CWE coverage for Python¶
An overview of CWE coverage for Python in the latest release of CodeQL.
Overview¶
| CWE | Language | Query id | Query name |
|---|---|---|---|
| CWE‑20 | Python | py/count-untrusted-data-external-api | Frequency counts for external APIs that are used with untrusted data |
| CWE‑20 | Python | py/untrusted-data-to-external-api | Untrusted data passed to external API |
| CWE‑20 | Python | py/incomplete-hostname-regexp | Incomplete regular expression for hostnames |
| CWE‑20 | Python | py/incomplete-url-substring-sanitization | Incomplete URL substring sanitization |
| CWE‑20 | Python | py/bad-tag-filter | Bad HTML filtering regexp |
| CWE‑22 | Python | py/path-injection | Uncontrolled data used in path expression |
| CWE‑22 | Python | py/tarslip | Arbitrary file write during tarfile extraction |
| CWE‑22 | Python | py/zipslip | Arbitrary file write during archive extraction ("Zip Slip") |
| CWE‑23 | Python | py/path-injection | Uncontrolled data used in path expression |
| CWE‑36 | Python | py/path-injection | Uncontrolled data used in path expression |
| CWE‑73 | Python | py/path-injection | Uncontrolled data used in path expression |
| CWE‑74 | Python | py/path-injection | Uncontrolled data used in path expression |
| CWE‑74 | Python | py/command-line-injection | Uncontrolled command line |
| CWE‑74 | Python | py/jinja2/autoescape-false | Jinja2 templating with autoescape=False |
| CWE‑74 | Python | py/reflective-xss | Reflected server-side cross-site scripting |
| CWE‑74 | Python | py/sql-injection | SQL query built from user-controlled sources |
| CWE‑74 | Python | py/ldap-injection | LDAP query built from user-controlled sources |
| CWE‑74 | Python | py/code-injection | Code injection |
| CWE‑74 | Python | py/xpath-injection | XPath query built from user-controlled sources |
| CWE‑74 | Python | py/template-injection | Server Side Template Injection |
| CWE‑74 | Python | py/xslt-injection | XSLT query built from user-controlled sources |
| CWE‑74 | Python | py/header-injection | HTTP Header Injection |
| CWE‑74 | Python | py/nosql-injection | NoSQL Injection |
| CWE‑77 | Python | py/command-line-injection | Uncontrolled command line |
| CWE‑78 | Python | py/command-line-injection | Uncontrolled command line |
| CWE‑79 | Python | py/jinja2/autoescape-false | Jinja2 templating with autoescape=False |
| CWE‑79 | Python | py/reflective-xss | Reflected server-side cross-site scripting |
| CWE‑79 | Python | py/header-injection | HTTP Header Injection |
| CWE‑88 | Python | py/command-line-injection | Uncontrolled command line |
| CWE‑89 | Python | py/sql-injection | SQL query built from user-controlled sources |
| CWE‑90 | Python | py/ldap-injection | LDAP query built from user-controlled sources |
| CWE‑91 | Python | py/xpath-injection | XPath query built from user-controlled sources |
| CWE‑91 | Python | py/xslt-injection | XSLT query built from user-controlled sources |
| CWE‑93 | Python | py/header-injection | HTTP Header Injection |
| CWE‑94 | Python | py/code-injection | Code injection |
| CWE‑95 | Python | py/code-injection | Code injection |
| CWE‑99 | Python | py/path-injection | Uncontrolled data used in path expression |
| CWE‑113 | Python | py/header-injection | HTTP Header Injection |
| CWE‑116 | Python | py/reflective-xss | Reflected server-side cross-site scripting |
| CWE‑116 | Python | py/code-injection | Code injection |
| CWE‑116 | Python | py/bad-tag-filter | Bad HTML filtering regexp |
| CWE‑116 | Python | py/log-injection | Log Injection |
| CWE‑117 | Python | py/log-injection | Log Injection |
| CWE‑185 | Python | py/bad-tag-filter | Bad HTML filtering regexp |
