
SAST CWE List

Overview

This table organizes Common Weakness Enumerations (CWEs) relevant to SAST, sorted by CWE-ID. Each row outlines a specific security vulnerability, categorized into the following columns:

  1. CWE-ID: The unique identifier of each CWE.

  2. CWE Name: Describes the nature of the weakness.

  3. Languages: Lists the programming languages for which the check is supported.

  4. Compliance Standards: Maps the weakness to the compliance standards it falls under, such as the OWASP Top 10 or CAPEC.

  5. Severity: Indicates the severity of the weakness as Low, Medium, or High.

SAST CWE List

Columns: CWE-ID | CWE Name | Languages | Compliance Standards | Severity

CWE-15

CWE-15: External Control of System or Configuration Setting

  • Java gen2

  • OWASP 2021: A3: Injection

  • SANS TOP25: CWE 15: External Control of System or Configuration Setting

Low

CWE-16

CWE-16: Configuration

  • Android Java

  • Kotlin Mobile

  • Xamarin (C#)

  • OWASP 2021: A5: Security Misconfiguration

Low

CWE-20

CWE-20: Improper Input Validation

  • ASP Classic/Visual Basic/VBScript

  • C#

  • C# gen2

  • Groovy

  • Java

  • Java gen2

  • Kotlin

  • Kotlin Mobile

  • PHP

  • Python

  • Python gen2

  • VB.Net

  • Xamarin (C#)

  • CAPEC: CAPEC 134: Email Injection

  • NIST: SI 10: Information Input Validation

  • OWASP 2021: A3: Injection

  • SANS TOP25: CWE 20: Improper Input Validation

Low

CWE-20

CWE-20: Improper Input Validation

  • Groovy

  • Java

  • Kotlin

  • Kotlin Mobile

  • OWASP 2021: A3: Injection

  • SANS TOP25: CWE 20: Improper Input Validation

Low

CWE-20

CWE-20: Mail Relay

  • Python

  • Python gen2

  • CAPEC: CAPEC 134: Email Injection

  • HITRUST: 10.b: Input Data Validation (Level 1 Implementation)

  • NIST: SI 10: Information Input Validation

  • OWASP 2021: A3: Injection

  • SANS TOP25: CWE 20: Improper Input Validation

Low

CWE-20

CWE-20: Memcache Injection Vulnerability

  • Python

  • Python gen2

  • CAPEC: CAPEC 134: Email Injection

  • HITRUST: 10.b: Input Data Validation (Level 1 Implementation)

  • NIST: SI 10: Information Input Validation

  • OWASP 2021: A3: Injection

  • SANS TOP25: CWE 20: Improper Input Validation

Low

CWE-20

CWE-20: Improper Input Validation

  • JavaScript / TypeScript gen2

  • HITRUST: 10.b: Input Data Validation (Level 1 Implementation)

  • NIST: SI 10: Information Input Validation

  • OWASP 2021: A3: Injection

  • SANS TOP25: CWE 20: Improper Input Validation

Low

CWE-20

CWE-20: Improper Input Validation

  • C#

  • Groovy

  • Java

  • Kotlin

  • Kotlin Mobile

  • VB.Net

  • NIST: SC 23: Session Authenticity

  • OWASP: A2: Broken Authentication

  • OWASP 2021: A3: Injection

  • PCIDSS: PCI DSS 6.5.10: Broken Authentication and Session Management

  • SANS TOP25: CWE 20: Improper Input Validation

Low

CWE-20

CWE-20: Improper Input Validation

  • C#

  • Go

  • Groovy

  • Java

  • JavaScript / Node.js

  • JavaScript / TypeScript gen2

  • Kotlin

  • Kotlin Mobile

  • PHP

  • TypeScript

  • VB.Net

  • NIST: SI 10: Information Input Validation

  • OWASP 2021: A3: Injection

  • SANS TOP25: CWE 20: Improper Input Validation

Low

CWE-22

CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

  • ABAP

  • ASP Classic/Visual Basic/VBScript

  • C#

  • C# gen2

  • C/C++ (Beta)

  • ColdFusion

  • Go

  • Groovy

  • Java

  • Java gen2

  • JavaScript / Node.js

  • JavaScript / TypeScript gen2

  • Kotlin

  • Kotlin Mobile

  • PHP

  • PLSQL

  • Python

  • Python gen2

  • R

  • Ruby

  • TypeScript

  • VB.Net

  • Xamarin (C#)

  • CAPEC: CAPEC 126: Path Traversal

  • HIPAA: 164.312 (a)(1): Standard: Access control

  • HITRUST: 10.b: Input Data Validation (Level 1 Implementation)

  • NIST: SI 10: Information Input Validation

  • OWASP: A5: Broken Access Control

  • OWASP 2021: A1: Broken Access Control

  • PCIDSS: PCI DSS 6.5.8: Improper Access Control

  • SANS TOP25: CWE 22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)

High

CWE-59

CWE-59: Improper Link Resolution Before File Access ('Link Following')

  • Ruby

  • OWASP 2021: A1: Broken Access Control

High

CWE-73

CWE-73: External Control of File Name or Path

  • ASP Classic/Visual Basic/VBScript

  • C#

  • Go

  • Groovy

  • Java

  • Kotlin

  • Kotlin Mobile

  • PHP

  • PLSQL

  • Python

  • R

  • Ruby

  • Swift

  • VB.Net

  • Xamarin (C#)

  • iOS Objective-C

  • CAPEC: CAPEC 165: File Manipulation

  • HIPAA: 164.312 (a)(1): Standard: Access control

  • HITRUST: 10.b: Input Data Validation (Level 1 Implementation)

