CWEs that violate the OWASP 2025 standard
Important: These CWEs will be supported June 30, 2026.
The following table lists all the CWEs that might cause an application to not pass a policy that includes an Auto-Update OWASP policy rule.
| CWE ID | CWE name | Static support | Dynamic support | Veracode severity | On OWASP 2021 list |
|---|---|---|---|---|---|
| 15 | External Control of System or Configuration Setting | X |   | 4 - High | X |
| 22 | Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) | X | X | 3 - Medium | X |
| 73 | External Control of File Name or Path | X |   | 3 - Medium | X |
| 74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection) | X |   | 4 - High | X |
| 77 | Improper Neutralization of Special Elements used in a Command (Command Injection) | X |   | 5 - Very High (Critical) | X |
| 78 | Improper Neutralization of Special Elements used in an OS Command (OS Command Injection) | X | X | 5 - Very High (Critical) | X |
| 79 | Improper Neutralization of Input During Web Page Generation (Cross-site Scripting) | X | X | 3 - Medium | X |
| 80 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | X | X | 3 - Medium | X |
| 83 | Improper Neutralization of Script in Attributes in a Web Page | X |   | 3 - Medium | X |
| 86 | Improper Neutralization of Invalid Characters in Identifiers in Web Pages | X |   | 3 - Medium | X |
| 88 | Argument Injection or Modification | X |   | 3 - Medium | X |
| 89 | Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) | X | X | 4 - High | X |
| 90 | Improper Neutralization of Special Elements used in an LDAP Query (LDAP Injection) | X |   | 3 - Medium | X |
| 91 | XML Injection (Blind XPath Injection) | X | X | 3 - Medium | X |
| 93 | Improper Neutralization of CRLF Sequences (CRLF Injection) | X |   | 3 - Medium | X |
| 94 | Improper Control of Generation of Code | X |   | 3 - Medium | X |
| 95 | Improper Neutralization of Directives in Dynamically Evaluated Code (Eval Injection) | X | X | 5 - Very High (Critical) | X |
| 98 | Improper Control of Filename for Include/Require Statement in PHP Program (PHP File Inclusion) | X | X | 4 - High | X |
| 99 | Improper Control of Resource Identifiers | X |   | 3 - Medium | X |
| 103 | Struts: Incomplete validate() Method Definition | X |   | 3 - Medium |   |
| 104 | Struts: Form Bean Does Not Extend Validation Class | X |   | 3 - Medium |   |
| 112 | Missing XML Validation | X |   | 3 - Medium | X |
| 113 | Improper Neutralization of CRLF Sequences in HTTP Headers (HTTP Response Splitting) | X | X | 3 - Medium | X |
| 114 | Process Control | X |   | 5 - Very High (Critical) | X |
| 115 | Misinterpretation of Input | X |   | 4 - High |   |
| 117 | Improper Output Neutralization for Logs | X |   | 3 - Medium | X |
| 129 | Improper Validation of Array Index | X |   | 3 - Medium | X |
| 134 | Use of Externally-Controlled Format String | X |   | 5 - Very High (Critical) | X |
| 183 | Permissive List of Allowed Inputs | X |   | 3 - Medium | X |
| 200 | Information Exposure | X | X | 2 - Low | X |
| 201 | Insertion of Sensitive Information Into Sent Data | X |   | 2 - Low | X |
| 209 | Information Exposure Through an Error Message | X | X | 2 - Low | X |
| 215 | Information Exposure Through Debug Information | X | X | 2 - Low | X |
| 223 | Omission of Security-relevant Information | X |   | 2 - Low | X |
| 234 | Failure to Handle Missing Parameter | X |   | 3 - Medium |   |
| 248 | Uncaught Exception | X |   | 2 - Low |   |
| 252 | Unchecked Return Value | X |   | 2 - Low |   |
| 256 | Plaintext Storage of a Password | X |   | 3 - Medium | X |
| 258 | Empty Password in Configuration File | X |   | 3 - Medium |   |
| 259 | Use of Hard-coded Password | X | X | 3 - Medium | X |
