
SAST CWE List

Note: The legacy Mend SAST Application was deprecated on April 1st, 2025. For assistance with migrating to the Mend AppSec Platform, please contact your customer success manager or the success team at success@mend.io.

Overview

This table lists the Common Weakness Enumerations (CWEs) that Mend SAST detects, sorted by CWE-ID. Each row describes one weakness using the following columns:

  1. CWE-ID: The unique identifier of the CWE.

  2. CWE Name: The CWE's title, which describes the nature of the weakness.

  3. Languages: The programming languages for which the check is supported.

  4. Compliance Standards: The compliance standards the weakness maps to, such as OWASP Top 10 or CAPEC.

  5. Severity: The severity assigned to the weakness: Low, Medium or High.

SAST CWE List

CWE-15: External Control of System or Configuration Setting
  • Languages: Java
  • Compliance Standards: OWASP 2021: A3: Injection; SANS TOP25: CWE 15: External Control of System or Configuration Setting
  • Severity: Low

CWE-16: Configuration
  • Languages: Android Java, Kotlin Mobile, Xamarin (C#)
  • Compliance Standards: OWASP 2021: A5: Security Misconfiguration
  • Severity: Low

CWE-20: Improper Input Validation
  • Languages: ASP Classic/Visual Basic/VBScript, C#, Go, Groovy, Java, JavaScript, TypeScript, Kotlin, Kotlin Mobile, PHP, Python, VB.Net, Xamarin (C#)
  • Compliance Standards: CAPEC: CAPEC 134: Email Injection; HITRUST: 10.b: Input Data Validation (Level 1 Implementation); NIST: SI 10: Information Input Validation; NIST: SC 23: Session Authenticity; OWASP: A2: Broken Authentication; OWASP 2021: A3: Injection; SANS TOP25: CWE 20: Improper Input Validation; PCI DSS: PCI DSS 6.5.10: Broken Authentication and Session Management
  • Severity: Low

CWE-20: Mail Relay
  • Languages: Python
  • Compliance Standards: CAPEC: CAPEC 134: Email Injection; HITRUST: 10.b: Input Data Validation (Level 1 Implementation); NIST: SI 10: Information Input Validation; OWASP 2021: A3: Injection; SANS TOP25: CWE 20: Improper Input Validation
  • Severity: Low

CWE-20: Memcache Injection Vulnerability
  • Languages: Python
  • Compliance Standards: CAPEC: CAPEC 134: Email Injection; HITRUST: 10.b: Input Data Validation (Level 1 Implementation); NIST: SI 10: Information Input Validation; OWASP 2021: A3: Injection; SANS TOP25: CWE 20: Improper Input Validation
  • Severity: Low

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
  • Languages: ABAP, ASP Classic/Visual Basic/VBScript, C#, C/C++ (Beta), ColdFusion, Go, Groovy, Java, JavaScript, Kotlin, Kotlin Mobile, PHP, PLSQL, Python, R, Ruby, TypeScript, VB.Net, Xamarin (C#)
  • Compliance Standards: CAPEC: CAPEC 126: Path Traversal; HIPAA: 164.312 (a)(1): Standard: Access control; HITRUST: 10.b: Input Data Validation (Level 1 Implementation); NIST: SI 10: Information Input Validation; OWASP: A5: Broken Access Control; OWASP 2021: A1: Broken Access Control; PCI DSS: PCI DSS 6.5.8: Improper Access Control; SANS TOP25: CWE 22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
  • Severity: High

CWE-59: Improper Link Resolution Before File Access ('Link Following')
  • Languages: Ruby
  • Compliance Standards: OWASP 2021: A1: Broken Access Control
  • Severity: High

CWE-73: External Control of File Name or Path
  • Languages: ASP Classic/Visual Basic/VBScript, C#, Go, Groovy, Java, Kotlin, Kotlin Mobile, PHP, PLSQL, Python, R, Ruby, Swift, VB.Net, Xamarin (C#), iOS Objective-C
  • Compliance Standards: CAPEC: CAPEC 165: File Manipulation; HIPAA: 164.312 (a)(1): Standard: Access control; HITRUST: 10.b: Input Data Validation (Level 1 Implementation); NIST: SI 10: Information Input Validation; OWASP 2021: A4: Insecure Design
  • Severity: High