| CWE‑186 | Python | py/bad-tag-filter | Bad HTML filtering regexp |
| CWE‑200 | Python | py/bind-socket-all-network-interfaces | Binding a socket to all network interfaces |
| CWE‑200 | Python | py/stack-trace-exposure | Information exposure through an exception |
| CWE‑200 | Python | py/flask-debug | Flask app is run in debug mode |
| CWE‑200 | Python | py/clear-text-logging-sensitive-data | Clear-text logging of sensitive information |
| CWE‑200 | Python | py/clear-text-storage-sensitive-data | Clear-text storage of sensitive information |
| CWE‑209 | Python | py/stack-trace-exposure | Information exposure through an exception |
| CWE‑215 | Python | py/flask-debug | Flask app is run in debug mode |
| CWE‑221 | Python | py/catch-base-exception | Except block handles 'BaseException' |
| CWE‑227 | Python | py/equals-hash-mismatch | Inconsistent equality and hashing |
| CWE‑227 | Python | py/call/wrong-named-class-argument | Wrong name for an argument in a class instantiation |
| CWE‑227 | Python | py/call/wrong-number-class-arguments | Wrong number of arguments in a class instantiation |
| CWE‑227 | Python | py/super-not-enclosing-class | First argument to super() is not enclosing class |
| CWE‑227 | Python | py/call/wrong-named-argument | Wrong name for an argument in a call |
| CWE‑227 | Python | py/percent-format/wrong-arguments | Wrong number of arguments for format |
| CWE‑227 | Python | py/call/wrong-arguments | Wrong number of arguments in a call |
| CWE‑252 | Python | py/ignored-return-value | Ignored return value |
| CWE‑259 | Python | py/hardcoded-credentials | Hard-coded credentials |
| CWE‑284 | Python | py/overly-permissive-file | Overly permissive file permissions |
| CWE‑284 | Python | py/hardcoded-credentials | Hard-coded credentials |
| CWE‑284 | Python | py/pam-auth-bypass | Authorization bypass due to incorrect usage of PAM |
| CWE‑284 | Python | py/improper-ldap-auth | Improper LDAP Authentication |
| CWE‑284 | Python | py/insecure-ldap-auth | Python Insecure LDAP Authentication |
| CWE‑285 | Python | py/overly-permissive-file | Overly permissive file permissions |
| CWE‑285 | Python | py/pam-auth-bypass | Authorization bypass due to incorrect usage of PAM |
| CWE‑287 | Python | py/hardcoded-credentials | Hard-coded credentials |
| CWE‑287 | Python | py/improper-ldap-auth | Improper LDAP Authentication |
| CWE‑287 | Python | py/insecure-ldap-auth | Python Insecure LDAP Authentication |
| CWE‑295 | Python | py/paramiko-missing-host-key-validation | Accepting unknown SSH host keys when using Paramiko |
| CWE‑295 | Python | py/request-without-cert-validation | Request without certificate validation |
| CWE‑311 | Python | py/clear-text-logging-sensitive-data | Clear-text logging of sensitive information |
| CWE‑311 | Python | py/clear-text-storage-sensitive-data | Clear-text storage of sensitive information |
| CWE‑311 | Python | py/cookie-injection | Construction of a cookie using user-supplied input. |
| CWE‑311 | Python | py/insecure-cookie | Failure to use secure cookies |
| CWE‑312 | Python | py/clear-text-logging-sensitive-data | Clear-text logging of sensitive information |
| CWE‑312 | Python | py/clear-text-storage-sensitive-data | Clear-text storage of sensitive information |
| CWE‑315 | Python | py/clear-text-storage-sensitive-data | Clear-text storage of sensitive information |
| CWE‑321 | Python | py/hardcoded-credentials | Hard-coded credentials |
| CWE‑326 | Python | py/weak-crypto-key | Use of weak cryptographic key |
| CWE‑326 | Python | py/weak-sensitive-data-hashing | Use of a broken or weak cryptographic hashing algorithm on sensitive data |
