Common Weakness Enumeration

CWE Glossary Definition

News & Events - 2025

Right-click and copy a URL to share an article. Send feedback about this page to cwe@mitre.org.

2025 “CWE Top 25” Now Available!

December 11, 2025 | Share this article

The “ 2025 Common Weakness Enumeration (CWE™) Top 25 Most Dangerous Software Weaknesses” (2025 CWE Top 25) is now available on the CWE website! The Top 25 highlights the most severe and prevalent weaknesses behind the 39,080 CVE™ Records in this year’s dataset. Uncovering the root causes of these vulnerabilities serves as a powerful guide for investments, policies, and practices to prevent these vulnerabilities from occurring in the first place. These weaknesses lead to serious vulnerabilities in software, and an attacker can often exploit them to take control of an affected system, steal data, or prevent applications from working.

What’s Changed

There are several notable shifts in ranked positions of weakness types from last year’s list, including weaknesses dropping away or making their first appearance in a CWE Top 25.

The 2025 Top 25’s #1 ranked weakness is CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross Site Scripting’), retaining the top position from last year while being the only CWE to not change in ranking. Notable shifts in rankings included CWE-862: Missing Authorization moving up 5 ranks to #4, CWE-20: Improper Input Validation moving down 6 ranks to #18, and CWE-77: Command Injection moving down 10 ranks to #23. Six new CWEs also appeared in the 2025 Top 25, most notably CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') at #11, CWE-352: Stack-based Buffer Overflow at #14, and CWE-122: Heap-based Buffer Overflow at #16. These new introductions are likely due to a change in methodology this year that allowed for better representation of more specific weaknesses.

Visit the Key Insights page for additional information.

Leveraging Real-World Data

The 2025 CWE Top 25 is the second year in a row where the CVE Numbering Authority (CNA) community directly contributed CWE mapping reviews within the dataset, leveraging their expert knowledge of the products and access to information that might not be present in the CVE Record. In general, CNAs are best positioned to provide accurate CWE mapping determinations compared to third-party analysts, as CNAs are the authority for vulnerability information within their CNA scope and those closest to the products themselves.

To create the 2025 list, the CWE Program leveraged public vulnerability data containing CWE mappings and Common Vulnerability Scoring System (CVSS) scores.

The 2025 CWE Top 25 leverages CVE Records for vulnerabilities published between June 1, 2024, and June 1, 2025. A scoring formula is used to calculate a ranked order of weaknesses by combining the frequency that a CWE is the root cause of a vulnerability with the average severity of each of those vulnerabilities as measured by CVSS.

For more information about how the list was created and the ranking methodology, visit the Methodology page. Also, be sure to also check out the CWE Top 25 page going forward for additional articles and insight.

Over the coming weeks and months, the CWE Program will continue publishing further analyses to help illustrate how root cause mapping and vulnerability management plays an important role in shifting the balance of cybersecurity risk. These will include but may not be limited to the following:

• Weaknesses on the Cusp — those weaknesses that did not make the 2024 CWE Top 25 of which readers should be aware.
• Actively Exploited — Ranking Weaknesses by the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) Catalog.

Feedback Welcome

Please send any feedback or questions to the CWE Research email discussion list, CWE on X, CWE page on LinkedIn, CWE on Mastodon, CWE on Bluesky, or contact us directly with any comments or concerns.

CWE Version 4.19 Now Available

December 11, 2025 | Share this article

CWE Version 4.19 has been posted on the CWE List page to add support for the “2025 CWE Top 25 Most Dangerous Software Weaknesses” list, 2 new views, 10 new categories, and make usability improvements to 11 additional weakness entry pages, among other updates.

A detailed report is available that lists specific changes between Version 4.18 and Version 4.19.