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
  • Languages: Java
  • Compliance Standards: HIPAA: 164.312 (a)(1): Standard: Access control; HITRUST: 10.b: Input Data Validation (Level 1 Implementation); NIST: SI 10: Information Input Validation; OWASP: A1: Injection; OWASP 2021: A3: Injection; PCI DSS: PCI DSS 6.5.1: Injection Flaws
  • Severity: High

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  • Languages: ABAP, ASP Classic/Visual Basic/VBScript, C#, C/C++ (Beta), Cobol, ColdFusion, Go, Groovy, Java, JavaScript, Kotlin, Kotlin Mobile, PHP, Python, R, Ruby, TypeScript, VB.Net, Xamarin (C#)
  • Compliance Standards: CAPEC: CAPEC 88: OS Command Injection; HIPAA: 164.312 (a)(1): Standard: Access control; HITRUST: 10.b: Input Data Validation (Level 1 Implementation); NIST: SI 10: Information Input Validation; OWASP: A1: Injection; OWASP 2021: A3: Injection; PCI DSS: PCI DSS 6.5.1: Injection Flaws; SANS TOP25: CWE 78: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)
  • Severity: High

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • Languages: ABAP, ASP Classic/Visual Basic/VBScript, C#, ColdFusion, Go, Groovy, Java, JavaScript, Kotlin, Kotlin Mobile, PHP, PLSQL, Python, Ruby, TypeScript, VB.Net
  • Compliance Standards: CAPEC: CAPEC 63: Cross Site Scripting (XSS); HITRUST: 10.b: Input Data Validation (Level 1 Implementation); NIST: SI 10: Information Input Validation; OWASP: A7: Cross Site Scripting (XSS); OWASP 2021: A3: Injection; PCI DSS: PCI DSS 6.5.7: Cross Site Scripting (XSS); SANS TOP25: CWE 79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)
  • Severity: High

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  • Languages: ABAP, Android Java, ASP Classic/Visual Basic/VBScript, Apex, C#, C/C++ (Beta), Cobol, ColdFusion, Go, Groovy, iOS Objective-C, Java, JavaScript, Kotlin, Kotlin Mobile, PHP, PLSQL, Python, R, Ruby, Swift, TypeScript, VB.Net, Xamarin (C#)
  • Compliance Standards: CAPEC: CAPEC 66: SQL Injection; HIPAA: 164.312 (a)(1): Standard: Access control; HITRUST: 10.b: Input Data Validation (Level 1 Implementation); NIST: SI 10: Information Input Validation; OWASP: A1: Injection; OWASP 2021: A3: Injection; PCI DSS: PCI DSS 6.5.1: Injection Flaws; SANS TOP25: CWE 89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)
  • Severity: High

CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
  • Languages: C#, C/C++ (Beta), Go, Groovy, Java, JavaScript, TypeScript, Kotlin, Kotlin Mobile, PHP, Python, Ruby, VB.Net, Xamarin (C#)
  • Compliance Standards: CAPEC: CAPEC 136: LDAP Injection; HIPAA: 164.312 (a)(1): Standard: Access control; HITRUST: 10.b: Input Data Validation (Level 1 Implementation); NIST: SI 10: Information Input Validation; OWASP: A1: Injection; OWASP 2021: A3: Injection; PCI DSS: PCI DSS 6.5.1: Injection Flaws
  • Severity: Medium

CWE-94: Improper Control of Generation of Code ('Code Injection')
  • Languages: ABAP, Android Java, ASP Classic/Visual Basic/VBScript, C#, Groovy, Java, JavaScript, Kotlin, Kotlin Mobile, PHP, Python, R, Ruby, TypeScript, VB.Net, Xamarin (C#)
  • Compliance Standards: CAPEC: CAPEC 242: Code Injection; HIPAA: 164.312 (a)(1): Standard: Access control; HITRUST: 10.b: Input Data Validation (Level 1 Implementation); NIST: SI 10: Information Input Validation; OWASP: A1: Injection; OWASP 2021: A3: Injection; PCI DSS: PCI DSS 6.5.1: Injection Flaws; SANS TOP25: CWE 94: Improper Control of Generation of Code (Code Injection)
  • Severity: High

CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
  • Languages: PHP
  • Compliance Standards: CAPEC: CAPEC 252: PHP Local File Inclusion; HIPAA: 164.312 (a)(1): Standard: Access control; HITRUST: 10.b: Input Data Validation (Level 1 Implementation); NIST: SI 10: Information Input Validation; OWASP: A1: Injection; OWASP 2021: A3: Injection; PCI DSS: PCI DSS 6.5.1: Injection Flaws
  • Severity: High

CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')
  • Languages: ASP Classic/Visual Basic/VBScript, C#, Go, Groovy, Java, JavaScript, Kotlin, Kotlin Mobile, PHP, Python, Ruby, TypeScript, VB.Net
  • Compliance Standards: CAPEC: CAPEC 34: HTTP Response Splitting; HITRUST: 10.b: Input Data Validation (Level 1 Implementation); NIST: SI 10: Information Input Validation; OWASP 2021: A3: Injection
  • Severity: Low

CWE-114: Process Control
  • Languages: C/C++ (Beta)
  • Compliance Standards: CAPEC: CAPEC 159: Redirect Access to Libraries
  • Severity: Low

CWE-117: Improper Output Neutralization for Logs
  • Languages: ASP Classic/Visual Basic/VBScript, C#, Go, Groovy, Java, JavaScript, Kotlin, Kotlin Mobile, Python, TypeScript, VB.Net, Xamarin (C#)
  • Compliance Standards: CAPEC: CAPEC 93: Log Injection Tampering Forging; NIST: SI 10: Information Input Validation; OWASP 2021: A9: Security Logging and Monitoring Failures
  • Severity: Low

CWE-121: Stack-based Buffer Overflow
  • Languages: C/C++ (Beta), Cobol
  • Compliance Standards: CAPEC: CAPEC 100: Overflow Buffers; PCI DSS: PCI DSS 6.5.2: Buffer Overflows
  • Severity: High

CWE-125: Out-of-bounds Read
  • Languages: C/C++ (Beta)
  • Compliance Standards: CAPEC: CAPEC 540: Overread Buffers; SANS TOP25: CWE 125: Out of bounds Read
  • Severity: Medium

CWE-134: Use of Externally-Controlled Format String
  • Languages: C/C++ (Beta), Java, TypeScript
  • Compliance Standards: CAPEC: CAPEC 135: Format String Injection
  • Severity: High

CWE-190: Integer Overflow or Wraparound
  • Languages: C/C++ (Beta)
  • Compliance Standards: CAPEC: CAPEC 92: Forced Integer Overflow; SANS TOP25: CWE 190: Integer Overflow or Wraparound
  • Severity: High

CWE-191: Integer Underflow (Wrap or Wraparound)
  • Languages: C/C++ (Beta)
  • Compliance Standards: Not standard-relevant
  • Severity: Medium

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
  • Languages: Android Java, iOS Objective-C, TypeScript, Kotlin Mobile, Swift, Xamarin (C#)
  • Compliance Standards: CAPEC: CAPEC 124: Shared Resource Manipulation; OWASP 2021: A1: Broken Access Control
  • Severity: Medium

CWE-209: Information Exposure Through an Error Message
  • Languages: Android Java, Apex, C#, Groovy, iOS Objective-C, Java, TypeScript, Kotlin, Kotlin Mobile, PHP, Python, Swift, VB.Net, Xamarin (C#)
  • Compliance Standards: CAPEC: CAPEC 215: Fuzzing and observing application log data/errors for application mapping; NIST: SI 11: Error Handling; OWASP: A3: Sensitive Data Exposure; OWASP 2021: A4: Insecure Design; PCI DSS: PCI DSS 6.5.5: Improper Error Handling
  • Severity: Medium

CWE-242: Use of Inherently Dangerous Function
  • Languages: C/C++ (Beta), JavaScript, Swift, TypeScript, iOS Objective-C
  • Compliance Standards: Not standard-relevant
  • Severity: Low

CWE-244: Improper Clearing of Heap Memory Before Release ('Heap Inspection')
  • Languages: Android Java, Apex, C#, C/C++ (Beta), Go, Groovy, Java, Kotlin, Kotlin Mobile, Python, Ruby, VB.Net, Xamarin (C#)
  • Compliance Standards: Not standard-relevant
  • Severity: Medium

CWE-250: Execution with Unnecessary Privileges
  • Languages: Xamarin (C#)
  • Compliance Standards: Not standard-relevant
  • Severity: Medium