| CWE‑327 | Python | py/weak-cryptographic-algorithm | Use of a broken or weak cryptographic algorithm |
| CWE‑327 | Python | py/insecure-default-protocol | Default version of SSL/TLS may be insecure |
| CWE‑327 | Python | py/insecure-protocol | Use of insecure SSL/TLS version |
| CWE‑327 | Python | py/weak-sensitive-data-hashing | Use of a broken or weak cryptographic hashing algorithm on sensitive data |
| CWE‑328 | Python | py/weak-sensitive-data-hashing | Use of a broken or weak cryptographic hashing algorithm on sensitive data |
| CWE‑330 | Python | py/hardcoded-credentials | Hard-coded credentials |
| CWE‑330 | Python | py/insecure-randomness | Insecure randomness |
| CWE‑338 | Python | py/insecure-randomness | Insecure randomness |
| CWE‑344 | Python | py/hardcoded-credentials | Hard-coded credentials |
| CWE‑345 | Python | py/csrf-protection-disabled | CSRF protection weakened or disabled |
| CWE‑345 | Python | py/jwt-missing-verification | JWT missing secret or public key verification |
| CWE‑345 | Python | py/ip-address-spoofing | IP address spoofing |
| CWE‑347 | Python | py/jwt-missing-verification | JWT missing secret or public key verification |
| CWE‑348 | Python | py/ip-address-spoofing | IP address spoofing |
| CWE‑352 | Python | py/csrf-protection-disabled | CSRF protection weakened or disabled |
| CWE‑359 | Python | py/clear-text-logging-sensitive-data | Clear-text logging of sensitive information |
| CWE‑359 | Python | py/clear-text-storage-sensitive-data | Clear-text storage of sensitive information |
| CWE‑377 | Python | py/insecure-temporary-file | Insecure temporary file |
| CWE‑390 | Python | py/empty-except | Empty except |
| CWE‑396 | Python | py/catch-base-exception | Except block handles 'BaseException' |
| CWE‑398 | Python | py/unreachable-except | Unreachable 'except' block |
| CWE‑398 | Python | py/comparison-of-constants | Comparison of constants |
| CWE‑398 | Python | py/comparison-of-identical-expressions | Comparison of identical values |
| CWE‑398 | Python | py/comparison-missing-self | Maybe missing 'self' in comparison |
| CWE‑398 | Python | py/redundant-comparison | Redundant comparison |
| CWE‑398 | Python | py/duplicate-key-dict-literal | Duplicate key in dict literal |
| CWE‑398 | Python | py/import-deprecated-module | Import of deprecated module |
| CWE‑398 | Python | py/constant-conditional-expression | Constant in conditional expression or statement |
| CWE‑398 | Python | py/redundant-assignment | Redundant assignment |
| CWE‑398 | Python | py/ineffectual-statement | Statement has no effect |
| CWE‑398 | Python | py/unreachable-statement | Unreachable code |
| CWE‑398 | Python | py/multiple-definition | Variable defined multiple times |
| CWE‑398 | Python | py/unused-local-variable | Unused local variable |
| CWE‑398 | Python | py/unused-global-variable | Unused global variable |
| CWE‑400 | Python | py/file-not-closed | File is not always closed |
| CWE‑400 | Python | py/polynomial-redos | Polynomial regular expression used on uncontrolled data |
| CWE‑400 | Python | py/redos | Inefficient regular expression |
| CWE‑400 | Python | py/regex-injection | Regular expression injection |
| CWE‑400 | Python | py/xml-bomb | XML internal entity expansion |
| CWE‑404 | Python | py/file-not-closed | File is not always closed |
| CWE‑405 | Python | py/xml-bomb | XML internal entity expansion |
| CWE‑405 | Python | py/simple-xml-rpc-server-dos | SimpleXMLRPCServer DoS vulnerability |
| CWE‑409 | Python | py/xml-bomb | XML internal entity expansion |
| CWE‑409 | Python | py/simple-xml-rpc-server-dos | SimpleXMLRPCServer DoS vulnerability |
