A04:2025 Cryptographic Failures

OWASP Top 10:2025 · Back to the list

Sensitive data exposed in transit or at rest due to absent, weak, or misused cryptography.

Member CWEs (32)

• CWE-261 Weak Encoding for Password
• CWE-296 Improper Following of a Certificate's Chain of Trust
• CWE-319 Cleartext Transmission of Sensitive Information
• CWE-320
• CWE-321 Use of Hard-coded Cryptographic Key
• CWE-322 Key Exchange without Entity Authentication
• CWE-323 Reusing a Nonce, Key Pair in Encryption
• CWE-324 Use of a Key Past its Expiration Date
• CWE-325 Missing Cryptographic Step
• CWE-326 Inadequate Encryption Strength
• CWE-327 Use of a Broken or Risky Cryptographic Algorithm
• CWE-328 Use of Weak Hash
• CWE-329 Generation of Predictable IV with CBC Mode
• CWE-330 Use of Insufficiently Random Values
• CWE-331 Insufficient Entropy
• CWE-332 Insufficient Entropy in PRNG
• CWE-334 Small Space of Random Values
• CWE-335 Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)
• CWE-336 Same Seed in Pseudo-Random Number Generator (PRNG)
• CWE-337 Predictable Seed in Pseudo-Random Number Generator (PRNG)
• CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
• CWE-340 Generation of Predictable Numbers or Identifiers
• CWE-342 Predictable Exact Value from Previous Values
• CWE-347 Improper Verification of Cryptographic Signature
• CWE-523 Unprotected Transport of Credentials
• CWE-757 Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
• CWE-759 Use of a One-Way Hash without a Salt
• CWE-760 Use of a One-Way Hash with a Predictable Salt
• CWE-780 Use of RSA Algorithm without OAEP
• CWE-916 Use of Password Hash With Insufficient Computational Effort
• CWE-1240 Use of a Cryptographic Primitive with a Risky Implementation
• CWE-1241 Use of Predictable Algorithm in Random Number Generator

Tagged CVEs (showing 50 most recent of 3,962)

• CVE-2026-8803
• CVE-2026-8739
• CVE-2026-8700
• CVE-2026-8503
• CVE-2026-8243
• CVE-2026-8072
• CVE-2026-7847
• CVE-2026-7845
• CVE-2026-7689
• CVE-2026-7610
• CVE-2026-7306
• CVE-2026-7210
• CVE-2026-7103
• CVE-2026-7018
• CVE-2026-6986
• CVE-2026-6966
• CVE-2026-6911
• CVE-2026-6787
• CVE-2026-6659
• CVE-2026-6611
• CVE-2026-6580
• CVE-2026-6550
• CVE-2026-6420
• CVE-2026-6411
• CVE-2026-6328
• CVE-2026-6276
• CVE-2026-6146
• CVE-2026-6066
• CVE-2026-5926
• CVE-2026-5889
• CVE-2026-5682
• CVE-2026-5622
• CVE-2026-5588
• CVE-2026-5549
• CVE-2026-5527
• CVE-2026-5471
• CVE-2026-5466
• CVE-2026-5462
• CVE-2026-5458
• CVE-2026-5457
• CVE-2026-5456
• CVE-2026-5455
• CVE-2026-5454
• CVE-2026-5453
• CVE-2026-5452
• CVE-2026-5446
• CVE-2026-5426
• CVE-2026-5420
• CVE-2026-5363
• CVE-2026-5310

Data: OWASP Top 10:2025 (CC BY-SA 4.0) · CWE memberships from cwe-api.mitre.org (meta-category CWE-1439).