Main Changes

CWE 4.19 includes 1 new view for the weaknesses in the “2025 CWE Top 25” list, 1 new view for the weaknesses in the “OWASP Top Ten 2025,” 10 new categories related to the OWASP 2025 (see list below), among other updates. Also, over 800 CWE entries were modified by filling in higher-priority elements to provide more complete information for users. The most frequently-added elements were Common Consequences, Applicable Platforms, Weakness Ordinalities, Detection Methods, and Time of Introduction. Over 200 CWEs had relationship changes, primarily due to the new OWASP Top Ten view. Over 100 descriptions were modified, typically by moving some of their contents to other elements. The schema was also updated, as noted below.

Two new views added:

• Weaknesses in the 2025 CWE Top 25 Most Dangerous Software Weaknesses
• Weaknesses in OWASP Top Ten RC1 (2025)

Ten new categories related to the “Weaknesses in OWASP Top Ten RC1 (2025)” view added:

• OWASP Top Ten 2025 Category A01:2025 - Broken Access Control
• OWASP Top Ten 2025 Category A02:2025 - Security Misconfiguration
• OWASP Top Ten 2025 Category A03:2025 - Software Supply Chain Failures
• OWASP Top Ten 2025 Category A04:2025 - Cryptographic Failures
• OWASP Top Ten 2025 Category A05:2025 - Injection
• OWASP Top Ten 2025 Category A06:2025 - Insecure Design
• OWASP Top Ten 2025 Category A07:2025 - Authentication Failures
• OWASP Top Ten 2025 Category A08:2025 - Software or Data Integrity Failures
• OWASP Top Ten 2025 Category A09:2025 - Logging & Alerting Failures
• OWASP Top Ten 2025 Category A10:2025 - Mishandling of Exceptional Conditions

Usability Improvements

• This release includes the fifth installment of major usability improvements that are underway for the CWE website. For this installment, 11 CWE Entry pages (listed below the example image) have been upgraded and will now include a concise summary of the weakness along with a visual aid at the top of each entry page. An example image of this new introductory section is below.
  
  To view the first four installments of the major usability improvements, see the CWE 4.15, CWE 4.16, CWE 4.17, and CWE 4.18 release notes.
  
  In this fifth installment of the usability improvements, the following 11 CWE Entry pages have been upgraded to the new look and feel. Note that CWE-276 did not receive any usability text updates, but does have a new visual aid image.
  
  
  • CWE-35: Path Traversal: '.../...//'
  • CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
  • CWE-276: Incorrect Default Permissions
  • CWE-285: Improper Authorization
  • CWE-308: Use of Single-factor Authentication
  • CWE-521: Weak Password Requirements
  • CWE-611: Improper Restriction of XML External Entity Reference
  • CWE-697: Incorrect Comparison
  • CWE-703: Improper Check or Handling of Exceptional Conditions
  • CWE-829: Inclusion of Functionality from Untrusted Control Sphere
  • CWE-1104: Use of Unmaintained Third Party Components
  
  Additional CWE Entry pages will be upgraded with these enhancements as part of future releases.

Schema Changes

The schema was updated to version 7.3 to add two new Language classes “Memory-Unsafe” and “Object-Oriented” to the LanguageClassEnumeration simpleType, and to add the “Increase Analytical Complexity” to the TechnicalImpactEnumeration simpleType. View the difference report.

Summary

There are 944 weaknesses and a total of 1,447 entries on the CWE List.

Changes for the new version include the following:

See the complete list of changes at https://cwe.mitre.org/data/reports/diff_reports/v4.18_v4.19.html.

Future updates will be noted here, on the CWE Research email discussion list, CWE page on LinkedIn, on CWE on X, and on CWE on Mastodon, and on CWE on Bluesky. Please contact us with any comments or concerns.

New Video: “Effectively Mapping CVEs to CWEs”

December 4, 2025 | Share this article

Root Cause Mapping (RCM) is the main topics of a video entitled “ Effectively Mapping CVEs to CWEs” that was presented on October 22, 2025, at the CVE Program Technical Workshop 2025” for CVE Numbering Authorities (CNAs).

In the video, CWE Program Technical Lead Steve Christey Coley and CWE Top 25 task lead/CWE Root Causes Mapping Working Group lead Connor Mullaly discuss how mapping CVEs to their root cause CWEs is an important, yet sometimes difficult activity. Also discussed are best practices, available guidance, and identifying some common pitfalls seen in RCM to help CNAs arrive at the most accurate CWEs.

