potentially allowing attackers to inject…

CWE-236

Improper Handling of Undefined Parameters

This weakness occurs when software fails to properly validate or handle cases where an expected parameter, field, or argument is missing from a request…

CWE-241

Improper Handling of Unexpected Data Type

This weakness occurs when code assumes input will always be a specific data type (string, integer, array, etc.) without validating or safely handling cases where…
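
CWE-235, CWE-236 and CWE-241 are three failure modes of one parser, so a single strict parser closes all three: reject keys the endpoint does not know or sees twice, require the mandatory ones, and refuse values that are not entirely the expected type. This added example is not from the page; the `page`/`limit` query string and its limits are hypothetical.

```c
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

/* The only parameters this hypothetical endpoint accepts; both are mandatory. */
struct page_query { long page; long limit; bool have_page, have_limit; };

/* Parse a decimal integer and insist that the whole value was consumed
 * (CWE-241): "2x" and "" are rejected, not silently read as 2 or 0. */
static bool parse_long_strict(const char *s, size_t len, long *out) {
    char buf[32];
    if (len == 0 || len >= sizeof buf) return false;
    memcpy(buf, s, len);
    buf[len] = '\0';
    char *end;
    errno = 0;
    long v = strtol(buf, &end, 10);
    if (errno != 0 || end == buf || *end != '\0') return false;
    *out = v;
    return true;
}

/* Parse "k=v&k=v" into page_query. Unknown or repeated keys (CWE-235),
 * missing keys (CWE-236) and non-integer values (CWE-241) all fail closed. */
bool parse_page_query(const char *qs, struct page_query *q) {
    memset(q, 0, sizeof *q);
    const char *p = qs;
    while (*p) {
        const char *amp = strchr(p, '&');
        size_t plen = amp ? (size_t)(amp - p) : strlen(p);
        const char *eq = memchr(p, '=', plen);
        if (!eq) return false;                     /* malformed pair */
        size_t klen = (size_t)(eq - p);
        const char *v = eq + 1;
        size_t vlen = plen - klen - 1;
        long val;
        if (!parse_long_strict(v, vlen, &val)) return false;

        if (klen == 4 && memcmp(p, "page", 4) == 0) {
            if (q->have_page) return false;        /* duplicate parameter */
            q->page = val; q->have_page = true;
        } else if (klen == 5 && memcmp(p, "limit", 5) == 0) {
            if (q->have_limit) return false;
            q->limit = val; q->have_limit = true;
        } else {
            return false;                          /* parameter we never asked for */
        }
        if (!amp) break;
        p = amp + 1;
    }
    /* Presence and range are checked once, after the whole string is parsed. */
    return q->have_page && q->have_limit &&
           q->page >= 1 && q->limit >= 1 && q->limit <= 100;
}
```

Rejecting duplicates matters beyond tidiness: when two layers (a WAF and the application, say) pick different copies of a repeated key, the check and the use disagree.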

CWE-250

Execution with Unnecessary Privileges

This weakness occurs when software runs with more permissions than it actually needs to perform its intended function. If that software is compromised—through…

CWE-252

Unchecked Return Value

This weakness occurs when code calls a function but ignores its return value, particularly when that return value indicates success or failure. Ignoring error…

CWE-259

Use of Hard-coded Password

Hard-coded passwords are authentication credentials embedded directly in source code, configuration files, or compiled binaries. This weakness exposes…

CWE-264

Permissions, Privileges, and Access Controls

CWE-264 describes weaknesses in how applications manage who can do what — the rules that decide whether a user, process, or system component is allowed to…

CWE-266

Incorrect Privilege Assignment

Incorrect Privilege Assignment occurs when a system grants a user, role, or process more (or sometimes fewer) permissions than intended. This can allow…

CWE-267

Privilege Defined With Unsafe Actions

This weakness occurs when a privilege, role, or permission is granted to perform a legitimate action, but the system also allows that same privilege to be…

CWE-268

Privilege Chaining

Privilege chaining occurs when two or more individually safe permissions or capabilities, when combined, allow an actor to perform actions that should be…

CWE-269

Improper Privilege Management

Improper privilege management occurs when software fails to correctly assign, enforce, or verify user permissions. This allows users to access features, data…

CWE-271

Privilege Dropping / Lowering Errors

This weakness occurs when software attempts to reduce its operating privileges (for example, dropping from root to a regular user) but fails to do so completely…

CWE-272

Least Privilege Violation

Least privilege violation occurs when software runs with more permissions, access rights, or capabilities than necessary to perform its intended function. This…

CWE-273

Improper Check for Dropped Privileges

This weakness occurs when a program attempts to reduce its permission level (drop privileges) but fails to verify that the operation succeeded. If the privilege…
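
The privilege-dropping entries (CWE-271, CWE-273) and the unchecked return value of CWE-252 are one bug in practice: `setuid()` is called, its result is thrown away, and the program assumes it is now unprivileged. This added example is not from the page; it shows the unchecked drop beside one that checks each step, drops in the correct order and verifies the result, which is also how CWE-250/CWE-272 are honoured at runtime. It assumes a POSIX/Linux target; the hypothetical `run_as` wrapper and `sample_work` callback are for illustration.

```c
#define _GNU_SOURCE
#include <stdbool.h>
#include <unistd.h>
#include <sys/types.h>
#include <grp.h>

/* CWE-252 + CWE-271: every result is discarded. If setgid() fails (for
 * example because the process was never root) execution simply continues,
 * still privileged. The (void) casts are exactly how this slips past
 * compiler warnings and code review. */
void drop_privileges_unchecked(uid_t uid, gid_t gid) {
    (void)setgid(gid);
    (void)setuid(uid);
}

/* Hardened: check each call (CWE-252), drop in the right order, since a
 * process that has already given up root cannot change its groups (CWE-271),
 * then verify the new identity and that escalation back is impossible (CWE-273). */
bool drop_privileges_checked(uid_t uid, gid_t gid) {
    if (geteuid() == 0 && setgroups(0, NULL) != 0)  /* only root may clear supplementary groups */
        return false;
    if (setgid(gid) != 0) return false;
    if (setuid(uid) != 0) return false;

    if (getuid() != uid || geteuid() != uid) return false;
    if (getgid() != gid || getegid() != gid) return false;
    /* If we were meant to become unprivileged, regaining root must now fail. */
    if (uid != 0 && setuid(0) == 0) return false;
    return true;
}

/* Work that must never run with more privilege than it needs. */
bool sample_work(void) {
    return geteuid() == getuid();
}

/* CWE-250/CWE-272: the unprivileged work runs only after a verified drop. */
bool run_as(uid_t uid, gid_t gid, bool (*work)(void)) {
    if (!drop_privileges_checked(uid, gid)) return false;
    return work();
}
```

Running this as root would genuinely drop to the given ids, so the test below only drops to the caller's own uid/gid, which succeeds for both root and unprivileged users; the `setuid(0)` probe is the CWE-273 check that catches a drop that left the saved uid at 0.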

CWE-274

Improper Handling of Insufficient Privileges

This weakness occurs when software fails to properly check or respond to permission errors before attempting restricted operations. Instead of gracefully…

CWE-275

Permission Issues

Permission issues occur when an application fails to properly assign, enforce, or validate access controls on sensitive resources. This can allow unauthorized…
