Breadcrumbs

OWASP TOP 10 CWE Coverage

Overview

The Open Web Application Security Project (OWASP Top 10) is a standard awareness document for developers and web application security. It represents a broad consensus on web applications' most critical security risks.

This article organizes Common Weakness Enumerations (CWEs) relevant to OWASP Top 10 (2017, 2021, and 2025).

Each row in the tables below outlines a specific compliance standard, categorized by the following columns:

  1. Compliance Standard: The specific category of the standard to which the CWE is mapped.

  2. CWE-ID: The relevant CWE for this standard, along with a short description.

OWASP TOP 10 2025 CWE List

Compliance Standard

CWE-ID

A1: Broken Access Control

  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

  • CWE-352: Cross-Site Request Forgery (CSRF)

  • CWE-377: Insecure Temporary File

  • CWE-497: Exposure of System Data to an Unauthorized Control Sphere

  • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

  • CWE-732: Incorrect Permission Assignment for Critical Resource

  • CWE-749: Exposed Dangerous Method or Function

  • CWE-918: Server-Side Request Forgery (SSRF)

A2: Security Misconfiguration

  • CWE-15: External Control of System or Configuration Setting

  • CWE-16: Configuration

  • CWE-260: Password in Configuration File

  • CWE-489: Active Debug Code

  • CWE-611: Improper Restriction of XML External Entity Reference

  • CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

  • CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

  • CWE-942: Permissive Cross-domain Security Policy with Untrusted Domains

  • CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag

A3: Software Supply Chain Failures

  • CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag

A4: Cryptographic Failures

  • CWE-319: Cleartext Transmission of Sensitive Information

  • CWE-322: Key Exchange without Entity Authentication

  • CWE-325: Missing Cryptographic Step

  • CWE-326: Inadequate Encryption Strength

  • CWE-327: Use of a Broken or Risky Cryptographic Algorithm

  • CWE-328: Use of Weak Hash

  • CWE-335: Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)

  • CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

  • CWE-347: Improper Verification of Cryptographic Signature

  • CWE-780: Use of RSA Algorithm without OAEP

  • CWE-916: Use of Password Hash With Insufficient Computational Effort

A5: Injection

  • CWE-20: Improper Input Validation

  • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

  • CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

  • CWE-94: Improper Control of Generation of Code ('Code Injection')

  • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

  • CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

  • CWE-114: Process Control

  • CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

  • CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')

  • CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

A6: Insecure Design

  • CWE-73: External Control of File Name or Path

  • CWE-256: Plaintext Storage of a Password

  • CWE-312: Cleartext Storage of Sensitive Information

  • CWE-434: Unrestricted Upload of File with Dangerous Type

  • CWE-472: External Control of Assumed-Immutable Web Parameter

  • CWE-501: Trust Boundary Violation

  • CWE-598: Use of GET Request Method With Sensitive Query Strings

  • CWE-676: Use of Potentially Dangerous Function

A7: Authentication Failures

  • CWE-295: Improper Certificate Validation

  • CWE-297: Improper Validation of Certificate with Host Mismatch

  • CWE-346: Origin Validation Error

  • CWE-384: Session Fixation

  • CWE-798: Use of Hard-coded Credentials

  • CWE-941: Incorrectly Specified Destination in a Communication Channel

A8: Software or Data Integrity Failures

  • CWE-502: Deserialization of Untrusted Data

  • CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes

  • CWE-926: Improper Export of Android Application Components

A9: Logging & Alerting Failures

  • CWE-117: Improper Output Neutralization for Logs

  • CWE-532: Insertion of Sensitive Information into Log File

A10: Mishandling of Exceptional Conditions

  • CWE-209: Information Exposure Through an Error Message

  • CWE-369: Divide By Zero

  • CWE-476: NULL Pointer Dereference

OWASP TOP 10 2017 CWE List

Compliance Standard

CWE-ID

A1: Injection

  • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

  • CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

  • CWE-94: Improper Control of Generation of Code ('Code Injection')

  • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

  • CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')

  • CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

  • CWE-943: Improper Neutralization of Special Elements in Data Query Logic

  • CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine

A2: Broken Authentication

  • CWE-346: Origin Validation Error

  • CWE-347: Improper Verification of Cryptographic Signature

  • CWE-384: Session Fixation

A3: Sensitive Data Exposure

  • CWE-297: Improper Validation of Certificate with Host Mismatch

  • CWE-321: Use of Hard-coded Cryptographic Key

  • CWE-325: Missing Cryptographic Step

  • CWE-326: Inadequate Encryption Strength

  • CWE-327: Use of a Broken or Risky Cryptographic Algorithm

  • CWE-328: Use of Weak Hash

  • CWE-335: Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)

  • CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

  • CWE-780: Use of RSA Algorithm without OAEP

  • CWE-798: Use of Hard-coded Credentials

  • CWE-916: Use of Password Hash With Insufficient Computational Effort

  • CWE-918: Server-Side Request Forgery (SSRF)

  • CWE-1204: Generation of Weak Initialization Vector (IV)

A4: XML External Entities (XXE)

  • CWE-611: Improper Restriction of XML External Entity Reference

  • CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

A5: Broken Access Control

  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

A6: Security Misconfiguration

  • CWE-319: Cleartext Transmission of Sensitive Information

  • CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

A7: Cross-Site Scripting (XSS)

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

A8: Insecure Deserialization

  • CWE-502: Deserialization of Untrusted Data

A10: Insufficient Logging & Monitoring

  • CWE-532: Insertion of Sensitive Information into Log File

OWSAP TOP 10 2021 CWE List

Compliance-Standard

CWE-ID

A1: Broken Access Control

  • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

  • CWE-59: Improper Link Resolution Before File Access ('Link Following')

  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

  • CWE-377: Insecure Temporary File

  • CWE-497: Exposure of System Data to an Unauthorized Control Sphere

  • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

A2: Cryptographic Failures

  • CWE-319: Cleartext Transmission of Sensitive Information

  • CWE-321: Use of Hard-coded Cryptographic Key

  • CWE-322: Key Exchange without Entity Authentication

  • CWE-325: Missing Cryptographic Step

  • CWE-326: Inadequate Encryption Strength

  • CWE-327: Use of a Broken or Risky Cryptographic Algorithm

  • CWE-328: Use of Weak Hash

  • CWE-335: Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)

  • CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

  • CWE-347: Improper Verification of Cryptographic Signature

  • CWE-780: Use of RSA Algorithm without OAEP

  • CWE-916: Use of Password Hash With Insufficient Computational Effort

  • CWE-1204: Generation of Weak Initialization Vector (IV)

A3: Injection

  • CWE-15: External Control of System or Configuration Setting

  • CWE-20: Improper Input Validation

  • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

  • CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

  • CWE-94: Improper Control of Generation of Code ('Code Injection')

  • CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

  • CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

  • CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')

  • CWE-917: Improper Neutralization of Special Elements Used in an Expression Language Statement ('Expression Language Injection')

  • CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine

A4: Insecure Design

  • CWE-73: External Control of File Name or Path

  • CWE-209: Information Exposure Through an Error Message

  • CWE-256: Plaintext Storage of a Password

  • CWE-312: Cleartext Storage of Sensitive Information

  • CWE-434: Unrestricted Upload of File with Dangerous Type

  • CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

  • CWE-472: External Control of Assumed-Immutable Web Parameter

  • CWE-501: Trust Boundary Violation

  • CWE-598: Use of GET Request Method With Sensitive Query Strings

A5: Security Misconfiguration

  • CWE-16: Configuration

  • CWE-611: Improper Restriction of XML External Entity Reference

  • CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

  • CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

  • CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag

A7: Identification and Authentication Failures

  • CWE-295: Improper Certificate Validation

  • CWE-297: Improper Validation of Certificate with Host Mismatch

  • CWE-346: Origin Validation Error

  • CWE-384: Session Fixation

  • CWE-798: Use of Hard-coded Credentials

A8: Software and Data Integrity Failures

  • CWE-502: Deserialization of Untrusted Data

  • CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes

A9: Security Logging and Monitoring Failures

  • CWE-117: Improper Output Neutralization for Logs

  • CWE-532: Insertion of Sensitive Information into Log File

A10: Server-Side Request Forgery (SSRF)

  • CWE-918: Server-Side Request Forgery (SSRF)