CWE Library

Common Weakness Enumeration

All Pillar Root categories Class Abstract weaknesses Base Detectable weaknesses Variant Technology-specific Compound Multi-weakness
CWE-15 Base
External Control of System or Configuration Setting
Incomplete
CWE-22 Base
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Likelihood: High Stable
CWE-23 Base
Relative Path Traversal
Draft
CWE-36 Base
Absolute Path Traversal
Draft
CWE-41 Base
Improper Resolution of Path Equivalence
Incomplete
CWE-59 Base
Improper Link Resolution Before File Access ('Link Following')
Likelihood: Medium Draft
CWE-66 Base
Improper Handling of File Names that Identify Virtual Resources
Draft
CWE-73 Base
External Control of File Name or Path
Likelihood: High Draft
CWE-76 Base
Improper Neutralization of Equivalent Special Elements
Likelihood: High Draft
CWE-78 Base
Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Likelihood: High Stable
CWE-79 Base
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Likelihood: High Stable
CWE-88 Base
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
Draft
CWE-89 Base
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Likelihood: High Stable
CWE-90 Base
Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
Draft
CWE-91 Base
XML Injection (aka Blind XPath Injection)
Draft
CWE-92 Base
DEPRECATED: Improper Sanitization of Custom Special Characters
Deprecated
CWE-93 Base
Improper Neutralization of CRLF Sequences ('CRLF Injection')
Draft
CWE-94 Base
Improper Control of Generation of Code ('Code Injection')
Likelihood: Medium Draft
CWE-96 Base
Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
Draft
CWE-112 Base
Missing XML Validation
Draft
CWE-115 Base
Misinterpretation of Input
Incomplete
CWE-117 Base
Improper Output Neutralization for Logs
Likelihood: Medium Draft
CWE-120 Base
Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
Likelihood: High Incomplete
CWE-123 Base
Write-what-where Condition
Likelihood: High Draft
CWE-124 Base
Buffer Underwrite ('Buffer Underflow')
Likelihood: Medium Incomplete
CWE-125 Base
Out-of-bounds Read
Draft
CWE-128 Base
Wrap-around Error
Likelihood: Medium Incomplete
CWE-130 Base
Improper Handling of Length Parameter Inconsistency
Incomplete
CWE-131 Base
Incorrect Calculation of Buffer Size
Likelihood: High Draft
CWE-132 Base
DEPRECATED: Miscalculated Null Termination
Deprecated
CWE-134 Base
Use of Externally-Controlled Format String
Likelihood: High Draft
CWE-135 Base
Incorrect Calculation of Multi-Byte String Length
Draft
CWE-140 Base
Improper Neutralization of Delimiters
Draft
CWE-166 Base
Improper Handling of Missing Special Element
Draft
CWE-167 Base
Improper Handling of Additional Special Element
Draft
CWE-168 Base
Improper Handling of Inconsistent Special Elements
Draft
CWE-170 Base
Improper Null Termination
Likelihood: Medium Incomplete
CWE-178 Base
Improper Handling of Case Sensitivity
Incomplete
CWE-179 Base
Incorrect Behavior Order: Early Validation
Incomplete
CWE-182 Base
Collapse of Data into Unsafe Value
Draft
CWE-183 Base
Permissive List of Allowed Inputs
Draft
CWE-184 Base
Incomplete List of Disallowed Inputs
Draft
CWE-186 Base
Overly Restrictive Regular Expression
Draft
CWE-188 Base
Reliance on Data/Memory Layout
Likelihood: Low Draft
CWE-190 Base
Integer Overflow or Wraparound
Likelihood: Medium Stable
CWE-191 Base
Integer Underflow (Wrap or Wraparound)
Draft
CWE-193 Base
Off-by-one Error
Draft
CWE-197 Base
Numeric Truncation Error
Likelihood: Low Incomplete
CWE-201 Base
Insertion of Sensitive Information Into Sent Data
Draft
CWE-202 Base
Exposure of Sensitive Information Through Data Queries
Likelihood: Medium Draft