Log4Shell
HTML Injection
DDOS
Lack of Binary Hardening
Object Relational Mapping (ORM)
Expression Language (EL)
Object Graph Navigation Library Injection (OGNL)
(CWE-16) Misconfiguration
(CWE-23) Relative Path Traversal
(CWE-20) Improper Input Validation
(CWE-35) Path Traversal
(CWE-61) UNIX Symbolic Link (Symlink Following)
(CWE-75) Failure to Sanitize Special Elements into a Different Plane (Special Element Injection)
(CWE-77) Command Injection - Generic
(CWE-78) OS Command Injection
(CWE-79) Cross-site Scripting (XSS)
(CWE-89) SQL Injection
(CWE-90) LDAP Injection
(CWE-91) XML Injection
(CWE-93) CRLF Injection
(CWE-94) Improper Control of Generation of Code (‘Code Injection’)
(CWE-98) Improper Control of Filename for Include
(CWE-99) Resource Injection
(CWE-113) HTTP Response Splitting
(CWE-117) Improper Handling of URL Encoding (Hex Encoding)
(CWE-119) Memory Corruption - Generic
(CWE-120) Classic Buffer Overflow
(CWE-121) Stack Overflow
(CWE-122) Heap Overflow
(CWE-123) Write-what-where Condition
(CWE-124) Buffer Underflow
(CWE-125) Out-of-bounds Read
(CWE-126) Buffer Over-read
(CWE-127) Buffer Under-read
(CWE-128) Wrap-around Error
(CWE-129) Array Index Underflow
(CWE-131) Incorrect Calculation of Buffer Size
(CWE-134) Use of Externally-Controlled Format String
(CWE-138) Improper Neutralization of Special Elements
(CWE-150) Improper Neutralization of Escape, Meta, or Control Sequences
(CWE-158) Improper Neutralization of Null Byte or NUL Character
(CWE-170) Improper Null Termination
(CWE-184) Incomplete Blacklist
(CWE-190) Integer Overflow
(CWE-191) Integer Underflow
(CWE-193) Off-by-one Error
(CWE-200) Exposure of Sensitive Information to an Unauthorized Actor
(CWE-201) Insertion of Sensitive Information Into Sent Data
(CWE-203) Information Exposure Through Discrepancy
(CWE-208) Information Exposure Through Timing Discrepancy
(CWE-209) Information Exposure Through an Error Message
(CWE-215) Information Exposure Through Debug Information
(CWE-223) Omission of Security-relevant Information
(CWE-250) Execution with Unnecessary Privileges
(CWE-256) Plaintext Storage of a Password
(CWE-257) Storing Passwords in a Recoverable Format
(CWE-259) Use of Hard-coded Password
(CWE-260) Password in Configuration File
(CWE-261) Weak Cryptography for Passwords
(CWE-269) Improper Privilege Management
(CWE-280) Improper Handling of Insufficient Permissions or Privileges
(CWE-284) Improper Access Control - Generic
(CWE-285) Improper Authorization
(CWE-287) Improper Authentication - Generic
(CWE-288) Authentication Bypass Using an Alternate Path or Channel
(CWE-295) Improper Certificate Validation
(CWE-300) Man-in-the-Middle
(CWE-306) Missing Authentication for Critical Function
(CWE-307) Improper Restriction of Authentication Attempts
(CWE-310) Cryptographic Issues - Generic
(CWE-312) Cleartext Storage of Sensitive Information
(CWE-319) Cleartext Transmission of Sensitive Information
(CWE-321) Use of Hard-coded Cryptographic Key
(CWE-322) Key Exchange without Authentication
(CWE-323) Reusing a Nonce, Key Pair in Encryption
(CWE-324) Use of a Key Past its Expiration Date
(CWE-325) Missing Required Cryptographic Step
(CWE-326) Inadequate Encryption Strength
(CWE-327) Use of a Broken or Risky Cryptographic Algorithm
(CWE-328) Reversible One-Way Hash
(CWE-330) Use of Insufficiently Random Values
(CWE-331) Insufficient Entropy
(CWE-338) Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
(CWE-345) Insufficient Verification of Data Authenticity
