CWE is a community-developed list of common software and hardware weakness types that have security ramifications. A “weakness” is a condition in a software, firmware, hardware, or service component that, under certain circumstances, could contribute to the introduction of vulnerabilities. The CWE List and associated classification taxonomy serve as a language that can be used to identify and describe these weaknesses in terms of CWEs.
CWE Number   Name
CWE-777      Regular Expression without Anchors
CWE-778      Insufficient Logging
CWE-779      Logging of Excessive Data
CWE-780      Use of RSA Algorithm without OAEP
CWE-781      Improper Address Validation in IOCTL with METHOD_NEITHER I/O Control Code
CWE-782      Exposed IOCTL with Insufficient Access Control
CWE-783      Operator Precedence Logic Error
CWE-784      Reliance on Cookies without Validation and Integrity Checking in a Security Decision
CWE-785      Use of Path Manipulation Function without Maximum-sized Buffer
CWE-786      Access of Memory Location Before Start of Buffer
CWE-787      Out-of-bounds Write
CWE-788      Access of Memory Location After End of Buffer
CWE-789      Memory Allocation with Excessive Size Value
CWE-790      Improper Filtering of Special Elements
CWE-791      Incomplete Filtering of Special Elements
CWE-792      Incomplete Filtering of One or More Instances of Special Elements
CWE-793      Only Filtering One Instance of a Special Element
CWE-794      Incomplete Filtering of Multiple Instances of Special Elements
CWE-795      Only Filtering Special Elements at a Specified Location
CWE-796      Only Filtering Special Elements Relative to a Marker
CWE-797      Only Filtering Special Elements at an Absolute Position
CWE-798      Use of Hard-coded Credentials
CWE-799      Improper Control of Interaction Frequency
CWE-804      Guessable CAPTCHA
CWE-805      Buffer Access with Incorrect Length Value
CWE-806      Buffer Access Using Size of Source Buffer
CWE-807      Reliance on Untrusted Inputs in a Security Decision
CWE-820      Missing Synchronization
CWE-821      Incorrect Synchronization
CWE-822      Untrusted Pointer Dereference
CWE-823      Use of Out-of-range Pointer Offset
CWE-824      Access of Uninitialized Pointer
CWE-825      Expired Pointer Dereference
CWE-826      Premature Release of Resource During Expected Lifetime
CWE-827      Improper Control of Document Type Definition
CWE-828      Signal Handler with Functionality that is not Asynchronous-Safe
CWE-829      Inclusion of Functionality from Untrusted Control Sphere
CWE-830      Inclusion of Web Functionality from an Untrusted Source
CWE-831      Signal Handler Function Associated with Multiple Signals
CWE-832      Unlock of a Resource that is not Locked
CWE-833      Deadlock
CWE-834      Excessive Iteration
CWE-835      Loop with Unreachable Exit Condition ('Infinite Loop')
CWE-836      Use of Password Hash Instead of Password for Authentication
CWE-837      Improper Enforcement of a Single, Unique Action
CWE-838      Inappropriate Encoding for Output Context
CWE-839      Numeric Range Comparison Without Minimum Check
CWE-841      Improper Enforcement of Behavioral Workflow
CWE-842      Placement of User into Incorrect Group
CWE-843      Access of Resource Using Incompatible Type ('Type Confusion')