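| CWE Top 25 (2021*) | CWE | Java | C# | C/C++ | CUDA | Obj-C | JavaScript/TypeScript | Kotlin | Node.js | Android | Swift | Python 3.x | PHP | Scala | VB.NET | Ruby | Go | Apex |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 1. Out-of-bounds Write | 787 | | | | | | | | | | | | | | | | | |
| 2. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 79 | | | | | | | | | | | | | | | | | |
| 3. Out-of-bounds Read | 125 | | | | | | | | | | | | | | | | | |
| 4. Improper Input Validation | 20 | | | | | | | | | | | | | | | | | |
| 5. Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | 78 | | | | | | | | | | | | | | | | | |
| 6. Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 89 | | | | | | | | | | | | | | | | | |
| 7. Use After Free | 416 | | | | | | | | | | | | | | | | | |
| 8. Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 22 | | | | | | | | | | | | | | | | | |
| 9. Cross-Site Request Forgery (CSRF) | 352 | | | | | | | | | | | | | | | | | |
| 10. Unrestricted Upload of File with Dangerous Type | 434 | | | | | | | | | | | | | | | | | |
| 11. Missing Authentication for Critical Function | 306 | | | | | | | | | | | | | | | | | |
| 12. Integer Overflow or Wraparound | 190 | | | | | | | | | | | | | | | | | |
| 13. Deserialization of Untrusted Data | 502 | | | | | | | | | | | | | | | | | |
| 14. Improper Authentication | 287 | | | | | | | | | | | | | | | | | |
| 15. NULL Pointer Dereference | 476 | | | | | | | | | | | | | | | | | |
| 16. Use of Hard-coded Credentials | 798 | | | | | | | | | | | | | | | | | |
| 17. Improper Restriction of Operations within the Bounds of a Memory Buffer | 119 | | | | | | | | | | | | | | | | | |
| 18. Missing Authorization | 862 | | | | | | | | | | | | | | | | | |
| 19. Incorrect Default Permissions | 276 | | | | | | | | | | | | | | | | | |
| 20. Exposure of Sensitive Information to an Unauthorized Actor | 200 | | | | | | | | | | | | | | | | | |
| 21. Insufficiently Protected Credentials | 522 | | | | | | | | | | | | | | | | | |
| 22. Incorrect Permission Assignment for Critical Resource | 732 | | | | | | | | | | | | | | | | | |
| 23. Improper Restriction of XML External Entity Reference | 611 | | | | | | | | | | | | | | | | | |
| 24. Server-Side Request Forgery (SSRF) | 918 | | | | | | | | | | | | | | | | | |
| 25. Improper Neutralization of Special Elements used in a Command ('Command Injection') | 77 | | | | | | | | | | | | | | | | | |
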
*This table refers to Coverity® Static Analysis support for CWE Top 25 (version 2021). The MITRE CWE Top 25 (version 2021) can be found online.