The video is available now on the CWE YouTube Channel. Or, watch below:

CWE Version 4.18 Now Available

September 9, 2025 | Share this article

CWE Version 4.18 has been posted on the CWE List page to add 1 new view, 1 new category, 1 new weakness, and make usability improvements to 14 additional weakness entry pages, among other updates.

A detailed report is available that lists specific changes between Version 4.17 and Version 4.18.

Main Changes

CWE 4.18 includes 1 new view and 1 new category related to the recently released “2025 Most Important Hardware Weaknesses;” 1 new AI-related weakness for “Insecure Setting of Generative AI/ML Model Inference Parameters;” modification of some references, mitigations, affected resources, and functional areas to more closely link with D3FEND concepts; and, many other changes related to “usability” (see the “Usability Improvements” section below for details). The CWE Program thanks the members of the Artificial Intelligence Working Group (AI WG) for their collaboration preparing for this new version.

One new view added:

• Weaknesses in the 2025 CWE Most Important Hardware Weaknesses List

One new category added:

• 2025 MIHW Supplement: Expert Insights – “Weaknesses in this category were not included in the 2025 Most Important Hardware Weaknesses (MIHW) because they did not have sufficient weakness data to support their inclusion. However, they stand out as expert-driven selections. Each of these weaknesses received high scores from Subject Matter Experts, reflecting strong consensus among those with deep domain knowledge.”

One new AI-related weakness added:

• CWE-1434: Insecure Setting of Generative AI/ML Model Inference Parameters – “The product has a component that relies on a generative AI/ML model configured with inference parameters that produce an unacceptably high rate of erroneous or unexpected outputs.”

Improved alignment with D3FEND concepts added:

• Modified some references, mitigations, affected resources, and functional areas to more closely link with D3FEND concepts.

Usability Improvements

• This release includes the fourth installment of major usability improvements that are underway for the CWE website. For this installment, 14 CWE Entry pages (listed below the example image) have been upgraded and will now include a concise summary of the weakness along with a visual aid at the top of each entry page. An example image of this new introductory section is below.
  
  To view the first three installments of the major usability improvements, see the CWE 4.15, CWE 4.16, and CWE 4.17 release notes news articles.
  
  
  In this fourth installment of the usability improvements, the following 14 CWE Entry pages have been upgraded to the new look and feel:
  
  
  • CWE-23: Relative Path Traversal
  • CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS
  • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
  • CWE-209: Generation of Error Message Containing Sensitive Information
  • CWE-250: Execution with Unnecessary Privileges
  • CWE-256: Plaintext Storage of a Password
  • CWE-295: Improper Certificate Validation
  • CWE-330: Use of Insufficiently Random Values
  • CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition
  • CWE-489: Active Debug Code
  • CWE-614: Sensitive Cookie in HTTPS Session Without 'Secure' Attribute
  • CWE-770: Allocation of Resources Without Limits or Throttling
  • CWE-772: Missing Release of Resource after Effective Lifetime
  • CWE-1321: Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
  
  In addition, the visual aid image previously added to CWE-400: Uncontrolled Resource Consumption was updated to provide a more demonstrative visual example that the product does not properly control the allocation and maintenance of a limited resource.
  
  Additional usability improvements will be included in future releases.

Schema Changes

There were no schema updates.

Summary

There are 944 weaknesses and a total of 1,435 entries on the CWE List.

Changes for the new version include the following:

See the complete list of changes at https://cwe.mitre.org/data/reports/diff_reports/v4.17_v4.18.html.

Future updates will be noted here, on the CWE Research email discussion list, CWE page on LinkedIn, on CWE on X, and on CWE on Mastodon, and on CWE on Bluesky. Please contact us with any comments or concerns.

