| Rank |
Item |
| 1 |
CWE-20: Improper Input Validation |
| 2 |
CWE-116: Improper Encoding or Escaping of Output |
| 3 |
CWE-89: Failure to Preserve SQL Query Structure (aka 'SQL Injection') |
| 4 |
Cross-site scripting |
| 5 |
CWE-78: Failure to Preserve OS Command Structure (aka 'OS Command Injection') |
| 6 |
CWE-319: Cleartext Transmission of Sensitive Information |
| 8 |
CWE-362: Race Condition |
| 9 |
CWE-209: Error Message Information Leak |
| 10 |
CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer |
| 11 |
CWE-642: External Control of Critical State Data |
| 12 |
CWE-73: External Control of File Name or Path |
| 13 |
CWE-426: Untrusted Search Path |
| 14 |
CWE-94: Failure to Control Generation of Code (aka 'Code Injection') |
| 15 |
CWE-494: Download of Code Without Integrity Check |
| 16 |
CWE-404: Improper Resource Shutdown or Release |
| 17 |
CWE-665: Improper Initialization |
| 18 |
CWE-682: Incorrect Calculation |
| 19 |
CWE-285: Improper Access Control (Authorization) |
| 20 |
CWE-327: Use of a Broken or Risky Cryptographic Algorithm |
| 21 |
CWE-259: Hard-Coded Password |
| 22 |
CWE-732: Insecure Permission Assignment for Critical Resource |
| 23 |
CWE-330: Use of Insufficiently Random Values |
| 24 |
CWE-250: Execution with Unnecessary Privileges |
| 25 |
CWE-602: Client-Side Enforcement of Server-Side Security |
