CWE List

Coverage: 168 CWEs

These guides include data path analysis and language-specific remediation examples.

Browse by CWE

Select a CWE from the navigation menu to view detailed remediation guidance.

Languages with Detailed Examples

  • C - Memory safety vulnerabilities
  • C# - .NET Framework, .NET Core, ASP.NET
  • Java - Spring, Jakarta EE, JDBC
  • JavaScript - Node.js, Express
  • Perl - Selected vulnerabilities
  • PHP - Core PHP patterns
  • Python - Django, Flask

What's Included

Each CWE guide contains:

  • Overview: Description of the vulnerability
  • OWASP Classification: Mapping to OWASP Top 10 2025
  • Risk: Severity and potential impact
  • Remediation Strategy: High-level approach
  • Remediation Steps: Detailed step-by-step fixes
  • Code Examples: Vulnerable and secure patterns
  • Framework-Specific Guidance: Language and framework details
  • Additional Resources: Links to CWE, OWASP, and tools

Browse by OWASP Top 10 2025

A01:2025 - Broken Access Control

  • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
  • CWE-201 - Insertion of Sensitive Information Into Sent Data
  • CWE-22 - Path Traversal
  • CWE-282 - Improper Ownership Management
  • CWE-284 - Improper Access Control
  • CWE-285 - Improper Authorization
  • CWE-352 - Cross-Site Request Forgery (CSRF)
  • CWE-359 - Exposure of Private Personal Information to an Unauthorized Actor
  • CWE-377 - Insecure Temporary File
  • CWE-402 - Transmission of Private Resources
  • CWE-441 - Unintended Proxy or Intermediary ('Confused Deputy')
  • CWE-497 - Exposure of Sensitive System Information to an Unauthorized Control Sphere
  • CWE-538 - File and Directory Information Exposure
  • CWE-548 - Information Exposure Through Directory Listing
  • CWE-566 - Authorization Bypass Through User-Controlled Key
  • CWE-601 - URL Redirection to Untrusted Site (Open Redirect)
  • CWE-615 - Inclusion of Sensitive Information in Source Code Comments
  • CWE-639 - Authorization Bypass Through User-Controlled Key (Insecure Direct Object Reference - IDOR)
  • CWE-668 - Exposure of Resource to Wrong Sphere
  • CWE-732 - Incorrect Permission Assignment for Critical Resource
  • CWE-749 - Exposed Dangerous Method or Function
  • CWE-918 - Server-Side Request Forgery (SSRF)

A02:2025 - Security Misconfiguration

  • CWE-1174 - ASP.NET Misconfiguration: Improper Model Validation
  • CWE-15 - External Control of System or Configuration Setting
  • CWE-16 - Configuration
  • CWE-489 - Active Debug Code
  • CWE-526 - Information Exposure Through Environment Variables
  • CWE-547 - Use of Hard-coded, Security-relevant Constants
  • CWE-611 - XML External Entity (XXE) Injection
  • CWE-614 - Sensitive Cookie Without 'Secure' Flag
  • CWE-942 - Overly Permissive CORS

A04:2025 - Cryptographic Failures

  • CWE-261 - Weak Encoding for Password
  • CWE-296 - Improper Certificate Validation (Trust Chain)
  • CWE-319 - Cleartext Transmission of Sensitive Information
  • CWE-321 - Use of Hard-coded Cryptographic Key
  • CWE-326 - Inadequate Encryption Strength
  • CWE-327 - Use of a Broken or Risky Cryptographic Algorithm
  • CWE-328 - Use of Weak Hash
  • CWE-329 - Generation of Predictable IV with CBC Mode
  • CWE-330 - Use of Insufficiently Random Values
  • CWE-331 - Insufficient Entropy
  • CWE-338 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
  • CWE-347 - Improper Verification of Cryptographic Signature
  • CWE-757 - Selection of Less-Secure Algorithm
  • CWE-760 - Use of One-Way Hash Without Salt
  • CWE-780 - Use of RSA Without OAEP
  • CWE-916 - Use of Password Hash With Insufficient Computational Effort