| 261 | Weak Cryptography for Passwords | X |   | 3 - Medium | X |
| 272 | Least Privilege Violation | X |   | 3 - Medium | X |
| 273 | Improper Check for Dropped Privileges | X |   | 3 - Medium |   |
| 282 | Improper Ownership Management | X |   | 3 - Medium | X |
| 284 | Improper Access Control | X |   | 3 - Medium |   |
| 285 | Improper Authorization | X |   | 3 - Medium | X |
| 287 | Improper Authentication | X | X | 4 - High | X |
| 295 | Improper Certificate Validation | X |   | 3 - Medium | X |
| 296 | Improper Following of Chain of Trust for Certificate Validation | X |   | 3 - Medium | X |
| 297 | Improper Validation of Host-specific Certificate Data | X | X | 3 - Medium | X |
| 298 | Improper Validation of Certificate Expiration | X |   | 3 - Medium | X |
| 299 | Improper Check for Certificate Revocation | X |   | 3 - Medium | X |
| 311 | Missing Encryption of Sensitive Data | X |   | 3 - Medium | X |
| 312 | Cleartext Storage of Sensitive Information | X |   | 3 - Medium | X |
| 313 | Plaintext Storage in a File or on Disk | X |   | 3 - Medium | X |
| 316 | Plaintext Storage in Memory | X |   | 3 - Medium | X |
| 319 | Cleartext Transmission of Sensitive Information | X |   | 3 - Medium | X |
| 321 | Use of Hard-coded Cryptographic Key | X | X | 3 - Medium | X |
| 325 | Missing Cryptographic Step | X |   | 3 - Medium |   |
| 326 | Inadequate Encryption Strength | X | X | 3 - Medium | X |
| 327 | Use of a Broken or Risky Cryptographic Algorithm | X | X | 3 - Medium | X |
| 329 | Not Using a Random IV with CBC Mode | X |   | 2 - Low | X |
| 330 | Use of Insufficiently Random Values | X |   | 3 - Medium | X |
| 331 | Insufficient Entropy | X |   | 3 - Medium | X |
| 338 | Use of Cryptographically Weak Pseudo-Random Number Generator | X |   | 3 - Medium | X |
| 345 | Insufficient Verification of Data Authenticity | X | X | 4 - High | X |
| 346 | Origin Validation Error | X |   | 3 - Medium | X |
| 347 | Improper Verification of Cryptographic Signature | X |   | 2 - Low | X |
| 350 | Reliance on Reverse DNS Resolution for a Security-Critical Action | X |   | 3 - Medium | X |
| 352 | Cross-Site Request Forgery (CSRF) | X | X | 3 - Medium | X |
| 354 | Improper Validation of Integrity Check Value | X |   | 3 - Medium | X |
| 359 | Exposure of Private Information (Privacy Violation) | X | X | 2 - Low | X |
| 366 | Race Condition within a Thread | X |   | 3 - Medium |   |
| 367 | Time-of-check Time-of-use (TOCTOU) Race Condition | X |   | 3 - Medium |   |
| 377 | Insecure Temporary File | X |   | 3 - Medium | X |
| 382 | J2EE Bad Practices: Use of System.exit() | X |   | 2 - Low |   |
| 384 | Session Fixation | X | X | 3 - Medium | X |
| 402 | Transmission of Private Resources into a New Sphere (Resource Leak) | X |   | 3 - Medium | X |
| 421 | Race Condition During Access to Alternate Channel | X |   | 3 - Medium | X |
| 426 | Untrusted Search Path | X |   | 3 - Medium | X |
| 427 | Uncontrolled Search Path Element | X |   | 3 - Medium | X |
| 434 | Unrestricted Upload of File with Dangerous Type | X |   | 4 - High | X |
| 441 | Unintended Proxy or Intermediary (Confused Deputy) | X |   | 3 - Medium | X |
| 451 | User Interface (UI) Misrepresentation of Critical Information | X |   | 3 - Medium |   |
| 470 | Use of Externally-Controlled Input to Select Classes or Code (Unsafe Reflection) | X |   | 3 - Medium | X |
| 472 | External Control of Assumed-Immutable Web Parameter | X |   | 3 - Medium | X |
| 479 | Signal Handler Use of a Non-Reentrant Function | X |   | 3 - Medium |   |
| 489 | Leftover Debug Code | X |   | 3 - Medium |   |
| 497 | Exposure of System Data to an Unauthorized Control Sphere | X |   | 2 - Low | X |
