Common Weakness Enumeration

CWE Glossary Definition

News & Events - 2025

Right-click and copy a URL to share an article. Send feedback about this page to cwe@mitre.org.

CWE Version 4.18 Now Available

September 9, 2025 | Share this article

CWE Version 4.18 has been posted on the CWE List page to add 1 new view, 1 new category, 1 new weakness, and make usability improvements to 14 additional weakness entry pages, among other updates.

A detailed report is available that lists specific changes between Version 4.17 and Version 4.18.

Main Changes

CWE 4.18 includes 1 new view and 1 new category related to the recently released “2025 Most Important Hardware Weaknesses;” 1 new AI-related weakness for “Insecure Setting of Generative AI/ML Model Inference Parameters;” modification of some references, mitigations, affected resources, and functional areas to more closely link with D3FEND concepts; and, many other changes related to “usability” (see the “Usability Improvements” section below for details). The CWE Program thanks the members of the Artificial Intelligence Working Group (AI WG) for their collaboration preparing for this new version.

One new view added:

• Weaknesses in the 2025 CWE Most Important Hardware Weaknesses List

One new category added:

• 2025 MIHW Supplement: Expert Insights – “Weaknesses in this category were not included in the 2025 Most Important Hardware Weaknesses (MIHW) because they did not have sufficient weakness data to support their inclusion. However, they stand out as expert-driven selections. Each of these weaknesses received high scores from Subject Matter Experts, reflecting strong consensus among those with deep domain knowledge.”

One new AI-related weakness added:

• CWE-1434: Insecure Setting of Generative AI/ML Model Inference Parameters – “The product has a component that relies on a generative AI/ML model configured with inference parameters that produce an unacceptably high rate of erroneous or unexpected outputs.”

Improved alignment with D3FEND concepts added:

• Modified some references, mitigations, affected resources, and functional areas to more closely link with D3FEND concepts.

Usability Improvements

• This release includes the fourth installment of major usability improvements that are underway for the CWE website. For this installment, 14 CWE Entry pages (listed below the example image) have been upgraded and will now include a concise summary of the weakness along with a visual aid at the top of each entry page. An example image of this new introductory section is below.
  
  To view the first three installments of the major usability improvements, see the CWE 4.15, CWE 4.16, and CWE 4.17 release notes news articles.
  
  
  In this fourth installment of the usability improvements, the following 14 CWE Entry pages have been upgraded to the new look and feel:
  
  
  • CWE-23: Relative Path Traversal
  • CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS
  • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
  • CWE-209: Generation of Error Message Containing Sensitive Information
  • CWE-250: Execution with Unnecessary Privileges
  • CWE-256: Plaintext Storage of a Password
  • CWE-295: Improper Certificate Validation
  • CWE-330: Use of Insufficiently Random Values
  • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
  • CWE-489: Active Debug Code
  • CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
  • CWE-770: Allocation of Resources Without Limits or Throttling
  • CWE-772: Missing Release of Resource after Effective Lifetime
  • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
  
  In addition, the visual aid image previously added to CWE-400: Uncontrolled Resource Consumption was updated to provide a more demonstrative visual example that the product does not properly control the allocation and maintenance of a limited resource.
  
  Additional usability improvements will be included in future releases.

Schema Changes

There were no schema updates.

Summary

There are 944 weaknesses and a total of 1,435 entries on the CWE List.

Changes for the new version include the following:

See the complete list of changes at https://cwe.mitre.org/data/reports/diff_reports/v4.17_v4.18.html.

Future updates will be noted here, on the CWE Research email discussion list, CWE page on LinkedIn, on CWE on X, and on CWE on Mastodon, and on CWE on Bluesky. Please contact us with any comments or concerns.

“2025 CWE™ Most Important Hardware Weaknesses” Now Available

August 20, 2025 | Share this article

The “2025 CWE™ Most Important Hardware Weaknesses” is now available on the CWE website, delivering a major update to the original 2021 release. For the first time, the refreshed MIHW combines comprehensive weakness data with expert opinion from across the hardware security community, equipping organizations with actionable insights to tackle today’s most critical hardware risks.