| CWE‑441 | Python | py/full-ssrf | Full server-side request forgery |
| CWE‑441 | Python | py/partial-ssrf | Partial server-side request forgery |
| CWE‑477 | Python | py/import-deprecated-module | Import of deprecated module |
| CWE‑485 | Python | py/flask-debug | Flask app is run in debug mode |
| CWE‑489 | Python | py/flask-debug | Flask app is run in debug mode |
| CWE‑497 | Python | py/stack-trace-exposure | Information exposure through an exception |
| CWE‑502 | Python | py/unsafe-deserialization | Deserializing untrusted input |
| CWE‑522 | Python | py/insecure-ldap-auth | Python Insecure LDAP Authentication |
| CWE‑523 | Python | py/insecure-ldap-auth | Python Insecure LDAP Authentication |
| CWE‑532 | Python | py/clear-text-logging-sensitive-data | Clear-text logging of sensitive information |
| CWE‑538 | Python | py/clear-text-logging-sensitive-data | Clear-text logging of sensitive information |
| CWE‑552 | Python | py/clear-text-logging-sensitive-data | Clear-text logging of sensitive information |
| CWE‑561 | Python | py/unreachable-except | Unreachable 'except' block |
| CWE‑561 | Python | py/comparison-of-constants | Comparison of constants |
| CWE‑561 | Python | py/comparison-of-identical-expressions | Comparison of identical values |
| CWE‑561 | Python | py/comparison-missing-self | Maybe missing 'self' in comparison |
| CWE‑561 | Python | py/redundant-comparison | Redundant comparison |
| CWE‑561 | Python | py/duplicate-key-dict-literal | Duplicate key in dict literal |
| CWE‑561 | Python | py/constant-conditional-expression | Constant in conditional expression or statement |
| CWE‑561 | Python | py/ineffectual-statement | Statement has no effect |
| CWE‑561 | Python | py/unreachable-statement | Unreachable code |
| CWE‑563 | Python | py/redundant-assignment | Redundant assignment |
| CWE‑563 | Python | py/multiple-definition | Variable defined multiple times |
| CWE‑563 | Python | py/unused-local-variable | Unused local variable |
| CWE‑563 | Python | py/unused-global-variable | Unused global variable |
| CWE‑570 | Python | py/comparison-of-constants | Comparison of constants |
| CWE‑570 | Python | py/comparison-of-identical-expressions | Comparison of identical values |
| CWE‑570 | Python | py/comparison-missing-self | Maybe missing 'self' in comparison |
| CWE‑570 | Python | py/redundant-comparison | Redundant comparison |
| CWE‑570 | Python | py/constant-conditional-expression | Constant in conditional expression or statement |
| CWE‑571 | Python | py/comparison-of-constants | Comparison of constants |
| CWE‑571 | Python | py/comparison-of-identical-expressions | Comparison of identical values |
| CWE‑571 | Python | py/comparison-missing-self | Maybe missing 'self' in comparison |
| CWE‑571 | Python | py/redundant-comparison | Redundant comparison |
| CWE‑571 | Python | py/constant-conditional-expression | Constant in conditional expression or statement |
| CWE‑573 | Python | py/equals-hash-mismatch | Inconsistent equality and hashing |
| CWE‑573 | Python | py/call/wrong-named-class-argument | Wrong name for an argument in a class instantiation |
| CWE‑573 | Python | py/call/wrong-number-class-arguments | Wrong number of arguments in a class instantiation |
| CWE‑573 | Python | py/super-not-enclosing-class | First argument to super() is not enclosing class |
| CWE‑573 | Python | py/call/wrong-named-argument | Wrong name for an argument in a call |
| CWE‑573 | Python | py/percent-format/wrong-arguments | Wrong number of arguments for format |
| CWE‑573 | Python | py/call/wrong-arguments | Wrong number of arguments in a call |
| CWE‑581 | Python | py/equals-hash-mismatch | Inconsistent equality and hashing |