| 502 | Deserialization of Untrusted Data | X | X | 3 - Medium | X |
| 506 | Embedded Malicious Code | X |   | 4 - High |   |
| 511 | Logic/Time Bomb | X |   | 5 - Very High (Critical) |   |
| 522 | Insufficiently Protected Credentials | X | X | 3 - Medium | X |
| 526 | Information Exposure Through Environmental Variables | X |   | 2 - Low | X |
| 530 | Exposure of Backup File to an Unauthorized Control Sphere | X |   | 2 - Low | X |
| 532 | Insertion of Sensitive Information into Log File | X |   | 2 - Low | X |
| 538 | File and Directory Information Exposure | X |   | 2 - Low | X |
| 547 | Use of Hard-coded, Security-relevant Constants | X |   | 3 - Medium | X |
| 548 | Information Exposure Through Directory Listing | X |   | 2 - Low | X |
| 560 | Use of Umask() with Chmod-Style Argument | X |   | 3 - Medium |   |
| 564 | SQL Injection: Hibernate | X |   | 4 - High | X |
| 566 | Authorization Bypass Through User-Controlled SQL Primary Key | X |   | 3 - Medium | X |
| 601 | URL Redirection to Untrusted Site (Open Redirect) | X | X | 3 - Medium | X |
| 611 | Information Exposure Through XML External Entity Reference | X | X | 3 - Medium | X |
| 614 | Sensitive Cookie in HTTPS Session Without Secure Attribute | X | X | 2 - Low | X |
| 615 | Information Exposure Through Comments | X |   | 2 - Low | X |
| 618 | Exposed Unsafe ActiveX Method | X |   | 5 - Very High (Critical) |   |
| 628 | Function Call with Incorrectly Specified Arguments | X |   | 2 - Low |   |
| 639 | Authorization Bypass Through User-Controlled Key | X |   | 4 - High | X |
| 642 | External Control of Critical State Data | X |   | 2 - Low | X |
| 668 | Exposure of Resource to Wrong Sphere | X | X | 3 - Medium | X |
| 676 | Use of Potentially Dangerous Function | X |   | 3 - Medium |   |
| 693 | Protection Mechanism Failure | X | X | 3 - Medium |   |
| 708 | Incorrect Ownership Assignment | X |   | 4 - High | X |
| 732 | Incorrect Permission Assignment for Critical Resource | X |   | 3 - Medium | X |
| 749 | Exposed Dangerous Method or Function | X |   | 4 - High |   |
| 757 | Selection of Less-Secure Algorithm During Negotiation (Algorithm Downgrade) | X | X | 3 - Medium | X |
| 760 | Use of a One-Way Hash with a Predictable Salt | X |   | 3 - Medium | X |
| 780 | Use of RSA without Optimal Asymmetric Encryption Padding | X |   | 3 - Medium | X |
| 798 | Use of Hard-coded Credentials | X |   | 3 - Medium | X |
| 829 | Inclusion of Functionality from Untrusted Control Sphere | X | X | 3 - Medium | X |
| 830 | Inclusion of Web Functionality from an Untrusted Source | X |   | 2 - Low | X |
| 862 | Missing Authorization | X |   | 2 - Low |   |
| 915 | Improperly Controlled Modification of Dynamically-Determined Object Attributes | X |   | 3 - Medium | X |
| 916 | Use of Password Hash With Insufficient Computational Effort | X |   | 3 - Medium | X |
| 918 | Server-side Request Forgery | X | X | 3 - Medium | X |
| 923 | Improper Restriction of Communication Channel to Intended Endpoints | X |   | 3 - Medium |   |
| 926 | Improper Export of Android Application Components | X |   | 3 - Medium | X |
| 942 | Permissive Cross-domain Policy with Untrusted Domains | X |   | 3 - Medium | X |
| 943 | Improper Neutralization of Special Elements in Data Query Logic | X | X | 4 - High | X |
| 1174 | ASP.NET Misconfiguration: Improper Model Validation | X |   | 2 - Low | X |
| 1236 | Improper Neutralization of Formula Elements in a CSV File | X |   | 3 - Medium | X |
| 1336 | Improper Neutralization of Special Elements Used in a Template Engine | X |   | 5 - Very High (Critical) |   |
| 1427 | Improper Neutralization of Input Used for LLM Prompting | X |   | 4 - High |   |