  • NIST: SI 10: Information Input Validation

  • OWASP 2021: A4: Insecure Design

High

CWE-74

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • Java gen2

  • HIPAA: 164.312 (a)(1): Standard: Access control

  • HITRUST: 10.b: Input Data Validation (Level 1 Implementation)

  • NIST: SI 10: Information Input Validation

  • OWASP: A1: Injection

  • OWASP 2021: A3: Injection

  • PCI DSS: PCI DSS 6.5.1: Injection Flaws

High

CWE-74

CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • Java gen2

  • HIPAA: 164.312 (a)(1): Standard: Access control

  • HITRUST: 10.b: Input Data Validation (Level 1 Implementation)

  • NIST: SI 10: Information Input Validation

  • OWASP: A1: Injection

  • OWASP 2021: A3: Injection

  • PCI DSS: PCI DSS 6.5.1: Injection Flaws

High

CWE-78

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

  • PHP

  • NIST: SI 10: Information Input Validation

  • OWASP: A1: Injection

  • OWASP 2021: A3: Injection

  • PCI DSS: PCI DSS 6.5.1: Injection Flaws

  • SANS TOP25: CWE 78: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)

High

CWE-78

CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

  • ABAP

  • ASP Classic/Visual Basic/VBScript

  • C#

  • C# gen2

  • C/C++ (Beta)

  • Cobol

  • ColdFusion

  • Go

  • Groovy

  • Java

  • Java gen2

  • JavaScript / Node.js

  • JavaScript / TypeScript gen2

  • Kotlin

  • Kotlin Mobile

  • PHP

  • Python

  • Python gen2

  • R

  • Ruby

  • TypeScript

  • VB.Net

  • Xamarin (C#)

  • CAPEC: CAPEC 88: OS Command Injection

  • HIPAA: 164.312 (a)(1): Standard: Access control

  • HITRUST: 10.b: Input Data Validation (Level 1 Implementation)

  • NIST: SI 10: Information Input Validation

  • OWASP: A1: Injection

  • OWASP 2021: A3: Injection

  • PCIDSS: PCI DSS 6.5.1: Injection Flaws

  • SANS TOP25: CWE 78: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)

High

CWE-79

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

  • JavaScript / Node.js

  • JavaScript / TypeScript gen2

  • TypeScript

  • CAPEC: CAPEC 63: Cross Site Scripting (XSS)

  • HITRUST: 10.b: Input Data Validation (Level 1 Implementation)

  • NIST: SI 10: Information Input Validation

  • OWASP: A7: Cross Site Scripting (XSS)

  • OWASP 2021: A3: Injection

  • PCI DSS: PCI DSS 6.5.7: Cross Site Scripting (XSS)

  • SANS TOP25: CWE 79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)

High

CWE-79

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

  • Ruby

  • OWASP 2021: A3: Injection

  • SANS TOP25: CWE 79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)

High

CWE-79

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

  • ABAP

  • ASP Classic/Visual Basic/VBScript

  • C#

  • C# gen2

  • ColdFusion

  • Go

  • Groovy

  • Java

  • Java gen2

  • JavaScript / Node.js

  • JavaScript / TypeScript gen2

  • Kotlin

  • Kotlin Mobile

  • PHP

  • PLSQL

  • Python

  • Python gen2

  • Ruby

  • TypeScript

  • VB.Net

  • CAPEC: CAPEC 63: Cross Site Scripting (XSS)

  • HITRUST: 10.b: Input Data Validation (Level 1 Implementation)

  • NIST: SI 10: Information Input Validation

  • OWASP: A7: Cross Site Scripting (XSS)

  • OWASP 2021: A3: Injection

  • PCI DSS: PCI DSS 6.5.7: Cross Site Scripting (XSS)

  • SANS TOP25: CWE 79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)

High

CWE-89

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

  • ABAP

  • ASP Classic/Visual Basic/VBScript

  • Apex

  • C#

  • C# gen2

  • C/C++ (Beta)

  • Cobol

  • ColdFusion

  • Go

  • Groovy

  • Java

  • Java gen2

  • JavaScript / Node.js

  • JavaScript / TypeScript gen2

  • Kotlin

  • Kotlin Mobile

  • PHP

  • PLSQL

  • Python

  • Python gen2

  • R

  • Ruby

  • TypeScript

  • VB.Net

  • Xamarin (C#)

  • CAPEC: CAPEC 66: SQL Injection

  • HIPAA: 164.312 (a)(1): Standard: Access control

  • HITRUST: 10.b: Input Data Validation (Level 1 Implementation)

  • NIST: SI 10: Information Input Validation

  • OWASP: A1: Injection

  • OWASP 2021: A3: Injection

  • PCIDSS: PCI DSS 6.5.1: Injection Flaws

  • SANS TOP25: CWE 89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)

High

CWE-89

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

  • Android Java

  • Kotlin Mobile

  • NIST: SI 10: Information Input Validation

  • OWASP: A1: Injection

  • OWASP 2021: A3: Injection

  • PCI DSS: PCI DSS 6.5.1: Injection Flaws

  • SANS TOP25: CWE 89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)

High

CWE-89

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

  • Swift

  • iOS Objective-C

  • NIST: SI 10: Information Input Validation

  • OWASP: A1: Injection

  • OWASP 2021: A3: Injection

  • PCI DSS: PCI DSS 6.5.1: Injection Flaws

Low

CWE-90

CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')

  • C#

  • C# gen2

  • C/C++ (Beta)

  • Go

  • Groovy

  • Java

  • Java gen2

  • JavaScript / Node.js

  • JavaScript / TypeScript gen2

  • Kotlin

  • Kotlin Mobile

  • PHP

  • Python

  • Python gen2

  • Ruby

  • VB.Net

  • Xamarin (C#)