| CWE‑584 | Python | py/exit-from-finally | 'break' or 'return' statement in finally |
| CWE‑601 | Python | py/url-redirection | URL redirection from remote source |
| CWE‑610 | Python | py/path-injection | Uncontrolled data used in path expression |
| CWE‑610 | Python | py/url-redirection | URL redirection from remote source |
| CWE‑610 | Python | py/xxe | XML external entity expansion |
| CWE‑610 | Python | py/full-ssrf | Full server-side request forgery |
| CWE‑610 | Python | py/partial-ssrf | Partial server-side request forgery |
| CWE‑611 | Python | py/xxe | XML external entity expansion |
| CWE‑614 | Python | py/cookie-injection | Construction of a cookie using user-supplied input. |
| CWE‑614 | Python | py/insecure-cookie | Failure to use secure cookies |
| CWE‑628 | Python | py/call/wrong-named-class-argument | Wrong name for an argument in a class instantiation |
| CWE‑628 | Python | py/call/wrong-number-class-arguments | Wrong number of arguments in a class instantiation |
| CWE‑628 | Python | py/super-not-enclosing-class | First argument to super() is not enclosing class |
| CWE‑628 | Python | py/call/wrong-named-argument | Wrong name for an argument in a call |
| CWE‑628 | Python | py/percent-format/wrong-arguments | Wrong number of arguments for format |
| CWE‑628 | Python | py/call/wrong-arguments | Wrong number of arguments in a call |
| CWE‑642 | Python | py/path-injection | Uncontrolled data used in path expression |
| CWE‑643 | Python | py/xpath-injection | XPath query built from user-controlled sources |
| CWE‑643 | Python | py/xslt-injection | XSLT query built from user-controlled sources |
| CWE‑657 | Python | py/hardcoded-credentials | Hard-coded credentials |
| CWE‑664 | Python | py/catch-base-exception | Except block handles 'BaseException' |
| CWE‑664 | Python | py/implicit-string-concatenation-in-list | Implicit string concatenation in a list |
| CWE‑664 | Python | py/file-not-closed | File is not always closed |
| CWE‑664 | Python | py/bind-socket-all-network-interfaces | Binding a socket to all network interfaces |
| CWE‑664 | Python | py/path-injection | Uncontrolled data used in path expression |
| CWE‑664 | Python | py/tarslip | Arbitrary file write during tarfile extraction |
| CWE‑664 | Python | py/code-injection | Code injection |
| CWE‑664 | Python | py/stack-trace-exposure | Information exposure through an exception |
| CWE‑664 | Python | py/flask-debug | Flask app is run in debug mode |
| CWE‑664 | Python | py/clear-text-logging-sensitive-data | Clear-text logging of sensitive information |
| CWE‑664 | Python | py/clear-text-storage-sensitive-data | Clear-text storage of sensitive information |
| CWE‑664 | Python | py/insecure-temporary-file | Insecure temporary file |
| CWE‑664 | Python | py/unsafe-deserialization | Deserializing untrusted input |
| CWE‑664 | Python | py/url-redirection | URL redirection from remote source |
| CWE‑664 | Python | py/xxe | XML external entity expansion |
| CWE‑664 | Python | py/polynomial-redos | Polynomial regular expression used on uncontrolled data |
| CWE‑664 | Python | py/redos | Inefficient regular expression |
| CWE‑664 | Python | py/regex-injection | Regular expression injection |
| CWE‑664 | Python | py/overly-permissive-file | Overly permissive file permissions |
| CWE‑664 | Python | py/xml-bomb | XML internal entity expansion |
| CWE‑664 | Python | py/hardcoded-credentials | Hard-coded credentials |
| CWE‑664 | Python | py/full-ssrf | Full server-side request forgery |
| CWE‑664 | Python | py/partial-ssrf | Partial server-side request forgery |