“2025 CWE™ Most Important Hardware Weaknesses” Now Available

August 20, 2025 | Share this article

The “2025 CWE™ Most Important Hardware Weaknesses” is now available on the CWE website, delivering a major update to the original 2021 release. For the first time, the refreshed MIHW combines comprehensive weakness data with expert opinion from across the hardware security community, equipping organizations with actionable insights to tackle today’s most critical hardware risks.

Goals

The 2025 MIHW aims to drive awareness of critical hardware weaknesses and provide the cybersecurity community with practical guidance to prevent security issues at the source.

By combining advanced data analysis with expert consensus, the list helps organizations prioritize mitigations, strengthen design practices, and make informed decisions throughout the hardware lifecycle.

Suggested Use Cases

The 2025 MIHW serves as a practical resource for a wide range of stakeholders:

• Security Architects and Designers can use the list to prioritize and address key weaknesses
• Design Teams benefit by building review checklists around top weaknesses
• Security Researchers can focus their investigation and mitigation efforts
• Test Engineers are able to target critical weaknesses in their testing
• EDA Tool Vendors can enhance tool support for industry-prioritized issues
• Educators can align course material with major hardware weaknesses

A Community Effort

The 2025 MIHW is the result of broad collaboration within the hardware security community. We extend our deepest gratitude to the 2025 MIHW Working Group whose dedication and hard work made the weakness data collection possible. We also thank the many respondents to the MIHW polls for sharing their expert insights, and all Hardware CWE SIG members for their ongoing support and contributions.

Learn More

Visit the Most Important Hardware Weaknesses page to view the 2025 list, key insights, methodology, use cases, and more.

Mapping CVEs to CWEs Is Main Topic of “We Speak CVE” Podcast

August 13, 2025 | Share this article

Root Cause Mapping (RCM) is the main topics of a “We Speak CVE” podcast entitled “Mapping the Root Causes of CVEs.”

In the episode, host Shannon Sabens chats with CVE™/CWE™ Project Lead Alec Summers and CWE Top 25 task lead/CWE Root Causes Mapping Working Group lead Connor Mullaly about the importance of mapping CVE Records (vulnerabilities) to their technical root causes using CWE. Additional topics include the benefits of RCM for CVE Numbering Authorities (CNAs) and consumers of CVE data, Common Vulnerability Scoring System (CVSS) and other vulnerability metadata and their differences with CWE, the CWE Top 25 Most Dangerous Software Weaknesses list, and the tools and guidance available to improve the RCM process (e.g., examples of mappings and best practices on the CWE website, mapping usage labels on CWE entry pages on the website, the RCM WG, and an LLM tool), and more.

The podcast is available now on the CWE YouTube Channel. Or, listen below:

Videos of Three CWE-Focused Sessions at VulnCon 2025 Now Available

June 18, 2025 | Share this article

Videos of three CWE-focused sessions — “Hard Problems in CWE, and What it Tells us about Hard Problems in the Industry” (presentation), “How Do We Leverage CVE Root Cause Mapping and CWE Data to Prevent New Vulnerabilities?” (presentation), and “Vulnerability Root Cause Mapping with CWE” (presentation) — from CVE/FIRST VulnCon 2025 are now available on the CWE YouTube Channel. Or, watch below:

CWE Podcast: “Root Cause Mapping and the CWE Top 25”

April 15, 2025 | Share this article

“Out-Of-Bounds Read” is the CWE Program’s free podcast about common weaknesses in software and hardware, the vulnerabilities they cause, how to reduce them, and how using CWE can help make products more secure by design.

In this episode, entitled “Root Cause Mapping and the CWE Top 25,” CWE Program Lead Alec Summers talks with CWE Technical Lead Steve Christey and CWE Top 25 Lead Connor Mullaly, that focuses Root Cause Mapping (RCM) and the CWE Top 25.

