A06:2025 Insecure Design

OWASP Top 10:2025 · Back to the list

Design-level weaknesses — missing or flawed controls baked into the architecture, irrespective of implementation quality.

Member CWEs (39)

• CWE-73 External Control of File Name or Path
• CWE-183 Permissive List of Allowed Inputs
• CWE-256 Plaintext Storage of a Password
• CWE-266 Incorrect Privilege Assignment
• CWE-269 Improper Privilege Management
• CWE-286 Incorrect User Management
• CWE-311 Missing Encryption of Sensitive Data
• CWE-312 Cleartext Storage of Sensitive Information
• CWE-313 Cleartext Storage in a File or on Disk
• CWE-316 Cleartext Storage of Sensitive Information in Memory
• CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
• CWE-382 J2EE Bad Practices: Use of System.exit()
• CWE-419 Unprotected Primary Channel
• CWE-434 Unrestricted Upload of File with Dangerous Type
• CWE-436 Interpretation Conflict
• CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
• CWE-451 User Interface (UI) Misrepresentation of Critical Information
• CWE-454 External Initialization of Trusted Variables or Data Stores
• CWE-472 External Control of Assumed-Immutable Web Parameter
• CWE-501 Trust Boundary Violation
• CWE-522 Insufficiently Protected Credentials
• CWE-525 Use of Web Browser Cache Containing Sensitive Information
• CWE-539 Use of Persistent Cookies Containing Sensitive Information
• CWE-598 Use of GET Request Method With Sensitive Query Strings
• CWE-602 Client-Side Enforcement of Server-Side Security
• CWE-628 Function Call with Incorrectly Specified Arguments
• CWE-642 External Control of Critical State Data
• CWE-646 Reliance on File Name or Extension of Externally-Supplied File
• CWE-653 Improper Isolation or Compartmentalization
• CWE-656 Reliance on Security Through Obscurity
• CWE-657 Violation of Secure Design Principles
• CWE-676 Use of Potentially Dangerous Function
• CWE-693 Protection Mechanism Failure
• CWE-799 Improper Control of Interaction Frequency
• CWE-807 Reliance on Untrusted Inputs in a Security Decision
• CWE-841 Improper Enforcement of Behavioral Workflow
• CWE-1021 Improper Restriction of Rendered UI Layers or Frames
• CWE-1022 Use of Web Link to Untrusted Target with window.opener Access
• CWE-1125 Excessive Attack Surface

Tagged CVEs (showing 50 most recent of 15,169)

• CVE-2026-9157
• CVE-2026-9116
• CVE-2026-9115
• CVE-2026-9110
• CVE-2026-9102
• CVE-2026-8972
• CVE-2026-8970
• CVE-2026-8969
• CVE-2026-8964
• CVE-2026-8962
• CVE-2026-8959
• CVE-2026-8958
• CVE-2026-8957
• CVE-2026-8955
• CVE-2026-8952
• CVE-2026-8945
• CVE-2026-8758
• CVE-2026-8752
• CVE-2026-8747
• CVE-2026-8743
• CVE-2026-8741
• CVE-2026-8719
• CVE-2026-8596
• CVE-2026-8585
• CVE-2026-8584
• CVE-2026-8583
• CVE-2026-8577
• CVE-2026-8573
• CVE-2026-8572
• CVE-2026-8571
• CVE-2026-8568
• CVE-2026-8567
• CVE-2026-8565
• CVE-2026-8564
• CVE-2026-8563
• CVE-2026-8561
• CVE-2026-8559
• CVE-2026-8534
• CVE-2026-8532
• CVE-2026-8520
• CVE-2026-8519
• CVE-2026-8510
• CVE-2026-8401
• CVE-2026-8368
• CVE-2026-8241
• CVE-2026-8233
• CVE-2026-8148
• CVE-2026-8127
• CVE-2026-8069
• CVE-2026-8043

Data: OWASP Top 10:2025 (CC BY-SA 4.0) · CWE memberships from cwe-api.mitre.org (meta-category CWE-1441).