MITRE 2023 CWE Top 25
The 25 most dangerous bug classes. 19 of them caught by GateTest.
MITRE's annual CWE Top 25 ranks the most dangerous software weaknesses by prevalence and severity. We show which classes GateTest catches today, which we don't, and the fix shape for each.
Honest scoring — we cover the web-stack and infrastructure-as-code classes. The C/C++ memory-safety classes (out-of-bounds writes, use-after-free, NULL deref) we don't scan today. Each page says so.
#1 in Top 25: CWE-787, Out-of-bounds Write. Not covered. A buffer write that lands outside the allocated bounds, corrupting memory and enabling exploitation. Almost exclusively …
#2 in Top 25: CWE-79, Cross-Site Scripting (XSS). Caught. User-controlled input is rendered into HTML or JavaScript context without escaping, letting an attacker execute script i…
#3 in Top 25: CWE-89, SQL Injection. Caught. User input is concatenated directly into a SQL query, letting the attacker change the query's logic — read other users' …
#4 in Top 25: CWE-416, Use After Free. Not covered. Memory is referenced after it has been freed. Common in C/C++; a frequent root cause of zero-day exploits in browsers an…
#5 in Top 25: CWE-78, OS Command Injection. Caught. User input is interpolated into a shell command, letting the attacker execute arbitrary commands on the host.
#6 in Top 25: CWE-20, Improper Input Validation. Caught. The application accepts input without validating shape, length, range, or type — and that input later violates an assump…
#7 in Top 25: CWE-125, Out-of-bounds Read. Not covered. Reading memory outside an allocated buffer. Leaks adjacent data, sometimes secrets. C/C++ class.
#8 in Top 25: CWE-22, Path Traversal. Caught. User input is used as a file path without restricting it to an intended directory, letting the attacker read or write ar…
#9 in Top 25: CWE-352, Cross-Site Request Forgery (CSRF). Caught. An attacker tricks an authenticated user's browser into making a request to your site, riding the user's session cookie.
#10 in Top 25: CWE-434, Unrestricted Upload of File with Dangerous Type. Caught. Accepting arbitrary file uploads without validating type, size, or content, letting an attacker upload a .php, .jsp, or …
#11 in Top 25: CWE-862, Missing Authorization. Caught. An endpoint enforces authentication but not authorisation — any logged-in user can access any other user's data.
#12 in Top 25: CWE-476, NULL Pointer Dereference. Not covered. Dereferencing a pointer that may be NULL, causing a crash or worse. C/C++/Java NullPointerException class.
#13 in Top 25: CWE-287, Improper Authentication. Caught. Authentication is incorrectly implemented — weak password rules, accepting tokens without verifying signature, accepting…
#14 in Top 25: CWE-190, Integer Overflow or Wraparound. Not covered. Arithmetic produces a result the variable's type can't hold, wrapping silently. Most common in lower-level languages.
#15 in Top 25: CWE-502, Deserialization of Untrusted Data. Caught. Deserialising attacker-controlled bytes into native objects, letting the attacker construct unexpected types that trigge…
#16 in Top 25: CWE-77, Command Injection. Caught. Like OS Command Injection (CWE-78) but broader — any interpreter that builds commands from input is vulnerable.
#17 in Top 25: CWE-119, Buffer Overflow. Not covered. Writes past the end of a buffer. Classic memory-safety bug; almost always C/C++.
#18 in Top 25: CWE-798, Use of Hard-coded Credentials. Caught. API keys, passwords, tokens, or private keys are committed directly into source code where anyone with repo access (or g…
#19 in Top 25: CWE-918, Server-Side Request Forgery (SSRF). Caught. An endpoint fetches a URL from user input without validating the destination, letting an attacker hit internal services …
#20 in Top 25: CWE-306, Missing Authentication for Critical Function. Caught. An endpoint that performs a critical action (delete account, change password, transfer funds) doesn't require authentica…
#21 in Top 25: CWE-362, Race Condition. Caught. Two execution paths share state without proper synchronisation; the outcome depends on timing. Classic forms include TOC…
#22 in Top 25: CWE-269, Improper Privilege Management. Caught. Code runs with more privilege than it needs, or fails to drop privileges before processing untrusted input.
#23 in Top 25: CWE-94, Code Injection. Caught. User input is evaluated as code — eval(), Function(), exec(), or template engines that allow expression execution.
#24 in Top 25: CWE-863, Incorrect Authorization. Caught. Authorisation is implemented but wrong — checking the wrong field, comparing strings non-constant-time, or allowing the …
#25 in Top 25: CWE-276, Incorrect Default Permissions. Caught. Files, directories, S3 buckets, or database tables are created with overly permissive default access (world-readable, pu…
Scan for 19 CWE classes in one run.
110 modules. Per-scan pricing. AI auto-fix PR on Scan + Fix and Forensic Scan tiers.