
CWE Top 25 (2021*)

Language columns in the source table: Java, C#, C/C++, CUDA, Obj-C, JavaScript/TypeScript, Kotlin, Node.js, Android, Swift, Python 3.x, PHP, Scala, VB.NET, Ruby, Go, Apex.

| Rank | Weakness | CWE |
|------|----------|-----|
| 1 | Out-of-bounds Write | CWE-787 |
| 2 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | CWE-79 |
| 3 | Out-of-bounds Read | CWE-125 |
| 4 | Improper Input Validation | CWE-20 |
| 5 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | CWE-78 |
| 6 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | CWE-89 |
| 7 | Use After Free | CWE-416 |
| 8 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | CWE-22 |
| 9 | Cross-Site Request Forgery (CSRF) | CWE-352 |
| 10 | Unrestricted Upload of File with Dangerous Type | CWE-434 |
| 11 | Missing Authentication for Critical Function | CWE-306 |
| 12 | Integer Overflow or Wraparound | CWE-190 |
| 13 | Deserialization of Untrusted Data | CWE-502 |
| 14 | Improper Authentication | CWE-287 |
| 15 | NULL Pointer Dereference | CWE-476 |
| 16 | Use of Hard-coded Credentials | CWE-798 |
| 17 | Improper Restriction of Operations within the Bounds of a Memory Buffer | CWE-119 |
| 18 | Missing Authorization | CWE-862 |
| 19 | Incorrect Default Permissions | CWE-276 |
| 20 | Exposure of Sensitive Information to an Unauthorized Actor | CWE-200 |
| 21 | Insufficiently Protected Credentials | CWE-522 |
| 22 | Incorrect Permission Assignment for Critical Resource | CWE-732 |
| 23 | Improper Restriction of XML External Entity Reference | CWE-611 |
| 24 | Server-Side Request Forgery (SSRF) | CWE-918 |
| 25 | Improper Neutralization of Special Elements used in a Command ('Command Injection') | CWE-77 |

*This table refers to Coverity® Static Analysis support for CWE Top 25 (version 2021). The MITRE CWE Top 25 (version 2021) can be found online.