CWEs that violate the CWE Top 25 standard
Important
Support for the 2025 version will begin on June 30, 2026.
The following table lists the CWEs that violate the CWE Top 25 standard: the CWE Top 25 entries themselves plus the more specific CWEs that Veracode maps to them (for example, CWE 80, 81, 83 and 86 under CWE 79). Scan support shows whether Veracode Static Analysis and Dynamic Analysis both report the CWE ("Static and Dynamic"), exactly one of the two reports it ("Static or Dynamic"), or neither does (blank); a CWE with no scan support never appears in scan results. Only a CWE that has scan support and is on the most recent supported list (see the note above) causes an application to fail a policy that includes the Auto-Update CWE Top 25 policy rule. A CWE whose Years on list ends before the current list version (for example, CWE 611, 2019-2022) no longer counts against the rule, even if a scan still reports it.
| CWE ID | CWE name | Scan support | Veracode severity | Years on list |
|---|---|---|---|---|
| 22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | Static and Dynamic | 3 - Medium | 2019-2025 |
| 23 | Relative Path Traversal | | | 2019-2025 |
| 73 | External Control of File Name or Path | Static or Dynamic | 3 - Medium | 2019-2025 |
| 77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') | Static or Dynamic | 5 - Very High (Critical) | 2021-2025 |
| 78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | Static and Dynamic | 5 - Very High (Critical) | 2019-2025 |
| 79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | Static and Dynamic | 3 - Medium | 2019-2025 |
| 80 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | Static and Dynamic | 3 - Medium | 2019-2025 |
| 81 | Improper Neutralization of Script in an Error Message Web Page | | 3 - Medium | 2019-2025 |
| 83 | Improper Neutralization of Script in Attributes in a Web Page | Static or Dynamic | 3 - Medium | 2019-2025 |
| 86 | Improper Neutralization of Invalid Characters in Identifiers in Web Pages | Static or Dynamic | 3 - Medium | 2019-2025 |
| 89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | Static and Dynamic | 4 - High | 2019-2025 |
| 90 | Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') | Static or Dynamic | 3 - Medium | 2019-2025 |
| 91 | XML Injection (aka Blind XPath Injection) | Static and Dynamic | 3 - Medium | 2019-2020, 2022-2025 |
| 94 | Improper Control of Generation of Code ('Code Injection') | Static or Dynamic | 3 - Medium | 2019-2020, 2022-2025 |
| 95 | Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') | Static and Dynamic | 5 - Very High (Critical) | 2019-2020, 2022-2025 |
| 98 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') | Static and Dynamic | 4 - High | 2019-2020, 2022-2025 |
| 103 | Struts: Incomplete validate() Method Definition | Static or Dynamic | 3 - Medium | 2019-2025 |
| 104 | Struts: Form Bean Does Not Extend Validation Class | Static or Dynamic | 3 - Medium | 2019-2025 |
| 112 | Missing XML Validation | Static or Dynamic | 3 - Medium | 2019-2025 |
| 119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | | | 2019-2024 |
| 120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | | 5 - Very High (Critical) | 2019-2025 |
| 121 | Stack-based Buffer Overflow | Static or Dynamic | 5 - Very High (Critical) | 2019-2025 |
| 122 | Heap-based Buffer Overflow | | 5 - Very High (Critical) | 2025 |
| 125 | Out-of-bounds Read | Static or Dynamic | 3 - Medium | 2019-2025 |
| 131 | Incorrect Calculation of Buffer Size | | | 2019-2024 |
| 135 | Incorrect Calculation of Multi-Byte String Length | Static or Dynamic | 5 - Very High (Critical) | 2019-2024 |
| 185 | Incorrect Regular Expression | Static or Dynamic | 2 - Low | 2019-2020, 2022-2025 |
| 190 | Integer Overflow or Wraparound | Static or Dynamic | 5 - Very High (Critical) | 2019-2024 |
| 200 | Exposure of Sensitive Information to an Unauthorized Actor | Static and Dynamic | 2 - Low | 2019-2021, 2024-2025 |
| 201 | Insertion of Sensitive Information Into Sent Data | Static or Dynamic | 2 - Low | 2019-2021, 2024-2025 |
| 209 | Generation of Error Message Containing Sensitive Information | Static and Dynamic | 2 - Low | 2019-2021, 2024-2025 |
| 215 | Insertion of Sensitive Information Into Debugging Code | Static and Dynamic | 2 - Low | 2019-2021, 2024-2025 |
| 259 | Use of Hard-coded Password | Static and Dynamic | 3 - Medium | 2019-2024 |
| 269 | Improper Privilege Management | | 3 - Medium | 2019-2020, 2023-2024 |
| 272 | Least Privilege Violation | Static or Dynamic | 3 - Medium | 2019-2020, 2023-2024 |
| 276 | Incorrect Default Permissions | | 3 - Medium | 2021-2023 |
| 284 | Improper Access Control | Static or Dynamic | 3 - Medium | 2025 |
| 285 | Improper Authorization | Static or Dynamic | 3 - Medium | 2019-2020, 2023-2024 |
| 287 | Improper Authentication | Static and Dynamic | 4 - High | 2019-2024 |
| 295 | Improper Certificate Validation | Static or Dynamic | 3 - Medium | 2019 |
| 306 | Missing Authentication for Critical Function | | 3 - Medium | 2020-2025 |
| 321 | Use of Hard-coded Cryptographic Key | Static and Dynamic | 3 - Medium | 2019-2024 |
| 346 | Origin Validation Error | Static or Dynamic | 3 - Medium | 2019-2020, 2023-2024 |
| 350 | Reliance on Reverse DNS Resolution for a Security-Critical Action | Static or Dynamic | 3 - Medium | 2019-2020, 2023-2024 |
| 352 | Cross-Site Request Forgery (CSRF) | Static and Dynamic | 3 - Medium | 2019-2025 |
| 359 | Exposure of Private Personal Information to an Unauthorized Actor | Static and Dynamic | 2 - Low | 2019-2021, 2024-2025 |
| 362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | | | 2022-2023 |
| 366 | Race Condition within a Thread | Static or Dynamic | 3 - Medium | 2022-2023 |
| 367 | Time-of-check Time-of-use (TOCTOU) Race Condition | Static or Dynamic | 3 - Medium | 2022-2023 |
| 400 | Uncontrolled Resource Consumption | | 2 - Low | 2019-2020, 2022, 2024 |
| 416 | Use After Free | Static or Dynamic | 2 - Low | 2019-2025 |
| 426 | Untrusted Search Path | Static or Dynamic | 3 - Medium | 2019 |
| 427 | Uncontrolled Search Path Element | Static or Dynamic | 3 - Medium | 2019 |
| 434 | Unrestricted Upload of File with Dangerous Type | Static or Dynamic | 4 - High | 2019-2025 |
| 470 | Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') | Static or Dynamic | 3 - Medium | 2019-2025 |
| 476 | NULL Pointer Dereference | | 2 - Low | 2019-2025 |
| 497 | Exposure of Sensitive System Information to an Unauthorized Control Sphere | Static or Dynamic | 2 - Low | 2019-2021, 2024-2025 |
| 498 | Cloneable Class Containing Sensitive Information | | 2 - Low | 2019-2021, 2024-2025 |
| 502 | Deserialization of Untrusted Data | Static and Dynamic | 3 - Medium | 2019-2025 |
| 522 | Insufficiently Protected Credentials | Static and Dynamic | 3 - Medium | 2020-2021 |
| 526 | Cleartext Storage of Sensitive Information in an Environment Variable | Static or Dynamic | 2 - Low | 2019-2021, 2024-2025 |
| 530 | Exposure of Backup File to an Unauthorized Control Sphere | Static or Dynamic | 2 - Low | 2019-2021, 2024-2025 |
| 538 | Insertion of Sensitive Information into Externally-Accessible File or Directory | Static or Dynamic | 2 - Low | 2019-2021, 2024-2025 |
| 548 | Exposure of Information Through Directory Listing | Static or Dynamic | 2 - Low | 2019-2021, 2024-2025 |
| 564 | SQL Injection: Hibernate | Static or Dynamic | 4 - High | 2019-2025 |
| 566 | Authorization Bypass Through User-Controlled SQL Primary Key | Static or Dynamic | 3 - Medium | 2019-2020, 2023-2024 |
| 601 | URL Redirection to Untrusted Site ('Open Redirect') | Static and Dynamic | 3 - Medium | 2019-2025 |
| 611 | Improper Restriction of XML External Entity Reference | Static and Dynamic | 3 - Medium | 2019-2022 |
| 615 | Inclusion of Sensitive Information in Source Code Comments | Static or Dynamic | 2 - Low | 2019-2021, 2024-2025 |
| 618 | Exposed Unsafe ActiveX Method | Static or Dynamic | 5 - Very High (Critical) | 2019-2025 |
| 639 | Authorization Bypass Through User-Controlled Key | Static or Dynamic | 4 - High | 2019-2020, 2023-2025 |
| 665 | Improper Initialization | Static or Dynamic | 2 - Low | 2019-2021, 2024-2025 |
| 693 | Protection Mechanism Failure | Static and Dynamic | 3 - Medium | 2019-2024 |
| 708 | Incorrect Ownership Assignment | Static or Dynamic | 4 - High | 2019-2020, 2023-2024 |
| 732 | Incorrect Permission Assignment for Critical Resource | Static or Dynamic | 3 - Medium | 2019-2021 |
| 770 | Allocation of Resources Without Limits or Throttling | | | 2025 |
| 772 | Missing Release of Resource after Effective Lifetime | | | 2019 |
| 787 | Out-of-bounds Write | Static or Dynamic | 3 - Medium | 2019-2025 |
| 798 | Use of Hard-coded Credentials | Static or Dynamic | 3 - Medium | 2019-2024 |
| 830 | Inclusion of Web Functionality from an Untrusted Source | Static or Dynamic | 2 - Low | 2019-2020, 2022-2025 |
| 862 | Missing Authorization | Static or Dynamic | 2 - Low | 2020-2025 |
| 863 | Incorrect Authorization | | | 2023-2025 |
| 915 | Improperly Controlled Modification of Dynamically-Determined Object Attributes | Static or Dynamic | 3 - Medium | 2019-2025 |
| 918 | Server-Side Request Forgery (SSRF) | Static and Dynamic | 3 - Medium | 2019-2025 |
| 942 | Permissive Cross-domain Security Policy with Untrusted Domains | Static or Dynamic | 3 - Medium | 2019-2020, 2023-2024 |
| 1174 | ASP.NET Misconfiguration: Improper Model Validation | Static or Dynamic | 2 - Low | 2019-2025 |
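The rule behind the table (a CWE fails the policy only if a scan supports it and it is on the list version currently in force) is easy to get wrong when pre-screening findings before upload. The following Python script is an added example, not Veracode's code or API: it expands the Years on list ranges, evaluates a constructed set of findings against an explicitly chosen list year (both 2024 and 2025, because the note above says the 2025 list is not supported until June 30, 2026), and returns the findings that would fail. The `TOP25_TABLE` rows are a subset copied from the table on this page with the two support columns collapsed into one `supported` flag; the finding IDs and file names are invented.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Top25Row:
    cwe_id: int
    name: str
    supported: bool   # True if Static or Dynamic Analysis reports the CWE
    years: str        # "Years on list" text exactly as it appears in the table


# Subset of the page's table (constructed for the example; the remaining rows
# are entered the same way).
TOP25_TABLE = [
    Top25Row(22,  "Path Traversal",                    True,  "2019-2025"),
    Top25Row(23,  "Relative Path Traversal",           False, "2019-2025"),
    Top25Row(91,  "XML Injection",                     True,  "2019-2020, 2022-2025"),
    Top25Row(259, "Use of Hard-coded Password",        True,  "2019-2024"),
    Top25Row(284, "Improper Access Control",           True,  "2025"),
    Top25Row(362, "Race Condition",                    False, "2022-2023"),
    Top25Row(502, "Deserialization of Untrusted Data", True,  "2019-2025"),
    Top25Row(611, "XML External Entity Reference",     True,  "2019-2022"),
    Top25Row(862, "Missing Authorization",             True,  "2020-2025"),
]

# One comma-separated part of a Years on list cell: "2019" or "2019-2025".
_RANGE = re.compile(r"^\s*(\d{4})(?:\s*-\s*(\d{4}))?\s*$")


def parse_years(text: str) -> frozenset[int]:
    """Expand '2019-2020, 2022-2025' into the set of individual list years."""
    years = set()
    for part in text.split(","):
        m = _RANGE.match(part)
        if not m:
            raise ValueError(f"unrecognised year range: {part!r}")
        start = int(m.group(1))
        end = int(m.group(2) or start)
        if end < start:
            raise ValueError(f"inverted year range: {part!r}")
        years.update(range(start, end + 1))
    return frozenset(years)


def latest_list_year(table) -> int:
    """Most recent list year mentioned anywhere in the table (not necessarily supported yet)."""
    return max(max(parse_years(row.years)) for row in table)


def violating_cwes(table, list_year: int) -> frozenset[int]:
    """CWEs that fail the rule for list_year: scan-supported AND on that year's list."""
    return frozenset(
        row.cwe_id for row in table
        if row.supported and list_year in parse_years(row.years)
    )


def evaluate_findings(findings, table, list_year: int):
    """Return the findings that would fail an Auto-Update CWE Top 25 policy rule
    evaluated against list_year. Findings whose CWE is unsupported, off the
    chosen year's list, or absent from the table pass."""
    failing_cwes = violating_cwes(table, list_year)
    return [f for f in findings if f["cwe"] in failing_cwes]


# Constructed sample findings (invented IDs and file names, not real scan output).
SAMPLE_FINDINGS = [
    {"id": "F-1", "cwe": 22,   "file": "upload.py"},   # supported, on every list
    {"id": "F-2", "cwe": 259,  "file": "db.py"},       # drops off the list after 2024
    {"id": "F-3", "cwe": 23,   "file": "archive.py"},  # on the list but no scan support
    {"id": "F-4", "cwe": 611,  "file": "xml.py"},      # supported, but off the list since 2023
    {"id": "F-5", "cwe": 284,  "file": "admin.py"},    # only on the 2025 list
    {"id": "F-6", "cwe": 1234, "file": "misc.py"},     # not in the table at all
]

if __name__ == "__main__":
    print("latest list year in table:", latest_list_year(TOP25_TABLE))
    for year in (2024, 2025):
        failing = evaluate_findings(SAMPLE_FINDINGS, TOP25_TABLE, year)
        print(year, "fails policy:", [f["id"] for f in failing])
```

Choosing `list_year` explicitly rather than from `latest_list_year` is deliberate: the table already carries 2025 entries, but per the note above the rule keeps evaluating against the 2024 list until June 30, 2026, so a finding for CWE 259 (2019-2024) still fails today and a finding for CWE 284 (2025 only) does not.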