Goals

The 2025 MIHW aims to drive awareness of critical hardware weaknesses and provide the cybersecurity community with practical guidance to prevent security issues at the source.

By combining advanced data analysis with expert consensus, the list helps organizations prioritize mitigations, strengthen design practices, and make informed decisions throughout the hardware lifecycle.

Suggested Use Cases

The 2025 MIHW serves as a practical resource for a wide range of stakeholders:

• Security Architects and Designers can use the list to prioritize and address key weaknesses
• Design Teams benefit by building review checklists around top weaknesses
• Security Researchers can focus their investigation and mitigation efforts
• Test Engineers are able to target critical weaknesses in their testing
• EDA Tool Vendors can enhance tool support for industry-prioritized issues
• Educators can align course material with major hardware weaknesses

A Community Effort

The 2025 MIHW is the result of broad collaboration within the hardware security community. We extend our deepest gratitude to the 2025 MIHW Working Group whose dedication and hard work made the weakness data collection possible. We also thank the many respondents to the MIHW polls for sharing their expert insights, and all Hardware CWE SIG members for their ongoing support and contributions.

Learn More

Visit the Most Important Hardware Weaknesses page to view the 2025 list, key insights, methodology, use cases, and more.

Mapping CVEs to CWEs Is Main Topic of “We Speak CVE” Podcast

August 13, 2025 | Share this article

Root Cause Mapping (RCM) is the main topics of a “We Speak CVE” podcast entitled “Mapping the Root Causes of CVEs.”

In the episode, host Shannon Sabens chats with CVE™/CWE™ Project Lead Alec Summers and CWE Top 25 task lead/CWE Root Causes Mapping Working Group lead Connor Mullaly about the importance of mapping CVE Records (vulnerabilities) to their technical root causes using CWE. Additional topics include the benefits of RCM for CVE Numbering Authorities (CNAs) and consumers of CVE data, Common Vulnerability Scoring System (CVSS) and other vulnerability metadata and their differences with CWE, the CWE Top 25 Most Dangerous Software Weaknesses list, and the tools and guidance available to improve the RCM process (e.g., examples of mappings and best practices on the CWE website, mapping usage labels on CWE entry pages on the website, the RCM WG, and an LLM tool), and more.

The podcast is available now on the CWE YouTube Channel. Or, listen below:

Videos of Three CWE-Focused Sessions at VulnCon 2025 Now Available

June 18, 2025 | Share this article

Videos of three CWE-focused sessions — “Hard Problems in CWE, and What it Tells us about Hard Problems in the Industry” (presentation), “How Do We Leverage CVE Root Cause Mapping and CWE Data to Prevent New Vulnerabilities?” (presentation), and “Vulnerability Root Cause Mapping with CWE” (presentation) — from CVE/FIRST VulnCon 2025 are now available on the CWE YouTube Channel. Or, watch below:

CWE Podcast: “Root Cause Mapping and the CWE Top 25”

April 15, 2025 | Share this article

“Out-Of-Bounds Read” is the CWE Program’s free podcast about common weaknesses in software and hardware, the vulnerabilities they cause, how to reduce them, and how using CWE can help make products more secure by design.

In this episode, entitled “Root Cause Mapping and the CWE Top 25,” CWE Program Lead Alec Summers talks with CWE Technical Lead Steve Christey and CWE Top 25 Lead Connor Mullaly, that focuses Root Cause Mapping (RCM) and the CWE Top 25.

