Browse 543 Base level CWE entries. Specific weakness types that are more concrete and often describe actual issues found in code.
The accidental addition of a data-structure sentinel can cause serious programming logic problems.
The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
The product uses a sequential operation to read or write a buffer, but it uses an incorrect length value that causes it to access memory that is outside of the bounds of the buffer.
The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer.
The product transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
A covert storage channel transfers information through the setting of bits by one program and the reading of those bits by another. What distinguishes this case from that of ordinary operation is that the bits are used to convey encoded information.
Opening temporary files without appropriate measures or controls can leave the file, its contents and any function that it impacts vulnerable to attack.
The product allows user input to control or influence paths or file names that are used in filesystem operations.
The product generates an error message that includes sensitive information about its environment, users, or associated data.
The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
The product uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query.
The product uses external input to dynamically construct an XQuery expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neutralizes that input. This allows an attacker to control the structure of the query.
The product correctly neutralizes certain special elements, but it improperly neutralizes equivalent special elements.
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
The product does not correctly calculate the size to be used when allocating a buffer, which could lead to a buffer overflow.
When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting values are used in a sensitive context, then dangerous behaviors may occur.
The product uses a regular expression with a worst-case computational complexity that is inefficient and possibly exponential.
The product performs a key exchange with an actor without verifying the identity of that actor.
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.
The product writes data past the end, or before the beginning, of the intended buffer.
The product contains an account lockout protection mechanism, but the mechanism is too restrictive and can be triggered too easily, which allows attackers to deny service to legitimate users by causing their accounts to be locked out.
The product stores a password in plaintext within resources such as memory or files.
Two distinct privileges, roles, capabilities, or rights can be combined in a way that allows an entity to perform unsafe actions that would not be allowed without that combination.
The product uses obfuscation or encryption of inputs that should not be mutable by an external actor, but the product does not use integrity checks to detect if those inputs have been modified.
The product uses a protection mechanism that relies on the existence or values of an input, but the input can be modified by an untrusted actor in a way that bypasses the protection mechanism.
Nonces should be used for the present occasion and only once.
The storage of passwords in a recoverable format makes them subject to password reuse attacks by malicious users. In fact, it should be noted that recoverable encrypted passwords provide no significant benefit over plaintext passwords since they are subject not only to reuse by malicious attackers but also by malicious insiders. If a system administrator can recover a password directly, or use a brute force search on the available information, the administrator can use the password on other accounts.
Security based on event locations are insecure and can be spoofed.
The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.
The product uses a function that accepts a format string as an argument, but the format string originates from an external source.
The product contains hard-coded credentials, such as a password or cryptographic key.
The product calls a function that can never be guaranteed to work safely.
The use of password systems as the primary means of authentication may be subject to several flaws or shortcomings, each reducing the effectiveness of the mechanism.
The product invokes a potentially dangerous function that could introduce a vulnerability if it is used incorrectly, but the function can also be used safely.
The product uses an authentication algorithm that uses a single factor (e.g., a password) in a security context that should require more than one factor.
The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
Any condition where the attacker has the ability to write an arbitrary value to an arbitrary location, often as the result of a buffer overflow.
The product writes to a buffer using an index or pointer that references a memory location prior to the beginning of the buffer.
Covert timing channels convey information by modulating some aspect of system behavior over time, so that the program receiving the information can observe system behavior and infer protected information.
The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
The product detects a specific error, but takes no actions to handle the error.
The product divides a value by zero.
The product downloads source code or an executable from a remote location and executes the code without sufficiently verifying the origin and integrity of the code.
The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of other weaknesses.
When trying to keep information confidential, an attacker can often infer some of the information by using statistics.
The product does not check or incorrectly checks the revocation status of a certificate, which may cause it to use a certificate that has been compromised.
The product attempts to drop privileges but does not check or incorrectly checks to see if the drop succeeded.
The product does not clean up its state or incorrectly cleans up its state when an exception is thrown, leading to unexpected state or control flow.
The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
The product does not terminate or incorrectly terminates a string or array with a null character or equivalent terminator.
