Browse the Common Weakness Enumeration (CWE) database. CWE is a categorized list of software and hardware weakness types; each entry below carries its CWE identifier, its abstraction level in the CWE hierarchy (Pillar, Class, Base, Variant or Compound), the entry's status (Stable, Draft or Incomplete) and its description.
Top 50 CWEs by vulnerability count
CWE ID | Abstraction | Status | Description
CWE-79 | Base | Stable | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CWE-89 | Base | Stable | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
CWE-352 | Compound | Stable | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
CWE-862 | Class | Incomplete | The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
CWE-20 | Class | Stable | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-74 | Class | Incomplete | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-22 | Base | Stable | The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
CWE-125 | Base | Draft | The product reads data past the end, or before the beginning, of the intended buffer.
CWE-200 | Class | Draft | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-284 | Pillar | Incomplete | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-78 | Base | Stable | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
CWE-416 | Variant | Stable | The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
CWE-121 | Variant | Draft | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
CWE-787 | Base | Draft | The product writes data past the end, or before the beginning, of the intended buffer.
CWE-94 | Base | Draft | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-119 | Class | Stable | The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.
CWE-434 | Base | Draft | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
CWE-122 | Variant | Draft | A heap overflow condition is a buffer overflow, where the buffer that can be overwritten is allocated in the heap portion of memory, generally meaning that the buffer was allocated using a routine such as malloc().
CWE-120 | Base | Incomplete | The product copies an input buffer to an output buffer without verifying that the size of the input buffer is less than the size of the output buffer.
CWE-502 | Base | Draft | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
CWE-400 | Class | Draft | The product does not properly control the allocation and maintenance of a limited resource.
CWE-287 | Class | Draft | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.
CWE-77 | Class | Draft | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
CWE-918 | Base | Incomplete | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
CWE-476 | Base | Stable | The product dereferences a pointer that it expects to be valid but is NULL.
CWE-863 | Class | Incomplete | The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check.
CWE-269 | Class | Draft | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
CWE-306 | Base | Draft | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
CWE-285 | Class | Draft | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-190 | Base | Stable | The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
CWE-639 | Base | Incomplete | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
CWE-770 | Base | Incomplete | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
CWE-98 | Variant | Draft | The PHP application receives input from an upstream component, but it does not restrict or incorrectly restricts the input before its usage in "require," "include," or similar functions.
CWE-427 | Base | Draft | The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.
CWE-601 | Base | Draft | The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
CWE-266 | Base | Draft | A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
CWE-532 | Base | Incomplete | The product writes sensitive information to a log file.
CWE-798 | Base | Draft | The product contains hard-coded credentials, such as a password or cryptographic key.
CWE-276 | Base | Draft | During installation, installed file permissions are set to allow anyone to modify those files.
CWE-80 | Variant | Incomplete | The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes special characters such as "<", ">", and "&" that could be interpreted as web-scripting elements when they are sent to a downstream component that processes web pages.
CWE-732 | Class | Draft | The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
CWE-295 | Base | Draft | The product does not validate, or incorrectly validates, a certificate.
CWE-126 | Variant | Draft | The product reads from a buffer using buffer access mechanisms such as indexes or pointers that reference memory locations after the targeted buffer.
CWE-611 | Base | Draft | The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
CWE-59 | Base | Draft | The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource.
CWE-404 | Class | Draft | The product does not release or incorrectly releases a resource before it is made available for re-use.
CWE-362 | Class | Draft | The product contains a concurrent code sequence that requires temporary, exclusive access to a shared resource, but a timing window exists in which the shared resource can be modified by another code sequence operating concurrently.
CWE-288 | Base | Incomplete | The product requires authentication, but the product has an alternate path or channel that does not require authentication.
CWE-23 | Base | Draft | The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.
CWE-522 | Class | Incomplete | The product transmits or stores authentication credentials, but it uses an insecure method that is susceptible to unauthorized interception and/or retrieval.
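The three most common injection-style entries in the list above (CWE-79/CWE-80 output neutralization, CWE-89 SQL injection, and CWE-22/CWE-23 path traversal) share one root cause: untrusted input reaches a downstream interpreter without being neutralized for that interpreter's syntax. The following is an added example, not code from the CWE database or from any product it describes; it places a deliberately vulnerable function beside its hardened form for each weakness. The payload strings and the in-memory SQLite table are constructed for the demonstration, and the base directory `/srv/files` is an assumed, hypothetical path.

```python
import html
import os
import sqlite3

# Constructed attacker-style inputs used throughout this example.
XSS_PAYLOAD = "<script>alert(1)</script>"
SQLI_PAYLOAD = "' OR '1'='1"
TRAVERSAL_PAYLOAD = "../../etc/passwd"


# --- CWE-79 / CWE-80: user input placed into an HTML page ----------------
def render_greeting_vulnerable(name):
    # The input is interpolated as-is, so "<script>" is parsed as markup.
    return f"<p>Hello, {name}</p>"


def render_greeting_safe(name):
    # html.escape neutralizes <, >, & and (with quote=True) " and ', so the
    # browser renders the input as text instead of interpreting it as HTML.
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


# --- CWE-89: SQL built by string formatting vs. a parameterized query ----
def _demo_db():
    # Constructed in-memory table standing in for a real users table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s1"), ("bob", "s2")])
    return conn


def lookup_vulnerable(name):
    # The quote in the payload closes the literal and "OR '1'='1" becomes SQL,
    # so every row comes back instead of the one matching the name.
    conn = _demo_db()
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(name):
    # A bound parameter is always treated as data, never parsed as SQL.
    conn = _demo_db()
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


# --- CWE-22 / CWE-23: pathname built from external input -----------------
def resolve_vulnerable(base, user_path):
    # os.path.join happily keeps ".." components; the result leaves base.
    return os.path.join(base, user_path)


def resolve_safe(base, user_path):
    # Canonicalize both sides first (collapses ".." and follows symlinks),
    # then require the target to sit under base. commonpath rejects both
    # ".." escapes and prefix tricks such as "/srv/files-evil".
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, user_path))
    if os.path.commonpath([base_real, target]) != base_real:
        raise ValueError("path escapes the restricted directory")
    return target


def is_contained(base, user_path):
    # Boolean wrapper around resolve_safe for callers that prefer a check.
    try:
        resolve_safe(base, user_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(render_greeting_vulnerable(XSS_PAYLOAD))
    print(render_greeting_safe(XSS_PAYLOAD))
    print(lookup_vulnerable(SQLI_PAYLOAD), lookup_safe(SQLI_PAYLOAD))
    print(resolve_vulnerable("/srv/files", TRAVERSAL_PAYLOAD))
    print(is_contained("/srv/files", TRAVERSAL_PAYLOAD))
```

The common thread in the hardened forms is that neutralization is done by the mechanism designed for the target interpreter (HTML escaping, bound SQL parameters, filesystem canonicalization plus a containment check) rather than by hand-written blocklists of "bad" characters, which is what the CWE-74 family of entries warns against.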
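Several entries in the list are authorization failures rather than injection: CWE-862 (no check at all), CWE-863 (a check that is performed incorrectly) and CWE-639 (a user reaches another user's record by changing the key in the request). The following is an added example, not code from the CWE database; the in-memory record store and user names are constructed for the demonstration. It contrasts a lookup that trusts the request's identifier with one that binds every lookup to the authenticated principal, and it returns the same error for "missing" and "not yours" so that the identifier space cannot be enumerated through differing responses (CWE-200).

```python
from dataclasses import dataclass


class AuthorizationError(Exception):
    """Raised when the caller may not access the requested record."""


@dataclass(frozen=True)
class Record:
    record_id: int
    owner: str
    body: str


# Constructed in-memory store standing in for a database table.
RECORDS = {
    1: Record(1, "alice", "alice's invoice"),
    2: Record(2, "bob", "bob's invoice"),
}


def get_record_vulnerable(record_id, current_user):
    # CWE-862: current_user is never consulted. Any authenticated user can
    # read any record simply by changing record_id (CWE-639).
    return RECORDS[record_id]


def get_record_broken_check(record_id, current_user):
    # CWE-863: a check exists but compares the wrong thing (a case-folded
    # prefix match), so "bob2" would pass as "bob" and "ALICE" as "alice".
    rec = RECORDS.get(record_id)
    if rec is None or not current_user.lower().startswith(rec.owner):
        raise AuthorizationError("record not available")
    return rec


def get_record_safe(record_id, current_user):
    # The lookup is scoped by the authenticated principal: the record must
    # exist AND be owned by current_user, compared exactly.
    rec = RECORDS.get(record_id)
    if rec is None or rec.owner != current_user:
        # Same error for both cases so ids cannot be enumerated (CWE-200).
        raise AuthorizationError("record not available")
    return rec


def can_read(record_id, current_user):
    # Boolean form of the safe check, convenient for tests and templates.
    try:
        get_record_safe(record_id, current_user)
        return True
    except AuthorizationError:
        return False


if __name__ == "__main__":
    print(get_record_vulnerable(2, "alice").body)   # alice reads bob's record
    print(can_read(2, "alice"), can_read(1, "alice"))
```

In a real service the same principle is applied at the query layer, for example `WHERE id = ? AND owner_id = ?` with the owner taken from the session rather than from the request, so the check cannot be forgotten on one of many code paths.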