CWE-295: Improper Certificate Validation
  • Languages: Android Java, Go, TypeScript, Kotlin Mobile, Python, Xamarin (C#)
  • Compliance Standards: CAPEC: CAPEC 94: Man in the Middle Attack; HIPAA: 164.312 (e)(2)(ii): Transmission Security: Encryption; OWASP 2021: A7: Identification and Authentication Failures; SANS TOP25: CWE 295: Improper Certificate Validation
  • Severity: Medium

CWE-297: Improper Validation of Certificate with Host Mismatch
  • Languages: Java
  • Compliance Standards: CAPEC: CAPEC 475: Signature Spoofing by Improper Validation; OWASP: A3: Sensitive Data Exposure; OWASP 2021: A7: Identification and Authentication Failures
  • Severity: Low

CWE-312: Cleartext Storage of Sensitive Information
  • Languages: Java, TypeScript, Xamarin (C#)
  • Compliance Standards: CAPEC: CAPEC 37: Retrieve Embedded Sensitive Data; HIPAA: 164.312 (a)(2)(iv): Access Control: Encryption and Decryption; NIST: SC 28: Protection of Information at Rest; OWASP: A3: Sensitive Data Exposure; OWASP 2021: A4: Insecure Design; PCI DSS: PCI DSS 6.5.3: Insecure Cryptographic Storage
  • Severity: High

CWE-319: Cleartext Transmission of Sensitive Information
  • Languages: Android Java, C#, Java, TypeScript, Swift, Xamarin (C#), iOS Objective-C
  • Compliance Standards: CAPEC: CAPEC 337: Insufficient Transport Layer Protection; HIPAA: 164.312 (e)(2)(ii): Transmission Security: Encryption; OWASP: A6: Security Misconfiguration; OWASP 2021: A2: Cryptographic Failures
  • Severity: Medium

CWE-321: Use of Hard-coded Cryptographic Key
  • Languages: Ruby
  • Compliance Standards: NIST: SC 28: Protection of Information at Rest; OWASP: A3: Sensitive Data Exposure; OWASP 2021: A2: Cryptographic Failures; PCI DSS: PCI DSS 6.5.3: Insecure Cryptographic Storage
  • Severity: Medium

CWE-322: Key Exchange without Entity Authentication
  • Languages: Go
  • Compliance Standards: CAPEC: CAPEC 94: Man in the Middle Attack; HIPAA: 164.312 (e)(2)(ii): Transmission Security: Encryption; OWASP 2021: A2: Cryptographic Failures
  • Severity: Medium

CWE-325: Missing Cryptographic Step
  • Languages: Java
  • Compliance Standards: CAPEC: CAPEC 97: Cryptanalysis; HIPAA: 164.312 (a)(2)(iv): Access Control: Encryption and Decryption; NIST: SC 13: Cryptographic Protection; OWASP: A3: Sensitive Data Exposure; OWASP 2021: A2: Cryptographic Failures; PCI DSS: PCI DSS 6.5.3: Insecure Cryptographic Storage
  • Severity: Low

CWE-326: Inadequate Encryption Strength
  • Languages: Android Java, C#, Go, Groovy, Java, Kotlin, Kotlin Mobile, PHP, Swift, VB.Net, Xamarin (C#), iOS Objective-C
  • Compliance Standards: CAPEC: CAPEC 97: Cryptanalysis; HIPAA: 164.312 (a)(2)(iv): Access Control: Encryption and Decryption; NIST: SC 13: Cryptographic Protection; OWASP: A3: Sensitive Data Exposure; OWASP 2021: A2: Cryptographic Failures; PCI DSS: PCI DSS 6.5.3: Insecure Cryptographic Storage
  • Severity: Low

CWE-327: Use of a Broken or Risky Cryptographic Algorithm
  • Languages: Java, TypeScript, Python
  • Compliance Standards: CAPEC: CAPEC 97: Cryptanalysis; HIPAA: 164.312 (a)(2)(iv): Access Control: Encryption and Decryption; NIST: SC 13: Cryptographic Protection; OWASP: A3: Sensitive Data Exposure; OWASP 2021: A2: Cryptographic Failures; PCI DSS: PCI DSS 6.5.3: Insecure Cryptographic Storage
  • Severity: Medium

CWE-328: Use of Weak Hash
  • Languages: Java, TypeScript, Python
  • Compliance Standards: CAPEC: CAPEC 97: Cryptanalysis; HIPAA: 164.312 (a)(2)(iv): Access Control: Encryption and Decryption; NIST: SC 13: Cryptographic Protection; OWASP: A3: Sensitive Data Exposure; OWASP 2021: A2: Cryptographic Failures; PCI DSS: PCI DSS 6.5.3: Insecure Cryptographic Storage
  • Severity: Low