| CWE‑664 | Python | py/zipslip | Arbitrary file write during archive extraction ("Zip Slip") |
| CWE‑664 | Python | py/pam-auth-bypass | Authorization bypass due to incorrect usage of PAM |
| CWE‑664 | Python | py/improper-ldap-auth | Improper LDAP Authentication |
| CWE‑664 | Python | py/insecure-ldap-auth | Python Insecure LDAP Authentication |
| CWE‑664 | Python | py/simple-xml-rpc-server-dos | SimpleXMLRPCServer DoS vulnerability |
| CWE‑665 | Python | py/implicit-string-concatenation-in-list | Implicit string concatenation in a list |
| CWE‑668 | Python | py/bind-socket-all-network-interfaces | Binding a socket to all network interfaces |
| CWE‑668 | Python | py/path-injection | Uncontrolled data used in path expression |
| CWE‑668 | Python | py/tarslip | Arbitrary file write during tarfile extraction |
| CWE‑668 | Python | py/stack-trace-exposure | Information exposure through an exception |
| CWE‑668 | Python | py/flask-debug | Flask app is run in debug mode |
| CWE‑668 | Python | py/clear-text-logging-sensitive-data | Clear-text logging of sensitive information |
| CWE‑668 | Python | py/clear-text-storage-sensitive-data | Clear-text storage of sensitive information |
| CWE‑668 | Python | py/insecure-temporary-file | Insecure temporary file |
| CWE‑668 | Python | py/overly-permissive-file | Overly permissive file permissions |
| CWE‑668 | Python | py/zipslip | Arbitrary file write during archive extraction ("Zip Slip") |
| CWE‑668 | Python | py/insecure-ldap-auth | Python Insecure LDAP Authentication |
| CWE‑669 | Python | py/xxe | XML external entity expansion |
| CWE‑670 | Python | py/asserts-tuple | Asserting a tuple |
| CWE‑671 | Python | py/hardcoded-credentials | Hard-coded credentials |
| CWE‑674 | Python | py/xml-bomb | XML internal entity expansion |
| CWE‑674 | Python | py/simple-xml-rpc-server-dos | SimpleXMLRPCServer DoS vulnerability |
| CWE‑685 | Python | py/call/wrong-number-class-arguments | Wrong number of arguments in a class instantiation |
| CWE‑685 | Python | py/percent-format/wrong-arguments | Wrong number of arguments for format |
| CWE‑685 | Python | py/call/wrong-arguments | Wrong number of arguments in a call |
| CWE‑687 | Python | py/super-not-enclosing-class | First argument to super() is not enclosing class |
| CWE‑691 | Python | py/catch-base-exception | Except block handles 'BaseException' |
| CWE‑691 | Python | py/code-injection | Code injection |
| CWE‑691 | Python | py/xml-bomb | XML internal entity expansion |
| CWE‑691 | Python | py/asserts-tuple | Asserting a tuple |
| CWE‑691 | Python | py/exit-from-finally | 'break' or 'return' statement in finally |
| CWE‑691 | Python | py/simple-xml-rpc-server-dos | SimpleXMLRPCServer DoS vulnerability |
| CWE‑693 | Python | py/count-untrusted-data-external-api | Frequency counts for external APIs that are used with untrusted data |
| CWE‑693 | Python | py/untrusted-data-to-external-api | Untrusted data passed to external API |
| CWE‑693 | Python | py/incomplete-hostname-regexp | Incomplete regular expression for hostnames |
| CWE‑693 | Python | py/incomplete-url-substring-sanitization | Incomplete URL substring sanitization |
| CWE‑693 | Python | py/bad-tag-filter | Bad HTML filtering regexp |
| CWE‑693 | Python | py/paramiko-missing-host-key-validation | Accepting unknown SSH host keys when using Paramiko |
| CWE‑693 | Python | py/request-without-cert-validation | Request without certificate validation |
| CWE‑693 | Python | py/clear-text-logging-sensitive-data | Clear-text logging of sensitive information |
| CWE‑693 | Python | py/clear-text-storage-sensitive-data | Clear-text storage of sensitive information |
