2010 Top 25 - Weaknesses On the Cusp

The software provides an Applications Programming Interface (API) or similar interface for interaction with external actors, but the interface includes a dangerous met...

The software initializes critical internal variables or data stores using inputs that can be modified by untrusted actors.

The software uses a CAPTCHA challenge, but the challenge can be guessed or automatically recognized by a non-human actor.

The software does not properly limit the number or frequency of interactions that it has with an actor, such as the number of incoming requests.

The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an un...

The product stores, transfers, or shares a resource that contains sensitive information, but it does not properly remove that information before the product makes the ...

The software does not implement sufficient measures to prevent multiple failed authentication attempts within in a short time frame, making it more susceptible to brut...

When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting va...

The software does not initialize critical variables, which causes the execution environment to use unexpected values.

The software does not release a resource after its effective lifetime has ended, i.e., after the resource is no longer needed.

A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

The software uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.

The application searches for critical resources using an externally-supplied search path that can point to resources that are not under the application's direct control.

Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

The software uses a function that accepts a format string as an argument, but the format string originates from an external source.

The software uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

CWE entries in this view (graph) are listed in the 2010 CWE/SANS Top 25 Programming Errors. This view is considered obsolete as a newer version of the Top 25 is availa...