  • CAPEC: CAPEC 136: LDAP Injection

  • HIPAA: 164.312 (a)(1): Standard: Access control

  • HITRUST: 10.b: Input Data Validation (Level 1 Implementation)

  • NIST: SI 10: Information Input Validation

  • OWASP: A1: Injection

  • OWASP 2021: A3: Injection

  • PCIDSS: PCI DSS 6.5.1: Injection Flaws

Medium

CWE-94

CWE-94: Improper Control of Generation of Code ('Code Injection')

  • ASP Classic/Visual Basic/VBScript

  • C#

  • Groovy

  • Java

  • Kotlin

  • Kotlin Mobile

  • VB.Net

  • HIPAA: 164.312 (a)(1): Standard: Access control

  • NIST: SI 10: Information Input Validation

  • OWASP: A1: Injection

  • OWASP 2021: A3: Injection

  • PCIDSS: PCI DSS 6.5.1: Injection Flaws

  • SANS TOP25: CWE 94: Improper Control of Generation of Code (Code Injection)

High

CWE-94

CWE-94: Improper Control of Generation of Code ('Code Injection')

  • ABAP

  • ASP Classic/Visual Basic/VBScript

  • C#

  • C# gen2

  • Groovy

  • Java

  • Java gen2

  • JavaScript / Node.js

  • JavaScript / TypeScript gen2

  • Kotlin

  • Kotlin Mobile

  • PHP

  • Python

  • Python gen2

  • R

  • Ruby

  • TypeScript

  • VB.Net

  • Xamarin (C#)

  • CAPEC: CAPEC 242: Code Injection

  • HITRUST: 10.b: Input Data Validation (Level 1 Implementation)

  • NIST: SI 10: Information Input Validation

  • OWASP: A1: Injection

  • OWASP 2021: A3: Injection

  • PCIDSS: PCI DSS 6.5.1: Injection Flaws

  • SANS TOP25: CWE 94: Improper Control of Generation of Code (Code Injection)

High

CWE-94

CWE-94: Improper Control of Generation of Code ('Code Injection')

  • Android Java

  • Kotlin Mobile

  • CAPEC: CAPEC 242: Code Injection

  • NIST: SI 10: Information Input Validation

  • OWASP: A1: Injection

  • OWASP 2021: A3: Injection

  • PCI DSS: PCI DSS 6.5.1: Injection Flaws

  • SANS TOP25: CWE 94: Improper Control of Generation of Code (Code Injection)

High

CWE-98

CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

  • PHP

  • CAPEC: CAPEC 252: PHP Local File Inclusion

  • HIPAA: 164.312 (a)(1): Standard: Access control

  • HITRUST: 10.b: Input Data Validation (Level 1 Implementation)

  • NIST: SI 10: Information Input Validation

  • OWASP: A1: Injection

  • OWASP 2021: A3: Injection

  • PCI DSS: PCI DSS 6.5.1: Injection Flaws

High

CWE-113

CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

  • ASP Classic/Visual Basic/VBScript

  • C#

  • Groovy

  • Java

  • JavaScript / Node.js

  • Kotlin

  • Kotlin Mobile

  • PHP

  • Ruby

  • TypeScript

  • VB.Net

  • CAPEC: CAPEC 34: HTTP Response Splitting

  • HITRUST: 10.b: Input Data Validation (Level 1 Implementation)

  • NIST: SI 10: Information Input Validation

  • OWASP 2021: A3: Injection

Low

CWE-113

CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting')

  • ASP Classic/Visual Basic/VBScript

  • C#

  • Go

  • Groovy

  • Java

  • Java gen2

  • JavaScript / Node.js

  • Kotlin

  • Kotlin Mobile

  • PHP

  • Python

  • TypeScript

  • VB.Net

  • HITRUST: 10.b: Input Data Validation (Level 1 Implementation)

  • NIST: SI 10: Information Input Validation

  • OWASP 2021: A3: Injection

Low

CWE-114

CWE-114: Process Control

  • C/C++ (Beta)

  • CAPEC: CAPEC 159: Redirect Access to Libraries

Low

CWE-117

CWE-117: Improper Output Neutralization for Logs

  • ASP Classic/Visual Basic/VBScript

  • C#

  • C# gen2

  • Go

  • Groovy

  • Java

  • Java gen2

  • JavaScript / Node.js

  • JavaScript / TypeScript gen2

  • Kotlin

  • Kotlin Mobile

  • Python gen2

  • TypeScript

  • VB.Net

  • Xamarin (C#)

  • CAPEC: CAPEC 93: Log Injection Tampering Forging

  • NIST: SI 10: Information Input Validation

  • OWASP 2021: A9: Security Logging and Monitoring Failures

Low

CWE-121

CWE-121: Stack-based Buffer Overflow

  • C/C++ (Beta)

  • Cobol

  • CAPEC: CAPEC 100: Overflow Buffers

  • PCI DSS: PCI DSS 6.5.2: Buffer Overflows

High

CWE-125

CWE-125: Out-of-bounds Read

  • C/C++ (Beta)

  • CAPEC: CAPEC 540: Overread Buffers

  • SANS TOP25: CWE 125: Out of bounds Read

Medium

CWE-134

CWE-134: Use of Externally-Controlled Format String

  • C/C++ (Beta)

  • CAPEC: CAPEC 135: Format String Injection

High

CWE-134

CWE-134: Use of Externally-Controlled Format String

  • Java gen2

  • JavaScript / TypeScript gen2

  • CAPEC: CAPEC 135: Format String Injection

High

CWE-190

CWE-190: Integer Overflow or Wraparound

  • C/C++ (Beta)

