Common Weakness Enumeration — the root causes behind every CVE
CWE catalogs the root causes behind CVEs — SQL injection, XSS, broken auth, and 300+ others that keep showing up in security advisories. Each entry here covers how it happens, what it costs when someone exploits it, and the fix that actually closes it.
Cleartext Storage in a File or on Disk
This weakness occurs when an application stores sensitive data—such as passwords, API keys, authentication tokens, or personal information—in plain…
Cleartext Storage of Sensitive Information in a Cookie
This weakness occurs when an application stores sensitive data—such as passwords, API keys, session tokens, or personal information—in plain text within a…
Cleartext Storage of Sensitive Information in Memory
This weakness occurs when an application stores sensitive data—such as passwords, API keys, or authentication tokens—in plaintext in memory without encryption…
Cleartext Storage of Sensitive Information in GUI
This weakness occurs when an application displays sensitive data—such as passwords, API keys, credit card numbers, or authentication tokens—in plain, readable…
Cleartext Storage of Sensitive Information in Executable
This weakness occurs when sensitive data—such as API keys, database credentials, encryption keys, or authentication tokens—is hardcoded or embedded in…
Cleartext Transmission of Sensitive Information
This weakness occurs when an application sends sensitive data—such as passwords, authentication tokens, payment information, or personal details—over an…
Key Management Errors
Key management errors occur when cryptographic keys are generated, stored, transmitted, or destroyed insecurely. Even strong encryption algorithms become…
Use of Hard-coded Cryptographic Key
This weakness occurs when a cryptographic key is embedded directly in source code, configuration files, or compiled binaries instead of being generated, stored…
Key Exchange without Entity Authentication
This weakness occurs when software exchanges cryptographic keys with another party without verifying that party's identity. An attacker positioned between the…
Reusing a Nonce, Key Pair in Encryption
This weakness occurs when software reuses a nonce (a "number used once") or cryptographic key pair in encryption operations that cryptographically require unique…
Use of a Key Past its Expiration Date
This weakness occurs when software continues to use a cryptographic key or password after its intended expiration date. Cryptographic keys are typically…
Missing Cryptographic Step
This weakness occurs when a cryptographic algorithm or protocol is implemented incompletely—a required step is skipped, shortened, or omitted entirely. The…
Inadequate Encryption Strength
This weakness occurs when software encrypts sensitive data using an encryption algorithm or key size that is too weak to resist modern attack methods. Even if…
Use of a Broken or Risky Cryptographic Algorithm
This weakness occurs when software relies on cryptographic algorithms that are mathematically broken, computationally weak, or otherwise unsuitable for…
Use of Weak Hash
This weakness occurs when software relies on a hashing algorithm that is not cryptographically secure—such as MD5 or SHA-1—to protect sensitive data like…
Generation of Predictable IV with CBC Mode
CBC (Cipher Block Chaining) mode encryption requires a unique, unpredictable initialization vector (IV) for each message to maintain security. When an application…
Use of Insufficiently Random Values
This weakness occurs when software relies on random numbers or values for security purposes—such as session tokens, password reset links, or cryptographic…
Insufficient Entropy
Insufficient entropy occurs when software generates security-critical values—such as tokens, session IDs, or cryptographic keys—using a method that doesn't…
Same Seed in Pseudo-Random Number Generator (PRNG)
This weakness occurs when a program initializes a pseudo-random number generator (PRNG) with the same seed value every time it runs, causing it to produce…
Predictable Seed in Pseudo-Random Number Generator (PRNG)
This weakness occurs when a PRNG is initialized with a seed value that an attacker can predict or reproduce — such as the current time, process ID, or other…
Use of Cryptographically Weak PRNG
This weakness occurs when software uses a non-cryptographic random number generator like random or mtrand to create security-sensitive values such as session…
Small Seed Space in PRNG
This weakness occurs when a pseudo-random number generator (PRNG) is seeded with a value drawn from a small set of possibilities, allowing an attacker to predict…
Generation of Predictable Numbers or Identifiers
This weakness occurs when software generates security-sensitive values—such as session tokens, password-reset links, or API keys—using predictable methods like…
Insufficient Verification of Data Authenticity
This weakness occurs when software accepts data without properly verifying that it came from a trusted source or hasn't been tampered with. An attacker can…
Origin Validation Error
Origin validation errors occur when software fails to properly verify where a request or piece of data is coming from. This weakness allows attackers to bypass…
Improper Verification of Cryptographic Signature
This weakness occurs when software fails to properly verify cryptographic signatures on data, or skips signature verification entirely. An attacker can forge…
Cross-Site Request Forgery
Cross-Site Request Forgery (CSRF) is a vulnerability that allows an attacker to trick a logged-in user into performing unwanted actions on a website without…
Improper Validation of Integrity Check Value
This weakness occurs when software accepts data without properly verifying its integrity check value—such as a checksum, hash, or digital signature. An…
Exposure of Private Personal Information to an Unauthorized Actor
This weakness occurs when software fails to properly control who can access private or personally identifiable information (PII) — such as names, email…
Race Condition
A race condition occurs when the security or correctness of code depends on the precise timing or order of events across multiple threads or processes, and an…