CWE-335: Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)
  • Languages: Java
  • Compliance Standards: CAPEC: CAPEC 97: Cryptanalysis; HIPAA: 164.312 (a)(2)(iv): Access Control: Encryption and Decryption; NIST: SC 13: Cryptographic Protection; OWASP: A3: Sensitive Data Exposure; OWASP 2021: A2: Cryptographic Failures; PCI DSS: PCI DSS 6.5.3: Insecure Cryptographic Storage
  • Severity: Medium

CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
  • Languages: ASP Classic/Visual Basic/VBScript, Android Java, C#, Go, Groovy, Java, JavaScript, Kotlin, Kotlin Mobile, PHP, TypeScript, VB.Net, Xamarin (C#)
  • Compliance Standards: CAPEC: CAPEC 97: Cryptanalysis; HIPAA: 164.312 (a)(2)(iv): Access Control: Encryption and Decryption; NIST: SC 13: Cryptographic Protection; OWASP: A3: Sensitive Data Exposure; OWASP 2021: A2: Cryptographic Failures; PCI DSS: PCI DSS 6.5.3: Insecure Cryptographic Storage
  • Severity: Medium

CWE-346: Origin Validation Error
  • Languages: TypeScript
  • Compliance Standards: HIPAA: 164.312 (a)(2)(iv): Access Control: Encryption and Decryption; HITRUST: 10.b: Input Data Validation (Level 1 Implementation); NIST: SI 10: Information Input Validation; OWASP: A2: Broken Authentication; OWASP 2021: A7: Identification and Authentication Failures
  • Severity: High

CWE-347: Improper Verification of Cryptographic Signature
  • Languages: Java, TypeScript
  • Compliance Standards: CAPEC: CAPEC 97: Cryptanalysis; HIPAA: 164.312 (a)(2)(iv): Access Control: Encryption and Decryption; NIST: SC 13: Cryptographic Protection; OWASP: A2: Broken Authentication; OWASP 2021: A2: Cryptographic Failures
  • Severity: Medium

CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
  • Languages: C/C++ (Beta)
  • Compliance Standards: CAPEC: CAPEC 29: Leveraging Time of Check and Time of Use (TOCTOU) Race Conditions
  • Severity: Medium

CWE-369: Divide By Zero
  • Languages: C/C++ (Beta)
  • Compliance Standards: Not standard-relevant
  • Severity: Low

CWE-377: Insecure Temporary File
  • Languages: Go, Python
  • Compliance Standards: OWASP 2021: A1: Broken Access Control
  • Severity: Medium

CWE-384: Session Fixation
  • Languages: PHP
  • Compliance Standards: NIST: SC 23: Session Authenticity; OWASP: A2: Broken Authentication; OWASP 2021: A7: Identification and Authentication Failures; PCI DSS: PCI DSS 6.5.10: Broken Authentication and Session Management
  • Severity: High

CWE-400: Uncontrolled Resource Consumption
  • Languages: ABAP, C#, Go, Groovy, Java, JavaScript, Kotlin, Kotlin Mobile, PHP, Python, TypeScript, VB.Net, Xamarin (C#)
  • Compliance Standards: CAPEC: CAPEC 492: Regular Expression Exponential Blowup; HITRUST: 10.b: Input Data Validation (Level 1 Implementation); NIST: SC 5: Denial of Service Protection (P1); SANS TOP25: CWE 400: Uncontrolled Resource Consumption
  • Severity: Medium

CWE-415: Double Free
  • Languages: C/C++ (Beta)
  • Compliance Standards: Not standard-relevant
  • Severity: High

CWE-416: Use After Free
  • Languages: C/C++ (Beta)
  • Compliance Standards: SANS TOP25: CWE 416: Use After Free
  • Severity: High

CWE-434: Unrestricted Upload of File with Dangerous Type
  • Languages: ASP Classic/Visual Basic/VBScript, C#, Go, Groovy, Java, TypeScript, Kotlin, Kotlin Mobile, PHP, Ruby, VB.Net
  • Compliance Standards: OWASP 2021: A4: Insecure Design; SANS TOP25: CWE 434: Unrestricted Upload of File with Dangerous Type
  • Severity: Low

CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
  • Languages: Java
  • Compliance Standards: HITRUST: 10.b: Input Data Validation (Level 1 Implementation); NIST: SI 10: Information Input Validation; OWASP 2021: A4: Insecure Design
  • Severity: Medium

CWE-472: External Control of Assumed-Immutable Web Parameter
  • Languages: ASP Classic/Visual Basic/VBScript, C#, Go, Groovy, Java, Kotlin, Kotlin Mobile, PHP, Python, VB.Net
  • Compliance Standards: OWASP 2021: A4: Insecure Design
  • Severity: Medium

CWE-489: Active Debug Code
  • Languages: Xamarin (C#)
  • Compliance Standards: Not standard-relevant
  • Severity: Medium

CWE-497: Exposure of System Data to an Unauthorized Control Sphere
  • Languages: Groovy, Java, Kotlin, Kotlin Mobile
  • Compliance Standards: OWASP 2021: A1: Broken Access Control
  • Severity: Low

CWE-501: Trust Boundary Violation
  • Languages: Apex, C#, Groovy, Java, Kotlin, Kotlin Mobile, VB.Net, Xamarin (C#)
  • Compliance Standards: CAPEC: CAPEC 284: Improper Access Control; HITRUST: 10.b: Input Data Validation (Level 1 Implementation); NIST: SI 10: Information Input Validation; OWASP 2021: A4: Insecure Design
  • Severity: Medium

CWE-502: Deserialization of Untrusted Data
  • Languages: C#, Groovy, Java, TypeScript, Kotlin, Kotlin Mobile, PHP, Python, VB.Net, Xamarin (C#)
  • Compliance Standards: CAPEC: CAPEC 586: Object Injection; HIPAA: 164.312 (a)(1): Standard: Access control; HITRUST: 10.b: Input Data Validation (Level 1 Implementation); NIST: SI 10: Information Input Validation; OWASP: A8: Insecure Deserialization; OWASP 2021: A8: Software and Data Integrity Failures; SANS TOP25: CWE 502: Deserialization of Untrusted Data
  • Severity: High

CWE-530: Exposure of Backup File to an Unauthorized Control Sphere
  • Languages: ASP Classic/Visual Basic/VBScript, C#, Groovy, Java, Kotlin, Kotlin Mobile, PHP, Python, Ruby, VB.Net
  • Compliance Standards: Not standard-relevant
  • Severity: Low

CWE-532: Insertion of Sensitive Information into Log File
  • Languages: Java
  • Compliance Standards: CAPEC: CAPEC 215: Fuzzing and observing application log data/errors for application mapping; OWASP: A10: Insufficient Logging & Monitoring; OWASP 2021: A9: Security Logging and Monitoring Failures
  • Severity: Low

CWE-598: Use of GET Request Method With Sensitive Query Strings
  • Languages: TypeScript
  • Compliance Standards: OWASP 2021: A4: Insecure Design
  • Severity: Low

CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
  • Languages: ASP Classic/Visual Basic/VBScript, C#, Go, Groovy, Java, JavaScript, Kotlin, Kotlin Mobile, PHP, Python, TypeScript, VB.Net
  • Compliance Standards: CAPEC: CAPEC 194: Fake the Source of Data; HITRUST: 10.b: Input Data Validation (Level 1 Implementation); NIST: SI 10: Information Input Validation; OWASP 2021: A1: Broken Access Control
  • Severity: Low

CWE-611: Improper Restriction of XML External Entity Reference
  • Languages: C#, Groovy, Java, JavaScript, TypeScript, Kotlin, Kotlin Mobile, PHP, Python, R, VB.Net
  • Compliance Standards: CAPEC: CAPEC 201: Serialized Data External Linking; HIPAA: 164.312 (a)(1): Standard: Access control; HITRUST: 10.b: Input Data Validation (Level 1 Implementation); OWASP: A4: XML External Entities (XXE); OWASP 2021: A5: Security Misconfiguration; PCI DSS: PCI DSS 6.5.1: Injection Flaws; SANS TOP25: CWE 611: Improper Restriction of XML External Entity Reference
  • Severity: Medium

CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
  • Languages: C#, TypeScript
  • Compliance Standards: CAPEC: CAPEC 102: Session Sidejacking; OWASP: A6: Security Misconfiguration; OWASP 2021: A5: Security Misconfiguration; PCI DSS: PCI DSS 6.5.10: Broken Authentication and Session Management
  • Severity: Low

CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')
  • Languages: ASP Classic/Visual Basic/VBScript, C#, Go, Groovy, Java, TypeScript, Kotlin, Kotlin Mobile, PHP, Python, VB.Net
  • Compliance Standards: CAPEC: CAPEC 83: XPath Injection; HIPAA: 164.312 (a)(1): Standard: Access control; HITRUST: 10.b: Input Data Validation (Level 1 Implementation); NIST: SI 10: Information Input Validation; OWASP: A1: Injection; OWASP 2021: A3: Injection; PCI DSS: PCI DSS 6.5.1: Injection Flaws
  • Severity: High

CWE-676: Use of Potentially Dangerous Function
  • Languages: ASP Classic/Visual Basic/VBScript, Android Java, C#, C/C++ (Beta), Go, Groovy, iOS Objective-C, Java, JavaScript, Kotlin, Kotlin Mobile, PHP, Python, R, Ruby, Swift, TypeScript, VB.Net, Xamarin (C#)
  • Compliance Standards: Not standard-relevant
  • Severity: Medium

CWE-732: Incorrect Permission Assignment for Critical Resource
  • Languages: Go, Python
  • Compliance Standards: SANS TOP25: CWE 732: Incorrect Permission Assignment for Critical Resource
  • Severity: High

CWE-749: Exposed Dangerous Method or Function
  • Languages: Android Java, Kotlin Mobile, Swift, Xamarin (C#), iOS Objective-C
  • Compliance Standards: CAPEC: CAPEC 503: WebView Exposure
  • Severity: Medium

CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
  • Languages: TypeScript
  • Compliance Standards: CAPEC: CAPEC 197: Exponential Data Expansion; HIPAA: 164.312 (a)(1): Standard: Access control; HITRUST: 10.b: Input Data Validation (Level 1 Implementation); OWASP: A4: XML External Entities (XXE); OWASP 2021: A5: Security Misconfiguration; PCI DSS: PCI DSS 6.5.1: Injection Flaws
  • Severity: Low

CWE-780: Use of RSA Algorithm without OAEP
  • Languages: Java
  • Compliance Standards: CAPEC: CAPEC 97: Cryptanalysis; HIPAA: 164.312 (a)(2)(iv): Access Control: Encryption and Decryption; NIST: SC 13: Cryptographic Protection; OWASP: A3: Sensitive Data Exposure; OWASP 2021: A2: Cryptographic Failures; PCI DSS: PCI DSS 6.5.3: Insecure Cryptographic Storage
  • Severity: Medium

CWE-787: Out-of-bounds Write
  • Languages: C/C++ (Beta)
  • Compliance Standards: CAPEC: CAPEC 123: Buffer Manipulation; SANS TOP25: CWE 787: Out of bounds Write
  • Severity: High

CWE-789: Uncontrolled Memory Allocation
  • Languages: C/C++ (Beta)
  • Compliance Standards: Not standard-relevant
  • Severity: Low

CWE-798: Use of Hard-coded Credentials
  • Languages: Android Java, Apex, C#, Go, Groovy, Java, JavaScript, Kotlin, Kotlin Mobile, PHP, Python, R, Ruby, TypeScript, VB.Net, Xamarin (C#)
  • Compliance Standards: HIPAA: 164.312 (a)(2)(iv): Access Control: Encryption and Decryption; NIST: SC 28: Protection of Information at Rest; OWASP: A3: Sensitive Data Exposure; OWASP 2021: A7: Identification and Authentication Failures; PCI DSS: PCI DSS 6.5.3: Insecure Cryptographic Storage; SANS TOP25: CWE 798: Use of Hard-coded Credentials
  • Severity: Medium

CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes
  • Languages: Ruby
  • Compliance Standards: OWASP 2021: A8: Software and Data Integrity Failures
  • Severity: High

CWE-916: Use of Password Hash With Insufficient Computational Effort
  • Languages: C#, Go, Groovy, Java, Kotlin, Kotlin Mobile, Python, Ruby, VB.Net, Xamarin (C#)
  • Compliance Standards: CAPEC: CAPEC 97: Cryptanalysis; HIPAA: 164.312 (a)(2)(iv): Access Control: Encryption and Decryption; NIST: SC 13: Cryptographic Protection; OWASP: A3: Sensitive Data Exposure; OWASP 2021: A2: Cryptographic Failures; PCI DSS: PCI DSS 6.5.3: Insecure Cryptographic Storage
  • Severity: Low

