Overview
This table lists the Common Weakness Enumerations (CWEs) relevant to SAST, sorted by CWE-ID. Each row describes one weakness using the following columns:
- CWE-ID: The unique identifier of the CWE.
- CWE Name: The name of the CWE, describing the nature of the weakness.
- Languages: The programming languages for which the check is supported.
- Compliance Standards: The compliance standards the weakness maps to, such as OWASP Top 10 or CAPEC.
- Severity: The severity assigned to the weakness: Low, Medium, or High.
SAST CWE List
| CWE-ID | CWE Name | Languages | Compliance Standards | Severity |
|---|---|---|---|---|
| CWE-15 | CWE-15: External Control of System or Configuration Setting | | | Low |
| CWE-16 | CWE-16: Configuration | | | Low |
| CWE-20 | CWE-20: Improper Input Validation | | | Low |
| CWE-20 | CWE-20: Mail Relay | | | Low |
| CWE-20 | CWE-20: Memcache Injection Vulnerability | | | Low |
| CWE-22 | CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | | | High |
| CWE-59 | CWE-59: Improper Link Resolution Before File Access ('Link Following') | | | High |
| CWE-73 | CWE-73: External Control of File Name or Path | | | High |
| CWE-74 | CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') | | | High |
| CWE-78 | CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | | | High |
| CWE-79 | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | | | High |
| CWE-89 | CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | | | High |
| CWE-90 | CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') | | | Medium |
| CWE-94 | CWE-94: Improper Control of Generation of Code ('Code Injection') | | | High |
| CWE-98 | CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') | | | High |
| CWE-113 | CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Response Splitting') | | | Low |
| CWE-114 | CWE-114: Process Control | | | Low |
| CWE-117 | CWE-117: Improper Output Neutralization for Logs | | | Low |
| CWE-121 | CWE-121: Stack-based Buffer Overflow | | | High |
| CWE-125 | CWE-125: Out-of-bounds Read | | | Medium |
| CWE-134 | CWE-134: Use of Externally-Controlled Format String | | | High |
| CWE-190 | CWE-190: Integer Overflow or Wraparound | | | High |
| CWE-191 | CWE-191: Integer Underflow (Wrap or Wraparound) | | | Medium |
| CWE-200 | CWE-200: Exposure of Sensitive Information to an Unauthorized Actor | | | Medium |
| CWE-209 | CWE-209: Information Exposure Through an Error Message | | | Medium |
| CWE-242 | CWE-242: Use of Inherently Dangerous Function | | | Low |
| CWE-244 | CWE-244: Improper Clearing of Heap Memory Before Release ('Heap Inspection') | | | Medium |
| CWE-250 | CWE-250: Execution with Unnecessary Privileges | | | Medium |
| CWE-260 | CWE-260: Password in Configuration File | | | Medium |
| CWE-295 | CWE-295: Improper Certificate Validation | | | Medium |
| CWE-297 | CWE-297: Improper Validation of Certificate with Host Mismatch | | | Low |
| CWE-312 | CWE-312: Cleartext Storage of Sensitive Information | | | High |
| CWE-319 | CWE-319: Cleartext Transmission of Sensitive Information | | | Medium |
| CWE-321 | CWE-321: Use of Hard-coded Cryptographic Key | | | Medium |
| CWE-322 | CWE-322: Key Exchange without Entity Authentication | | | Medium |
| CWE-325 | CWE-325: Missing Cryptographic Step | | | Low |
| CWE-326 | CWE-326: Inadequate Encryption Strength | | | Low |
| CWE-327 | CWE-327: Use of a Broken or Risky Cryptographic Algorithm | | | Medium |
| CWE-328 | CWE-328: Use of Weak Hash | | | Low |
| CWE-335 | CWE-335: Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) | | | Medium |
| CWE-338 | CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) | | | Medium |