  • CAPEC: CAPEC 92: Forced Integer Overflow

  • SANS TOP25: CWE 190: Integer Overflow or Wraparound

High

CWE-191

CWE-191: Integer Underflow (Wrap or Wraparound)

  • C/C++ (Beta)

Medium

CWE-200

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

  • Android Java

  • JavaScript / TypeScript gen2

  • Kotlin Mobile

  • Swift

  • iOS Objective-C

  • OWASP 2021: A1: Broken Access Control

Medium

CWE-200

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

  • Android Java

  • Kotlin Mobile

  • Swift

  • Xamarin (C#)

  • iOS Objective-C

  • OWASP 2021: A1: Broken Access Control

Medium

CWE-200

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor

  • Android Java

  • Kotlin Mobile

  • CAPEC: CAPEC 124: Shared Resource Manipulation

  • OWASP 2021: A1: Broken Access Control

Medium

CWE-209

CWE-209: Information Exposure Through an Error Message

  • Android Java

  • Groovy

  • Java

  • Kotlin

  • Kotlin Mobile

  • PHP

  • Swift

  • iOS Objective-C

  • CAPEC: CAPEC 215: Fuzzing and observing application log data/errors for application mapping

  • OWASP 2021: A4: Insecure Design

Medium

CWE-209

CWE-209: Information Exposure Through an Error Message

  • C#

  • Groovy

  • Java

  • Kotlin

  • Kotlin Mobile

  • VB.Net

  • Xamarin (C#)

  • NIST: SI 11: Error Handling

  • OWASP: A3: Sensitive Data Exposure

  • OWASP 2021: A4: Insecure Design

  • PCIDSS: PCI DSS 6.5.5: Improper Error Handling

Medium

CWE-209

CWE-209: Information Exposure Through an Error Message

  • Apex

  • C#

  • C# gen2

  • Groovy

  • Java

  • Java gen2

  • JavaScript / TypeScript gen2

  • Kotlin

  • Kotlin Mobile

  • PHP

  • Python gen2

  • VB.Net

  • Xamarin (C#)

  • CAPEC: CAPEC 215: Fuzzing and observing application log data/errors for application mapping

  • NIST: SI 11: Error Handling

  • OWASP: A3: Sensitive Data Exposure

  • OWASP 2021: A4: Insecure Design

  • PCI DSS: PCI DSS 6.5.5: Improper Error Handling

Medium

CWE-242

CWE-242: Use of Inherently Dangerous Function

  • C/C++ (Beta)

  • JavaScript / Node.js

  • JavaScript / TypeScript gen2

  • Swift

  • TypeScript

  • iOS Objective-C

Low

CWE-244

CWE-244: Improper Clearing of Heap Memory Before Release ('Heap Inspection')

  • Android Java

  • Apex

  • C#

  • C/C++ (Beta)

  • Go

  • Groovy

  • Java

  • Kotlin

  • Kotlin Mobile

  • Python

  • Ruby

  • VB.Net

  • Xamarin (C#)

Medium

CWE-250

CWE-250: Execution with Unnecessary Privileges

  • Xamarin (C#)

Medium

CWE-295

CWE-295: Improper Certificate Validation

  • Android Java

  • Kotlin Mobile

  • Xamarin (C#)

  • CAPEC: CAPEC 94: Man in the Middle Attack

  • HIPAA: 164.312 (e)(2)(ii): Transmission Security: Encryption

  • OWASP 2021: A7: Identification and Authentication Failures

  • SANS TOP25: CWE 295: Improper Certificate Validation

Medium

CWE-295

CWE-295: Improper Certificate Validation

  • Go

  • JavaScript / TypeScript gen2

  • Python gen2

  • CAPEC: CAPEC 94: Man in the Middle Attack

  • HIPAA: 164.312 (e)(2)(ii): Transmission Security: Encryption

  • OWASP 2021: A7: Identification and Authentication Failures

  • SANS TOP25: CWE 295: Improper Certificate Validation

Medium

CWE-297

CWE-297: Improper Validation of Certificate with Host Mismatch

  • Java gen2

  • CAPEC: CAPEC 475: Signature Spoofing by Improper Validation

  • OWASP: A3: Sensitive Data Exposure

  • OWASP 2021: A7: Identification and Authentication Failures

Low

CWE-312

CWE-312: Cleartext Storage of Sensitive Information

  • Xamarin (C#)

  • OWASP 2021: A4: Insecure Design

High

CWE-312

CWE-312: Cleartext Storage of Sensitive Information

  • Java gen2

  • JavaScript / TypeScript gen2

  • CAPEC: CAPEC 37: Retrieve Embedded Sensitive Data

  • HIPAA: 164.312 (a)(2)(iv): Access Control: Encryption and Decryption

  • NIST: SC 28: Protection of Information at Rest

  • OWASP: A3: Sensitive Data Exposure

  • OWASP 2021: A4: Insecure Design

  • PCI DSS: PCI DSS 6.5.3: Insecure Cryptographic Storage

High

CWE-319

CWE-319: Cleartext Transmission of Sensitive Information

  • Android Java

  • C# gen2

  • Java

  • Java gen2

  • JavaScript / TypeScript gen2

  • Swift

  • Xamarin (C#)

