2010 Top 25 - Weaknesses On the Cusp

The product provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous meth...

The product initializes critical internal variables or data stores using inputs that can be modified by untrusted actors.

The product uses a CAPTCHA challenge, but the challenge can be guessed or automatically recognized by a non-human actor.

The product does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests.

The product attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an uni...

The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the ...

The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute fo...

When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting va...

The product does not initialize critical variables, which causes the execution environment to use unexpected values.

The product does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.

A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.

The product searches for critical resources using an externally-supplied search path that can point to resources that are not under the product's direct control.

Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

The product uses a function that accepts a format string as an argument, but the format string originates from an external source.

The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

CWE entries in this view (graph) are listed in the 2010 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is availa...