A05:2025 - Injection

  • CWE-103 - Struts: Incomplete validate() Method Definition
  • CWE-104 - Struts: Form Bean Does Not Extend Validation Class
  • CWE-112 - Missing XML Validation
  • CWE-113 - HTTP Response Splitting
  • CWE-114 - Process Control
  • CWE-115 - Misinterpretation of Input
  • CWE-129 - Improper Validation of Array Index
  • CWE-159 - Improper Handling of Invalid Use of Special Elements
  • CWE-20 - Improper Input Validation
  • CWE-470 - Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
  • CWE-564 - SQL Injection: Hibernate
  • CWE-74 - Injection (Generic)
  • CWE-77 - Improper Neutralization of Special Elements used in a Command (Command Injection)
  • CWE-78 - OS Command Injection
  • CWE-79 - Cross-Site Scripting (XSS)
  • CWE-80 - Improper Neutralization of Script-Related HTML Tags (Basic XSS)
  • CWE-83 - XSS (Improper Neutralization)
  • CWE-88 - Argument Injection
  • CWE-89 - SQL Injection
  • CWE-90 - LDAP Injection
  • CWE-91 - XML Injection
  • CWE-93 - CRLF Injection
  • CWE-94 - Improper Control of Generation of Code (Code Injection)
  • CWE-95 - Eval Injection
  • CWE-98 - PHP Remote File Inclusion
  • CWE-99 - Resource Injection

A06:2025 - Insecure Design

  • CWE-183 - Permissive List of Allowed Inputs
  • CWE-256 - Plaintext Storage of a Password
  • CWE-311 - Missing Encryption of Sensitive Data
  • CWE-312 - Cleartext Storage of Sensitive Information
  • CWE-313 - Cleartext Storage in a File or on Disk
  • CWE-316 - Cleartext Storage of Sensitive Information in Memory
  • CWE-382 - J2EE Bad Practices: Use of System.exit()
  • CWE-434 - Unrestricted File Upload
  • CWE-454 - External Initialization of Trusted Variables or Data Stores
  • CWE-472 - External Control of Assumed-Immutable Web Parameter
  • CWE-501 - Trust Boundary Violation
  • CWE-522 - Insufficiently Protected Credentials
  • CWE-628 - Function Call with Incorrectly Specified Arguments
  • CWE-642 - External Control of Critical State Data
  • CWE-656 - Reliance on Security Through Obscurity
  • CWE-676 - Use of Potentially Dangerous Function
  • CWE-693 - Protection Mechanism Failure
  • CWE-73 - External Control of File Name or Path

A07:2025 - Authentication Failures

  • CWE-259 - Use of Hard-coded Password
  • CWE-287 - Improper Authentication
  • CWE-295 - Improper Certificate Validation
  • CWE-297 - Improper Validation of Certificate with Host Mismatch
  • CWE-298 - Improper Certificate Validation (Expired)
  • CWE-299 - Improper Certificate Validation (Basic Constraints)
  • CWE-346 - Origin Validation Error
  • CWE-384 - Session Fixation
  • CWE-798 - Use of Hard-coded Credentials

A08:2025 - Software or Data Integrity Failures

  • CWE-345 - Insufficient Verification of Data Authenticity
  • CWE-426 - Untrusted Search Path
  • CWE-427 - Uncontrolled Search Path Element
  • CWE-494 - Download of Code Without Integrity Check
  • CWE-502 - Insecure Deserialization
  • CWE-506 - Embedded Malicious Code
  • CWE-829 - Inclusion of Functionality from Untrusted Control Sphere
  • CWE-830 - Inclusion of Functionality from Untrusted Control Sphere
  • CWE-915 - Improperly Controlled Modification of Dynamically-Determined Object Attributes
  • CWE-926 - Android Component Export

A09:2025 - Security Logging & Alerting Failures

  • CWE-117 - Log Injection
  • CWE-223 - Omission of Security-Relevant Information
  • CWE-532 - Insertion of Sensitive Information into Log File

A10:2025 - Mishandling of Exceptional Conditions

  • CWE-209 - Error Message Information Leak
  • CWE-215 - Insertion of Sensitive Information Into Debugging Code
  • CWE-234 - Failure to Handle Missing Parameter
  • CWE-248 - Uncaught Exception
  • CWE-252 - Unchecked Return Value
  • CWE-274 - Improper Handling of Insufficient Privileges

