A06:2025 Insecure Design
Design-level weaknesses — missing or flawed controls baked into the architecture, irrespective of implementation quality.
Member CWEs (39)
- CWE-73 External Control of File Name or Path
- CWE-183 Permissive List of Allowed Inputs
- CWE-256 Plaintext Storage of a Password
- CWE-266 Incorrect Privilege Assignment
- CWE-269 Improper Privilege Management
- CWE-286 Incorrect User Management
- CWE-311 Missing Encryption of Sensitive Data
- CWE-312 Cleartext Storage of Sensitive Information
- CWE-313 Cleartext Storage in a File or on Disk
- CWE-316 Cleartext Storage of Sensitive Information in Memory
- CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
- CWE-382 J2EE Bad Practices: Use of System.exit()
- CWE-419 Unprotected Primary Channel
- CWE-434 Unrestricted Upload of File with Dangerous Type
- CWE-436 Interpretation Conflict
- CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
- CWE-451 User Interface (UI) Misrepresentation of Critical Information
- CWE-454 External Initialization of Trusted Variables or Data Stores
- CWE-472 External Control of Assumed-Immutable Web Parameter
- CWE-501 Trust Boundary Violation
- CWE-522 Insufficiently Protected Credentials
- CWE-525 Use of Web Browser Cache Containing Sensitive Information
- CWE-539 Use of Persistent Cookies Containing Sensitive Information
- CWE-598 Use of HTTP Request With Sensitive Query String
- CWE-602 Client-Side Enforcement of Server-Side Security
- CWE-628 Function Call with Incorrectly Specified Arguments
- CWE-642 External Control of Critical State Data
- CWE-646 Reliance on File Name or Extension of Externally-Supplied File
- CWE-653 Improper Isolation or Compartmentalization
- CWE-656 Reliance on Security Through Obscurity
- CWE-657 Violation of Secure Design Principles
- CWE-676 Use of Potentially Dangerous Function
- CWE-693 Protection Mechanism Failure
- CWE-799 Improper Control of Interaction Frequency
- CWE-807 Reliance on Untrusted Inputs in a Security Decision
- CWE-841 Improper Enforcement of Behavioral Workflow
- CWE-1021 Improper Restriction of Rendered UI Layers or Frames
- CWE-1022 Use of Web Link to Untrusted Target with window.opener Access
- CWE-1125 Excessive Attack Surface
Mapped NIST 800-53 r5 controls (7)
Our two-way, human-QA’d reading of how this category and each NIST 800-53 control relate. No external body publishes an OWASP→800-53 mapping, so these are our assessment.
Direction: ← other covers this; → this covers other (F/M/P = full / mostly / partial).
Tagged CVEs (showing 50 most recent of 16,104)
- CVE-2026-59093
- CVE-2026-58055
- CVE-2026-58054
- CVE-2026-58053
- CVE-2026-58052
- CVE-2026-57995
- CVE-2026-57913
- CVE-2026-57912
- CVE-2026-57700
- CVE-2026-57692
- CVE-2026-57658
- CVE-2026-57536
- CVE-2026-57302
- CVE-2026-57287
- CVE-2026-57281
- CVE-2026-57280
- CVE-2026-56783
- CVE-2026-56693
- CVE-2026-56414
- CVE-2026-56290
- CVE-2026-56256
- CVE-2026-56251
- CVE-2026-56247
- CVE-2026-56245
- CVE-2026-56239
- CVE-2026-56225
- CVE-2026-56216
- CVE-2026-56212
- CVE-2026-56059
- CVE-2026-56058
- CVE-2026-56033
- CVE-2026-56030
- CVE-2026-56028
- CVE-2026-56027
- CVE-2026-56010
- CVE-2026-56008
- CVE-2026-55700
- CVE-2026-55699
- CVE-2026-55628
- CVE-2026-55568
- CVE-2026-55487
- CVE-2026-55477
- CVE-2026-55188
- CVE-2026-55180
- CVE-2026-54807
- CVE-2026-54805
- CVE-2026-54762
- CVE-2026-54415
- CVE-2026-54414
- CVE-2026-54388
Data: OWASP Top 10:2025 (CC BY-SA 4.0) · CWE memberships from cwe-api.mitre.org (meta-category CWE-1441).