  • iOS Objective-C

  • CAPEC: CAPEC 337: Insufficient Transport Layer Protection

  • HIPAA: 164.312 (e)(2)(ii): Transmission Security: Encryption

  • OWASP: A6: Security Misconfiguration

  • OWASP 2021: A2: Cryptographic Failures

Medium

CWE-321

CWE-321: Use of Hard-coded Cryptographic Key

  • Ruby

  • NIST: SC 28: Protection of Information at Rest

  • OWASP: A3: Sensitive Data Exposure

  • OWASP 2021: A2: Cryptographic Failures

  • PCI DSS: PCI DSS 6.5.3: Insecure Cryptographic Storage

Medium

CWE-322

CWE-322: Key Exchange without Entity Authentication

  • Go

  • CAPEC: CAPEC 94: Man in the Middle Attack

  • HIPAA: 164.312 (e)(2)(ii): Transmission Security: Encryption

  • OWASP 2021: A2: Cryptographic Failures

Medium

CWE-325

CWE-325: Missing Cryptographic Step

  • Java gen2

  • CAPEC: CAPEC 97: Cryptanalysis

  • HIPAA: 164.312 (a)(2)(iv): Access Control: Encryption and Decryption

  • NIST: SC 13: Cryptographic Protection

  • OWASP: A3: Sensitive Data Exposure

  • OWASP 2021: A2: Cryptographic Failures

  • PCI DSS: PCI DSS 6.5.3: Insecure Cryptographic Storage

Low

CWE-326

CWE-326: Inadequate Encryption Strength

  • Android Java

  • C#

  • C# gen2

  • Go

  • Groovy

  • Java

  • Java gen2

  • Kotlin

  • Kotlin Mobile

  • PHP

  • Swift

  • VB.Net

  • Xamarin (C#)

  • iOS Objective-C

  • CAPEC: CAPEC 97: Cryptanalysis

  • HIPAA: 164.312 (a)(2)(iv): Access Control: Encryption and Decryption

  • NIST: SC 13: Cryptographic Protection

  • OWASP: A3: Sensitive Data Exposure

  • OWASP 2021: A2: Cryptographic Failures

  • PCI DSS: PCI DSS 6.5.3: Insecure Cryptographic Storage

Low

CWE-327

CWE-327: Use of a Broken or Risky Cryptographic Algorithm

  • Java gen2

  • JavaScript / TypeScript gen2

  • Python gen2

  • CAPEC: CAPEC 97: Cryptanalysis

  • HIPAA: 164.312 (a)(2)(iv): Access Control: Encryption and Decryption

  • NIST: SC 13: Cryptographic Protection

  • OWASP: A3: Sensitive Data Exposure

  • OWASP 2021: A2: Cryptographic Failures

  • PCIDSS: PCI DSS 6.5.3: Insecure Cryptographic Storage

Medium

CWE-328

CWE-328: Use of Weak Hash

  • Java gen2

  • JavaScript / TypeScript gen2

  • Python gen2

  • CAPEC: CAPEC 97: Cryptanalysis

  • HIPAA: 164.312 (a)(2)(iv): Access Control: Encryption and Decryption

  • NIST: SC 13: Cryptographic Protection

  • OWASP: A3: Sensitive Data Exposure

  • OWASP 2021: A2: Cryptographic Failures

  • PCIDSS: PCI DSS 6.5.3: Insecure Cryptographic Storage

Low

CWE-335

CWE-335: Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)

  • Java gen2

  • CAPEC: CAPEC 97: Cryptanalysis

  • HIPAA: 164.312 (a)(2)(iv): Access Control: Encryption and Decryption

  • NIST: SC 13: Cryptographic Protection

  • OWASP: A3: Sensitive Data Exposure

  • OWASP 2021: A2: Cryptographic Failures

  • PCIDSS: PCI DSS 6.5.3: Insecure Cryptographic Storage

Medium

CWE-338

CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

  • ASP Classic/Visual Basic/VBScript

  • Android Java

  • C#

  • C# gen2

  • Go

  • Groovy

  • Java

  • Java gen2

  • JavaScript / Node.js

  • JavaScript / TypeScript gen2

  • Kotlin

  • Kotlin Mobile

  • PHP

  • TypeScript

  • VB.Net

  • Xamarin (C#)

  • CAPEC: CAPEC 97: Cryptanalysis

  • HIPAA: 164.312 (a)(2)(iv): Access Control: Encryption and Decryption

  • NIST: SC 13: Cryptographic Protection

  • OWASP: A3: Sensitive Data Exposure

  • OWASP 2021: A2: Cryptographic Failures

  • PCIDSS: PCI DSS 6.5.3: Insecure Cryptographic Storage

Medium

CWE-346

CWE-346: Origin Validation Error

  • JavaScript / TypeScript gen2

  • HIPAA: 164.312 (a)(2)(iv): Access Control: Encryption and Decryption

  • HITRUST: 10.b: Input Data Validation (Level 1 Implementation)

  • NIST: SI 10: Information Input Validation

  • OWASP: A2: Broken Authentication

  • OWASP 2021: A7: Identification and Authentication Failures

High

CWE-347

CWE-347: Improper Verification of Cryptographic Signature

  • Java gen2

  • JavaScript / TypeScript gen2

  • CAPEC: CAPEC 97: Cryptanalysis

  • HIPAA: 164.312 (a)(2)(iv): Access Control: Encryption and Decryption

  • NIST: SC 13: Cryptographic Protection

  • OWASP: A2: Broken Authentication

  • OWASP 2021: A2: Cryptographic Failures

Medium

CWE-367

CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition

  • C/C++ (Beta)

  • CAPEC: CAPEC 29: Leveraging Time of Check and Time of Use (TOCTOU) Race Conditions

Medium

CWE-369

CWE-369: Divide By Zero

  • C/C++ (Beta)

