Common Weakness Enumeration — the root causes behind every CVE

CWE catalogs the root causes behind CVEs — SQL injection, XSS, broken auth, and 300+ others that keep showing up in security advisories. Each entry here covers how it happens, what it costs when someone exploits it, and the fix that actually closes it.

Showing 121–150 of 323 weaknesses

CWE-313

Cleartext Storage in a File or on Disk

This weakness occurs when an application stores sensitive data—such as passwords, API keys, authentication tokens, or personal information—in plain…

CWE-315

Cleartext Storage of Sensitive Information in a Cookie

This weakness occurs when an application stores sensitive data—such as passwords, API keys, session tokens, or personal information—in plain text within a…

CWE-316

Cleartext Storage of Sensitive Information in Memory

This weakness occurs when an application stores sensitive data—such as passwords, API keys, or authentication tokens—in plaintext in memory without encryption…

CWE-317

Cleartext Storage of Sensitive Information in GUI

This weakness occurs when an application displays sensitive data—such as passwords, API keys, credit card numbers, or authentication tokens—in plain, readable…

CWE-318

Cleartext Storage of Sensitive Information in Executable

This weakness occurs when sensitive data—such as API keys, database credentials, encryption keys, or authentication tokens—is hardcoded or embedded in…

CWE-319

Cleartext Transmission of Sensitive Information

This weakness occurs when an application sends sensitive data—such as passwords, authentication tokens, payment information, or personal details—over an…

CWE-320

Key Management Errors

Key management errors occur when cryptographic keys are generated, stored, transmitted, or destroyed insecurely. Even strong encryption algorithms become…

CWE-321

Use of Hard-coded Cryptographic Key

This weakness occurs when a cryptographic key is embedded directly in source code, configuration files, or compiled binaries instead of being generated, stored…

CWE-322

Key Exchange without Entity Authentication

This weakness occurs when software exchanges cryptographic keys with another party without verifying that party's identity. An attacker positioned between the…

CWE-323

Reusing a Nonce, Key Pair in Encryption

This weakness occurs when software reuses a nonce (a "number used once") or cryptographic key pair in encryption operations that cryptographically require unique…

CWE-324

Use of a Key Past its Expiration Date

This weakness occurs when software continues to use a cryptographic key or password after its intended expiration date. Cryptographic keys are typically…

CWE-325

Missing Cryptographic Step

This weakness occurs when a cryptographic algorithm or protocol is implemented incompletely—a required step is skipped, shortened, or omitted entirely. The…

CWE-326

Inadequate Encryption Strength

This weakness occurs when software encrypts sensitive data using an encryption algorithm or key size that is too weak to resist modern attack methods. Even if…

CWE-327

Use of a Broken or Risky Cryptographic Algorithm

This weakness occurs when software relies on cryptographic algorithms that are mathematically broken, computationally weak, or otherwise unsuitable for…

CWE-328

Use of Weak Hash

This weakness occurs when software relies on a hashing algorithm that is not cryptographically secure—such as MD5 or SHA-1—to protect sensitive data like…

CWE-329

Generation of Predictable IV with CBC Mode

CBC (Cipher Block Chaining) mode encryption requires a unique, unpredictable initialization vector (IV) for each message to maintain security. When an application…

CWE-330

Use of Insufficiently Random Values

This weakness occurs when software relies on random numbers or values for security purposes—such as session tokens, password reset links, or cryptographic…

CWE-331

Insufficient Entropy

Insufficient entropy occurs when software generates security-critical values—such as tokens, session IDs, or cryptographic keys—using a method that doesn't…

CWE-336

Same Seed in Pseudo-Random Number Generator (PRNG)

This weakness occurs when a program initializes a pseudo-random number generator (PRNG) with the same seed value every time it runs, causing it to produce…

CWE-337

Predictable Seed in Pseudo-Random Number Generator (PRNG)

This weakness occurs when a PRNG is initialized with a seed value that an attacker can predict or reproduce — such as the current time, process ID, or other…

CWE-338

Use of Cryptographically Weak PRNG

This weakness occurs when software uses a non-cryptographic random number generator like random or mtrand to create security-sensitive values such as session…

CWE-339

Small Seed Space in PRNG

This weakness occurs when a pseudo-random number generator (PRNG) is seeded with a value drawn from a small set of possibilities, allowing an attacker to predict…

CWE-340

Generation of Predictable Numbers or Identifiers

This weakness occurs when software generates security-sensitive values—such as session tokens, password-reset links, or API keys—using predictable methods like…

CWE-345

Insufficient Verification of Data Authenticity

This weakness occurs when software accepts data without properly verifying that it came from a trusted source or hasn't been tampered with. An attacker can…

CWE-346

Origin Validation Error

Origin validation errors occur when software fails to properly verify where a request or piece of data is coming from. This weakness allows attackers to bypass…

CWE-347

Improper Verification of Cryptographic Signature

This weakness occurs when software fails to properly verify cryptographic signatures on data, or skips signature verification entirely. An attacker can forge…

CWE-352

Cross-Site Request Forgery

Cross-Site Request Forgery (CSRF) is a vulnerability that allows an attacker to trick a logged-in user into performing unwanted actions on a website without…

CWE-354

Improper Validation of Integrity Check Value

This weakness occurs when software accepts data without properly verifying its integrity check value—such as a checksum, hash, or digital signature. An…

CWE-359

Exposure of Private Personal Information to an Unauthorized Actor

This weakness occurs when software fails to properly control who can access private or personally identifiable information (PII) — such as names, email…

CWE-362

Race Condition

A race condition occurs when the security or correctness of code depends on the precise timing or order of events across multiple threads or processes, and an…

Page 5 of 11