Common Weakness Enumeration — the root causes behind every CVE

CWE catalogs the root causes behind CVEs — SQL injection, XSS, broken auth, and 300+ others that keep showing up in security advisories. Each entry here covers how it happens, what it costs when someone exploits it, and the fix that actually closes it.

Showing 151–180 of 323 weaknesses

CWE-363

Race Condition Enabling Link Following

This weakness occurs when a program checks whether a file is safe to access, for example by verifying it's not a symbolic link pointing elsewhere, but an…

CWE-367

Time-of-check Time-of-use (TOCTOU) Race Condition

A TOCTOU race condition occurs when code checks a resource's state (such as file permissions, account balance, or user role) and then uses that resource later…

CWE-369

Divide By Zero

Divide by zero occurs when a program attempts to divide a number by zero, which is mathematically undefined. In most programming languages, this causes an…

CWE-377

Insecure Temporary File

Temporary files are often created with predictable names, world-readable permissions, or in shared directories where other users or processes can access or…

CWE-378

Creation of Temporary File With Insecure Permissions

This weakness occurs when a program creates a temporary file but fails to restrict access to it properly, leaving it readable or writable by other users on the…

CWE-379

Creation of Temporary File in Directory with Incorrect Permissions

This weakness occurs when an application creates temporary files in a directory that is world-readable or world-writable, allowing other users on the same…

CWE-384

Session Fixation

Session fixation is a vulnerability where an attacker tricks a user into logging in with a session ID that the attacker already knows. Because the application…

CWE-390

Detection of Error Condition Without Action

This weakness occurs when code detects that something has gone wrong—a failed authentication, a missing file, a database connection error—but then does nothing…

CWE-391

Unchecked Error Condition

This weakness occurs when code calls a function or performs an operation but fails to check whether it succeeded or failed. When errors go undetected, the…

CWE-392

Missing Report of Error Condition

This weakness occurs when software encounters an error but silently fails to log, report, or otherwise communicate that something went wrong. Without error…

CWE-393

Return of Wrong Status Code

This weakness occurs when software returns an HTTP status code or function return value that doesn't match the actual outcome of an operation. For example…

CWE-400

Uncontrolled Resource Consumption

Uncontrolled Resource Consumption occurs when an application fails to limit how much of a shared resource—such as memory, CPU time, disk space, or network…

CWE-401

Missing Release of Memory after Effective Lifetime

A memory leak occurs when a program allocates memory but fails to release it after it is no longer needed. Over time, this causes memory consumption to grow…

CWE-402

Transmission of Private Resources into a New Sphere ('Resource Leak')

Resource leak occurs when a program makes a private resource—such as a file handle, memory segment, database connection, or temporary file—accessible to a…

CWE-404

Improper Resource Shutdown or Release

This weakness occurs when software fails to properly close or release resources—such as file handles, database connections, network sockets, or locks—after…

CWE-405

Asymmetric Resource Consumption (Amplification)

This weakness occurs when a small, inexpensive action by an attacker triggers a much larger consumption of server resources, creating a denial-of-service…

CWE-406

Insufficient Control of Network Message Volume (Amplification)

This weakness occurs when software responds to incoming network requests by generating disproportionately large or numerous outbound messages without proper…

CWE-407

Inefficient Algorithmic Complexity

This weakness occurs when software uses an algorithm that consumes disproportionate CPU, memory, or time relative to the size of its input. An attacker can…

CWE-409

Improper Handling of Highly Compressed Data

This weakness occurs when software decompresses data without validating the compression ratio or limiting resource consumption during decompression. An…

CWE-410

Insufficient Resource Pool

This weakness occurs when an application fails to properly size, limit, or manage its resource pools—such as database connections, thread pools, or memory…

CWE-415

Double Free

A double free occurs when a program attempts to deallocate the same memory address twice. This corrupts the memory allocator's internal bookkeeping…

CWE-416

Use After Free

Use After Free occurs when a program continues to reference memory that has already been freed and returned to the system. This can cause the application to…

CWE-421

Race Condition During Access to Alternate Channel

This weakness occurs when software protects a resource through one access path but leaves an alternate path unprotected or inadequately secured. An attacker…

CWE-425

Direct Request ('Forced Browsing')

Direct Request, also called forced browsing, occurs when a web application fails to properly check whether a user has permission to access a specific URL…

CWE-426

Untrusted Search Path

Untrusted Search Path occurs when an application searches for executables, libraries, or other critical resources using a path that an attacker can influence…

CWE-427

Uncontrolled Search Path Element

This weakness occurs when an application searches for files, libraries, or other resources using a path that includes directories controlled by an untrusted…

CWE-428

Unquoted Search Path or Element

This weakness occurs when a program searches for or executes files using a path that is not properly quoted, allowing an attacker to inject and execute a…

CWE-434

Unrestricted Upload of File with Dangerous Type

This weakness occurs when a web application accepts file uploads without properly validating the file type, allowing an attacker to upload executable scripts…

CWE-436

Interpretation Conflict

An interpretation conflict occurs when different components in a system parse or understand the same input in incompatible ways. A security control such as a…

CWE-441

Unintended Proxy or Intermediary ('Confused Deputy')

A "Confused Deputy" vulnerability occurs when a trusted application or service is tricked into performing actions on behalf of an attacker, rather than the…

Page 6 of 11