CWE-917: Improper Neutralization of Special Elements Used in an Expression Language Statement ('Expression Language Injection')
  • Languages: Java
  • Compliance Standards: HIPAA: 164.312 (a)(1): Standard: Access control; HITRUST: 10.b: Input Data Validation (Level 1 Implementation); NIST: SI 10: Information Input Validation; OWASP: A1: Injection; OWASP 2021: A3: Injection; PCI DSS: PCI DSS 6.5.1: Injection Flaws
  • Severity: High

CWE-918: Server-Side Request Forgery (SSRF)
  • Languages: ASP Classic/Visual Basic/VBScript, Apex, C#, Go, Groovy, Java, JavaScript, TypeScript, Kotlin, Kotlin Mobile, PHP, Python, VB.Net
  • Compliance Standards: HIPAA: 164.312 (a)(1): Standard: Access control; HITRUST: 10.b: Input Data Validation (Level 1 Implementation); NIST: SI 10: Information Input Validation; OWASP: A3: Sensitive Data Exposure; OWASP 2021: A10: Server Side Request Forgery (SSRF); PCI DSS: PCI DSS 6.5.8: Improper Access Control; SANS TOP25: CWE 918: Server Side Request Forgery (SSRF)
  • Severity: High

CWE-926: Improper Export of Android Application Components
  • Languages: Android Java, Kotlin Mobile, Xamarin (C#)
  • Compliance Standards: Not standard-relevant
  • Severity: Medium

CWE-941: Incorrectly Specified Destination in a Communication Channel
  • Languages: ASP Classic/Visual Basic/VBScript, C#, Groovy, Java, Kotlin, Kotlin Mobile, PHP, Python, VB.Net
  • Compliance Standards: CAPEC: CAPEC 134: Email Injection
  • Severity: Low

CWE-943: Improper Neutralization of Special Elements in Data Query Logic
  • Languages: JavaScript, Python, TypeScript
  • Compliance Standards: HIPAA: 164.312 (a)(1): Standard: Access control; HITRUST: 10.b: Input Data Validation (Level 1 Implementation); NIST: SI 10: Information Input Validation; OWASP: A1: Injection
  • Severity: High

CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag
  • Languages: C#, Groovy, Java, TypeScript, Kotlin, Kotlin Mobile, PHP, Ruby, VB.Net
  • Compliance Standards: OWASP 2021: A5: Security Misconfiguration
  • Severity: Low

CWE-1104: Use of Unmaintained Third Party Components
  • Languages: Xamarin (C#)
  • Compliance Standards: Not standard-relevant
  • Severity: Low

CWE-1204: Generation of Weak Initialization Vector (IV)
  • Languages: Java
  • Compliance Standards: CAPEC: CAPEC 97: Cryptanalysis; HIPAA: 164.312 (a)(2)(iv): Access Control: Encryption and Decryption; NIST: SC 13: Cryptographic Protection; OWASP: A3: Sensitive Data Exposure; OWASP 2021: A2: Cryptographic Failures; PCI DSS: PCI DSS 6.5.3: Insecure Cryptographic Storage
  • Severity: Low

CWE-1327: Binding to an Unrestricted IP Address
  • Languages: Go
  • Compliance Standards: Not standard-relevant
  • Severity: Medium

CWE-1333: Inefficient Regular Expression Complexity
  • Languages: C#, TypeScript, Python
  • Compliance Standards: CAPEC: CAPEC 492: Regular Expression Exponential Blowup; HITRUST: 10.b: Input Data Validation (Level 1 Implementation); NIST: SC 5: Denial of Service Protection; SANS TOP25: CWE 1333: Inefficient Regular Expression Complexity
  • Severity: Low

CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine
  • Languages: C#, Python
  • Compliance Standards: CAPEC: CAPEC 242: Code Injection; HIPAA: 164.312 (a)(1): Standard: Access control; HITRUST: 10.b: Input Data Validation (Level 1 Implementation); NIST: SI 10: Information Input Validation; OWASP: A1: Injection; OWASP 2021: A3: Injection; PCI DSS: PCI DSS 6.5.1: Injection Flaws
  • Severity: Medium
