Common Weakness Enumeration — the root causes behind CVEs

CWE catalogs the root causes behind CVEs — SQL injection, XSS, broken auth, and 300+ others that keep showing up in security advisories. Each entry here covers how it happens, what it costs when someone exploits it, and the fix that actually closes it.

Showing 211–240 of 323 weaknesses

CWE-598

Use of GET Request Method With Sensitive Query Strings

This weakness occurs when a web application transmits sensitive data (passwords, tokens, personal information) as part of a GET request's query string. Because…

CWE-601

URL Redirection to Untrusted Site (Open Redirect)

An open redirect occurs when a web application takes user input and uses it to redirect the browser to another URL without validating that the destination is…

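The validation the CWE-601 entry alludes to, written out as an added example (not code from this page or from the CWE project). It contrasts a handler that trusts the `next` parameter with one that only follows site-relative paths or allowlisted https hosts. The hostnames in `ALLOWED_HOSTS` are assumed for the example; the function expects the parameter value as the framework hands it over, already URL-decoded.

```python
from urllib.parse import urlsplit

# Hosts this application may redirect to (assumed allowlist for the example).
ALLOWED_HOSTS = {"app.example.com", "accounts.example.com"}
SAFE_FALLBACK = "/"


def redirect_target_vulnerable(next_url: str) -> str:
    """CWE-601: the 'next' parameter is handed to the Location header unchanged."""
    return next_url


def redirect_target_hardened(next_url: str, allowed_hosts=frozenset(ALLOWED_HOSTS),
                             fallback: str = SAFE_FALLBACK) -> str:
    """Return next_url only if it stays on this site or an allowlisted https host."""
    if not next_url:
        return fallback
    # Browsers treat "\" as "/" in URLs, so "/\evil.com" would be parsed here as a
    # relative path but followed by the browser as "//evil.com". Normalise first.
    candidate = next_url.replace("\\", "/")
    # CR/LF or other control characters could split the response header.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in candidate):
        return fallback
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # Absolute ("https://...") or scheme-relative ("//evil.com") URL: require an
        # explicit https scheme and a host that parses and is allowlisted. This rejects
        # "https:evil.com", "https://app.example.com@evil.com", "javascript:..." etc.
        if parts.scheme != "https" or parts.hostname not in allowed_hosts:
            return fallback
        return candidate
    # Site-relative target: must be an absolute path on this origin.
    if not candidate.startswith("/"):
        return fallback
    return candidate
```

Matching on `parts.hostname` rather than on a string prefix is what defeats the userinfo trick (`https://app.example.com@evil.com`) and lookalike hosts (`app.example.com.evil.com`); `urlsplit` also lowercases the hostname, so case games against the allowlist do not work.
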
CWE-611

Improper Restriction of XML External Entity Reference

XML External Entity (XXE) injection occurs when an application parses untrusted XML input without disabling external entity resolution. An attacker can craft…

CWE-613

Insufficient Session Expiration

Session expiration is the mechanism that automatically logs out a user after a period of inactivity or elapsed time. When this is not properly implemented, an…

CWE-614

Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

This weakness occurs when a web application sets a sensitive cookie such as a session token or authentication credential over HTTPS but fails to include the…

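An added example serving both the CWE-613 and CWE-614 entries above (not code from this page or from the CWE project): a small auditor for a single `Set-Cookie` header that flags a sensitive cookie missing `Secure`, `HttpOnly` or `SameSite`, and a `Max-Age` longer than the session policy, beside a builder that emits the attributes an authentication cookie should carry. The name heuristic in `SENSITIVE_MARKERS` and the 12-hour limit are assumptions for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Substrings that mark a cookie as carrying authentication state (heuristic, assumed).
SENSITIVE_MARKERS = ("sess", "auth", "token", "jwt", "sid")
# Longest acceptable lifetime for an authentication cookie (assumed policy: 12 hours).
MAX_AUTH_COOKIE_AGE = 12 * 3600


@dataclass
class CookieAudit:
    name: str
    sensitive: bool
    secure: bool
    http_only: bool
    same_site: Optional[str]
    max_age: Optional[int]
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header_value: str) -> dict:
    """Split one Set-Cookie value into the name/value pair and a lowercase attribute map."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def audit_set_cookie(header_value: str, over_https: bool = True) -> CookieAudit:
    """Flag CWE-614 and CWE-613 problems in a single Set-Cookie header."""
    cookie = parse_set_cookie(header_value)
    attrs = cookie["attrs"]
    lname = cookie["name"].lower()
    raw_age = attrs.get("max-age", "")
    max_age = int(raw_age) if raw_age.lstrip("-").isdigit() else None
    audit = CookieAudit(
        name=cookie["name"],
        sensitive=any(marker in lname for marker in SENSITIVE_MARKERS),
        secure="secure" in attrs,
        http_only="httponly" in attrs,
        same_site=attrs.get("samesite") or None,
        max_age=max_age,
    )
    if not audit.sensitive:
        return audit
    if over_https and not audit.secure:
        audit.findings.append("CWE-614: sensitive cookie set over HTTPS lacks Secure; "
                              "the browser will also send it over http://")
    if not audit.http_only:
        audit.findings.append("missing HttpOnly: script (and therefore XSS) can read the cookie")
    if audit.same_site is None:
        audit.findings.append("missing SameSite: cookie is attached to cross-site requests")
    if audit.max_age is not None and audit.max_age > MAX_AUTH_COOKIE_AGE:
        audit.findings.append(f"CWE-613: Max-Age {audit.max_age}s exceeds the "
                              f"{MAX_AUTH_COOKIE_AGE}s session policy")
    return audit


def build_auth_cookie(name: str, value: str, max_age: int = 3600) -> str:
    """Set-Cookie value with the attributes an authentication cookie should carry."""
    return f"{name}={value}; Path=/; Max-Age={max_age}; Secure; HttpOnly; SameSite=Strict"
```

The auditor only looks at the header; whether the server also invalidates the session record after `Max-Age` (and on logout) is the other half of CWE-613 and has to be checked in the session store, since a cookie lifetime the browser enforces is no protection against a stolen token.
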
CWE-620

Unverified Password Change

This weakness occurs when a system allows a user's password to be changed without confirming the user's identity first — typically by requiring the current…

CWE-624

Executable Regular Expression Error

This weakness occurs when a regular expression engine evaluates code embedded within a regex pattern or subject string, rather than treating the pattern as a…

CWE-625

Permissive Regular Expression

A permissive regular expression accepts a wider range of input than intended, allowing malicious or unexpected data to pass validation checks. This weakness…

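An added example for the CWE-625 entry (not code from this page or from the CWE project), in Python because its `re` module has three of the classic permissive-regex traps: `match()` anchors only at the start, `$` also matches before a trailing newline, and `\d` matches any Unicode decimal digit, not just 0 to 9. The same input is run through each validator so the gaps are visible; the filename patterns are assumed for the example.

```python
import re

# Four ways to "validate a numeric id", accepting progressively less than intended.
PERMISSIVE = re.compile(r"[0-9]+")        # match(): anchored at the start only
ANCHORED = re.compile(r"^[0-9]+$")        # "$" also matches just before a trailing "\n"
UNICODE_DIGITS = re.compile(r"^\d+$")     # \d is any Unicode decimal digit in str patterns
STRICT = re.compile(r"[0-9]+")            # used with fullmatch(): whole string, ASCII digits only

# An uploaded-filename check with the same problem: match() is satisfied by the
# leading ".." of "../../etc/passwd" and never looks at the "/" that follows.
FILENAME_PERMISSIVE = re.compile(r"[\w.-]+")
FILENAME_STRICT = re.compile(r"[A-Za-z0-9_-]+(\.[A-Za-z0-9]+)?")  # one optional extension


def check_numeric_id(value: str) -> dict:
    """Run one input through each validator so the differences are visible."""
    return {
        "permissive": PERMISSIVE.match(value) is not None,
        "anchored": ANCHORED.match(value) is not None,
        "unicode": UNICODE_DIGITS.match(value) is not None,
        "strict": STRICT.fullmatch(value) is not None,
    }


def check_filename(name: str) -> dict:
    return {
        "permissive": FILENAME_PERMISSIVE.match(name) is not None,
        "strict": FILENAME_STRICT.fullmatch(name) is not None,
    }
```

The Unicode case matters beyond the regex: `int("\u0664\u0662")` happily returns 42 in Python, so a `\d`-based check followed by `int()` never notices that the client sent Arabic-Indic digits, which a downstream system with a stricter parser may reject or interpret differently.
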
CWE-639

Authorization Bypass Through User-Controlled Key

This weakness occurs when an application allows users to directly control identifiers like user IDs, account numbers, or resource IDs in requests, without…

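The pattern the CWE-639 entry describes, as an added example (not code from this page or from the CWE project): an invoice lookup that uses the request's id as the only key, beside one where ownership is part of the lookup and the caller is only ever shown references it may use. The in-memory `INVOICES` table, the `support` role and the user ids are constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str = "customer"


# Constructed sample table: invoice id -> owner and amount.
INVOICES = {
    1001: {"owner_id": 1, "amount": 120.00},
    1002: {"owner_id": 2, "amount": 980.50},
}


def get_invoice_vulnerable(current_user: User, invoice_id: int):
    """CWE-639: the id from the request is the only thing deciding what is returned.
    Any logged-in user can walk 1000, 1001, 1002, ... and read everyone's invoices."""
    invoice = INVOICES.get(invoice_id)
    if invoice is None:
        return 404, None
    return 200, invoice


def get_invoice_hardened(current_user: User, invoice_id: int):
    """Ownership is part of the lookup, not a separate check that can be forgotten.

    In SQL this is the difference between
        SELECT ... FROM invoices WHERE id = ?
    and
        SELECT ... FROM invoices WHERE id = ? AND owner_id = ?
    """
    invoice = INVOICES.get(invoice_id)
    allowed = invoice is not None and (
        invoice["owner_id"] == current_user.id or current_user.role == "support"
    )
    # Same answer for "does not exist" and "not yours": the endpoint then cannot be
    # used to enumerate which ids are valid.
    if not allowed:
        return 404, None
    return 200, invoice


def list_invoice_ids(current_user: User):
    """Only hand out references the caller is allowed to use."""
    return sorted(i for i, inv in INVOICES.items() if inv["owner_id"] == current_user.id)
```

Returning 404 rather than 403 for another user's invoice is a deliberate choice: a 403 confirms that the id exists, which is exactly the signal an attacker enumerating identifiers wants.
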
CWE-640

Weak Password Recovery Mechanism for Forgotten Password

Password recovery mechanisms are often the weakest link in account security. When a site uses easily guessable security questions, sends recovery codes via…

CWE-641

Improper Restriction of Names for Files and Other Resources

This weakness occurs when an application allows users to specify or influence the names of files, directories, or other resources without proper validation or…

CWE-643

Improper Neutralization of Data within XPath Expressions

XPath injection occurs when user-supplied input is directly embedded into an XPath query without proper escaping or validation. An attacker can inject XPath…

CWE-644

Improper Neutralization of HTTP Headers for Scripting Syntax

This weakness occurs when an application accepts user-controlled data in HTTP headers and passes it to a downstream component such as a template engine…

CWE-646

Reliance on File Name or Extension of Externally-Supplied File

This weakness occurs when an application trusts a file's name or extension to determine how it should be processed, without verifying the actual file content…

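An added example for the CWE-646 entry (not code from this page or from the CWE project): an upload check that accepts a file because of its extension, beside one that also sniffs the leading bytes and requires the declared and detected types to agree. The accepted types, their signatures and the alias table are an assumed policy for the example.

```python
import os
from typing import Optional

# Magic-byte prefixes for the file types this upload endpoint accepts (assumed policy).
MAGIC = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
}
EXTENSION_ALIASES = {"jpeg": "jpg"}


def type_from_name(filename: str) -> Optional[str]:
    """What the client claims, taken from the last extension only."""
    ext = os.path.splitext(filename)[1].lstrip(".").lower()
    ext = EXTENSION_ALIASES.get(ext, ext)
    return ext if ext in MAGIC else None


def type_from_content(data: bytes) -> Optional[str]:
    """What the bytes actually are, judged by their signature."""
    for kind, signatures in MAGIC.items():
        if any(data.startswith(sig) for sig in signatures):
            return kind
    return None


def accept_upload_vulnerable(filename: str, data: bytes) -> bool:
    """CWE-646: trusts the name. PHP source saved as 'avatar.png' passes."""
    return type_from_name(filename) is not None


def accept_upload_hardened(filename: str, data: bytes) -> bool:
    """The declared and detected types must both be allowed and must agree."""
    declared = type_from_name(filename)
    detected = type_from_content(data)
    return declared is not None and detected == declared
```

Signature sniffing is one layer, not the whole fix: a file can carry a valid GIF header and still be valid JavaScript or PHP further in. Store uploads under a server-generated name, serve them from a domain or path that never executes, and send `X-Content-Type-Options: nosniff` so the browser does not second-guess the type either.
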
CWE-648

Incorrect Use of Privileged APIs

This weakness occurs when code calls security-critical functions like permission checks, cryptographic operations, or system calls but fails to use them…

CWE-649

Reliance on Obfuscation or Encryption without Integrity Checking

This weakness occurs when software encrypts or obfuscates data but fails to verify that the data hasn't been modified after encryption. An attacker can alter…

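The CWE-649 entry says an attacker can alter encrypted data that is not integrity-protected; the added example below (not code from this page or from the CWE project) shows it happening. A stream-cipher style construction built from HMAC-SHA256 as a toy keystream encrypts a token; an attacker who knows where `role=user` sits flips the ciphertext into `role=root` without the key. The same edit against an encrypt-then-MAC version fails verification. The keystream construction and the sample token are illustrative assumptions; production code should use an AEAD such as AES-GCM or ChaCha20-Poly1305 from a vetted library rather than this toy.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256(key, nonce || counter) blocks. Illustration only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_no_integrity(key: bytes, plaintext: bytes) -> bytes:
    """CWE-649: confidentiality only. Output is nonce || ciphertext."""
    nonce = secrets.token_bytes(NONCE_LEN)
    return nonce + _xor(plaintext, _keystream(key, nonce, len(plaintext)))


def decrypt_no_integrity(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    return _xor(ct, _keystream(key, nonce, len(ct)))


def flip_plaintext(blob: bytes, offset: int, known: bytes, wanted: bytes) -> bytes:
    """Attacker's move, no key needed: XOR the ciphertext with (known ^ wanted) at a
    position whose plaintext is known or guessable, and the decryption changes to match."""
    body = bytearray(blob)
    for i, (k, w) in enumerate(zip(known, wanted)):
        body[NONCE_LEN + offset + i] ^= k ^ w
    return bytes(body)


def encrypt_then_mac(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Fix: authenticate everything the receiver will act on (nonce and ciphertext)."""
    blob = encrypt_no_integrity(enc_key, plaintext)
    return blob + hmac.new(mac_key, blob, hashlib.sha256).digest()


def decrypt_then_verify(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        raise ValueError("integrity check failed")
    return decrypt_no_integrity(enc_key, body)


def demo() -> dict:
    enc_key, mac_key = secrets.token_bytes(32), secrets.token_bytes(32)
    token = b"user=alice;role=user;credit=0010"          # constructed sample token
    role_at = token.index(b"role=") + len(b"role=")

    # 1. Encrypted but unauthenticated: the attacker upgrades the role blind.
    blob = encrypt_no_integrity(enc_key, token)
    forged = flip_plaintext(blob, role_at, b"user", b"root")
    forged_plaintext = decrypt_no_integrity(enc_key, forged)

    # 2. The same edit against an authenticated blob is rejected before decryption.
    sealed = encrypt_then_mac(enc_key, mac_key, token)
    tampered = flip_plaintext(sealed, role_at, b"user", b"root")
    try:
        decrypt_then_verify(enc_key, mac_key, tampered)
        mac_rejected = False
    except ValueError:
        mac_rejected = True

    return {
        "forged_plaintext": forged_plaintext,
        "mac_rejected": mac_rejected,
        "roundtrip_ok": decrypt_then_verify(enc_key, mac_key, sealed) == token,
    }
```

Two details carry over to real designs: the MAC is computed over the nonce as well as the ciphertext, so the attacker cannot swap either, and it is verified before any decryption or parsing happens, so malformed input never reaches code that acts on it.
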
CWE-650

Trusting HTTP Permission Methods on the Server Side

This weakness occurs when a web application relies solely on HTTP method restrictions (GET, POST, PUT, DELETE, etc.) to enforce security controls, without…

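An added example for the CWE-650 entry (not code from this page or from the CWE project): a tiny dispatcher whose only authorization check is keyed on the HTTP verb, so a non-admin reaches the state-changing handler with `GET`, beside one that routes on (method, path), rejects unknown verbs, and attaches the admin requirement to the action itself. The users, the admin set and the route are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Tuple


@dataclass
class Request:
    method: str
    path: str
    user: str
    params: Dict[str, str] = field(default_factory=dict)


class AdminApp:
    """Tiny in-memory service with one state-changing action: deleting a user."""

    def __init__(self):
        self.users = {"alice", "bob", "carol"}
        self.admins = {"alice"}

    def delete_user(self, req: Request) -> Tuple[int, str]:
        name = req.params.get("name")
        if name not in self.users:
            return 404, "no such user"
        self.users.discard(name)
        return 200, f"deleted {name}"

    def dispatch_vulnerable(self, req: Request) -> Tuple[int, str]:
        """CWE-650: authorization keys on the verb, routing does not.

        The check assumes only POST/PUT/PATCH/DELETE can change state, but the
        handler reads its parameters the same way for every method, so a GET (or
        HEAD) by a non-admin reaches it unchecked.
        """
        if req.method in {"POST", "PUT", "PATCH", "DELETE"} and req.user not in self.admins:
            return 403, "admins only"
        if req.path == "/admin/users/delete":
            return self.delete_user(req)
        return 404, "not found"

    def dispatch_hardened(self, req: Request) -> Tuple[int, str]:
        """Route on (method, path), reject unknown verbs, authorize the action itself."""
        routes = {("DELETE", "/admin/users/delete"): (self.delete_user, True)}
        entry = routes.get((req.method, req.path))
        if entry is None:
            if any(path == req.path for _, path in routes):
                return 405, "method not allowed"
            return 404, "not found"
        handler, admin_only = entry
        if admin_only and req.user not in self.admins:
            return 403, "admins only"
        return handler(req)
```

The general rule is that the verb describes the request, it does not authorize it: a state-changing handler must check the caller regardless of how it was reached, and anything not in the route table gets 405 rather than falling through to a default handler.
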
CWE-653

Insufficient Compartmentalization

Insufficient compartmentalization occurs when a software system fails to isolate components or functionality that operate at different privilege levels or…

CWE-654

Reliance on a Single Factor in a Security Decision

This weakness occurs when software makes a security decision based on only one piece of evidence—such as a single password, a single token, or a single…

CWE-657

Violation of Secure Design Principles

This weakness describes software that is built on an insecure architectural foundation — one that ignores established principles like least privilege, defense…

CWE-664

Improper Control of a Resource Through its Lifetime

This weakness occurs when software fails to properly manage a resource—such as memory, a file handle, a database connection, or a temporary credential—from the…

CWE-665

Improper Initialization

Improper initialization occurs when a software component fails to set up a resource—such as a variable, array, object, or connection—to a known safe state…

CWE-666

Operation on Resource in Wrong Phase of Lifetime

This weakness occurs when code attempts to use a resource (memory, file handle, database connection, etc.) at an inappropriate point in its lifecycle — before it…

CWE-667

Improper Locking

Improper locking occurs when software fails to correctly acquire or release locks on shared resources accessed by multiple threads or processes. This weakness…

CWE-668

Exposure of Resource to Wrong Sphere

This weakness occurs when a resource—such as a file, database, API endpoint, or configuration—is made accessible to users or systems that should not have…

CWE-669

Incorrect Resource Transfer Between Spheres

This weakness occurs when software fails to properly hand off control of a resource—such as a file handle, memory buffer, or database connection—between…

CWE-670

Always-Incorrect Control Flow Implementation

This weakness occurs when a program contains a control flow path—a sequence of conditional branches or loops—that is logically flawed and never executes as…

CWE-672

Operation on a Resource after Expiration or Release

This weakness occurs when code attempts to use a resource—such as memory, a file handle, a database connection, or a session token—after that resource has been…

CWE-674

Uncontrolled Recursion

Uncontrolled recursion occurs when a function calls itself repeatedly without a bound on depth, allowing an attacker to exhaust the call stack and crash the…

CWE-675

Duplicate Operations on Resource

This weakness occurs when software performs the same operation on a resource multiple times when it should only happen once. Common examples include charging a…

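The double-charge case the CWE-675 entry uses as its example, worked through as an added example (not code from this page or from the CWE project): a charge function that records a new charge on every call, so a client retrying a request whose response was lost pays twice, beside one keyed on a client-supplied idempotency key under a lock, so concurrent retries record one charge and replay its result. The ledger, customer, amount and key are constructed for the example; a real service would persist the key store with an expiry rather than keep it in a dict.

```python
import threading
from typing import Dict, List, Tuple

Charge = Tuple[str, int]  # (customer, amount in cents)


def charge_vulnerable(ledger: List[Charge], customer: str, amount: int) -> int:
    """CWE-675: every call creates a charge, so a retry of a request whose response
    was lost (timeout, dropped connection, double-click) charges the customer again."""
    ledger.append((customer, amount))
    return len(ledger)  # charge id


class IdempotentCharger:
    """Each request carries a client-generated idempotency key. The first execution
    for a key is recorded; every later call with that key replays the stored result."""

    def __init__(self, ledger: List[Charge]):
        self.ledger = ledger
        self._results: Dict[str, dict] = {}
        self._lock = threading.Lock()  # concurrent retries must not both pass the lookup

    def charge(self, idempotency_key: str, customer: str, amount: int) -> dict:
        with self._lock:
            prior = self._results.get(idempotency_key)
            if prior is not None:
                if prior["request"] != (customer, amount):
                    # Same key, different payload: a client bug or an attack; never "do it again".
                    raise ValueError("idempotency key reused with different parameters")
                return dict(prior["result"], replayed=True)
            self.ledger.append((customer, amount))
            result = {"charge_id": len(self.ledger), "replayed": False}
            self._results[idempotency_key] = {"request": (customer, amount), "result": result}
            return result


def simulate_retries(retries: int = 5) -> Tuple[int, int]:
    """Fire the same request `retries` times concurrently against both implementations.
    Returns (charges recorded by the vulnerable path, charges by the idempotent path)."""
    naive_ledger: List[Charge] = []
    safe_ledger: List[Charge] = []
    charger = IdempotentCharger(safe_ledger)
    request = ("cust_42", 1999)
    key = "7c9e6679-7425-40de-944b-e07fc1f90ae7"   # constructed client-side key

    threads = [threading.Thread(target=charge_vulnerable, args=(naive_ledger, *request))
               for _ in range(retries)]
    threads += [threading.Thread(target=charger.charge, args=(key, *request))
                for _ in range(retries)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return len(naive_ledger), len(safe_ledger)
```

The lock (or, in a database, a unique constraint on the key) is what makes the check-then-act safe; a lookup followed by an insert without it lets two simultaneous retries both see "no prior result" and both charge, which is the same duplicate operation with extra steps.
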
Page 8 of 11