| CWE‑693 | Python | py/weak-crypto-key | Use of weak cryptographic key |
| CWE‑693 | Python | py/weak-cryptographic-algorithm | Use of a broken or weak cryptographic algorithm |
| CWE‑693 | Python | py/insecure-default-protocol | Default version of SSL/TLS may be insecure |
| CWE‑693 | Python | py/insecure-protocol | Use of insecure SSL/TLS version |
| CWE‑693 | Python | py/weak-sensitive-data-hashing | Use of a broken or weak cryptographic hashing algorithm on sensitive data |
| CWE‑693 | Python | py/csrf-protection-disabled | CSRF protection weakened or disabled |
| CWE‑693 | Python | py/overly-permissive-file | Overly permissive file permissions |
| CWE‑693 | Python | py/hardcoded-credentials | Hard-coded credentials |
| CWE‑693 | Python | py/pam-auth-bypass | Authorization bypass due to incorrect usage of PAM |
| CWE‑693 | Python | py/improper-ldap-auth | Improper LDAP Authentication |
| CWE‑693 | Python | py/jwt-missing-verification | JWT missing secret or public key verification |
| CWE‑693 | Python | py/ip-address-spoofing | IP address spoofing |
| CWE‑693 | Python | py/insecure-ldap-auth | Python Insecure LDAP Authentication |
| CWE‑693 | Python | py/cookie-injection | Construction of a cookie using user-supplied input. |
| CWE‑693 | Python | py/insecure-cookie | Failure to use secure cookies |
| CWE‑697 | Python | py/bad-tag-filter | Bad HTML filtering regexp |
| CWE‑703 | Python | py/catch-base-exception | Except block handles 'BaseException' |
| CWE‑703 | Python | py/empty-except | Empty except |
| CWE‑703 | Python | py/ignored-return-value | Ignored return value |
| CWE‑703 | Python | py/stack-trace-exposure | Information exposure through an exception |
| CWE‑705 | Python | py/catch-base-exception | Except block handles 'BaseException' |
| CWE‑705 | Python | py/exit-from-finally | 'break' or 'return' statement in finally |
| CWE‑706 | Python | py/path-injection | Uncontrolled data used in path expression |
| CWE‑706 | Python | py/tarslip | Arbitrary file write during tarfile extraction |
| CWE‑706 | Python | py/xxe | XML external entity expansion |
| CWE‑706 | Python | py/zipslip | Arbitrary file write during archive extraction ("Zip Slip") |
| CWE‑707 | Python | py/path-injection | Uncontrolled data used in path expression |
| CWE‑707 | Python | py/command-line-injection | Uncontrolled command line |
| CWE‑707 | Python | py/jinja2/autoescape-false | Jinja2 templating with autoescape=False |
| CWE‑707 | Python | py/reflective-xss | Reflected server-side cross-site scripting |
| CWE‑707 | Python | py/sql-injection | SQL query built from user-controlled sources |
| CWE‑707 | Python | py/ldap-injection | LDAP query built from user-controlled sources |
| CWE‑707 | Python | py/code-injection | Code injection |
| CWE‑707 | Python | py/bad-tag-filter | Bad HTML filtering regexp |
| CWE‑707 | Python | py/log-injection | Log Injection |
| CWE‑707 | Python | py/xpath-injection | XPath query built from user-controlled sources |
| CWE‑707 | Python | py/template-injection | Server Side Template Injection |
| CWE‑707 | Python | py/xslt-injection | XSLT query built from user-controlled sources |
| CWE‑707 | Python | py/header-injection | HTTP Header Injection |
| CWE‑707 | Python | py/nosql-injection | NoSQL Injection |
| CWE‑710 | Python | py/equals-hash-mismatch | Inconsistent equality and hashing |
| CWE‑710 | Python | py/call/wrong-named-class-argument | Wrong name for an argument in a class instantiation |
| CWE‑710 | Python | py/call/wrong-number-class-arguments | Wrong number of arguments in a class instantiation |
| CWE‑710 | Python | py/unreachable-except | Unreachable 'except' block |
