Common Weakness Enumeration — the root causes behind every CVE
CWE catalogs the root causes behind CVEs — SQL injection, XSS, broken auth, and 300+ others that keep showing up in security advisories. Each entry here covers how it happens, what it costs when someone exploits it, and the fix that actually closes it.
Integer Overflow to Buffer Overflow
This weakness occurs when a program calculates a buffer size using integer arithmetic, but an overflow in that calculation causes the result to wrap around to…
Incorrect Conversion between Numeric Types
This weakness occurs when software converts a value from one numeric type to another, for example from a larger integer to a smaller one, or from a…
Incorrect Calculation
Incorrect Calculation occurs when software performs a mathematical operation and produces a wrong result due to logic errors, type mismatches, overflow, or…
Incorrect Provision of Specified Functionality
This weakness occurs when software fails to implement a feature, security control, or behavior exactly as it was designed or specified to work. The gap between…
Insufficient Control Flow Management
This weakness occurs when an application fails to properly enforce the sequence or conditions under which operations should occur. An attacker can bypass…
Protection Mechanism Failure
This weakness occurs when software has access to a security control—such as input validation, authentication, encryption, or access checks—but either doesn't…
Incorrect Behavior Order
This weakness occurs when a software system performs security-critical operations in the wrong sequence, allowing an attacker to bypass checks or exploit a…
Incorrect Comparison
Incorrect comparison occurs when software uses the wrong operator, compares values of different types without proper conversion, or applies logic that doesn't…
Improper Check or Handling of Exceptional Conditions
This weakness occurs when software fails to properly detect, catch, or respond to error conditions and exceptional events during execution. When exceptions are…
Incorrect Type Conversion or Cast
Type conversion weaknesses occur when software converts data from one type to another in a way that produces unexpected or unsafe results. In loosely typed…
Use of Incorrectly-Resolved Name or Reference
This weakness occurs when software attempts to access a resource by name or reference, but that name resolves to something other than what the developer…
Improper Neutralization
This weakness describes a failure to properly validate and sanitize structured data before passing it to another component or system. When software doesn't…
Improper Adherence to Coding Standards
This weakness describes code that violates established coding standards, conventions, or best practices — not because it's immediately broken, but because it…
Incorrect Permission Assignment for Critical Resource
This weakness occurs when a security-critical file, directory, or resource is created with overly permissive access controls, allowing unauthorized users to…
Exposed Dangerous Method or Function
This weakness occurs when software exposes a powerful or sensitive method, function, or API endpoint without adequate access controls or safety guardrails. An…
Improper Check for Unusual or Exceptional Conditions
This weakness occurs when code fails to anticipate and handle edge cases, error states, or unusual inputs that fall outside normal operation. Rather than…
Improper Handling of Exceptional Conditions
This weakness occurs when software fails to properly catch, log, or respond to errors and exceptional conditions. When exceptions go unhandled or are handled…
Selection of Less-Secure Algorithm During Negotiation
This weakness occurs when software chooses a weaker encryption algorithm, protocol version, or security mechanism during negotiation, even though stronger…
Use of a One-Way Hash without a Salt
This weakness occurs when a system hashes sensitive data, typically passwords, without adding a unique random value called a "salt" to each hash before…
Use of a One-Way Hash with a Predictable Salt
This weakness occurs when a system hashes sensitive data like passwords with a salt, but the salt itself is predictable or reused across multiple users. A salt…
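The two salt entries above describe the same failure from two sides: with no salt, or with one salt shared by every record, identical passwords produce identical stored digests, so one precomputed table or one cracked guess applies to every matching account. The following block is an added example written for this page, not code from any project. It uses 64-bit FNV-1a as a stand-in digest so that the effect is observable offline; FNV is not a password hash, and a real system would use Argon2id, scrypt or bcrypt with a per-user random salt. The password, the three-user table, the salt policies and the function names are all constructed for the demonstration, and random_salt() assumes a POSIX host with /dev/urandom.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SALT_LEN 16
#define USERS 3
#define FNV_OFFSET 0xcbf29ce484222325ULL

/* Stand-in digest: 64-bit FNV-1a over a byte string, continued from state h.
 * NOT a password hash; it only makes the salting effect visible offline. */
static uint64_t fnv1a64(const uint8_t *data, size_t len, uint64_t h)
{
    for (size_t i = 0; i < len; i++) {
        h ^= data[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* No salt: the digest is a pure function of the password. */
uint64_t hash_unsalted(const char *password)
{
    return fnv1a64((const uint8_t *)password, strlen(password), FNV_OFFSET);
}

/* Salted: digest of salt || password. */
uint64_t hash_salted(const uint8_t *salt, size_t salt_len, const char *password)
{
    uint64_t h = fnv1a64(salt, salt_len, FNV_OFFSET);
    return fnv1a64((const uint8_t *)password, strlen(password), h);
}

/* Fresh random salt from the OS (assumption: POSIX host with /dev/urandom). */
bool random_salt(uint8_t *salt, size_t salt_len)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return false;
    size_t got = fread(salt, 1, salt_len, f);
    fclose(f);
    return got == salt_len;
}

enum salt_policy { SALT_NONE, SALT_SHARED, SALT_UNIQUE };

/* Store USERS accounts that happen to share one password under the given
 * policy and count how many pairs of stored digests are identical. Equal
 * digests mean one guess cracks every such account, and an attacker can see
 * which users share a password without cracking anything at all. */
size_t duplicate_digest_pairs(enum salt_policy policy)
{
    const char *password = "correct horse battery staple"; /* constructed sample */
    uint64_t digest[USERS];
    uint8_t salt[SALT_LEN];

    for (size_t i = 0; i < USERS; i++) {
        switch (policy) {
        case SALT_NONE:
            digest[i] = hash_unsalted(password);
            break;
        case SALT_SHARED:   /* one site-wide constant: predictable and reused */
            memset(salt, 0x41, SALT_LEN);
            digest[i] = hash_salted(salt, SALT_LEN, password);
            break;
        case SALT_UNIQUE:   /* distinct per record; fixed here so the result is
                               reproducible, random_salt() in production */
            memset(salt, 0, SALT_LEN);
            salt[0] = (uint8_t)i;
            digest[i] = hash_salted(salt, SALT_LEN, password);
            break;
        }
    }
    size_t pairs = 0;
    for (size_t i = 0; i < USERS; i++)
        for (size_t j = i + 1; j < USERS; j++)
            if (digest[i] == digest[j]) pairs++;
    return pairs;
}

int main(void)
{
    printf("no salt:     %zu identical pairs\n", duplicate_digest_pairs(SALT_NONE));
    printf("shared salt: %zu identical pairs\n", duplicate_digest_pairs(SALT_SHARED));
    printf("unique salt: %zu identical pairs\n", duplicate_digest_pairs(SALT_UNIQUE));
    uint8_t s[SALT_LEN];
    printf("os randomness available: %s\n", random_salt(s, SALT_LEN) ? "yes" : "no");
    return 0;
}
```

The shared-salt case is the one the second entry warns about: salting "with" a constant, or with something an attacker can predict such as the username, defeats precomputation only per salt value, and a value reused across every record is no better than no salt for cross-account matching. The check to add in review is that the salt is generated from the OS random source per record and stored alongside the digest, never derived from the record's own fields.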
Allocation of Resources Without Limits or Throttling
This weakness occurs when an application allocates resources—such as memory, disk space, network connections, or processing time—without enforcing any upper…
Missing Release of Resource after Effective Lifetime
This weakness occurs when a program acquires a resource—such as a file handle, database connection, network socket, or memory allocation—but fails to release…
Improper Restriction of Recursive Entity References in DTDs (XML Entity Expansion)
This weakness occurs when an application parses XML documents without limiting how many times entity references can be nested or expanded. An attacker can…
Insufficient Logging
Insufficient logging occurs when an application fails to record security-relevant events or records them without enough detail to detect or investigate…
Logging of Excessive Data
This weakness occurs when an application logs too much information—particularly sensitive data like passwords, API keys, personal identifiers, or full…
Out-of-bounds Write
Out-of-bounds write occurs when a program writes data to a memory location outside the boundaries of an allocated buffer. This can corrupt adjacent memory…
Access of Memory Location After End of Buffer
This weakness occurs when software reads from or writes to memory beyond the boundaries of an allocated buffer. Unlike a classic buffer overflow that writes…
Memory Allocation with Excessive Size Value
This weakness occurs when a program allocates memory based on a size value that comes from untrusted input without proper validation. An attacker can supply an…
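The Integer Overflow to Buffer Overflow entry and the Memory Allocation with Excessive Size Value entry are the two halves of one bug: an attacker-supplied count is multiplied into a byte size, the product either wraps (so the buffer is far too small) or is honoured as-is (so the allocation is far too large), and a single bounds-checked computation closes both. The block below is an added example for this page, not code from any project or advisory. The wire format (a 4-byte little-endian record count followed by 4-byte records), the record cap and every function name are constructed for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed wire format for this example only: 4-byte little-endian
 * record count, then `count` records of RECORD_SIZE bytes each. */
#define RECORD_SIZE 4u
#define MAX_RECORDS 65536u   /* policy cap: what the application actually needs */

/* Constructed messages. HOSTILE declares 0x40000001 records but carries two. */
static const uint8_t HOSTILE_MSG[12] = { 0x01, 0x00, 0x00, 0x40, 0xAA, 0, 0, 0, 0xBB, 0, 0, 0 };
static const uint8_t BENIGN_MSG[12]  = { 0x02, 0x00, 0x00, 0x00, 0xAA, 0, 0, 0, 0xBB, 0, 0, 0 };

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* VULNERABLE size computation, as on a 32-bit target or with 32-bit types:
 * 0x40000001 * 4 = 0x100000004, which wraps to 4. */
uint32_t vulnerable_alloc_size(uint32_t count)
{
    return count * RECORD_SIZE;
}

/* VULNERABLE parser, shown for contrast and never called: the buffer is sized
 * from the wrapped product, then the loop writes `count` records into it, a
 * heap overflow whose length the attacker chose. */
uint32_t *parse_records_unsafe(const uint8_t *msg, uint32_t count)
{
    uint32_t *buf = malloc(vulnerable_alloc_size(count));
    if (!buf) return NULL;
    for (uint32_t i = 0; i < count; i++)
        buf[i] = read_le32(msg + 4 + (size_t)i * RECORD_SIZE);
    return buf;
}

/* Hardened: refuse if count*elem would wrap or exceed the policy cap. On a
 * 64-bit host the product above does not wrap, but a 4 GiB request from a
 * 12-byte message is still rejected by the cap. */
bool checked_alloc_size(size_t count, size_t elem, size_t max_bytes, size_t *out)
{
    if (elem == 0) return false;
    if (count > SIZE_MAX / elem) return false;   /* multiplication would wrap */
    size_t total = count * elem;
    if (total > max_bytes) return false;          /* untrusted size beyond policy */
    *out = total;
    return true;
}

/* Returns the number of records copied into *out (caller frees), or -1 when
 * the message is rejected, including a count larger than the bytes present. */
long parse_records_safe(const uint8_t *msg, size_t len, uint32_t **out)
{
    if (len < 4) return -1;
    uint32_t count = read_le32(msg);
    size_t nbytes;
    if (!checked_alloc_size(count, RECORD_SIZE, (size_t)MAX_RECORDS * RECORD_SIZE, &nbytes))
        return -1;
    if (nbytes > len - 4) return -1;              /* declared count exceeds payload */
    uint32_t *buf = malloc(nbytes ? nbytes : 1);
    if (!buf) return -1;
    for (uint32_t i = 0; i < count; i++)
        buf[i] = read_le32(msg + 4 + (size_t)i * RECORD_SIZE);
    *out = buf;
    return (long)count;
}

/* Convenience wrappers so results can be checked without managing the buffer. */
long parse_count(const uint8_t *msg, size_t len)
{
    uint32_t *recs = NULL;
    long n = parse_records_safe(msg, len, &recs);
    free(recs);
    return n;
}

uint32_t parse_record(const uint8_t *msg, size_t len, size_t idx)
{
    uint32_t *recs = NULL;
    long n = parse_records_safe(msg, len, &recs);
    uint32_t v = (n > 0 && idx < (size_t)n) ? recs[idx] : 0;
    free(recs);
    return v;
}

int main(void)
{
    uint32_t count = read_le32(HOSTILE_MSG);
    printf("hostile count %u -> wrapped size %u bytes\n", count, vulnerable_alloc_size(count));
    printf("safe parser on hostile message: %ld\n", parse_count(HOSTILE_MSG, sizeof HOSTILE_MSG));
    printf("safe parser on benign message: %ld records, record[1] = 0x%x\n",
           parse_count(BENIGN_MSG, sizeof BENIGN_MSG), parse_record(BENIGN_MSG, sizeof BENIGN_MSG, 1));
    return 0;
}
```

Two checks are needed, not one: the division test catches the wrap, and the cap catches the case where the arithmetic is fine but the number is absurd. Comparing the declared size against the bytes actually received is a third, cheap guard that rejects most malformed input before any allocation happens. Compilers also provide __builtin_mul_overflow for the first check; the division form is used here because it is portable.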
Use of Hard-coded Credentials
Hard-coded credentials are usernames, passwords, API keys, or cryptographic keys embedded directly in source code, configuration files, or compiled binaries…
Improper Control of Interaction Frequency
This weakness occurs when software fails to limit how often a user or automated system can perform a specific action—such as submitting a login attempt…
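The usual fix for the interaction-frequency weakness is a rate limiter keyed on the principal or source, and the token bucket below is an added example for this page rather than code from any project. It allows a short burst, then a fixed sustained rate, and fails closed when it cannot track a key. The capacity, refill rate, key strings and function names are assumptions chosen for the demonstration; the clock is passed in by the caller so the policy can be exercised without sleeping.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_KEYS 256
#define KEY_LEN 64

/* One token bucket per key, e.g. "login:alice" or "login:203.0.113.7". */
typedef struct {
    bool used;
    char key[KEY_LEN];
    double tokens;
    double last_refill;    /* seconds, on the same clock as `now` below */
} bucket_t;

typedef struct {
    bucket_t buckets[MAX_KEYS];
    double capacity;        /* burst: attempts allowed back to back */
    double refill_per_sec;  /* sustained rate once the burst is spent */
} limiter_t;

void limiter_init(limiter_t *l, double capacity, double refill_per_sec)
{
    memset(l, 0, sizeof *l);
    l->capacity = capacity;
    l->refill_per_sec = refill_per_sec;
}

static bucket_t *bucket_for(limiter_t *l, const char *key, double now)
{
    bucket_t *free_slot = NULL;
    for (size_t i = 0; i < MAX_KEYS; i++) {
        bucket_t *b = &l->buckets[i];
        if (b->used && strcmp(b->key, key) == 0) return b;
        if (!b->used && !free_slot) free_slot = b;
    }
    if (!free_slot) return NULL;       /* table full: caller fails closed */
    free_slot->used = true;
    strncpy(free_slot->key, key, KEY_LEN - 1);
    free_slot->key[KEY_LEN - 1] = '\0';
    free_slot->tokens = l->capacity;   /* a new key starts with a full burst */
    free_slot->last_refill = now;
    return free_slot;
}

/* Decide whether one more action under `key` is allowed at time `now`. */
bool limiter_allow(limiter_t *l, const char *key, double now)
{
    bucket_t *b = bucket_for(l, key, now);
    if (!b) return false;              /* cannot track it: deny, never allow */
    if (now > b->last_refill) {
        b->tokens += (now - b->last_refill) * l->refill_per_sec;
        if (b->tokens > l->capacity) b->tokens = l->capacity;
        b->last_refill = now;
    }
    if (b->tokens >= 1.0) {
        b->tokens -= 1.0;
        return true;
    }
    return false;
}

/* Fire `attempts` requests for `key` at one instant; return how many pass. */
int burst_allowed(limiter_t *l, const char *key, int attempts, double now)
{
    int ok = 0;
    for (int i = 0; i < attempts; i++)
        if (limiter_allow(l, key, now)) ok++;
    return ok;
}

/* Single shared limiter for the demonstration; re-initialised on each call. */
limiter_t demo_limiter;

limiter_t *fresh_limiter(double capacity, double refill_per_sec)
{
    limiter_init(&demo_limiter, capacity, refill_per_sec);
    return &demo_limiter;
}

int main(void)
{
    limiter_t *l = fresh_limiter(5.0, 0.5);   /* 5 tries at once, then one per 2 s */
    printf("alice, 8 attempts at t=0: %d allowed\n", burst_allowed(l, "login:alice", 8, 0.0));
    printf("bob,   1 attempt  at t=0: %d allowed\n", burst_allowed(l, "login:bob", 1, 0.0));
    printf("alice, 3 attempts at t=2: %d allowed\n", burst_allowed(l, "login:alice", 3, 2.0));
    return 0;
}
```

For login specifically, limit on both the target account and the source address, since an attacker spraying one password across many accounts never trips a per-account counter, and record the denials so that the pattern is visible in detection, not only in the response code.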