Common Weakness Enumeration

Explore the comprehensive database of software security weaknesses. CWE provides a unified, measurable set of software weaknesses that enables more effective discussion, description, selection, and use of software security tools and services.

Total CWEs: 1935
CWE-1004 (Variant): Sensitive Cookie Without 'HttpOnly' Flag
The product uses a cookie to store sensitive information, but the cookie is not marked with the HttpOnly flag.

CWE-1007 (Base): Insufficient Visual Distinction of Homoglyphs Presented to User
The product displays information or identifiers to a user, but the display mechanism does not make it easy for the user to distinguish between visual…

CWE-102 (Variant): Struts: Duplicate Validation Forms
The product uses multiple validation forms with the same name, which might cause the Struts Validator to validate a form that the programmer does not…

CWE-1021 (Base): Improper Restriction of Rendered UI Layers or Frames
The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lea…

CWE-1022 (Variant): Use of Web Link to Untrusted Target with window.opener Access
The web application produces links to untrusted external sites outside of its sphere of control, but it does not properly prevent the external site f…

CWE-1023 (Class): Incomplete Comparison with Missing Factors
The product performs a comparison between entities that must consider multiple factors or characteristics of each entity, but the comparison does not…

CWE-1024 (Base): Comparison of Incompatible Types
The product performs a comparison between two entities, but the entities are of different, incompatible types that cannot be guaranteed to provide co…

CWE-1025 (Base): Comparison Using Wrong Factors
The code performs a comparison between two entities, but the comparison examines the wrong factors or characteristics of the entities, which can lead…

CWE-103 (Variant): Struts: Incomplete validate() Method Definition
The product has a validator form that either does not define a validate() method, or defines a validate() method but does not call super.validate().

CWE-1037 (Base): Processor Optimization Removal or Modification of Security-critical Code
The developer builds a security-critical protection mechanism into the software, but the processor optimizes the execution of the program such that t…

CWE-1038 (Class): Insecure Automated Optimizations
The product uses a mechanism that automatically optimizes code, e.g. to improve a characteristic such as performance, but the optimizations can have …

CWE-1039 (Class): Inadequate Detection or Handling of Adversarial Input Perturbations in Automate…
The product uses an automated mechanism such as machine learning to recognize complex data inputs (e.g. image or audio) as a particular concept or ca…

CWE-104 (Variant): Struts: Form Bean Does Not Extend Validation Class
If a form bean does not extend an ActionForm subclass of the Validator framework, it can expose the application to other weaknesses related to insuff…

CWE-1041 (Base): Use of Redundant Code
The product has multiple functions, methods, procedures, macros, etc. that contain the same code.

CWE-1042 (Variant): Static Member Data Element outside of a Singleton Class Element
The code contains a member element that is declared as static (but not final), in which its parent class element is not a singleton class …

CWE-1043 (Base): Data Element Aggregating an Excessively Large Number of Non-Primitive Elements
The product uses a data element that has an excessively large number of sub-elements with non-primitive data types such as structures or aggrega…

CWE-1044 (Base): Architecture with Number of Horizontal Layers Outside of Expected Range
The product's architecture contains too many - or too few - horizontal layers.

CWE-1045 (Base): Parent Class with a Virtual Destructor and a Child Class without a Virtual Dest…
A parent class has a virtual destructor method, but the parent has a child class that does not have a virtual destructor.

CWE-1046 (Base): Creation of Immutable Text Using String Concatenation
The product creates an immutable text string using string concatenation operations.

CWE-1047 (Base): Modules with Circular Dependencies
The product contains modules in which one module has references that cycle back to itself, i.e., there are circular dependencies.

CWE-1048 (Base): Invokable Control Element with Large Number of Outward Calls
The code contains callable control elements that contain an excessively large number of references to other application objects ext…

CWE-1049 (Base): Excessive Data Query Operations in a Large Data Table
The product performs a data query with a large number of joins and sub-queries on a large data table.