Topics include the value and history of the CWE Top 25 and an analysis of the most recent Top 25 list and which weaknesses moved up and down on the list; purpose and benefits of mapping the root causes of vulnerabilities identified in CVE Records to CWE weaknesses; methodology used for RCM of the 2024 CWE Top 25 to develop the list and how CVE Numbering Authorities (CNAs) were integral to the process; and, a discussion of follow-on Top 25 lists including the “2024 On the Cusp – Other Dangerous Software Weaknesses” and “2024 CWE Top 10 KEV Weaknesses” lists. In addition, tips for helping improve your RCM are also discussed, such as how best to leverage the CWE website for your research, using CWE List keyword search, where to find the vulnerability mapping pointers on all CWE entry pages and what the different indicators mean, the benefits of being a member of the Root Cause Mapping Working Group (RCM WG), and much more.

The podcast is available for free on the CWE Program Channel on YouTube. Please give our latest episode a listen and let us know what you think by commenting on the CWE page on LinkedIn, CWE on X, CWE on Mastodon, or CWE on Bluesky. We look forward to hearing from you!

CWE Version 4.17 Now Available

April 3, 2025 | Share this article

CWE Version 4.17 has been posted on the CWE List page to add 3 new weaknesses and make usability improvements to 20 additional weakness entry pages, among other updates.

A detailed report is available that lists specific changes between Version 4.16 and Version 4.17.

Main Changes

CWE 4.17 includes 3 new weaknesses for “Reliance on HTTP instead of HTTPS,” “Missing Security-Relevant Feedback for Unexecuted Operations in Hardware Interface,” and “Driving Intermediate Cryptographic State/Results to Hardware Module Outputs;” major updates to the AI-related “Inadequate Detection or Handling of Adversarial Input Perturbations in Automated Recognition Mechanism” weakness; addition of affected languages to many demonstrative examples; miscellaneous changes to various CWE entries under less-analyzed subtrees; and, many other changes related to “usability” (see the “Usability Improvements” section below for details).

Three new weaknesses added:

• CWE-1428: Reliance on HTTP instead of HTTPS
• CWE-1429: Missing Security-Relevant Feedback for Unexecuted Operations in Hardware Interface
• CWE-1431: Driving Intermediate Cryptographic State/Results to Hardware Module Outputs

Major updates to an AI-related weakness:

• CWE-1039: Inadequate Detection or Handling of Adversarial Input Perturbations in Automated Recognition Mechanism – This weakness underwent major updates to reflect the advances in understanding of adversarial perturbation attacks since its initial publication in 2018

Usability Improvements

• This release includes the third installment of major usability improvements that are underway for the CWE website. For this installment, 20 CWE Entry pages (listed below the example image) have been upgraded and will now include a concise summary of the weakness along with a visual aid at the top of each entry page. An example image of this new introductory section is below.
  
  To view the first two installments of the major usability improvements, see the CWE 4.15 and CWE 4.16 release notes news articles.
  
  To further improve the usability of the entry pages, the “Alternate Terms,” “Common Consequences,” and “Mitigations” sections will continue be reordered so that they appear directly below this new introductory section. In addition, the display of many fields now have better separation between data elements and a cleaner tabular format (see before and after examples beneath the list of improved weakness pages). The remaining sections of the page (such as “Relationships,” “Applicable Platforms,” “Demonstrative Examples,” etc.) will not be changed.
  
  In this third installment of the usability improvements, the following 20 CWE Entry pages have been upgraded to the new look and feel. We especially thank Abhi Balakrishnan for contributing some of the visual aid images included in these CWEs.
  
  
  • CWE-20: Improper Input Validation
  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')
  • CWE-94: Improper Control of Generation of Code ('Code Injection')
  • CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
  • CWE-117: Improper Output Neutralization for Log
  • CWE-126: Buffer Over-read
  • CWE-134: Use of Externally-Controlled Format String
  • CWE-204: Observable Response Discrepancy
  • CWE-259: Use of Hard-coded Password
  • CWE-311: Missing Encryption of Sensitive Data
  • CWE-312: Cleartext Storage of Sensitive Information
  • CWE-319: Cleartext Transmission of Sensitive Information
  • CWE-321: Use of Hard-coded Cryptographic Key
  • CWE-401: Missing Release of Memory after Effective Lifetime
  • CWE-415: Double Free
  • CWE-548: Exposure of Information Through Directory Listing
  • CWE-565: Reliance on Cookies without Validation and Integrity Checking
  • CWE-598: Use of GET Request Method With Sensitive Query Strings
  
  As mentioned above, we also increased separation between data elements and added a cleaner tabular format to reduce the “wall of text” effect for new users. Before and after examples of the cleaner tabular format are below (the new table format example is from the CWE-787: Out-of-bounds Write entry page).
  
