CWEs that violate the OWASP standard
Important
Support for the 2025 version will begin on June 30, 2026.
The following table lists the CWEs that violate the OWASP Top 10 standard. An X in the Static support or Dynamic support column means that Veracode Static Analysis or Dynamic Analysis, respectively, can report that CWE; the Years on list column gives the OWASP Top 10 editions on which the CWE appears. Only the supported CWEs on the most recent list cause an application to fail a policy that includes the Auto-Update OWASP policy rule: a CWE that appears only on an older edition, or a finding from a scan type that does not support that CWE, does not fail the policy.
| CWE ID | CWE name | Static support | Dynamic support | Veracode severity | Years on list |
|---|---|---|---|---|---|
| 15 | External Control of System or Configuration Setting | X | | 4 - High | 2021, 2025 |
| 22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | X | X | 3 - Medium | 2017, 2021, 2025 |
| 73 | External Control of File Name or Path | X | | 3 - Medium | 2021, 2025 |
| 74 | Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') | X | | 4 - High | 2017, 2021, 2025 |
| 77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') | X | | 5 - Very High (Critical) | 2017, 2021, 2025 |
| 78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | X | X | 5 - Very High (Critical) | 2017, 2021, 2025 |
| 79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | X | X | 3 - Medium | 2017, 2021, 2025 |
| 80 | Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) | X | X | 3 - Medium | 2017, 2021, 2025 |
| 83 | Improper Neutralization of Script in Attributes in a Web Page | X | | 3 - Medium | 2017, 2021, 2025 |
| 86 | Improper Neutralization of Invalid Characters in Identifiers in Web Pages | X | | 3 - Medium | 2017, 2021, 2025 |
| 88 | Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') | X | | 3 - Medium | 2017, 2021, 2025 |
| 89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | X | X | 4 - High | 2017, 2021, 2025 |
| 90 | Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection') | X | | 3 - Medium | 2017, 2021, 2025 |
| 91 | XML Injection (aka Blind XPath Injection) | X | X | 3 - Medium | 2017, 2021, 2025 |
| 93 | Improper Neutralization of CRLF Sequences ('CRLF Injection') | X | | 3 - Medium | 2017, 2021, 2025 |
| 94 | Improper Control of Generation of Code ('Code Injection') | X | | 3 - Medium | 2017, 2021, 2025 |
| 95 | Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') | X | X | 5 - Very High (Critical) | 2017, 2021, 2025 |
| 98 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') | X | X | 4 - High | 2017, 2021, 2025 |
| 99 | Improper Control of Resource Identifiers ('Resource Injection') | X | | 3 - Medium | 2017, 2021, 2025 |
| 103 | Struts: Incomplete validate() Method Definition | X | | 3 - Medium | 2025 |
| 104 | Struts: Form Bean Does Not Extend Validation Class | X | | 3 - Medium | 2025 |
| 112 | Missing XML Validation | X | | 3 - Medium | 2021, 2025 |
| 113 | Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') | X | X | 3 - Medium | 2017, 2021, 2025 |
| 114 | Process Control | X | | 5 - Very High (Critical) | 2021, 2025 |
| 115 | Misinterpretation of Input | X | | 4 - High | 2025 |
| 117 | Improper Output Neutralization for Logs | X | | 3 - Medium | 2017, 2021, 2025 |
| 129 | Improper Validation of Array Index | X | | 3 - Medium | 2021, 2025 |
| 134 | Use of Externally-Controlled Format String | X | | 5 - Very High (Critical) | 2021, 2025 |
| 183 | Permissive List of Allowed Inputs | X | | 3 - Medium | 2021, 2025 |
| 200 | Exposure of Sensitive Information to an Unauthorized Actor | X | X | 2 - Low | 2021, 2025 |
| 201 | Insertion of Sensitive Information Into Sent Data | X | | 2 - Low | 2021, 2025 |
| 209 | Generation of Error Message Containing Sensitive Information | X | X | 2 - Low | 2017, 2021, 2025 |
| 215 | Insertion of Sensitive Information Into Debugging Code | X | X | 2 - Low | 2021, 2025 |
| 223 | Omission of Security-relevant Information | X | | 2 - Low | 2017, 2021, 2025 |
| 234 | Failure to Handle Missing Parameter | X | | 3 - Medium | 2025 |
| 248 | Uncaught Exception | X | | 2 - Low | 2025 |
| 252 | Unchecked Return Value | X | | 2 - Low | 2025 |
| 256 | Plaintext Storage of a Password | X | | 3 - Medium | 2017, 2021, 2025 |
| 258 | Empty Password in Configuration File | X | | 3 - Medium | 2017, 2021, 2025 |
| 259 | Use of Hard-coded Password | X | X | 3 - Medium | 2017, 2021, 2025 |
| 261 | Weak Encoding for Password | X | | 3 - Medium | 2017, 2021, 2025 |
| 272 | Least Privilege Violation | X | | 3 - Medium | 2017, 2021, 2025 |
| 273 | Improper Check for Dropped Privileges | X | | 3 - Medium | 2025 |
| 282 | Improper Ownership Management | X | | 3 - Medium | 2017, 2021, 2025 |
| 284 | Improper Access Control | X | | 3 - Medium | 2017, 2021, 2025 |
| 285 | Improper Authorization | X | | 3 - Medium | 2017, 2021, 2025 |
| 287 | Improper Authentication | X | X | 4 - High | 2017, 2021, 2025 |
| 295 | Improper Certificate Validation | X | | 3 - Medium | 2017, 2021, 2025 |
| 296 | Improper Following of a Certificate's Chain of Trust | X | | 3 - Medium | 2017, 2021, 2025 |
| 297 | Improper Validation of Certificate with Host Mismatch | X | X | 3 - Medium | 2017, 2021, 2025 |
| 298 | Improper Validation of Certificate Expiration | X | | 3 - Medium | 2017, 2021, 2025 |
| 299 | Improper Check for Certificate Revocation | X | | 3 - Medium | 2017, 2021, 2025 |
| 311 | Missing Encryption of Sensitive Data | X | | 3 - Medium | 2017, 2021, 2025 |
| 312 | Cleartext Storage of Sensitive Information | X | | 3 - Medium | 2017, 2021, 2025 |
| 313 | Cleartext Storage in a File or on Disk | X | | 3 - Medium | 2017, 2021, 2025 |
| 316 | Cleartext Storage of Sensitive Information in Memory | X | | 3 - Medium | 2017, 2021, 2025 |
| 319 | Cleartext Transmission of Sensitive Information | X | | 3 - Medium | 2017, 2021, 2025 |
| 321 | Use of Hard-coded Cryptographic Key | X | X | 3 - Medium | 2017, 2021, 2025 |
| 323 | Reusing a Nonce, Key Pair in Encryption | X | | 3 - Medium | 2021, 2025 |
| 325 | Missing Cryptographic Step | X | | 3 - Medium | 2017, 2021, 2025 |
| 326 | Inadequate Encryption Strength | X | X | 3 - Medium | 2017, 2021, 2025 |
| 327 | Use of a Broken or Risky Cryptographic Algorithm | X | X | 3 - Medium | 2017, 2021, 2025 |
| 329 | Generation of Predictable IV with CBC Mode | X | | 2 - Low | 2021, 2025 |
| 330 | Use of Insufficiently Random Values | X | | 3 - Medium | 2021, 2025 |
| 331 | Insufficient Entropy | X | | 3 - Medium | 2021, 2025 |
| 338 | Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) | X | | 3 - Medium | 2021, 2025 |
| 345 | Insufficient Verification of Data Authenticity | X | X | 4 - High | 2021, 2025 |
| 346 | Origin Validation Error | X | | 3 - Medium | 2021, 2025 |
| 347 | Improper Verification of Cryptographic Signature | X | | 2 - Low | 2021, 2025 |
| 350 | Reliance on Reverse DNS Resolution for a Security-Critical Action | X | | 3 - Medium | 2017, 2021, 2025 |
| 352 | Cross-Site Request Forgery (CSRF) | X | X | 3 - Medium | 2021, 2025 |
| 354 | Improper Validation of Integrity Check Value | X | | 3 - Medium | 2021, 2025 |
| 359 | Exposure of Private Personal Information to an Unauthorized Actor | X | X | 2 - Low | 2017, 2021, 2025 |
| 366 | Race Condition within a Thread | X | | 3 - Medium | 2025 |
| 367 | Time-of-check Time-of-use (TOCTOU) Race Condition | X | | 3 - Medium | 2025 |
| 377 | Insecure Temporary File | X | | 3 - Medium | 2021, 2025 |
| 382 | J2EE Bad Practices: Use of System.exit() | X | | 2 - Low | 2025 |
| 384 | Session Fixation | X | X | 3 - Medium | 2017, 2021, 2025 |
| 402 | Transmission of Private Resources into a New Sphere ('Resource Leak') | X | | 3 - Medium | 2021, 2025 |
| 421 | Race Condition During Access to Alternate Channel | X | | 3 - Medium | 2017, 2021, 2025 |
| 426 | Untrusted Search Path | X | | 3 - Medium | 2021, 2025 |
| 427 | Uncontrolled Search Path Element | X | | 3 - Medium | 2021, 2025 |
| 434 | Unrestricted Upload of File with Dangerous Type | X | | 4 - High | 2021, 2025 |
| 441 | Unintended Proxy or Intermediary ('Confused Deputy') | X | | 3 - Medium | 2021, 2025 |
| 451 | User Interface (UI) Misrepresentation of Critical Information | X | | 3 - Medium | 2021, 2025 |
| 470 | Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') | X | | 3 - Medium | 2021, 2025 |
| 472 | External Control of Assumed-Immutable Web Parameter | X | | 3 - Medium | 2021, 2025 |
| 479 | Signal Handler Use of a Non-reentrant Function | X | | 3 - Medium | 2025 |
| 489 | Active Debug Code | X | | 3 - Medium | 2025 |
| 497 | Exposure of Sensitive System Information to an Unauthorized Control Sphere | X | | 2 - Low | 2021, 2025 |
| 502 | Deserialization of Untrusted Data | X | X | 3 - Medium | 2017, 2021, 2025 |
| 506 | Embedded Malicious Code | X | | 4 - High | 2025 |
| 511 | Logic/Time Bomb | X | | 5 - Very High (Critical) | 2025 |
| 522 | Insufficiently Protected Credentials | X | X | 3 - Medium | 2017, 2021, 2025 |
| 526 | Cleartext Storage of Sensitive Information in an Environment Variable | X | | 2 - Low | 2017, 2021, 2025 |
| 530 | Exposure of Backup File to an Unauthorized Control Sphere | X | | 2 - Low | 2021, 2025 |
| 532 | Insertion of Sensitive Information into Log File | X | | 2 - Low | 2021, 2025 |
| 538 | Insertion of Sensitive Information into Externally-Accessible File or Directory | X | | 2 - Low | 2021, 2025 |
| 547 | Use of Hard-coded, Security-relevant Constants | X | | 3 - Medium | 2021, 2025 |
| 548 | Exposure of Information Through Directory Listing | X | | 2 - Low | 2017, 2021, 2025 |
| 564 | SQL Injection: Hibernate | X | | 4 - High | 2017, 2021, 2025 |
| 566 | Authorization Bypass Through User-Controlled SQL Primary Key | X | | 3 - Medium | 2017, 2021, 2025 |
| 601 | URL Redirection to Untrusted Site ('Open Redirect') | X | X | 3 - Medium | 2021, 2025 |
| 611 | Improper Restriction of XML External Entity Reference | X | X | 3 - Medium | 2017, 2021, 2025 |
| 614 | Sensitive Cookie in HTTPS Session Without 'Secure' Attribute | X | X | 2 - Low | 2017, 2021, 2025 |
| 615 | Inclusion of Sensitive Information in Source Code Comments | X | | 2 - Low | 2021, 2025 |
| 618 | Exposed Unsafe ActiveX Method | X | | 5 - Very High (Critical) | 2017, 2021, 2025 |
| 628 | Function Call with Incorrectly Specified Arguments | X | | 2 - Low | 2025 |
| 639 | Authorization Bypass Through User-Controlled Key | X | | 4 - High | 2017, 2021, 2025 |
| 642 | External Control of Critical State Data | X | | 2 - Low | 2021, 2025 |
| 668 | Exposure of Resource to Wrong Sphere | X | X | 3 - Medium | 2021, 2025 |
| 676 | Use of Potentially Dangerous Function | X | | 3 - Medium | 2025 |
| 693 | Protection Mechanism Failure | X | X | 3 - Medium | 2025 |
| 708 | Incorrect Ownership Assignment | X | | 4 - High | 2017, 2021, 2025 |
| 732 | Incorrect Permission Assignment for Critical Resource | X | | 3 - Medium | 2017, 2021, 2025 |
| 749 | Exposed Dangerous Method or Function | X | | 4 - High | 2017, 2021, 2025 |
| 757 | Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade') | X | X | 3 - Medium | 2021, 2025 |
| 760 | Use of a One-Way Hash with a Predictable Salt | X | | 3 - Medium | 2017, 2021, 2025 |
| 780 | Use of RSA Algorithm without OAEP | X | | 3 - Medium | 2017, 2021, 2025 |
| 798 | Use of Hard-coded Credentials | X | | 3 - Medium | 2017, 2021, 2025 |
| 829 | Inclusion of Functionality from Untrusted Control Sphere | X | X | 3 - Medium | 2021, 2025 |
| 830 | Inclusion of Web Functionality from an Untrusted Source | X | | 2 - Low | 2021, 2025 |
| 862 | Missing Authorization | X | | 2 - Low | 2017, 2021, 2025 |
| 915 | Improperly Controlled Modification of Dynamically-Determined Object Attributes | X | | 3 - Medium | 2021, 2025 |
| 916 | Use of Password Hash With Insufficient Computational Effort | X | | 3 - Medium | 2017, 2021, 2025 |
| 918 | Server-Side Request Forgery (SSRF) | X | X | 3 - Medium | 2021, 2025 |
| 923 | Improper Restriction of Communication Channel to Intended Endpoints | X | | 3 - Medium | 2017, 2021, 2025 |
| 926 | Improper Export of Android Application Components | X | | 3 - Medium | 2017, 2021, 2025 |
| 942 | Permissive Cross-domain Security Policy with Untrusted Domains | X | | 3 - Medium | 2017, 2021, 2025 |
| 943 | Improper Neutralization of Special Elements in Data Query Logic | X | X | 4 - High | 2017, 2021, 2025 |
| 1174 | ASP.NET Misconfiguration: Improper Model Validation | X | | 2 - Low | 2021, 2025 |
| 1236 | Improper Neutralization of Formula Elements in a CSV File | X | | 3 - Medium | 2017, 2021, 2025 |
| 1336 | Improper Neutralization of Special Elements Used in a Template Engine | X | | 5 - Very High (Critical) | 2017, 2021, 2025 |
| 1427 | Improper Neutralization of Input Used for LLM Prompting | X | | 4 - High | 2017, 2021, 2025 |
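The rule stated above (a finding fails the Auto-Update OWASP rule only if its CWE is in the table, the scan type that produced it is marked as supported for that CWE, and the CWE appears on the most recent list edition) is easy to get wrong in a CI gate that simply matches CWE IDs. The following is an added example, not Veracode code or a Veracode API: it parses a constructed five-row subset of the table in the six-column markdown form used on this page and evaluates a constructed set of findings against it. The finding records (`cwe_id`, `scan`, `location`) are an assumed shape, not the format of any Veracode report.

```python
"""Evaluate scan findings against the OWASP Top 10 CWE table.

Added example, not Veracode's own code or API. CWE_TABLE_MD is a constructed
subset of the page's table; SAMPLE_FINDINGS and the finding record shape
(cwe_id / scan / location) are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed subset of the page's table, in its six-column markdown form.
CWE_TABLE_MD = """
| CWE ID | CWE name | Static support | Dynamic support | Veracode severity | Years on list |
|---|---|---|---|---|---|
| 79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | X | X | 3 - Medium | 2017, 2021, 2025 |
| 89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | X | X | 4 - High | 2017, 2021, 2025 |
| 103 | Struts: Incomplete validate() Method Definition | X | | 3 - Medium | 2025 |
| 117 | Improper Output Neutralization for Logs | X | | 3 - Medium | 2017, 2021, 2025 |
| 918 | Server-Side Request Forgery (SSRF) | X | X | 3 - Medium | 2021, 2025 |
"""


@dataclass(frozen=True)
class CweRule:
    cwe_id: int
    name: str
    static: bool            # X in the Static support column
    dynamic: bool           # X in the Dynamic support column
    severity: int           # leading number of e.g. "4 - High"
    years: frozenset        # OWASP Top 10 editions on which the CWE appears


def parse_cwe_table(markdown: str) -> dict[int, CweRule]:
    """Parse the page-format markdown table into a CWE-ID keyed dict."""
    rules: dict[int, CweRule] = {}
    for line in markdown.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 6 or not cells[0].isdigit():
            continue  # header row, separator row, or stray text
        cwe_id, name, static, dynamic, sev, years = cells
        rules[int(cwe_id)] = CweRule(
            cwe_id=int(cwe_id),
            name=name,
            static=static.upper() == "X",
            dynamic=dynamic.upper() == "X",
            severity=int(sev.split("-")[0]),
            years=frozenset(int(y) for y in re.findall(r"\d{4}", years)),
        )
    return rules


def latest_list_year(rules: dict[int, CweRule]) -> int:
    """The most recent OWASP Top 10 edition mentioned anywhere in the table."""
    return max(y for r in rules.values() for y in r.years)


def policy_violations(findings, rules, list_year=None):
    """Return (cwe_id, severity, location) for findings that fail the rule.

    A finding fails only if all three hold: its CWE is in the table, the scan
    type that produced it ("static" or "dynamic") is marked supported for that
    CWE, and the CWE is on the list edition being enforced (latest by default).
    """
    year = latest_list_year(rules) if list_year is None else list_year
    failing = []
    for f in findings:
        rule = rules.get(f["cwe_id"])
        if rule is None or year not in rule.years:
            continue
        supported = rule.static if f["scan"] == "static" else rule.dynamic
        if supported:
            failing.append((rule.cwe_id, rule.severity, f["location"]))
    return failing


# Constructed sample findings (assumed record shape, not a Veracode report).
SAMPLE_FINDINGS = [
    {"cwe_id": 89, "scan": "static", "location": "UserDao.java:42"},
    # CWE-103 is static-only in the table: a dynamic finding does not count.
    {"cwe_id": 103, "scan": "dynamic", "location": "https://app.example/login"},
    {"cwe_id": 117, "scan": "static", "location": "AuditLog.java:17"},
    # CWE-103 is on the 2025 list only: fails for 2025, not for 2021.
    {"cwe_id": 103, "scan": "static", "location": "LoginForm.java:9"},
    # CWE-416 is not in the OWASP table at all.
    {"cwe_id": 416, "scan": "static", "location": "buf.c:88"},
]

if __name__ == "__main__":
    rules = parse_cwe_table(CWE_TABLE_MD)
    for year in (latest_list_year(rules), 2021):
        print(year, policy_violations(SAMPLE_FINDINGS, rules, list_year=year))
```

Run as-is, the script reports three failing findings for the 2025 edition (CWE-89, CWE-117 and the static CWE-103 finding) and only two for 2021, because CWE-103 does not appear on that edition. The dynamic CWE-103 finding and the CWE-416 finding never count, whatever the year.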