| CWE-346 | CWE-346: Origin Validation Error | | | High |
| CWE-347 | CWE-347: Improper Verification of Cryptographic Signature | | | Medium |
| CWE-367 | CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition | | | Medium |
| CWE-369 | CWE-369: Divide By Zero | | | Low |
| CWE-377 | CWE-377: Insecure Temporary File | | | Medium |
| CWE-384 | CWE-384: Session Fixation | | | High |
| CWE-400 | CWE-400: Uncontrolled Resource Consumption | | | Medium |
| CWE-415 | CWE-415: Double Free | | | High |
| CWE-416 | CWE-416: Use After Free | | | High |
| CWE-434 | CWE-434: Unrestricted Upload of File with Dangerous Type | | | Low |
| CWE-470 | CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') | | | Medium |
| CWE-472 | CWE-472: External Control of Assumed-Immutable Web Parameter | | | Medium |
| CWE-489 | CWE-489: Active Debug Code | | | Medium |
| CWE-497 | CWE-497: Exposure of System Data to an Unauthorized Control Sphere | | | Low |
| CWE-501 | CWE-501: Trust Boundary Violation | | | Medium |
| CWE-502 | CWE-502: Deserialization of Untrusted Data | | | High |
| CWE-530 | CWE-530: Exposure of Backup File to an Unauthorized Control Sphere | | | Low |
| CWE-532 | CWE-532: Insertion of Sensitive Information into Log File | | | Low |
| CWE-598 | CWE-598: Use of GET Request Method With Sensitive Query Strings | | | Low |
| CWE-601 | CWE-601: URL Redirection to Untrusted Site ('Open Redirect') | | | Low |
| CWE-611 | CWE-611: Improper Restriction of XML External Entity Reference | | | Medium |
| CWE-614 | CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | | | Low |
| CWE-643 | CWE-643: Improper Neutralization of Data within XPath Expressions ('XPath Injection') | | | High |
| CWE-676 | CWE-676: Use of Potentially Dangerous Function | | | Medium |
| CWE-732 | CWE-732: Incorrect Permission Assignment for Critical Resource | | | High |
| CWE-749 | CWE-749: Exposed Dangerous Method or Function | | | Medium |
| CWE-776 | CWE-776: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') | | | Low |
| CWE-780 | CWE-780: Use of RSA Algorithm without OAEP | | | Medium |
| CWE-787 | CWE-787: Out-of-bounds Write | | | High |
| CWE-789 | CWE-789: Uncontrolled Memory Allocation | | | Low |
| CWE-798 | CWE-798: Use of Hard-coded Credentials | | | Medium |
| CWE-915 | CWE-915: Improperly Controlled Modification of Dynamically-Determined Object Attributes | | | High |
| CWE-916 | CWE-916: Use of Password Hash With Insufficient Computational Effort | | | Low |
| CWE-917 | CWE-917: Improper Neutralization of Special Elements Used in an Expression Language Statement ('Expression Language Injection') | | | High |
| CWE-918 | CWE-918: Server-Side Request Forgery (SSRF) | | | High |
| CWE-926 | CWE-926: Improper Export of Android Application Components | | | Medium |
| CWE-941 | CWE-941: Incorrectly Specified Destination in a Communication Channel | | | Low |
| CWE-943 | CWE-943: Improper Neutralization of Special Elements in Data Query Logic | | | High |
| CWE-1004 | CWE-1004: Sensitive Cookie Without 'HttpOnly' Flag | | | Low |
| CWE-1104 | CWE-1104: Use of Unmaintained Third Party Components | | | Low |
| CWE-1204 | CWE-1204: Generation of Weak Initialization Vector (IV) | | | Low |
| CWE-1327 | CWE-1327: Binding to an Unrestricted IP Address | | | Medium |
| CWE-1333 | CWE-1333: Inefficient Regular Expression Complexity | | | Low |
| CWE-1336 | CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine | | | Medium |
| CWE-208 | CWE-208: Observable Timing Discrepancy | | | Low |
| CWE-256 | CWE-256: Plaintext Storage of a Password | | | Low |
| CWE-352 | CWE-352: Cross-Site Request Forgery (CSRF) | | | High |