Common Weakness Enumeration — the root causes behind every CVE
CWE catalogs the root causes behind CVEs — SQL injection, XSS, broken auth, and 300+ others that keep showing up in security advisories. Each entry here covers how it happens, what it costs when someone exploits it, and the fix that actually closes it.
Inconsistent Interpretation of HTTP Requests (Request Smuggling)
HTTP request smuggling occurs when a proxy, load balancer, or firewall interprets the boundaries of an HTTP request differently than the backend server it…
User Interface (UI) Misrepresentation of Critical Information
This weakness occurs when a user interface displays information in a way that contradicts how the system actually processes it, causing users to make decisions…
Incomplete Cleanup
Incomplete cleanup occurs when an application fails to properly remove or clear temporary files, database connections, cached data, or other resources after…
Improper Cleanup on Thrown Exception
When code throws an exception without properly releasing resources or restoring state, it can leave the application in an unstable or insecure condition. This…
Use of Externally-Controlled Input to Select Classes or Code (Unsafe Reflection)
This weakness occurs when an application uses user-supplied input to dynamically load or instantiate classes, invoke methods, or execute code via reflection…
Modification of Assumed-Immutable Data (MAID)
This weakness occurs when software assumes a value cannot be changed—such as a user ID, file path, or security token—but fails to enforce that assumption. An…
External Control of Assumed-Immutable Web Parameter
This weakness occurs when a web application trusts that certain inputs—typically hidden form fields, cookies, or URL parameters marked as "internal"—cannot be…
NULL Pointer Dereference
A NULL pointer dereference occurs when code attempts to access memory through a pointer that has not been initialized or has been set to NULL. This typically…
Use of Obsolete Function
This weakness occurs when software relies on functions, APIs, or libraries that have been deprecated or marked obsolete by their maintainers. Obsolete…
Missing Default Case in Switch Statement
A switch statement without a default case leaves the program unable to handle unexpected input values. When a value doesn't match any case, execution may…
Active Debug Code
Debug code left enabled in production exposes sensitive information and unintended functionality to attackers. This includes verbose error messages, diagnostic…
Exposure of Sensitive System Information to an Unauthorized Control Sphere
This weakness occurs when an application or system leaks internal details—such as software versions, file paths, configuration settings, or environment…
Trust Boundary Violation
Trust boundary violation occurs when a program mixes validated (trusted) and unvalidated (untrusted) data in the same variable, object, or data structure without…
Deserialization of Untrusted Data
Deserialization is the process of converting serialized data (often a byte stream or string) back into an object or data structure. When an application…
Weak Password Requirements
This weakness occurs when a system allows users to set passwords that are too simple, short, or predictable — making accounts vulnerable to guessing and…
Insufficiently Protected Credentials
This weakness occurs when authentication credentials—usernames, passwords, API keys, tokens, or other secrets—are transmitted or stored without adequate…
Unprotected Transport of Credentials
This weakness occurs when login credentials, API keys, authentication tokens, or other sensitive authentication data are transmitted over unencrypted…
Use of Cache Containing Sensitive Information
This weakness occurs when an application stores sensitive data (passwords, tokens, personal information, etc.) in a cache that is accessible to unauthorized…
Use of Web Browser Cache Containing Sensitive Information
This weakness occurs when a web application stores sensitive data (passwords, authentication tokens, personal information, financial details) in the browser's…
Exposure of Sensitive Information Through Environmental Variables
Environment variables are a convenient way to pass configuration to applications, but they are often visible to anyone with access to the system—including…
Insertion of Sensitive Information into Log File
This weakness occurs when an application writes sensitive data—such as passwords, API keys, authentication tokens, or personal information—directly into log…
Insertion of Sensitive Information into Externally-Accessible File or Directory
This weakness occurs when an application stores sensitive data—such as API keys, database credentials, private tokens, or user information—in a location that…
Use of Persistent Cookies Containing Sensitive Information
This weakness occurs when an application stores sensitive data such as authentication tokens, API keys, or personal information in a persistent cookie that…
Inclusion of Sensitive Information in Source Code
This weakness occurs when developers hardcode sensitive data—such as API keys, database passwords, authentication tokens, or private encryption keys—directly…
Exposure of Information Through Directory Listing
Directory listing occurs when a web server automatically generates and displays the contents of a directory when no default file (like index.html) is present…
Server-generated Error Message Containing Sensitive Information
When a server encounters an error, it sometimes responds with detailed diagnostic information intended to help developers debug the problem. If that error…
Files or Directories Accessible to External Parties
This weakness occurs when sensitive files or directories—such as configuration files, private keys, database backups, or source code—are stored in locations…
Reliance on Cookies without Validation and Integrity Checking
This weakness occurs when an application stores sensitive data or logic-critical information in cookies without verifying that the cookie hasn't been tampered…
Authorization Bypass Through User-Controlled SQL Primary Key
This weakness occurs when an application uses a user-supplied value such as a record ID in a URL or form parameter as a primary key to fetch database records…
Improper Following of Specification by Caller
This weakness occurs when code calls an API, library function, or protocol without adhering to its documented requirements or constraints. The caller may omit…