Not Mapped to OWASP Top 10 2025

  • CWE-111 - Direct Use of Unsafe JNI
  • CWE-118 - Incorrect Access of Indexable Resource (Range Error)
  • CWE-121 - Stack-based Buffer Overflow
  • CWE-1236 - Formula Injection
  • CWE-125 - Out-of-bounds Read
  • CWE-134 - Use of Externally-Controlled Format String
  • CWE-135 - Incorrect Calculation of Multi-Byte String Length
  • CWE-170 - Improper Null Termination
  • CWE-185 - Incorrect Regular Expression
  • CWE-190 - Integer Overflow or Wraparound
  • CWE-191 - Integer Underflow (Wrap or Wraparound)
  • CWE-192 - Integer Coercion Error
  • CWE-193 - Off-by-one Error
  • CWE-195 - Signed to Unsigned Conversion Error
  • CWE-196 - Unsigned to Signed Conversion Error
  • CWE-197 - Numeric Truncation Error
  • CWE-242 - Use of Inherently Dangerous Function
  • CWE-243 - Creation of chroot Jail Without Changing Working Directory
  • CWE-245 - J2EE Bad Practices: Direct Management of Connections
  • CWE-272 - Least Privilege Violation
  • CWE-273 - Improper Check for Dropped Privileges
  • CWE-35 - Path Equivalence
  • CWE-354 - Improper Validation of Integrity Check Value
  • CWE-366 - Race Condition within a Thread
  • CWE-367 - Time-of-check Time-of-use (TOCTOU) Race Condition
  • CWE-398 - Indicator of Poor Code Quality
  • CWE-401 - Missing Release of Memory After Effective Lifetime
  • CWE-404 - Improper Resource Shutdown or Release
  • CWE-415 - Double Free
  • CWE-416 - Use After Free
  • CWE-421 - Race Condition During Access to Alternate Channel
  • CWE-477 - Use of Obsolete Function
  • CWE-479 - Signal Handler Use of a Non-Reentrant Function
  • CWE-498 - Cloneable Class Containing Sensitive Information
  • CWE-511 - Logic/Time Bomb
  • CWE-514 - Covert Timing Channel
  • CWE-530 - Information Exposure Through Source Code
  • CWE-557 - Concurrency Issues
  • CWE-560 - Use of umask() with chmod-style Argument
  • CWE-597 - Use of Wrong Operator in String Comparison
  • CWE-618 - Exposed Unsafe ActiveX Method
  • CWE-665 - Improper Initialization
  • CWE-675 - Multiple Operations on Resource in Single-Operation Context
  • CWE-691 - Insufficient Control Flow Management
  • CWE-708 - Incorrect Processor Features
  • CWE-787 - Out-of-bounds Write
  • CWE-823 - Out-of-range Pointer
  • CWE-824 - Uninitialized Pointer
  • CWE-943 - Improper Neutralization of Special Elements in Data Query Logic (NoSQL Injection)