Low

CWE-377

CWE-377: Insecure Temporary File

  • Go

  • Python gen2

  • OWASP 2021: A1: Broken Access Control

Medium

CWE-384

CWE-384: Session Fixation

  • PHP

  • NIST: SC 23: Session Authenticity

  • OWASP: A2: Broken Authentication

  • OWASP 2021: A7: Identification and Authentication Failures

  • PCIDSS: PCI DSS 6.5.10: Broken Authentication and Session Management

High

CWE-400

CWE-400: Uncontrolled Resource Consumption

  • ABAP

  • C#

  • Groovy

  • Java

  • Java gen2

  • JavaScript / Node.js

  • Kotlin

  • Kotlin Mobile

  • PHP

  • TypeScript

  • VB.Net

  • Xamarin (C#)

  • CAPEC: CAPEC 492: Regular Expression Exponential Blowup

  • HITRUST: 10.b: Input Data Validation (Level 1 Implementation)

  • NIST: SC 5: Denial of Service Protection (P1)

  • SANS TOP25: CWE 400: Uncontrolled Resource Consumption

Medium

CWE-400

CWE-400: Uncontrolled Resource Consumption

  • Java gen2

  • NIST: SC 5: Denial of Service Protection

  • SANS TOP25: CWE 400: Uncontrolled Resource Consumption

Medium

CWE-400

CWE-400: Uncontrolled Resource Consumption

  • Java gen2

  • NIST: SC 5: Denial of Service Protection

  • SANS TOP25: CWE 400: Uncontrolled Resource Consumption

Medium

CWE-400

CWE-400: Uncontrolled Resource Consumption

  • C#

  • C# gen2

  • Go

  • Groovy

  • Java

  • Java gen2

  • Kotlin

  • Kotlin Mobile

  • Python gen2

  • VB.Net

  • Xamarin (C#)

  • NIST: SC 5: Denial of Service Protection

Medium

CWE-415

CWE-415: Double Free

  • C/C++ (Beta)

High

CWE-416

CWE-416: Use After Free

  • C/C++ (Beta)

  • SANS TOP25: CWE 416: Use After Free

High

CWE-434

CWE-434: Unrestricted Upload of File with Dangerous Type

  • ASP Classic/Visual Basic/VBScript

  • C#

  • Go

  • Groovy

  • Java

  • JavaScript / TypeScript gen2

  • Kotlin

  • Kotlin Mobile

  • PHP

  • Ruby

  • VB.Net

  • OWASP 2021: A4: Insecure Design

  • SANS TOP25: CWE 434: Unrestricted Upload of File with Dangerous Type

Low

CWE-470

CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

  • Java gen2

  • HITRUST: 10.b: Input Data Validation (Level 1 Implementation)

  • NIST: SI 10: Information Input Validation

  • OWASP 2021: A4: Insecure Design

Medium

CWE-472

CWE-472: External Control of Assumed-Immutable Web Parameter

  • ASP Classic/Visual Basic/VBScript

  • C#

  • Go

  • Groovy

  • Java

  • Java gen2

  • Kotlin

  • Kotlin Mobile

  • PHP

  • Python

  • VB.Net

  • OWASP 2021: A4: Insecure Design

Medium

CWE-489

CWE-489: Active Debug Code

  • Xamarin (C#)

Medium

CWE-497

CWE-497: Exposure of System Data to an Unauthorized Control Sphere

  • Groovy

  • Java

  • Java gen2

  • Kotlin

  • Kotlin Mobile

  • OWASP 2021: A1: Broken Access Control

Low

CWE-501

CWE-501: Trust Boundary Violation

  • Apex

  • C#

  • C# gen2

  • Groovy

  • Java

  • Java gen2

  • Kotlin

  • Kotlin Mobile

  • VB.Net

  • Xamarin (C#)

  • CAPEC: CAPEC 284: Improper Access Control

  • HITRUST: 10.b: Input Data Validation (Level 1 Implementation)

  • NIST: SI 10: Information Input Validation

  • OWASP 2021: A4: Insecure Design

Medium

CWE-502

CWE-502: Deserialization of Untrusted Data

  • C#

  • C# gen2

  • Groovy

  • Java

  • Java gen2

  • JavaScript / TypeScript gen2

  • Kotlin

  • Kotlin Mobile

  • PHP

  • Python

  • Python gen2

  • VB.Net

  • Xamarin (C#)

  • CAPEC: CAPEC 586: Object Injection

  • HIPAA: 164.312 (a)(1): Standard: Access control

  • HITRUST: 10.b: Input Data Validation (Level 1 Implementation)

  • NIST: SI 10: Information Input Validation

  • OWASP: A8: Insecure Deserialization

  • OWASP 2021: A8: Software and Data Integrity Failures

  • SANS TOP25: CWE 502: Deserialization of Untrusted Data

High

CWE-530

CWE-530: Exposure of Backup File to an Unauthorized Control Sphere

  • ASP Classic/Visual Basic/VBScript

  • C#

  • Groovy

  • Java

  • Kotlin

  • Kotlin Mobile

  • PHP

  • Python

  • Ruby

  • VB.Net

Low

CWE-532

CWE-532: Insertion of Sensitive Information into Log File

  • Java gen2

  • CAPEC: CAPEC 215: Fuzzing and observing application log data/errors for application mapping

  • OWASP: A10: Insufficient Logging & Monitoring

  • OWASP 2021: A9: Security Logging and Monitoring Failures

Low

CWE-598

CWE-598: Use of GET Request Method With Sensitive Query Strings

  • JavaScript / TypeScript gen2

  • OWASP 2021: A4: Insecure Design

Low

CWE-601

CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

  • ASP Classic/Visual Basic/VBScript

  • C#

  • C# gen2

  • Go

  • Groovy

  • Java

  • Java gen2

  • JavaScript / Node.js

  • JavaScript / TypeScript gen2

  • Kotlin

  • Kotlin Mobile

  • PHP

  • Python

  • Python gen2

  • TypeScript

  • VB.Net

  • CAPEC: CAPEC 194: Fake the Source of Data

  • HITRUST: 10.b: Input Data Validation (Level 1 Implementation)

