Common Weakness Enumeration — the root causes behind every CVE

CWE catalogs the root causes behind CVEs — SQL injection, XSS, broken auth, and 300+ others that keep showing up in security advisories. Each entry here covers how it happens, what it costs when someone exploits it, and the fix that actually closes it.

Showing 91–120 of 323 weaknesses

CWE-276

Incorrect Default Permissions

Incorrect default permissions occur when software is installed or configured with overly permissive access controls on files, directories, databases, or…

CWE-277

Insecure Inherited Permissions

This weakness occurs when a newly created resource file, directory, process, or object automatically inherits overly permissive access controls from its parent…

CWE-279

Incorrect Execution-Assigned Permissions

This weakness occurs when software runs with permissions that differ from what the administrator or developer intended, usually because the runtime environment…

CWE-280

Improper Handling of Insufficient Permissions or Privileges

This weakness occurs when software fails to properly check or respond to permission errors before attempting a sensitive operation. Instead of gracefully…

CWE-281

Improper Preservation of Permissions

This weakness occurs when software copies, restores, or transfers a file but fails to preserve its original access permissions. The result is that a file may…

CWE-282

Improper Ownership Management

Improper ownership management occurs when software fails to correctly assign or maintain ownership of critical resources—such as files, directories, processes…

CWE-283

Unverified Ownership

This weakness occurs when software allows an operation on a resource—such as a file, database record, or user account—without first confirming that the person…

CWE-284

Improper Access Control

Improper access control occurs when software fails to enforce, or incorrectly implements, restrictions on who can access specific resources, features, or data…

CWE-285

Improper Authorization

Improper authorization occurs when software fails to correctly verify whether a user has permission to perform a requested action or access a resource. This…

CWE-286

Incorrect User Management

Incorrect user management occurs when software fails to properly handle the creation, modification, or removal of user accounts in a way that maintains…

CWE-287

Improper Authentication

Improper authentication occurs when software fails to adequately verify that a user is who they claim to be. Instead of properly validating credentials, the…

CWE-288

Authentication Bypass Using an Alternate Path or Channel

This weakness occurs when a web application or service requires authentication to access a resource or feature, but an alternate path, API endpoint, or…

CWE-289

Authentication Bypass by Alternate Name

This weakness occurs when an application authenticates users based on a name or identifier, but fails to account for alternate forms of that same name—such as…

CWE-290

Authentication Bypass by Spoofing

This weakness occurs when an application uses easily-forged characteristics—such as IP addresses, hostnames, or HTTP headers—as the primary basis for…

CWE-291

Reliance on IP Address for Authentication

This weakness occurs when software treats an IP address as sufficient proof of a user's identity. Because IP addresses can be spoofed, shared across multiple…

CWE-294

Authentication Bypass by Capture-replay

A capture-replay vulnerability occurs when an attacker can record a legitimate user's authentication traffic and replay it later to gain unauthorized access…

CWE-295

Improper Certificate Validation

Improper certificate validation occurs when software fails to verify that a TLS/SSL certificate is legitimate before trusting it. This allows an attacker…

CWE-297

Improper Validation of Certificate with Host Mismatch

This weakness occurs when software connects to a remote host over HTTPS or another certificate-based protocol but fails to verify that the certificate's…

CWE-300

Channel Accessible by Non-Endpoint

This weakness occurs when software fails to properly verify the identity of both parties in a communication channel, leaving it vulnerable to man-in-the-middle…

CWE-302

Authentication Bypass by Assumed-Immutable Data

This weakness occurs when an application trusts data it shouldn't—typically information stored on the client side or in places an attacker can modify—to verify…

CWE-303

Incorrect Implementation of Authentication Algorithm

This weakness occurs when a system implements an authentication mechanism that deviates from its intended design, weakening the security it should provide…

CWE-304

Missing Critical Step in Authentication

This weakness occurs when an authentication system skips or incompletely implements a security step that is essential to the authentication method. Even if…

CWE-305

Authentication Bypass by Primary Weakness

This weakness describes a fundamental flaw in how an application verifies user identity — one so broken that it can be bypassed entirely, regardless of how…

CWE-306

Missing Authentication for Critical Function

Missing authentication for critical functions allows anyone—authenticated user or complete stranger—to perform sensitive operations without proving their…

CWE-307

Improper Restriction of Excessive Authentication Attempts

This weakness occurs when a system allows an attacker to make unlimited login attempts without penalty. Without rate limiting or account lockouts, an attacker…

CWE-308

Use of Single-Factor Authentication

Single-factor authentication relies on only one method—typically a password—to verify a user's identity. This approach is inherently weaker than multi-factor…

CWE-309

Use of Password System for Primary Authentication

This weakness occurs when an application relies solely on passwords to verify user identity, without additional verification methods. Passwords alone are…

CWE-310

Cryptographic Issues

Cryptographic Issues encompass weaknesses in how software chooses, configures, and implements cryptographic algorithms and protocols. These flaws can range…

CWE-311

Missing Encryption of Sensitive Data

This weakness occurs when an application stores or transmits sensitive information—such as passwords, payment card data, API keys, or personal…

CWE-312

Cleartext Storage of Sensitive Information

This weakness occurs when sensitive data—such as passwords, API keys, authentication tokens, or personal information—is stored in plain, unencrypted form where…