Topics include the value and history of the CWE Top 25 and an analysis of the most recent Top 25 list and which weaknesses moved up and down on the list; purpose and benefits of mapping the root causes of vulnerabilities identified in CVE Records to CWE weaknesses; methodology used for RCM of the 2024 CWE Top 25 to develop the list and how CVE Numbering Authorities (CNAs) were integral to the process; and, a discussion of follow-on Top 25 lists including the “2024 On the Cusp – Other Dangerous Software Weaknesses” and “2024 CWE Top 10 KEV Weaknesses” lists. In addition, tips for helping improve your RCM are also discussed, such as how best to leverage the CWE website for your research, using CWE List keyword search, where to find the vulnerability mapping pointers on all CWE entry pages and what the different indicators mean, the benefits of being a member of the Root Cause Mapping Working Group (RCM WG), and much more.

The podcast is available for free on the CWE Program Channel on YouTube. Please give our latest episode a listen and let us know what you think by commenting on the CWE page on LinkedIn, CWE on X, CWE on Mastodon, or CWE on Bluesky. We look forward to hearing from you!

CWE Version 4.17 Now Available

April 3, 2025 | Share this article

CWE Version 4.17 has been posted on the CWE List page to add 3 new weaknesses and make usability improvements to 20 additional weakness entry pages, among other updates.

A detailed report is available that lists specific changes between Version 4.16 and Version 4.17.

Main Changes

CWE 4.17 includes 3 new weaknesses for “Reliance on HTTP instead of HTTPS,” “Missing Security-Relevant Feedback for Unexecuted Operations in Hardware Interface,” and “Driving Intermediate Cryptographic State/Results to Hardware Module Outputs;” major updates to the AI-related “Inadequate Detection or Handling of Adversarial Input Perturbations in Automated Recognition Mechanism” weakness; addition of affected languages to many demonstrative examples; miscellaneous changes to various CWE entries under less-analyzed subtrees; and, many other changes related to “usability” (see the “Usability Improvements” section below for details).

Three new weaknesses added:

• CWE-1428: Reliance on HTTP instead of HTTPS
• CWE-1429: Missing Security-Relevant Feedback for Unexecuted Operations in Hardware Interface
• CWE-1431: Driving Intermediate Cryptographic State/Results to Hardware Module Outputs

Major updates to an AI-related weakness:

• CWE-1039: Inadequate Detection or Handling of Adversarial Input Perturbations in Automated Recognition Mechanism – This weakness underwent major updates to reflect the advances in understanding of adversarial perturbation attacks since its initial publication in 2018

Usability Improvements

• This release includes the third installment of major usability improvements that are underway for the CWE website. For this installment, 20 CWE Entry pages (listed below the example image) have been upgraded and will now include a concise summary of the weakness along with a visual aid at the top of each entry page. An example image of this new introductory section is below.
  
  To view the first two installments of the major usability improvements, see the CWE 4.15 and CWE 4.16 release notes news articles.
  
  To further improve the usability of the entry pages, the “Alternate Terms,” “Common Consequences,” and “Mitigations” sections will continue be reordered so that they appear directly below this new introductory section. In addition, the display of many fields now have better separation between data elements and a cleaner tabular format (see before and after examples beneath the list of improved weakness pages). The remaining sections of the page (such as “Relationships,” “Applicable Platforms,” “Demonstrative Examples,” etc.) will not be changed.
  
  In this third installment of the usability improvements, the following 20 CWE Entry pages have been upgraded to the new look and feel. We especially thank Abhi Balakrishnan for contributing some of the visual aid images included in these CWEs.
  
  
  • CWE-20: Improper Input Validation
  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')
  • CWE-94: Improper Control of Generation of Code ('Code Injection')
  • CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
  • CWE-117: Improper Output Neutralization for Log
  • CWE-126: Buffer Over-read
  • CWE-134: Use of Externally-Controlled Format String
  • CWE-204: Observable Response Discrepancy
  • CWE-259: Use of Hard-coded Password
  • CWE-311: Missing Encryption of Sensitive Data
  • CWE-312: Cleartext Storage of Sensitive Information
  • CWE-319: Cleartext Transmission of Sensitive Information
  • CWE-321: Use of Hard-coded Cryptographic Key
  • CWE-401: Missing Release of Memory after Effective Lifetime
  • CWE-415: Double Free
  • CWE-548: Exposure of Information Through Directory Listing
  • CWE-565: Reliance on Cookies without Validation and Integrity Checking
  • CWE-598: Use of GET Request Method With Sensitive Query Strings
  
  As mentioned above, we also increased separation between data elements and added a cleaner tabular format to reduce the “wall of text” effect for new users. Before and after examples of the cleaner tabular format are below (the new table format example is from the CWE-787: Out-of-bounds Write entry page).
  