  • NIST: SI 10: Information Input Validation

  • OWASP 2021: A1: Broken Access Control

Low

CWE-611

CWE-611: Improper Restriction of XML External Entity Reference

  • C#

  • C# gen2

  • Groovy

  • Java

  • Java gen2

  • JavaScript / Node.js

  • JavaScript / TypeScript gen2

  • Kotlin

  • Kotlin Mobile

  • PHP

  • Python gen2

  • R

  • VB.Net

  • CAPEC: CAPEC 201: Serialized Data External Linking

  • HIPAA: 164.312 (a)(1): Standard: Access control

  • HITRUST: 10.b: Input Data Validation (Level 1 Implementation)

  • OWASP: A4: XML External Entities (XXE)

  • OWASP 2021: A5: Security Misconfiguration

  • PCIDSS: PCI DSS 6.5.1: Injection Flaws

  • SANS TOP25: CWE 611: Improper Restriction of XML External Entity Reference

Medium

CWE-614

CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute

  • C# gen2

  • JavaScript / TypeScript gen2

  • CAPEC: CAPEC 102: Session Sidejacking

  • OWASP: A6: Security Misconfiguration

  • OWASP 2021: A5: Security Misconfiguration

  • PCIDSS: PCI DSS 6.5.10: Broken Authentication and Session Management

Low

CWE-643

CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection')

  • ASP Classic/Visual Basic/VBScript

  • C#

  • C# gen2

  • Go

  • Groovy

  • Java

  • Java gen2

  • JavaScript / TypeScript gen2

  • Kotlin

  • Kotlin Mobile

  • PHP

  • Python

  • Python gen2

  • VB.Net

  • CAPEC: CAPEC 83: XPath Injection

  • HIPAA: 164.312 (a)(1): Standard: Access control

  • HITRUST: 10.b: Input Data Validation (Level 1 Implementation)

  • NIST: SI 10: Information Input Validation

  • OWASP: A1: Injection

  • OWASP 2021: A3: Injection

  • PCI DSS: PCI DSS 6.5.1: Injection Flaws

High

CWE-676

CWE-676: Use of Potentially Dangerous Function

  • Android Java

  • Kotlin Mobile

  • Swift

  • iOS Objective-C

Low

CWE-676

CWE-676: Use of Potentially Dangerous Function

  • ASP Classic/Visual Basic/VBScript

  • Android Java

  • C#

  • C# gen2

  • C/C++ (Beta)

  • Go

  • Groovy

  • Java

  • Java gen2

  • JavaScript / Node.js

  • Kotlin

  • Kotlin Mobile

  • PHP

  • Python

  • Python gen2

  • R

  • Ruby

  • Swift

  • TypeScript

  • VB.Net

  • Xamarin (C#)

  • iOS Objective-C

Medium

CWE-676

CWE-676: Use of Potentially Dangerous Function

  • Kotlin Mobile

Medium

CWE-732

CWE-732: Incorrect Permission Assignment for Critical Resource

  • Go

  • Python gen2

High

CWE-732

CWE-732: Incorrect Permission Assignment for Critical Resource

  • Go

  • SANS TOP25: CWE 732: Incorrect Permission Assignment for Critical Resource

High

CWE-749

CWE-749: Exposed Dangerous Method or Function

  • Android Java

  • Kotlin Mobile

  • Swift

  • Xamarin (C#)

  • iOS Objective-C

  • CAPEC: CAPEC 503: WebView Exposure

Medium

CWE-776

CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

  • JavaScript / TypeScript gen2

  • CAPEC: CAPEC 197: Exponential Data Expansion

  • HIPAA: 164.312 (a)(1): Standard: Access control

  • HITRUST: 10.b: Input Data Validation (Level 1 Implementation)

  • OWASP: A4: XML External Entities (XXE)

  • OWASP 2021: A5: Security Misconfiguration

  • PCI DSS: PCI DSS 6.5.1: Injection Flaws

Low

CWE-780

CWE-780: Use of RSA Algorithm without OAEP

  • Java gen2

  • CAPEC: CAPEC 97: Cryptanalysis

  • HIPAA: 164.312 (a)(2)(iv): Access Control: Encryption and Decryption

  • NIST: SC 13: Cryptographic Protection

  • OWASP: A3: Sensitive Data Exposure

  • OWASP 2021: A2: Cryptographic Failures

  • PCI DSS: PCI DSS 6.5.3: Insecure Cryptographic Storage

Medium

CWE-787

CWE-787: Out-of-bounds Write

  • C/C++ (Beta)

  • CAPEC: CAPEC 123: Buffer Manipulation

  • SANS TOP25: CWE 787: Out of bounds Write

High

CWE-789

CWE-789: Uncontrolled Memory Allocation

  • C/C++ (Beta)

Low

CWE-798

CWE-798: Use of Hard-coded Credentials

  • Android Java

  • Apex

  • C#

  • C# gen2

  • Go

  • Groovy

  • Java

  • Java gen2

  • JavaScript / Node.js

  • JavaScript / TypeScript gen2

  • Kotlin

  • Kotlin Mobile

  • PHP

  • Python

  • Python gen2

  • R

  • Ruby

  • TypeScript

  • VB.Net

  • Xamarin (C#)