(CWE-350) Reliance on Reverse DNS Resolution for a Security-Critical Action
(CWE-352) Cross-Site Request Forgery (CSRF)
(CWE-357) Insufficient UI Warning of Dangerous Operations
(CWE-359) Privacy Violation
(CWE-360) Trust of System Event Data
(CWE-362) Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’)
(CWE-367) Time-of-check Time-of-use (TOCTOU) Race Condition
(CWE-377) Insecure Temporary File
(CWE-384) Session Fixation
(CWE-391) Unchecked Error Condition
(CWE-400) Denial of Service
(CWE-415) Double Free
(CWE-416) Use After Free
(CWE-425) Forced Browsing
(CWE-426) Untrusted Search Path
(CWE-434) Unrestricted Upload of File with Dangerous Type
(CWE-444) HTTP Request Smuggling
(CWE-451) User Interface (UI) Misrepresentation of Critical Information
(CWE-457) Use of Uninitialized Variable
(CWE-471) Modification of Assumed-Immutable Data (MAID)
(CWE-476) NULL Pointer Dereference
(CWE-489) Leftover Debug Code (Backdoor)
(CWE-494) Download of Code Without Integrity Check
(CWE-501) Trust Boundary Violation
(CWE-502) Deserialization of Untrusted Data
(CWE-506) Embedded Malicious Code
(CWE-522) Insufficiently Protected Credentials
(CWE-523) Unprotected Transport of Credentials
(CWE-538) File and Directory Information Exposure
(CWE-539) Cookies Insufficiently Protected: Incorrect ‘Domain’ Attribute
(CWE-548) Information Exposure Through Directory Listing
(CWE-601) Open Redirect
(CWE-602) Client-Side Enforcement of Server-Side Security
(CWE-610) Externally Controlled Reference to a Resource in Another Sphere
(CWE-611) XML External Entities (XXE)
(CWE-613) Insufficient Session Expiration
(CWE-617) Reachable Assertion
(CWE-620) Unverified Password Change
(CWE-639) Insecure Direct Object Reference (IDOR)
(CWE-640) Weak Password Recovery Mechanism for Forgotten Password
(CWE-642) External Control of Critical State Data
(CWE-644) Improper Neutralization of HTTP Headers for Scripting Syntax
(CWE-650) Trusting HTTP Permission Methods on the Server Side
(CWE-656) Security Through Obscurity
(CWE-657) Violation of Secure Design Principles
(CWE-674) Uncontrolled Recursion
(CWE-697) Incorrect Comparison
(CWE-703) Improper Check or Handling of Exceptional Conditions
(CWE-706) Use of Incorrectly-Resolved Name or Reference
(CWE-732) Incorrect Permission Assignment for Critical Resource
(CWE-749) Exposed Dangerous Method or Function
(CWE-770) Allocation of Resources Without Limits or Throttling
(CWE-776) XML Entity Expansion
(CWE-778) Insufficient Logging
(CWE-784) Reliance on Cookies without Validation and Integrity Checking in a Security Decision
(CWE-787) Out-of-bounds Write
(CWE-798) Use of Hard-coded Credentials
(CWE-799) Improper Control of Interaction Frequency
(CWE-807) Reliance on Untrusted Inputs in a Security Decision
(CWE-829) Inclusion of Functionality from Untrusted Control Sphere
(CWE-840) Business Logic Errors
(CWE-843) Type Confusion
(CWE-862) Missing Authorization
(CWE-863) Incorrect Authorization
(CWE-922) Insecure Storage of Sensitive Information
(CWE-918) Server-Side Request Forgery (SSRF)
(CWE-926) Improper Export of Android Application Components
(CWE-941) Incorrectly Specified Destination in a Communication Channel
(CWE-1035) Using Components with Known Vulnerabilities
(CWE-1321) Improperly Controlled Modification of Object Prototype Attributes (‘Prototype Pollution’)
(CWE-1336) Improper Neutralization of Special Elements Used in a Template Engine
(CAPEC-98) Phishing
(CAPEC-103) UI Redressing (Clickjacking)
(CAPEC-209) XSS Using MIME Type Mismatch
(CAPEC-233) Privilege Escalation
(CAPEC-549) Malware