  

  Old Table Format

  

  New Table Format

  
  
  Additional usability improvements will be included in future releases.

Schema Changes

There were no schema updates.

Summary

There are 943 weaknesses and a total of 1,432 entries on the CWE List.

Changes for the new version include the following:

See the complete list of changes at https://cwe.mitre.org/data/reports/diff_reports/v4.16_v4.17.html.

Future updates will be noted here, on the CWE Research email discussion list, CWE page on LinkedIn, on CWE on X, and on CWE on Mastodon, and on CWE on Bluesky. Please contact us with any comments or concerns.

“2024 CWE Top 10 KEV Weaknesses” List Now Available

April 3, 2025 | Share this article

The “2024 CWE Top 10 KEV Weaknesses” list, which lists the top ten CWEs in the Cybersecurity and Infrastructure Security Agency’s (CISA) “Known Exploited Vulnerabilities (KEV) Catalog,” is now available on the CWE website.

The KEV is a database of security flaws in software applications and weaknesses that have been exposed and leveraged by attackers. Each vulnerability listed in KEV is identified by, and links to, a CVE Record. CISA recommends that organizations monitor the KEV catalog and use its content to help prioritize remediation activities in their systems to reduce the likelihood of compromise.

Our analysis/key insights about the 2024 Top 10 KEV Weaknesses list are available here, and our methodology for creating the list is here.

View and Comment on Community Submissions in the “CWE Content Development Repository (CDR)”

April 3, 2025 | Share this article

The CWE Program is excited to announce that the “CWE Content Development Repository (CDR),” hosted on GitHub, is now fully public. The CDR enables the broader community to view, track, and contribute to the enhancement of the CWE corpus. This means greater transparency into the CWE working queue, and a further community collaboration in developing new CWE entries and modifying existing entries.

Content suggestions begin with the CWE Submission Form. Once processed, these submissions are transferred to the CDR public repository, allowing the entire CWE community to view and comment on them as they progress through various stages of development.

Interested? Check out the CDR’s README and the Guidelines for Content Submissions for more details and to better understand the process. All CWE content submissions must adhere to the CWE Terms of Use.

CWE Is Focus of Four Talks at VulnCon 2025

April 3, 2025 | Share this article

CWE is the main focus of four talks at CVE/FIRST VulnCon 2025 being held at the McKimmon Center in Raleigh, North Carolina, USA, on April 7-10, 2025:

• “Vulnerability Root Cause Mapping with CWE: Challenges, Solutions, and Insights from Grounded LLM-based Analysis” by Alec Summers of the CVE Program and Chris Madden of Yahoo (Monday, April 7, 11:30-12:30)
• “Lessons Learned From Assigning CWE’s to Test Items for Security Assessments” by Yuichi Kikuchi, Takayuki Uchiyama of Panasonic PSIRT (Tuesday, April 8, 11:30–12:00)
• “How Do We Leverage CVE Root Cause Mapping and CWE Data to Prevent New Vulnerabilities?” by Alexander Bushkin and Jeremy West of Red Hat (Tuesday, April 8, 14:00–16:30)
• “Hard Problems in CWE, and What it Tells us about Hard Problems in the Industry (Virtual)” by Steve Christey Coley of the CWE Program (Thursday, April 10, 13:30–14:30)

Feel free to contact us on CWE social media or at cwe@mitre.org with any feedback about these presentations.

Follow the CWE Program on Bluesky

April 3, 2025 | Share this article

The CWE Program is now on Bluesky! Please follow us for program news, new versions, updates on community activities, and more at @cweprogram.bsky.social.