CWE is a community-developed list of common software and hardware weakness
types that have security ramifications. A “weakness” is a condition in a software, firmware, hardware, or
service component that, under certain circumstances, could contribute to the introduction of
vulnerabilities. The CWE List and associated classification taxonomy serve as a language that can be used to
identify and describe these weaknesses in terms of CWEs.
| CWE Number | Name |
| --- | --- |
| CWE-173 | Improper Handling of Alternate Encoding |
| CWE-174 | Double Decoding of the Same Data |
| CWE-175 | Improper Handling of Mixed Encoding |
| CWE-176 | Improper Handling of Unicode Encoding |
| CWE-177 | Improper Handling of URL Encoding (Hex Encoding) |
| CWE-178 | Improper Handling of Case Sensitivity |
| CWE-179 | Incorrect Behavior Order: Early Validation |
| CWE-180 | Incorrect Behavior Order: Validate Before Canonicalize |
| CWE-181 | Incorrect Behavior Order: Validate Before Filter |
| CWE-182 | Collapse of Data into Unsafe Value |
| CWE-183 | Permissive List of Allowed Inputs |
| CWE-184 | Incomplete List of Disallowed Inputs |
| CWE-185 | Incorrect Regular Expression |
| CWE-186 | Overly Restrictive Regular Expression |
| CWE-187 | Partial String Comparison |
| CWE-188 | Reliance on Data/Memory Layout |
| CWE-190 | Integer Overflow or Wraparound |
| CWE-191 | Integer Underflow (Wrap or Wraparound) |
| CWE-192 | Integer Coercion Error |
| CWE-193 | Off-by-one Error |
| CWE-194 | Unexpected Sign Extension |
| CWE-195 | Signed to Unsigned Conversion Error |
| CWE-196 | Unsigned to Signed Conversion Error |
| CWE-197 | Numeric Truncation Error |
| CWE-198 | Use of Incorrect Byte Ordering |
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor |
| CWE-201 | Insertion of Sensitive Information Into Sent Data |
| CWE-202 | Exposure of Sensitive Information Through Data Queries |
| CWE-203 | Observable Discrepancy |
| CWE-204 | Observable Response Discrepancy |
| CWE-205 | Observable Behavioral Discrepancy |
| CWE-206 | Observable Internal Behavioral Discrepancy |
| CWE-207 | Observable Behavioral Discrepancy With Equivalent Products |
| CWE-208 | Observable Timing Discrepancy |
| CWE-209 | Generation of Error Message Containing Sensitive Information |
| CWE-210 | Self-generated Error Message Containing Sensitive Information |
| CWE-211 | Externally-Generated Error Message Containing Sensitive Information |
| CWE-212 | Improper Removal of Sensitive Information Before Storage or Transfer |
| CWE-213 | Exposure of Sensitive Information Due to Incompatible Policies |
| CWE-214 | Invocation of Process Using Visible Sensitive Information |
| CWE-215 | Insertion of Sensitive Information Into Debugging Code |
| CWE-216 | DEPRECATED: Containment Errors (Container Errors) |
| CWE-217 | DEPRECATED: Failure to Protect Stored Data from Modification |
| CWE-218 | DEPRECATED: Failure to provide confidentiality for stored data |
| CWE-219 | Storage of File with Sensitive Data Under Web Root |
| CWE-220 | Storage of File With Sensitive Data Under FTP Root |
| CWE-221 | Information Loss or Omission |
| CWE-222 | Truncation of Security-relevant Information |
| CWE-223 | Omission of Security-relevant Information |
| CWE-224 | Obscured Security-relevant Information by Alternate Name |