Skip to main content

CWEs that violate the 2020 CWE Top 25 standard

This table lists all the CWEs that may cause an application to not pass a policy that includes the 2020 CWE Top 25 policy rule.

CWE IDCWE nameStatic supportDynamic supportVeracode severity
20Improper Input ValidationX 0 - Informational
22Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)XX3 - Medium
23Relative Path Traversal   
73External Control of File Name or PathX 3 - Medium
78Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)XX5 - Very High
79Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)XX3 - Medium
80Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)XX3 - Medium
81Improper Neutralization of Script in an Error Message Web Page   
83Improper Neutralization of Script in Attributes in a Web Page X3 - Medium
86Improper Neutralization of Invalid Characters in Identifiers in Web PagesX 3 - Medium
89Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)XX4 - High
90Improper Neutralization of Special Elements used in an LDAP Query (LDAP Injection)X 3 - Medium
91XML Injection (aka Blind XPath Injection)XX3 - Medium
94Improper Control of Generation of Code (Code Injection)X 3 - Medium
95Improper Neutralization of Directives in Dynamically Evaluated Code (Eval Injection)XX5 - Very High
98Improper Control of Filename for Include/Require Statement in PHP Program (PHP Remote File Inclusion)XX4 - High
100DEPRECATED: Technology-Specific Input Validation Problems   
103Struts: Incomplete validate() Method DefinitionX 3 - Medium
104Struts: Form Bean Does Not Extend Validation ClassX 3 - Medium
112Missing XML ValidationX 3 - Medium
119Improper Restriction of Operations within the Bounds of a Memory Buffer   
120Buffer Copy without Checking Size of Input (Classic Buffer Overflow)   
121Stack-based Buffer OverflowX 5 - Very High
125Out-of-bounds ReadX 3 - Medium
131Incorrect Calculation of Buffer Size   
135Incorrect Calculation of Multi-Byte String LengthX 5 - Very High
185Incorrect Regular ExpressionX 2 - Low
190Integer Overflow or WraparoundX 5 - Very High
200Exposure of Sensitive Information to an Unauthorized ActorXX2 - Low
201Insertion of Sensitive Information Into Sent DataX 2 - Low
209Generation of Error Message Containing Sensitive InformationXX2 - Low
215Insertion of Sensitive Information Into Debugging CodeXX2 - Low
259Use of Hard-coded PasswordXX3 - Medium
269Improper Privilege Management   
272Least Privilege ViolationX 3 - Medium
274Improper Handling of Insufficient PrivilegesX 0 - Informational
285Improper AuthorizationXX3 - Medium
287Improper AuthenticationXX4 - High
306Missing Authentication for Critical Function   
321Use of Hard-coded Cryptographic KeyXX3 - Medium
346Origin Validation ErrorX 3 - Medium
350Reliance on Reverse DNS Resolution for a Security-Critical ActionX 3 - Medium
352Cross-Site Request Forgery (CSRF)XX3 - Medium
359Exposure of Private Personal Information to an Unauthorized ActorX 2 - Low
400Uncontrolled Resource Consumption   
416Use After FreeX 2 - Low
434Unrestricted Upload of File with Dangerous Type X4 - High
470Use of Externally-Controlled Input to Select Classes or Code (Unsafe Reflection)X 3 - Medium
476NULL Pointer Dereference   
497Exposure of Sensitive System Information to an Unauthorized Control SphereX 2 - Low
498Cloneable Class Containing Sensitive Information   
502Deserialization of Untrusted DataX 3 - Medium
522Insufficiently Protected CredentialsXX3 - Medium
526Exposure of Sensitive Information Through Environmental Variables X2 - Low
530Exposure of Backup File to an Unauthorized Control Sphere X2 - Low
538Insertion of Sensitive Information into Externally-Accessible File or Directory X0 - Informational
548Exposure of Information Through Directory Listing X2 - Low
564SQL Injection: HibernateX 4 - High
566Authorization Bypass Through User-Controlled SQL Primary KeyX 3 - Medium
601URL Redirection to Untrusted Site (Open Redirect)XX3 - Medium
611Improper Restriction of XML External Entity ReferenceXX3 - Medium
615Inclusion of Sensitive Information in Source Code CommentsXX0 - Informational
618Exposed Unsafe ActiveX MethodX 5 - Very High
639Authorization Bypass Through User-Controlled KeyX 4 - High
665Improper InitializationX 2 - Low
693Protection Mechanism FailureXX3 - Medium
708Incorrect Ownership AssignmentX 4 - High
732Incorrect Permission Assignment for Critical ResourceX 3 - Medium
787Out-of-bounds WriteX 3 - Medium
798Use of Hard-coded CredentialsX 3 - Medium
830Inclusion of Web Functionality from an Untrusted Source X2 - Low
862Missing Authorization   
915Improperly Controlled Modification of Dynamically-Determined Object AttributesX 3 - Medium
918Server-Side Request Forgery (SSRF)XX3 - Medium
942Permissive Cross-domain Policy with Untrusted DomainsXX3 - Medium
1174ASP.NET Misconfiguration: Improper Model ValidationX 2 - Low