Complete CWE Index

| CWE ID | Description | OWASP Category |
|---|---|---|
| CWE-15 | External Control of System or Configuration Setting | A02:2025 - Security Misconfiguration |
| CWE-16 | Configuration | A02:2025 - Security Misconfiguration |
| CWE-20 | Improper Input Validation | A05:2025 - Injection |
| CWE-22 | Path Traversal | A01:2025 - Broken Access Control |
| CWE-35 | Path Equivalence | |
| CWE-73 | External Control of File Name or Path | A06:2025 - Insecure Design |
| CWE-74 | Injection (Generic) | A05:2025 - Injection |
| CWE-77 | Improper Neutralization of Special Elements used in a Command (Command Injection) | A05:2025 - Injection |
| CWE-78 | OS Command Injection | A05:2025 - Injection |
| CWE-79 | Cross-Site Scripting (XSS) | A05:2025 - Injection |
| CWE-80 | Improper Neutralization of Script-Related HTML Tags (Basic XSS) | A05:2025 - Injection |
| CWE-83 | XSS (Improper Neutralization) | A05:2025 - Injection |
| CWE-88 | Argument Injection | A05:2025 - Injection |
| CWE-89 | SQL Injection | A05:2025 - Injection |
| CWE-90 | LDAP Injection | A05:2025 - Injection |
| CWE-91 | XML Injection | A05:2025 - Injection |
| CWE-93 | CRLF Injection | A05:2025 - Injection |
| CWE-94 | Improper Control of Generation of Code (Code Injection) | A05:2025 - Injection |
| CWE-95 | Eval Injection | A05:2025 - Injection |
| CWE-98 | PHP Remote File Inclusion | A05:2025 - Injection |
| CWE-99 | Resource Injection | A05:2025 - Injection |
| CWE-103 | Struts: Incomplete validate() Method Definition | A05:2025 - Injection |
| CWE-104 | Struts: Form Bean Does Not Extend Validation Class | A05:2025 - Injection |
| CWE-111 | Direct Use of Unsafe JNI | |
| CWE-112 | Missing XML Validation | A05:2025 - Injection |
| CWE-113 | HTTP Response Splitting | A05:2025 - Injection |
| CWE-114 | Process Control | A05:2025 - Injection |
| CWE-115 | Misinterpretation of Input | A05:2025 - Injection |
| CWE-117 | Log Injection | A09:2025 - Security Logging & Alerting Failures |
| CWE-118 | Incorrect Access of Indexable Resource (Range Error) | |
| CWE-121 | Stack-based Buffer Overflow | |
| CWE-125 | Out-of-bounds Read | |
| CWE-129 | Improper Validation of Array Index | A05:2025 - Injection |
| CWE-134 | Use of Externally-Controlled Format String | |
| CWE-135 | Incorrect Calculation of Multi-Byte String Length | |
| CWE-159 | Improper Handling of Invalid Use of Special Elements | A05:2025 - Injection |
| CWE-170 | Improper Null Termination | |
| CWE-183 | Permissive List of Allowed Inputs | A06:2025 - Insecure Design |
| CWE-185 | Incorrect Regular Expression | |
| CWE-190 | Integer Overflow or Wraparound | |
| CWE-191 | Integer Underflow (Wrap or Wraparound) | |
| CWE-192 | Integer Coercion Error | |
| CWE-193 | Off-by-one Error | |
| CWE-195 | Signed to Unsigned Conversion Error | |
| CWE-196 | Unsigned to Signed Conversion Error | |
| CWE-197 | Numeric Truncation Error | |
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | A01:2025 - Broken Access Control |
| CWE-201 | Insertion of Sensitive Information Into Sent Data | A01:2025 - Broken Access Control |
| CWE-209 | Error Message Information Leak | A10:2025 - Mishandling of Exceptional Conditions |
| CWE-215 | Insertion of Sensitive Information Into Debugging Code | A10:2025 - Mishandling of Exceptional Conditions |
| CWE-223 | Omission of Security-Relevant Information | A09:2025 - Security Logging & Alerting Failures |
| CWE-234 | Failure to Handle Missing Parameter | A10:2025 - Mishandling of Exceptional Conditions |
| CWE-242 | Use of Inherently Dangerous Function | |
| CWE-243 | Creation of chroot Jail Without Changing Working Directory | |
| CWE-245 | J2EE Bad Practices: Direct Management of Connections | |
| CWE-248 | Uncaught Exception | A10:2025 - Mishandling of Exceptional Conditions |
| CWE-252 | Unchecked Return Value | A10:2025 - Mishandling of Exceptional Conditions |
| CWE-256 | Plaintext Storage of a Password | A06:2025 - Insecure Design |
| CWE-259 | Use of Hard-coded Password | A07:2025 - Authentication Failures |
| CWE-261 | Weak Encoding for Password | A04:2025 - Cryptographic Failures |
| CWE-272 | Least Privilege Violation | |
| CWE-273 | Improper Check for Dropped Privileges | |