CWE-105 (Variant): Struts: Form Field Without Validator
The product has a form field that is not validated by a corresponding validation form, which can introduce other weaknesses related to insufficient i…

CWE-1050 (Base): Excessive Platform Resource Consumption within a Loop
The product has a loop body or loop condition that contains a control element that directly or indirectly consumes platform resources, e.g. mess…

CWE-1051 (Base): Initialization with Hard-Coded Network Resource Configuration Data
The product initializes data using hard-coded values that act as network resource identifiers.

CWE-1052 (Base): Excessive Use of Hard-Coded Literals in Initialization
The product initializes a data element using a hard-coded literal that is not a simple integer or static constant element.

CWE-1053 (Base): Missing Documentation for Design
The product does not have documentation that represents how it is designed.

CWE-1054 (Base): Invocation of a Control Element at an Unnecessarily Deep Horizontal Layer
The code at one architectural layer invokes code that resides at a deeper layer than the adjacent layer, i.e., the invocation skips at least one…

CWE-1055 (Base): Multiple Inheritance from Concrete Classes
The product contains a class with inheritance from more than one concrete class.

CWE-1056 (Base): Invokable Control Element with Variadic Parameters
A named-callable or method control element has a signature that supports a variable (variadic) number of parameters or arguments.

CWE-1057 (Base): Data Access Operations Outside of Expected Data Manager Component
The product uses a dedicated, central data manager component as required by design, but it contains code that performs data-access operations that do…

CWE-1058 (Base): Invokable Control Element in Multi-Thread Context with non-Final Static Storabl…
The code contains a function or method that operates in a multi-threaded environment but owns an unsafe non-final static st…

CWE-1059 (Class): Insufficient Technical Documentation
The product does not contain sufficient technical or engineering documentation (whether on paper or in electronic form) that contai…

CWE-106 (Variant): Struts: Plug-in Framework not in Use
When an application does not use an input validation framework such as the Struts Validator, there is a greater risk of introducing weaknesses relate…

CWE-1060 (Base): Excessive Number of Inefficient Server-Side Data Accesses
The product performs too many data queries without using efficient data processing functionality such as stored procedures.

CWE-1061 (Class): Insufficient Encapsulation
The product does not sufficiently hide the internal representation and implementation details of data or methods, which might allow external componen…

CWE-1062 (Base): Parent Class with References to Child Class
The code has a parent class that contains references to a child class, its methods, or its members.

CWE-1063 (Base): Creation of Class Instance within a Static Code Block
A static code block creates an instance of a class.

CWE-1064 (Base): Invokable Control Element with Signature Containing an Excessive Number of Para…
The product contains a function, subroutine, or method whose signature has an unnecessarily large number of parameters/arguments.

CWE-1065 (Base): Runtime Resource Management Control Element in a Component Built to Run on Appl…
The product uses deployed components from application servers, but it also uses low-level functions/methods for management of resources, instead of t…

CWE-1066 (Base): Missing Serialization Control Element
The product contains a serializable data element that does not have an associated serialization method.

CWE-1067 (Base): Excessive Execution of Sequential Searches of Data Resource
The product contains a data query against an SQL table or view that is configured in a way that does not utilize an index and may cause seq…

CWE-1068 (Base): Inconsistency Between Implementation and Documented Design
The implementation of the product is not consistent with the design as described within the relevant documentation.

CWE-1069 (Variant): Empty Exception Block
An invokable code block contains an exception handling block that does not contain any code, i.e., is empty.

CWE-107 (Variant): Struts: Unused Validation Form
An unused validation form indicates that validation logic is not up-to-date.

CWE-1070 (Base): Serializable Data Element Containing non-Serializable Item Elements
The product contains a serializable, storable data element such as a field or member, but the data element contains member elements that are not…

CWE-1071 (Base): Empty Code Block
The source code contains a block that does not contain any code, i.e., the block is empty.

CWE-1072 (Base): Data Resource Access without Use of Connection Pooling
The product accesses a data resource through a database without using a connection pooling capability.

CWE-1073 (Base): Non-SQL Invokable Control Element with Excessive Number of Data Resource Access…
The product contains a client with a function or method that contains a large number of data accesses/queries that are sent through a data manager, i…

CWE-1074 (Base): Class with Excessively Deep Inheritance
A class has an inheritance level that is too high, i.e., it has a large number of parent classes.