  • HIPAA: 164.312 (a)(2)(iv): Access Control: Encryption and Decryption

  • NIST: SC 28: Protection of Information at Rest

  • OWASP: A3: Sensitive Data Exposure

  • OWASP 2021: A7: Identification and Authentication Failures

  • PCI DSS: PCI DSS 6.5.3: Insecure Cryptographic Storage

  • SANS TOP25: CWE 798: Use of Hard-coded Credentials

Medium

CWE-915

CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes

  • Ruby

  • OWASP 2021: A8: Software and Data Integrity Failures

High

CWE-916

CWE-916: Use of Password Hash With Insufficient Computational Effort

  • C#

  • C# gen2

  • Go

  • Groovy

  • Java

  • Kotlin

  • Kotlin Mobile

  • Python

  • Ruby

  • VB.Net

  • Xamarin (C#)

  • CAPEC: CAPEC 97: Cryptanalysis

  • HIPAA: 164.312 (a)(2)(iv): Access Control: Encryption and Decryption

  • NIST: SC 13: Cryptographic Protection

  • OWASP: A3: Sensitive Data Exposure

  • OWASP 2021: A2: Cryptographic Failures

  • PCI DSS: PCI DSS 6.5.3: Insecure Cryptographic Storage

Low

CWE-917

CWE-917: Improper Neutralization of Special Elements Used in an Expression Language Statement ('Expression Language Injection')

  • Java gen2

  • HIPAA: 164.312 (a)(1): Standard: Access control

  • HITRUST: 10.b: Input Data Validation (Level 1 Implementation)

  • NIST: SI 10: Information Input Validation

  • OWASP: A1: Injection

  • OWASP 2021: A3: Injection

  • PCI DSS: PCI DSS 6.5.1: Injection Flaws

High

CWE-918

CWE-918: Server-Side Request Forgery (SSRF)

  • ASP Classic/Visual Basic/VBScript

  • Apex

  • C#

  • C# gen2

  • Go

  • Groovy

  • Java

  • Java gen2

  • JavaScript / Node.js

  • JavaScript / TypeScript gen2

  • Kotlin

  • Kotlin Mobile

  • PHP

  • Python gen2

  • VB.Net

  • HIPAA: 164.312 (a)(1): Standard: Access control

  • HITRUST: 10.b: Input Data Validation (Level 1 Implementation)

  • NIST: SI 10: Information Input Validation

  • OWASP: A3: Sensitive Data Exposure

  • OWASP 2021: A10: Server Side Request Forgery (SSRF)

  • PCI DSS: PCI DSS 6.5.8: Improper Access Control

  • SANS TOP25: CWE 918: Server Side Request Forgery (SSRF)

High

CWE-926

CWE-926: Improper Export of Android Application Components

  • Android Java

  • Kotlin Mobile

  • Xamarin (C#)

Medium

CWE-941

CWE-941: Incorrectly Specified Destination in a Communication Channel

  • ASP Classic/Visual Basic/VBScript

  • C#

  • C# gen2

  • Groovy

  • Java

  • Java gen2

  • Kotlin

  • Kotlin Mobile

  • PHP

  • Python

  • Python gen2

  • VB.Net

  • CAPEC: CAPEC 134: Email Injection

Low

CWE-943

CWE-943: Improper Neutralization of Special Elements in Data Query Logic

  • JavaScript / Node.js

  • JavaScript / TypeScript gen2

  • Python gen2

  • TypeScript

  • HIPAA: 164.312 (a)(1): Standard: Access control

  • HITRUST: 10.b: Input Data Validation (Level 1 Implementation)

  • NIST: SI 10: Information Input Validation

  • OWASP: A1: Injection

High

CWE-1004

CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag

  • C#

  • C# gen2

  • Groovy

  • Java

  • Java gen2

  • JavaScript / TypeScript gen2

  • Kotlin

  • Kotlin Mobile

  • PHP

  • Ruby

  • VB.Net

  • OWASP 2021: A5: Security Misconfiguration

Low

CWE-1104

CWE-1104: Use of Unmaintained Third Party Components

  • Xamarin (C#)

Low

CWE-1204

CWE-1204: Generation of Weak Initialization Vector (IV)

  • Java gen2

  • CAPEC: CAPEC 97: Cryptanalysis

  • HIPAA: 164.312 (a)(2)(iv): Access Control: Encryption and Decryption

  • NIST: SC 13: Cryptographic Protection

  • OWASP: A3: Sensitive Data Exposure

  • OWASP 2021: A2: Cryptographic Failures

  • PCI DSS: PCI DSS 6.5.3: Insecure Cryptographic Storage

Low

CWE-1327

CWE-1327: Binding to an Unrestricted IP Address

  • Go

Medium

CWE-1333

CWE-1333: Inefficient Regular Expression Complexity

  • C# gen2

  • JavaScript / TypeScript gen2

  • Python gen2

  • CAPEC: CAPEC 492: Regular Expression Exponential Blowup

  • HITRUST: 10.b: Input Data Validation (Level 1 Implementation)

  • NIST: SC 5: Denial of Service Protection

  • SANS TOP25: CWE 1333: Inefficient Regular Expression Complexity

Low

CWE-1336

CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine

  • C# gen2

  • Python gen2

  • CAPEC: CAPEC 242: Code Injection

  • HIPAA: 164.312 (a)(1): Standard: Access control

  • HITRUST: 10.b: Input Data Validation (Level 1 Implementation)

  • NIST: SI 10: Information Input Validation

  • OWASP: A1: Injection

  • OWASP 2021: A3: Injection

  • PCI DSS: PCI DSS 6.5.1: Injection Flaws

Medium