| CWE-274 | Improper Handling of Insufficient Privileges | A10:2025 - Mishandling of Exceptional Conditions |
| CWE-282 | Improper Ownership Management | A01:2025 - Broken Access Control |
| CWE-284 | Improper Access Control | A01:2025 - Broken Access Control |
| CWE-285 | Improper Authorization | A01:2025 - Broken Access Control |
| CWE-287 | Improper Authentication | A07:2025 - Authentication Failures |
| CWE-295 | Improper Certificate Validation | A07:2025 - Authentication Failures |
| CWE-296 | Improper Certificate Validation (Trust Chain) | A04:2025 - Cryptographic Failures |
| CWE-297 | Improper Validation of Certificate with Host Mismatch | A07:2025 - Authentication Failures |
| CWE-298 | Improper Certificate Validation (Expired) | A07:2025 - Authentication Failures |
| CWE-299 | Improper Certificate Validation (Basic Constraints) | A07:2025 - Authentication Failures |
| CWE-311 | Missing Encryption of Sensitive Data | A06:2025 - Insecure Design |
| CWE-312 | Cleartext Storage of Sensitive Information | A06:2025 - Insecure Design |
| CWE-313 | Cleartext Storage in a File or on Disk | A06:2025 - Insecure Design |
| CWE-316 | Cleartext Storage of Sensitive Information in Memory | A06:2025 - Insecure Design |
| CWE-319 | Cleartext Transmission of Sensitive Information | A04:2025 - Cryptographic Failures |
| CWE-321 | Use of Hard-coded Cryptographic Key | A04:2025 - Cryptographic Failures |
| CWE-326 | Inadequate Encryption Strength | A04:2025 - Cryptographic Failures |
| CWE-327 | Use of a Broken or Risky Cryptographic Algorithm | A04:2025 - Cryptographic Failures |
| CWE-328 | Use of Weak Hash | A04:2025 - Cryptographic Failures |
| CWE-329 | Generation of Predictable IV with CBC Mode | A04:2025 - Cryptographic Failures |
| CWE-330 | Use of Insufficiently Random Values | A04:2025 - Cryptographic Failures |
| CWE-331 | Insufficient Entropy | A04:2025 - Cryptographic Failures |
| CWE-338 | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) | A04:2025 - Cryptographic Failures |
| CWE-345 | Insufficient Verification of Data Authenticity | A08:2025 - Software or Data Integrity Failures |
| CWE-346 | Origin Validation Error | A07:2025 - Authentication Failures |
| CWE-347 | Improper Verification of Cryptographic Signature | A04:2025 - Cryptographic Failures |
| CWE-352 | Cross-Site Request Forgery (CSRF) | A01:2025 - Broken Access Control |
| CWE-354 | Improper Validation of Integrity Check Value | |
| CWE-359 | Exposure of Private Personal Information to an Unauthorized Actor | A01:2025 - Broken Access Control |
| CWE-366 | Race Condition within a Thread | |
| CWE-367 | Time-of-check Time-of-use (TOCTOU) Race Condition | |
| CWE-377 | Insecure Temporary File | A01:2025 - Broken Access Control |
| CWE-382 | J2EE Bad Practices: Use of System.exit() | A06:2025 - Insecure Design |
| CWE-384 | Session Fixation | A07:2025 - Authentication Failures |
| CWE-398 | Indicator of Poor Code Quality | |
| CWE-401 | Missing Release of Memory After Effective Lifetime | |
| CWE-402 | Transmission of Private Resources | A01:2025 - Broken Access Control |
| CWE-404 | Improper Resource Shutdown or Release | |
| CWE-415 | Double Free | |
| CWE-416 | Use After Free | |
| CWE-421 | Race Condition During Access to Alternate Channel | |
| CWE-426 | Untrusted Search Path | A08:2025 - Software or Data Integrity Failures |
| CWE-427 | Uncontrolled Search Path Element | A08:2025 - Software or Data Integrity Failures |
| CWE-434 | Unrestricted File Upload | A06:2025 - Insecure Design |
| CWE-441 | Unintended Proxy or Intermediary ('Confused Deputy') | A01:2025 - Broken Access Control |
| CWE-454 | External Initialization of Trusted Variables or Data Stores | A06:2025 - Insecure Design |
| CWE-470 | Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') | A05:2025 - Injection |
| CWE-472 | External Control of Assumed-Immutable Web Parameter | A06:2025 - Insecure Design |
| CWE-477 | Use of Obsolete Function | |
| CWE-479 | Signal Handler Use of a Non-Reentrant Function | |
| CWE-489 | Active Debug Code | A02:2025 - Security Misconfiguration |
| CWE-494 | Download of Code Without Integrity Check | A08:2025 - Software or Data Integrity Failures |
| CWE-497 | Exposure of Sensitive System Information to an Unauthorized Control Sphere | A01:2025 - Broken Access Control |