The product constructs a log message from external input, but it does not neutralize or incorrectly neutralizes special elements when the message is written to a log file.
The product uses XML documents and allows their structure to be defined with a Document Type Definition (DTD), but it does not properly control the number of recursive definitions of entities.
The product uses a reference count to manage a resource, but it does not update or incorrectly updates the reference count.
The product does not validate or incorrectly validates the integrity check values or "checksums" of a message. This may prevent it from detecting if the data has been modified or corrupted in transmission.
During installation, installed file permissions are set to allow anyone to modify those files.
In C and C++, one may often accidentally refer to the wrong memory due to the semantics of when math operations are implicitly scaled.
The product writes sensitive information to a log file.
When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it.
The product displays information or identifiers to a user, but the display mechanism does not make it easy for the user to distinguish between visually similar or identical glyphs (homoglyphs), which may cause the user to misinterpret a glyph and perform an unintended, insecure action.
The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
The product does not properly maintain a reference to a resource that has been allocated, which prevents the resource from being reclaimed.
The product uses a transmission protocol that does not include a mechanism for verifying the integrity of the data during transmission, such as a checksum.
The product dereferences a pointer that it expects to be valid but is NULL.
The product omits a break statement within a switch or similar construct, causing code associated with multiple conditions to execute. This can cause problems when the programmer only intended to execute code associated with one condition.
The product sends non-cloned mutable data as an argument to a method or function.
If two threads of execution use a resource simultaneously, there exists the possibility that resources may be used while invalid, in turn making the state of execution undefined.
Simple authentication protocols are subject to reflection attacks if a malicious user can use the target machine to impersonate a trusted user.
Java packages are not inherently closed; therefore, relying on them for code security is not a good practice.
Sending non-cloned mutable data as a return value may result in that data being altered or deleted by the calling function.
The product uses a signal handler that introduces a race condition.
The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
[PLANNED FOR DEPRECATION. SEE MAINTENANCE NOTES AND CONSIDER CWE-252, CWE-248, OR CWE-1069.] Ignoring exceptions and other error conditions may allow an attacker to induce unexpected behavior unnoticed.
The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.
The product uses or accesses a file descriptor after it has been closed.
The product subtracts one pointer from another in order to determine size, but this calculation can be incorrect if the pointers do not exist in the same memory chunk.
The product uses or accesses a resource that has not been initialized.
Wrap around errors occur whenever a value is incremented past the maximum value for its type and therefore "wraps around" to a very small, negative, or undefined value.
The product creates a temporary file in a directory whose permissions allow unintended actors to determine the file's existence or otherwise access that file.
The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous method or function that is not properly restricted.
The product does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate.
The product constructs the name of a file or other resource using input from an upstream component, but it does not restrict or incorrectly restricts the resulting name.
The code does not explicitly delimit a block that is intended to contain 2 or more statements, creating a logic error.
The product incorrectly checks a return value from a function, which prevents it from detecting errors or exceptional conditions.
The product does not conform to the API requirements for a function call that requires extra privileges. This could allow attackers to gain privileges by causing the function to be called incorrectly.
The product logs too much information, making log files hard to process and possibly hindering recovery efforts or forensic analysis after an attack.
The product does not have a mechanism in place for managing password aging.
Truncation errors occur when a primitive is cast to a primitive of a smaller size and data is lost in the conversion.
The product uses an expression in which operator precedence causes incorrect logic to be used.
The product supports password aging, but the expiration period is too long.
The developer builds a security-critical protection mechanism into the software, but the processor optimizes the execution of the program such that the mechanism is removed or modified.
The product makes invalid assumptions about how protocol data or memory is organized at a lower level, resulting in unintended program behavior.
The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.
Get a free security assessment from our experts. We'll identify vulnerabilities and create a protection plan tailored to your business.
Continue with these related tools
This tool is provided for educational and authorized security testing purposes only. Always ensure you have proper authorization before testing any systems or networks you do not own. All processing happens client-side in your browser — no data is sent to our servers.