| CWE‑710 | Python | py/super-not-enclosing-class | First argument to super() is not enclosing class |
| CWE‑710 | Python | py/comparison-of-constants | Comparison of constants |
| CWE‑710 | Python | py/comparison-of-identical-expressions | Comparison of identical values |
| CWE‑710 | Python | py/comparison-missing-self | Maybe missing 'self' in comparison |
| CWE‑710 | Python | py/redundant-comparison | Redundant comparison |
| CWE‑710 | Python | py/duplicate-key-dict-literal | Duplicate key in dict literal |
| CWE‑710 | Python | py/call/wrong-named-argument | Wrong name for an argument in a call |
| CWE‑710 | Python | py/percent-format/wrong-arguments | Wrong number of arguments for format |
| CWE‑710 | Python | py/call/wrong-arguments | Wrong number of arguments in a call |
| CWE‑710 | Python | py/import-deprecated-module | Import of deprecated module |
| CWE‑710 | Python | py/hardcoded-credentials | Hard-coded credentials |
| CWE‑710 | Python | py/constant-conditional-expression | Constant in conditional expression or statement |
| CWE‑710 | Python | py/redundant-assignment | Redundant assignment |
| CWE‑710 | Python | py/ineffectual-statement | Statement has no effect |
| CWE‑710 | Python | py/unreachable-statement | Unreachable code |
| CWE‑710 | Python | py/multiple-definition | Variable defined multiple times |
| CWE‑710 | Python | py/unused-local-variable | Unused local variable |
| CWE‑710 | Python | py/unused-global-variable | Unused global variable |
| CWE‑732 | Python | py/overly-permissive-file | Overly permissive file permissions |
| CWE‑754 | Python | py/ignored-return-value | Ignored return value |
| CWE‑755 | Python | py/catch-base-exception | Except block handles 'BaseException' |
| CWE‑755 | Python | py/empty-except | Empty except |
| CWE‑755 | Python | py/stack-trace-exposure | Information exposure through an exception |
| CWE‑772 | Python | py/file-not-closed | File is not always closed |
| CWE‑776 | Python | py/xml-bomb | XML internal entity expansion |
| CWE‑776 | Python | py/simple-xml-rpc-server-dos | SimpleXMLRPCServer DoS vulnerability |
| CWE‑798 | Python | py/hardcoded-credentials | Hard-coded credentials |
| CWE‑827 | Python | py/xxe | XML external entity expansion |
| CWE‑829 | Python | py/xxe | XML external entity expansion |
| CWE‑834 | Python | py/xml-bomb | XML internal entity expansion |
| CWE‑834 | Python | py/simple-xml-rpc-server-dos | SimpleXMLRPCServer DoS vulnerability |
| CWE‑913 | Python | py/code-injection | Code injection |
| CWE‑913 | Python | py/unsafe-deserialization | Deserializing untrusted input |
| CWE‑916 | Python | py/weak-sensitive-data-hashing | Use of a broken or weak cryptographic hashing algorithm on sensitive data |
| CWE‑918 | Python | py/full-ssrf | Full server-side request forgery |
| CWE‑918 | Python | py/partial-ssrf | Partial server-side request forgery |
| CWE‑922 | Python | py/clear-text-logging-sensitive-data | Clear-text logging of sensitive information |
| CWE‑922 | Python | py/clear-text-storage-sensitive-data | Clear-text storage of sensitive information |
| CWE‑943 | Python | py/sql-injection | SQL query built from user-controlled sources |
| CWE‑943 | Python | py/ldap-injection | LDAP query built from user-controlled sources |
| CWE‑943 | Python | py/xpath-injection | XPath query built from user-controlled sources |
| CWE‑943 | Python | py/xslt-injection | XSLT query built from user-controlled sources |
| CWE‑943 | Python | py/nosql-injection | NoSQL Injection |
| CWE‑1333 | Python | py/polynomial-redos | Polynomial regular expression used on uncontrolled data |
| CWE‑1333 | Python | py/redos | Inefficient regular expression |