| CWE-498 | Cloneable Class Containing Sensitive Information | |
| CWE-501 | Trust Boundary Violation | A06:2025 - Insecure Design |
| CWE-502 | Insecure Deserialization | A08:2025 - Software or Data Integrity Failures |
| CWE-506 | Embedded Malicious Code | A08:2025 - Software or Data Integrity Failures |
| CWE-511 | Logic/Time Bomb | |
| CWE-514 | Covert Timing Channel | |
| CWE-522 | Insufficiently Protected Credentials | A06:2025 - Insecure Design |
| CWE-526 | Information Exposure Through Environment Variables | A02:2025 - Security Misconfiguration |
| CWE-530 | Information Exposure Through Source Code | |
| CWE-532 | Insertion of Sensitive Information into Log File | A09:2025 - Security Logging & Alerting Failures |
| CWE-538 | File and Directory Information Exposure | A01:2025 - Broken Access Control |
| CWE-547 | Use of Hard-coded, Security-relevant Constants | A02:2025 - Security Misconfiguration |
| CWE-548 | Information Exposure Through Directory Listing | A01:2025 - Broken Access Control |
| CWE-557 | Concurrency Issues | |
| CWE-560 | Use of umask() with chmod-style Argument | |
| CWE-564 | SQL Injection: Hibernate | A05:2025 - Injection |
| CWE-566 | Authorization Bypass Through User-Controlled Key | A01:2025 - Broken Access Control |
| CWE-597 | Use of Wrong Operator in String Comparison | |
| CWE-601 | URL Redirection to Untrusted Site (Open Redirect) | A01:2025 - Broken Access Control |
| CWE-611 | XML External Entity (XXE) Injection | A02:2025 - Security Misconfiguration |
| CWE-614 | Sensitive Cookie Without 'Secure' Flag | A02:2025 - Security Misconfiguration |
| CWE-615 | Inclusion of Sensitive Information in Source Code Comments | A01:2025 - Broken Access Control |
| CWE-618 | Exposed Unsafe ActiveX Method | |
| CWE-628 | Function Call with Incorrectly Specified Arguments | A06:2025 - Insecure Design |
| CWE-639 | Authorization Bypass Through User-Controlled Key (Insecure Direct Object Reference - IDOR) | A01:2025 - Broken Access Control |
| CWE-642 | External Control of Critical State Data | A06:2025 - Insecure Design |
| CWE-656 | Reliance on Security Through Obscurity | A06:2025 - Insecure Design |
| CWE-665 | Improper Initialization | |
| CWE-668 | Exposure of Resource to Wrong Sphere | A01:2025 - Broken Access Control |
| CWE-675 | Multiple Operations on Resource in Single-Operation Context | |
| CWE-676 | Use of Potentially Dangerous Function | A06:2025 - Insecure Design |
| CWE-691 | Insufficient Control Flow Management | |
| CWE-693 | Protection Mechanism Failure | A06:2025 - Insecure Design |
| CWE-708 | Incorrect Processor Features | |
| CWE-732 | Incorrect Permission Assignment for Critical Resource | A01:2025 - Broken Access Control |
| CWE-749 | Exposed Dangerous Method or Function | A01:2025 - Broken Access Control |
| CWE-757 | Selection of Less-Secure Algorithm | A04:2025 - Cryptographic Failures |
| CWE-760 | Use of One-Way Hash Without Salt | A04:2025 - Cryptographic Failures |
| CWE-780 | Use of RSA Without OAEP | A04:2025 - Cryptographic Failures |
| CWE-787 | Out-of-bounds Write | |
| CWE-798 | Use of Hard-coded Credentials | A07:2025 - Authentication Failures |
| CWE-823 | Out-of-range Pointer | |
| CWE-824 | Uninitialized Pointer | |
| CWE-829 | Inclusion of Functionality from Untrusted Control Sphere | A08:2025 - Software or Data Integrity Failures |
| CWE-830 | Inclusion of Functionality from Untrusted Control Sphere | A08:2025 - Software or Data Integrity Failures |
| CWE-915 | Improperly Controlled Modification of Dynamically-Determined Object Attributes | A08:2025 - Software or Data Integrity Failures |
| CWE-916 | Use of Password Hash With Insufficient Computational Effort | A04:2025 - Cryptographic Failures |
| CWE-918 | Server-Side Request Forgery (SSRF) | A01:2025 - Broken Access Control |
| CWE-926 | Android Component Export | A08:2025 - Software or Data Integrity Failures |
| CWE-942 | Overly Permissive CORS | A02:2025 - Security Misconfiguration |
| CWE-943 | Improper Neutralization of Special Elements in Data Query Logic (NoSQL Injection) | |
| CWE-1174 | ASP.NET Misconfiguration: Improper Model Validation | A02:2025 - Security Misconfiguration |
| CWE-1236 | Formula Injection | |