A02:2025 Security Misconfiguration
Defaults are weak, hardening is incomplete, and cloud, framework and server settings leave attack surface exposed.
Member CWEs (16)
- CWE-5 J2EE Misconfiguration: Data Transmission Without Encryption
- CWE-11 ASP.NET Misconfiguration: Creating Debug Binary
- CWE-13 ASP.NET Misconfiguration: Password in Configuration File
- CWE-15 External Control of System or Configuration Setting
- CWE-16
- CWE-260 Password in Configuration File
- CWE-315 Cleartext Storage of Sensitive Information in a Cookie
- CWE-489 Active Debug Code
- CWE-526 Cleartext Storage of Sensitive Information in an Environment Variable
- CWE-547 Use of Hard-coded, Security-relevant Constants
- CWE-611 Improper Restriction of XML External Entity Reference
- CWE-614 Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
- CWE-776 Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
- CWE-942 Permissive Cross-domain Security Policy with Untrusted Domains
- CWE-1004 Sensitive Cookie Without 'HttpOnly' Flag
- CWE-1174 ASP.NET Misconfiguration: Improper Model Validation
Mapped NIST 800-53 r5 controls (3)
Our two-way, human-QA’d reading of how this category and each NIST 800-53 control relate. No external body publishes an OWASP→800-53 mapping, so these are our assessment.
Direction: ← other covers this; → this covers other (F/M/P = full / mostly / partial).
Tagged CVEs (showing 50 most recent of 2,065)
Data: OWASP Top 10:2025 (CC BY-SA 4.0) · CWE memberships from cwe-api.mitre.org (meta-category CWE-1437).