  

  Old Table Format

  

  New Table Format

  
  
  Additional usability improvements will be included in future releases.

Schema Changes

There were no schema updates.

Summary

There are 943 weaknesses and a total of 1,432 entries on the CWE List.

Changes for the new version include the following:

See the complete list of changes at https://cwe.mitre.org/data/reports/diff_reports/v4.16_v4.17.html.

Future updates will be noted here, on the CWE Research email discussion list, CWE page on LinkedIn, on CWE on X, and on CWE on Mastodon, and on CWE on Bluesky. Please contact us with any comments or concerns.

“2024 CWE Top 10 KEV Weaknesses” List Now Available

April 3, 2025 | Share this article

The “2024 CWE Top 10 KEV Weaknesses” list, which lists the top ten CWEs in the Cybersecurity and Infrastructure Security Agency’s (CISA) “Known Exploited Vulnerabilities (KEV) Catalog,” is now available on the CWE website.

The KEV is a database of security flaws in software applications and weaknesses that have been exposed and leveraged by attackers. Each vulnerability listed in KEV is identified by, and links to, a CVE Record. CISA recommends that organizations monitor the KEV catalog and use its content to help prioritize remediation activities in their systems to reduce the likelihood of compromise.

Our analysis/key insights about the 2024 Top 10 KEV Weaknesses list are available here, and our methodology for creating the list is here.

View and Comment on Community Submissions in the “CWE Content Development Repository (CDR)”

April 3, 2025 | Share this article

The CWE Program is excited to announce that the “CWE Content Development Repository (CDR),” hosted on GitHub, is now fully public. The CDR enables the broader community to view, track, and contribute to the enhancement of the CWE corpus. This means greater transparency into the CWE working queue, and a further community collaboration in developing new CWE entries and modifying existing entries.

Content suggestions begin with the CWE Submission Form. Once processed, these submissions are transferred to the CDR public repository, allowing the entire CWE community to view and comment on them as they progress through various stages of development.

Interested? Check out the CDR’s README and the Guidelines for Content Submissions for more details and to better understand the process. All CWE content submissions must adhere to the CWE Terms of Use.

CWE Is Focus of Four Talks at VulnCon 2025

April 3, 2025 | Share this article

CWE is the main focus of four talks at CVE/FIRST VulnCon 2025 being held at the McKimmon Center in Raleigh, North Carolina, USA, on April 7-10, 2025:

• “Vulnerability Root Cause Mapping with CWE: Challenges, Solutions, and Insights from Grounded LLM-based Analysis” by Alec Summers of the CVE Program and Chris Madden of Yahoo (Monday, April 7, 11:30-12:30)
• “Lessons Learned From Assigning CWE’s to Test Items for Security Assessments” by Yuichi Kikuchi, Takayuki Uchiyama of Panasonic PSIRT (Tuesday, April 8, 11:30–12:00)
• “How Do We Leverage CVE Root Cause Mapping and CWE Data to Prevent New Vulnerabilities?” by Alexander Bushkin and Jeremy West of Red Hat (Tuesday, April 8, 14:00–16:30)
• “Hard Problems in CWE, and What it Tells us about Hard Problems in the Industry (Virtual)” by Steve Christey Coley of the CWE Program (Thursday, April 10, 13:30–14:30)

Feel free to contact us on CWE social media or at cwe@mitre.org with any feedback about these presentations.

Follow the CWE Program on Bluesky

April 3, 2025 | Share this article

The CWE Program is now on Bluesky! Please follow us for program news, new versions, updates on community activities, and more at @cweprogram.bsky.social.