CWE Weakness Reference
Free web tool: CWE Weakness Reference
| ID | Name | Category | Severity | OWASP | Description |
|---|---|---|---|---|---|
| CWE-787 | Out-of-bounds Write | Memory | Critical | - | Writing memory outside buffer bounds. Can cause code execution or crash. |
| CWE-79 | Cross-site Scripting (XSS) | Injection | High | A03 | Malicious script injection. Session hijacking, phishing. |
| CWE-89 | SQL Injection | Injection | Critical | A03 | Injecting malicious input into SQL queries. DB exfiltration/manipulation. |
| CWE-416 | Use After Free | Memory | Critical | - | Accessing freed memory. Can lead to code execution. |
| CWE-78 | OS Command Injection | Injection | Critical | A03 | OS command injection. Full system compromise possible. |
| CWE-20 | Improper Input Validation | Injection | High | A03 | Insufficient input validation. Root cause of many attacks. |
| CWE-125 | Out-of-bounds Read | Memory | High | - | Reading data outside buffer bounds. Information disclosure. |
| CWE-22 | Path Traversal | Injection | High | A01 | Path manipulation for arbitrary file access (e.g. ../../../etc/passwd). |
| CWE-352 | Cross-Site Request Forgery | Auth | Medium | A01 | Forging requests without user knowledge. Defend with CSRF tokens. |
| CWE-434 | Unrestricted File Upload | Config | Critical | A04 | Unrestricted file upload. Web shell upload possible. |
| CWE-862 | Missing Authorization | Auth | High | A01 | Missing authorization checks. Unauthorized access possible. |
| CWE-476 | NULL Pointer Dereference | Memory | Medium | - | NULL pointer dereference. Denial of Service (DoS). |
| CWE-287 | Improper Authentication | Auth | Critical | A07 | Improper authentication handling. Authentication bypass possible. |
| CWE-190 | Integer Overflow | Memory | High | - | Integer overflow or wraparound. Unexpected behavior. |
| CWE-502 | Deserialization of Untrusted Data | Injection | Critical | A08 | Deserialization of untrusted data. RCE possible. |
| CWE-918 | Server-Side Request Forgery (SSRF) | Injection | High | A10 | Server makes request to attacker-specified URL. Internal service access possible. |
| CWE-400 | Uncontrolled Resource Consumption | Config | Medium | - | Resource exhaustion attack. Excessive CPU/memory/disk usage causes DoS. |
| CWE-611 | XML External Entity (XXE) | Injection | High | A05 | XML external entity processing. File read, SSRF possible. |
| CWE-295 | Improper Certificate Validation | Config | High | A07 | Improper SSL/TLS certificate validation. Man-in-the-middle attack possible. |
| CWE-798 | Hard-coded Credentials | Auth | Critical | A07 | Credentials hard-coded in source. Authentication bypass. |
| CWE-863 | Incorrect Authorization | Auth | High | A01 | Incorrect authorization checks. Privilege escalation possible. |
| CWE-1321 | Prototype Pollution | Injection | High | A03 | JS prototype pollution. Property injection alters application logic. |
| CWE-77 | Command Injection | Injection | Critical | A03 | Malicious elements injected into command structure. Arbitrary command execution. |
| CWE-269 | Improper Privilege Management | Auth | High | A04 | Privileges assigned, modified, or checked improperly. Unintended privilege escalation possible. |
| CWE-732 | Incorrect Permission Assignment | Config | Medium | A01 | File/resource permission misconfiguration. Unauthorized access possible. |
About CWE Weakness Reference
The CWE Weakness Reference is a free, searchable reference tool covering 15 of the most critical and widely exploited software weaknesses from the Common Weakness Enumeration (CWE) catalogue maintained by MITRE. Each entry includes the CWE identifier, weakness name, severity rating (Critical, High, or Medium), and a concise technical description explaining how the weakness manifests and what attacks it enables.
Software developers, security engineers, penetration testers, code reviewers, and compliance professionals use CWE references daily. When a vulnerability scanner flags an issue, security architects propose mitigations, or a development team conducts a threat model session, having a fast CWE lookup prevents time-consuming searches through the full MITRE catalogue. This tool provides the essential context — what the weakness is, how dangerous it is, and what class of attack it enables — all searchable from a single page.
The reference covers the most impactful entries from the CWE Top 25 Most Dangerous Software Weaknesses list, including memory safety issues (CWE-787 Out-of-bounds Write, CWE-416 Use After Free, CWE-125 Out-of-bounds Read), injection vulnerabilities (CWE-89 SQL Injection, CWE-78 OS Command Injection, CWE-79 Cross-site Scripting), authentication and access control weaknesses (CWE-287 Improper Authentication, CWE-862 Missing Authorization, CWE-352 CSRF), and serialization/file handling issues (CWE-502 Deserialization, CWE-434 Unrestricted File Upload). The search bar filters across CWE ID, name, and description simultaneously.
Key Features
- 15 CWE entries from the MITRE CWE Top 25 Most Dangerous Software Weaknesses
- Severity badges — Critical (red), High (orange), Medium (yellow) — for quick risk assessment
- Full-text search across CWE ID, weakness name, and description
- Concise technical descriptions explaining attack impact for each weakness
- Covers memory safety, injection, XSS, CSRF, authentication, and deserialization categories
- Live result count showing how many entries match the current search query
- 100% client-side — all data embedded, no network request needed
- Bilingual support with Korean and English descriptions for all 15 entries
Frequently Asked Questions
What is CWE?
CWE (Common Weakness Enumeration) is a community-developed list of software and hardware weaknesses maintained by MITRE with support from CISA. Unlike CVE (which catalogs specific vulnerabilities in specific products), CWE classifies the underlying code-level weaknesses that cause vulnerabilities. Understanding CWE helps developers write more secure code and helps security teams prioritize code reviews.
What is the CWE Top 25?
The CWE Top 25 Most Dangerous Software Weaknesses is an annual list published by MITRE and CISA that ranks the most prevalent and impactful software weaknesses based on CVE data analysis. It is widely used by development teams, security programs, and compliance frameworks (including the US government's Secure Software Development Framework) to prioritize security efforts.
What is CWE-787 Out-of-bounds Write?
CWE-787 occurs when software writes data to a memory location outside the intended buffer boundary. This can corrupt adjacent memory, crash the application, or allow an attacker to execute arbitrary code by overwriting function pointers or return addresses. It has ranked #1 on the CWE Top 25 for multiple consecutive years.
What is CWE-79 Cross-site Scripting (XSS)?
CWE-79 occurs when an application includes untrusted data in a web page without proper validation or escaping. Attackers inject malicious scripts that execute in other users' browsers, enabling session hijacking, credential theft, redirects to phishing pages, and other client-side attacks. Prevention involves output encoding and Content Security Policy headers.
What is CWE-89 SQL Injection?
CWE-89 occurs when user-supplied input is incorporated into a SQL query without sanitization. Attackers can manipulate the query to bypass authentication, extract the entire database, modify or delete records, and in some configurations execute operating system commands. Prevention requires parameterized queries or prepared statements.
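As an added illustration of this entry (example code written for this page, not part of the tool): the first login check splices user input into the SQL text, which is exactly the CWE-89 pattern, while the second binds the same input as a parameter so the query's structure cannot change. The users table and the credentials in it are constructed sample data.

```python
import sqlite3


def make_db():
    """Constructed in-memory user store standing in for a real database (sample data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """CWE-89: input becomes part of the SQL text, so input can rewrite the WHERE clause."""
    query = (
        "SELECT username FROM users WHERE username = '" + username
        + "' AND password = '" + password + "'"
    )
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password):
    """Prevention: placeholders keep the statement fixed; input is bound as data only."""
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row is not None


def demo():
    """Run both checks against a legitimate credential and a quote-bearing input."""
    conn = make_db()
    # A password value containing a quote and an OR clause. In the vulnerable version it
    # turns the WHERE clause into (username = 'alice' AND password = '') OR '1'='1',
    # which matches every row; in the parameterized version it is just a wrong password.
    tainted = "' OR '1'='1"
    return {
        "legit_vuln": login_vulnerable(conn, "alice", "correct-horse"),
        "legit_safe": login_parameterized(conn, "alice", "correct-horse"),
        "wrong_safe": login_parameterized(conn, "alice", "wrong"),
        "tainted_vuln": login_vulnerable(conn, "alice", tainted),   # authentication bypassed
        "tainted_safe": login_parameterized(conn, "alice", tainted),  # rejected
    }
```

A useful code-review check is that every query string passed to `execute` is a constant literal with `?` placeholders; any query built by concatenation or f-string formatting of request data is a CWE-89 finding regardless of what filtering precedes it.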
What is the difference between CWE and CVE?
CVE (Common Vulnerabilities and Exposures) identifies specific security vulnerabilities in specific software versions — e.g. CVE-2021-44228 (Log4Shell). CWE identifies the class of weakness that caused the vulnerability — e.g. CWE-502 Deserialization of Untrusted Data. Every CVE typically maps to one or more CWE identifiers.
How do I search for a specific CWE entry?
Type any part of the CWE ID (e.g. "787"), the weakness name (e.g. "injection"), or a keyword from the description (e.g. "memory") into the search bar. The table filters in real time and the result count updates to show how many entries match.
What is CWE-502 Deserialization of Untrusted Data?
CWE-502 occurs when an application deserializes data from an untrusted source without validation. Attackers can craft malicious serialized payloads that trigger arbitrary code execution (RCE) during deserialization. Notable examples include the Apache Commons Collections and Log4Shell exploits. Prevention involves validating the source, using safe serialization formats (JSON), and implementing allowlists for deserializable classes.