Common Weakness Enumeration — the root causes behind every CVE

CWE catalogs the root causes behind CVEs — SQL injection, XSS, broken auth, and 300+ others that keep showing up in security advisories. Each entry here covers how it happens, what it costs when someone exploits it, and the fix that actually closes it.

Showing 181–210 of 323 weaknesses

CWE-444

Inconsistent Interpretation of HTTP Requests (Request Smuggling)

HTTP request smuggling occurs when a proxy, load balancer, or firewall interprets the boundaries of an HTTP request differently than the backend server it…

CWE-451

User Interface (UI) Misrepresentation of Critical Information

This weakness occurs when a user interface displays information in a way that contradicts how the system actually processes it, causing users to make decisions…

CWE-459

Incomplete Cleanup

Incomplete cleanup occurs when an application fails to properly remove or clear temporary files, database connections, cached data, or other resources after…

CWE-460

Improper Cleanup on Thrown Exception

When code throws an exception without properly releasing resources or restoring state, it can leave the application in an unstable or insecure condition. This…

CWE-470

Use of Externally-Controlled Input to Select Classes or Code (Unsafe Reflection)

This weakness occurs when an application uses user-supplied input to dynamically load or instantiate classes, invoke methods, or execute code via reflection…

CWE-471

Modification of Assumed-Immutable Data (MAID)

This weakness occurs when software assumes a value cannot be changed—such as a user ID, file path, or security token—but fails to enforce that assumption. An…

CWE-472

External Control of Assumed-Immutable Web Parameter

This weakness occurs when a web application trusts that certain inputs—typically hidden form fields, cookies, or URL parameters marked as "internal"—cannot be…

CWE-476

NULL Pointer Dereference

A NULL pointer dereference occurs when code attempts to access memory through a pointer that has not been initialized or has been set to NULL. This typically…

CWE-477

Use of Obsolete Function

This weakness occurs when software relies on functions, APIs, or libraries that have been deprecated or marked obsolete by their maintainers. Obsolete…

CWE-478

Missing Default Case in Switch Statement

A switch statement without a default case leaves the program unable to handle unexpected input values. When a value doesn't match any case, execution may…

CWE-489

Active Debug Code

Debug code left enabled in production exposes sensitive information and unintended functionality to attackers. This includes verbose error messages, diagnostic…

CWE-497

Exposure of Sensitive System Information to an Unauthorized Control Sphere

This weakness occurs when an application or system leaks internal details—such as software versions, file paths, configuration settings, or environment…

CWE-501

Trust Boundary Violation

Trust boundary violation occurs when a program mixes validated trusted and unvalidated untrusted data in the same variable, object, or data structure without…

CWE-502

Deserialization of Untrusted Data

Deserialization is the process of converting serialized data (often a byte stream or string) back into an object or data structure. When an application…

CWE-521

Weak Password Requirements

This weakness occurs when a system allows users to set passwords that are too simple, short, or predictable — making accounts vulnerable to guessing and…

CWE-522

Insufficiently Protected Credentials

This weakness occurs when authentication credentials—usernames, passwords, API keys, tokens, or other secrets—are transmitted or stored without adequate…

CWE-523

Unprotected Transport of Credentials

This weakness occurs when login credentials, API keys, authentication tokens, or other sensitive authentication data are transmitted over unencrypted…

CWE-524

Use of Cache Containing Sensitive Information

This weakness occurs when an application stores sensitive data (passwords, tokens, personal information, etc.) in a cache that is accessible to unauthorized…

CWE-525

Use of Web Browser Cache Containing Sensitive Information

This weakness occurs when a web application stores sensitive data (passwords, authentication tokens, personal information, financial details) in the browser's…

CWE-526

Exposure of Sensitive Information Through Environmental Variables

Environment variables are a convenient way to pass configuration to applications, but they are often visible to anyone with access to the system—including…

CWE-532

Insertion of Sensitive Information into Log File

This weakness occurs when an application writes sensitive data—such as passwords, API keys, authentication tokens, or personal information—directly into log…

CWE-538

Insertion of Sensitive Information into Externally-Accessible File or Directory

This weakness occurs when an application stores sensitive data—such as API keys, database credentials, private tokens, or user information—in a location that…

CWE-539

Use of Persistent Cookies Containing Sensitive Information

This weakness occurs when an application stores sensitive data, such as authentication tokens, API keys, or personal information, in a persistent cookie that…

CWE-540

Inclusion of Sensitive Information in Source Code

This weakness occurs when developers hardcode sensitive data—such as API keys, database passwords, authentication tokens, or private encryption keys—directly…

CWE-548

Exposure of Information Through Directory Listing

Directory listing occurs when a web server automatically generates and displays the contents of a directory when no default file (like index.html) is present…

CWE-550

Server-generated Error Message Containing Sensitive Information

When a server encounters an error, it sometimes responds with detailed diagnostic information intended to help developers debug the problem. If that error…

CWE-552

Files or Directories Accessible to External Parties

This weakness occurs when sensitive files or directories—such as configuration files, private keys, database backups, or source code—are stored in locations…

CWE-565

Reliance on Cookies without Validation and Integrity Checking

This weakness occurs when an application stores sensitive data or logic-critical information in cookies without verifying that the cookie hasn't been tampered…

CWE-566

Authorization Bypass Through User-Controlled SQL Primary Key

This weakness occurs when an application uses a user-supplied value (such as a record ID in a URL or form parameter) as a primary key to fetch database records…

CWE-573

Improper Following of Specification by Caller

This weakness occurs when code calls an API, library function, or protocol without adhering to its documented requirements or constraints. The caller may omit…

Page 7 of 11