A04:2025 Cryptographic Failures
Sensitive data exposed in transit or at rest due to absent, weak, or misused cryptography.
Member CWEs (32)
- CWE-261 Weak Encoding for Password
- CWE-296 Improper Following of a Certificate's Chain of Trust
- CWE-319 Cleartext Transmission of Sensitive Information
- CWE-320
- CWE-321 Use of Hard-coded Cryptographic Key
- CWE-322 Key Exchange without Entity Authentication
- CWE-323 Reusing a Nonce, Key Pair in Encryption
- CWE-324 Use of a Key Past its Expiration Date
- CWE-325 Missing Cryptographic Step
- CWE-326 Inadequate Encryption Strength
- CWE-327 Use of a Broken or Risky Cryptographic Algorithm
- CWE-328 Use of Weak Hash
- CWE-329 Generation of Predictable IV with CBC Mode
- CWE-330 Use of Insufficiently Random Values
- CWE-331 Insufficient Entropy
- CWE-332 Insufficient Entropy in PRNG
- CWE-334 Small Space of Random Values
- CWE-335 Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)
- CWE-336 Same Seed in Pseudo-Random Number Generator (PRNG)
- CWE-337 Predictable Seed in Pseudo-Random Number Generator (PRNG)
- CWE-338 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)
- CWE-340 Generation of Predictable Numbers or Identifiers
- CWE-342 Predictable Exact Value from Previous Values
- CWE-347 Improper Verification of Cryptographic Signature
- CWE-523 Unprotected Transport of Credentials
- CWE-757 Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
- CWE-759 Use of a One-Way Hash without a Salt
- CWE-760 Use of a One-Way Hash with a Predictable Salt
- CWE-780 Use of RSA Algorithm without OAEP
- CWE-916 Use of Password Hash With Insufficient Computational Effort
- CWE-1240 Use of a Cryptographic Primitive with a Risky Implementation
- CWE-1241 Use of Predictable Algorithm in Random Number Generator
Mapped NIST 800-53 r5 controls (3)
Our two-way, human-QA’d reading of how this category and each NIST 800-53 control relate. No external body publishes an OWASP→800-53 mapping, so these are our assessment.
Direction: ← other covers this; → this covers other (F/M/P = full / mostly / partial).
Tagged CVEs (showing 50 most recent of 4,157)
Data: OWASP Top 10:2025 (CC BY-SA 4.0) · CWE memberships from cwe-api.mitre.org (meta-category CWE-1439).