CWE is a community-developed list of common software and hardware weakness
types that have security ramifications. A “weakness” is a condition in a software, firmware, hardware, or
service component that, under certain circumstances, could contribute to the introduction of
vulnerabilities. The CWE List and associated classification taxonomy serve as a language that can be used to
identify and describe these weaknesses in terms of CWEs.
CWE Number   Name
CWE-62       UNIX Hard Link
CWE-64       Windows Shortcut Following (.LNK)
CWE-65       Windows Hard Link
CWE-66       Improper Handling of File Names that Identify Virtual Resources
CWE-67       Improper Handling of Windows Device Names
CWE-69       Improper Handling of Windows ::DATA Alternate Data Stream
CWE-71       DEPRECATED: Apple '.DS_Store'
CWE-72       Improper Handling of Apple HFS+ Alternate Data Stream Path
CWE-73       External Control of File Name or Path
CWE-74       Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE-75       Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
CWE-76       Improper Neutralization of Equivalent Special Elements
CWE-77       Improper Neutralization of Special Elements used in a Command ('Command Injection')
CWE-78       Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-79       Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-80       Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CWE-81       Improper Neutralization of Script in an Error Message Web Page
CWE-82       Improper Neutralization of Script in Attributes of IMG Tags in a Web Page
CWE-83       Improper Neutralization of Script in Attributes in a Web Page
CWE-84       Improper Neutralization of Encoded URI Schemes in a Web Page
CWE-85       Doubled Character XSS Manipulations
CWE-86       Improper Neutralization of Invalid Characters in Identifiers in Web Pages
CWE-87       Improper Neutralization of Alternate XSS Syntax
CWE-88       Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
CWE-89       Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CWE-90       Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
CWE-91       XML Injection (aka Blind XPath Injection)
CWE-92       DEPRECATED: Improper Sanitization of Custom Special Characters
CWE-93       Improper Neutralization of CRLF Sequences ('CRLF Injection')
CWE-94       Improper Control of Generation of Code ('Code Injection')
CWE-95       Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
CWE-96       Improper Neutralization of Directives in Statically Saved Code ('Static Code Injection')
CWE-97       Improper Neutralization of Server-Side Includes (SSI) Within a Web Page
CWE-98       Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
CWE-99       Improper Control of Resource Identifiers ('Resource Injection')
CWE-102      Struts: Duplicate Validation Forms
CWE-103      Struts: Incomplete validate() Method Definition
CWE-104      Struts: Form Bean Does Not Extend Validation Class
CWE-105      Struts: Form Field Without Validator
CWE-106      Struts: Plug-in Framework not in Use
CWE-107      Struts: Unused Validation Form
CWE-108      Struts: Unvalidated Action Form
CWE-109      Struts: Validator Turned Off
CWE-110      Struts: Validator Without Form Field
CWE-111      Direct Use of Unsafe JNI
CWE-112      Missing XML Validation
CWE-113      Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting')