Common Weakness Enumeration
Explore the comprehensive database of software security weaknesses. CWE provides a unified, measurable set of software weaknesses that enables more effective discussion, description, selection, and use of software security tools and services.
Total CWEs: 1935
CWE-9
Variant
J2EE Misconfiguration: Weak Access Permissions for EJB Methods
If elevated access rights are assigned to EJB methods, then an attacker can take advantage of the permissions to exploit the product.
CWE-90
Base
Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Inject…
The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incor…
CWE-908
Base
Use of Uninitialized Resource
The product uses or accesses a resource that has not been initialized.
CWE-909
Class
Missing Initialization of Resource
The product does not initialize a critical resource.
CWE-91
Base
XML Injection (aka Blind XPath Injection)
The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the …
CWE-910
Base
Use of Expired File Descriptor
The product uses or accesses a file descriptor after it has been closed.
CWE-911
Base
Improper Update of Reference Count
The product uses a reference count to manage a resource, but it does not update or incorrectly updates the reference count.
CWE-912
Class
Hidden Functionality
The product contains functionality that is not documented, not part of the specification, and not accessible through an interface or command sequence…
CWE-913
Class
Improper Control of Dynamically-Managed Code Resources
The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes,…
CWE-914
Base
Improper Control of Dynamically-Identified Variables
The product does not properly restrict reading from or writing to dynamically-identified variables.
CWE-915
Base
Improperly Controlled Modification of Dynamically-Determined Object Attributes
The product receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated…
CWE-916
Base
Use of Password Hash With Insufficient Computational Effort
The product generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make pa…
CWE-917
Base
Improper Neutralization of Special Elements used in an Expression Language Stat…
The product constructs all or part of an expression language (EL) statement in a framework such as a Java Server Page (JSP) using externally-influenc…
CWE-918
Base
Server-Side Request Forgery (SSRF)
The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensu…
CWE-92
Base
DEPRECATED: Improper Sanitization of Custom Special Characters
This entry has been deprecated. It originally came from PLOVER, which sometimes defined 'other' and 'miscellaneous' categories in order to satisfy ex…
CWE-920
Base
Improper Restriction of Power Consumption
The product operates in an environment in which power is a limited resource that cannot be automatically replenished, but the product does not proper…
CWE-921
Base
Storage of Sensitive Data in a Mechanism without Access Control
The product stores sensitive information in a file system or device that does not have built-in access control.
CWE-922
Class
Insecure Storage of Sensitive Information
The product stores sensitive information without properly limiting read or write access by unauthorized actors.
CWE-923
Class
Improper Restriction of Communication Channel to Intended Endpoints
The product establishes a communication channel to (or from) an endpoint for privileged or protected operations, but it does not properly ensure that…
CWE-924
Base
Improper Enforcement of Message Integrity During Transmission in a Communicatio…
The product establishes a communication channel with an endpoint and receives a message from that endpoint, but it does not sufficiently ensure that …
CWE-925
Variant
Improper Verification of Intent by Broadcast Receiver
The Android application uses a Broadcast Receiver that receives an Intent but does not properly verify that the Intent came from an authorized source.
CWE-926
Variant
Improper Export of Android Application Components
The Android application exports a component for use by other applications, but does not properly restrict which applications can launch the component…
CWE-927
Variant
Use of Implicit Intent for Sensitive Communication
The Android application uses an implicit intent for transmitting sensitive data to other applications.
CWE-93
Base
Improper Neutralization of CRLF Sequences ('CRLF Injection')
The product uses CRLF (carriage return line feeds) as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly…
CWE-939
Base
Improper Authorization in Handler for Custom URL Scheme
The product uses a handler for a custom URL scheme, but it does not properly restrict which actors can invoke the handler using the scheme.
CWE-94
Base
Improper Control of Generation of Code ('Code Injection')
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or inco…
CWE-940
Base
Improper Verification of Source of a Communication Channel
The product establishes a communication channel to handle an incoming request that has been initiated by an actor, but it does not properly verify th…
CWE-941
Base
Incorrectly Specified Destination in a Communication Channel
The product creates a communication channel to initiate an outgoing request to an actor, but it does not correctly specify the intended destination f…
CWE-942
Variant
Permissive Cross-domain Security Policy with Untrusted Domains
The product uses a web-client protection mechanism such as a Content Security Policy (CSP) or cross-domain policy file, but the pol…
CWE-943
Class
Improper Neutralization of Special Elements in Data Query Logic
The product generates a query intended to access or manipulate data in a data store such as a database, but it does not neutralize or incorrectly neu…
CWE-95
Variant
Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Inje…
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a …
CWE-96
Base
Improper Neutralization of Directives in Statically Saved Code ('Static Code In…
The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before inserting the input i…
CWE-97
Variant
Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
The product generates a web page, but does not neutralize or incorrectly neutralizes user-controllable input that could be interpreted as a server-si…
CWE-98
Variant
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP…
The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in 'requi…
CWE-99
Class
Improper Control of Resource Identifiers ('Resource Injection')
The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier…