Common Weakness Enumeration (CWE) Class

The Common Weakness Enumeration (CWE) is an "encyclopedia" of over 600 types of software weaknesses [1]. Some of the classes are buffer overflow, directory traversal, OS injection, race condition, cross-site scripting, hard-coded password and insecure random numbers. CWE is a widely used compilation, which has gone through many iterations. Many tools and projects are based on it. Each CWE has a variety of information, such as a description summary, an extended description, a white-box definition, consequences, examples, background details and other notes, recorded occurrences (Common Vulnerabilities and Exposures, or CVE), mitigations, relations to other CWEs, and references.

Examples

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CWE-226: Sensitive Information Uncleared Before Release
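To make the first example concrete, the following is an added illustration (not part of the original page or of the CWE entry itself) of what CWE-89's "improper neutralization of special elements" means in code. It builds a constructed in-memory SQLite table, queries it once with the input spliced into the SQL text and once with a bound parameter, and shows that the same quote-containing input changes the meaning of the first query but is treated as plain data by the second. Table and column names, and the sample rows, are assumptions made for the example.

```python
import sqlite3


def make_db():
    """Constructed sample data: a small users table in an in-memory database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def lookup_vulnerable(conn, name):
    # CWE-89: the untrusted value is concatenated into the statement text, so
    # quote characters in it are interpreted as SQL syntax, not as data.
    query = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn, name):
    # Mitigation: a bound parameter is passed to the driver separately from
    # the statement, so the value can never alter the query's structure.
    query = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]


def demonstrate():
    """Return (vulnerable_result, parameterized_result) for one quote-bearing input."""
    conn = make_db()
    probe = "' OR '1'='1"  # constructed input containing SQL special characters
    return lookup_vulnerable(conn, probe), lookup_parameterized(conn, probe)


if __name__ == "__main__":
    vuln, safe = demonstrate()
    print("vulnerable query returned:", vuln)      # every row: the WHERE clause was rewritten
    print("parameterized query returned:", safe)   # no rows: no user has that literal name
```

The difference in the two result lists is the whole weakness class in miniature: neutralization is not about stripping characters from input, but about keeping data and statement structure on separate channels, which is what bound parameters do.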

Notes

CWEs are a rich source of material for software developers and superior to anything that existed before. However, for very formal, exacting work, CWE definitions are often inaccurate, imprecise or ambiguous, and the various definitions within one CWE can be inconsistent. Each CWE bundles many stages, such as likely attacks, resources affected and consequences. The coverage is uneven, with some combinations of attributes well represented and others not appearing at all.

References