CWE

Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities


News & Events - 2026

Send feedback about this page to cwe@mitre.org.

CWE Version 4.19.1 Now Available

January 21, 2026

CWE Version 4.19.1 has been posted on the CWE List page. CWE 4.19.1 is an unscheduled release that fixes incorrect relationships in the Weaknesses in the 2025 CWE Top 25 Most Dangerous Software Weaknesses view. The updated View-1435 now contains the correct relationships. There were no other changes.

A detailed report is available that lists specific changes between Version 4.19 and Version 4.19.1.

Summary

There are 944 weaknesses and a total of 1,447 entries on the CWE List.

Changes for the new version include the following:

New Views Added: 0
Views Deprecated: 0
New Categories Added: 0
Categories Deprecated: 0
New Entries Added: 0
Entries Deprecated: 0
Entries with Major Changes: 9
Entries with only Minor Changes: 0
Entries Unchanged: 1438

See the complete list of changes at https://cwe.mitre.org/data/reports/diff_reports/v4.19_v4.19.1.html.

Future updates will be noted here, on the CWE Research email discussion list, on the CWE page on LinkedIn, on CWE on X, on CWE on Mastodon, and on CWE on Bluesky. Please contact us with any comments or concerns.


2025 “CWE Top 25” Now Available!

December 11, 2025

The “2025 Common Weakness Enumeration (CWE™) Top 25 Most Dangerous Software Weaknesses” (2025 CWE Top 25) is now available on the CWE website! The Top 25 highlights the most severe and prevalent weaknesses behind the 39,080 CVE™ Records in this year’s dataset. Uncovering the root causes of these vulnerabilities serves as a powerful guide for investments, policies, and practices to prevent these vulnerabilities from occurring in the first place. These weaknesses lead to serious vulnerabilities in software, and an attacker can often exploit them to take control of an affected system, steal data, or prevent applications from working.

What’s Changed

There are several notable shifts in ranked positions of weakness types from last year’s list, including weaknesses dropping away or making their first appearance in a CWE Top 25.

The 2025 Top 25’s #1 ranked weakness is CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross Site Scripting’), retaining the top position from last year while being the only CWE to not change in ranking. Notable shifts in rankings included CWE-862: Missing Authorization moving up 5 ranks to #4, CWE-20: Improper Input Validation moving down 6 ranks to #18, and CWE-77: Command Injection moving down 10 ranks to #23. Six new CWEs also appeared in the 2025 Top 25, most notably CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') at #11, CWE-352: Stack-based Buffer Overflow at #14, and CWE-122: Heap-based Buffer Overflow at #16. These new introductions are likely due to a change in methodology this year that allowed for better representation of more specific weaknesses.

Visit the Key Insights page for additional information.

Leveraging Real-World Data

The 2025 CWE Top 25 is the second year in a row where the CVE Numbering Authority (CNA) community directly contributed CWE mapping reviews within the dataset, leveraging their expert knowledge of the products and access to information that might not be present in the CVE Record. In general, CNAs are best positioned to provide accurate CWE mapping determinations compared to third-party analysts, as CNAs are the authority for vulnerability information within their CNA scope and those closest to the products themselves.

To create the 2025 list, the CWE Program leveraged public vulnerability data containing CWE mappings and Common Vulnerability Scoring System (CVSS) scores.

The 2025 CWE Top 25 leverages CVE Records for vulnerabilities published between June 1, 2024, and June 1, 2025. A scoring formula is used to calculate a ranked order of weaknesses by combining the frequency that a CWE is the root cause of a vulnerability with the average severity of each of those vulnerabilities as measured by CVSS.

For more information about how the list was created and the ranking methodology, visit the Methodology page. Also, be sure to check out the CWE Top 25 page going forward for additional articles and insight.

Over the coming weeks and months, the CWE Program will continue publishing further analyses to help illustrate how root cause mapping and vulnerability management play an important role in shifting the balance of cybersecurity risk. These will include but may not be limited to the following:

  • Weaknesses on the Cusp — those weaknesses that did not make the 2024 CWE Top 25 of which readers should be aware.
  • Actively Exploited — Ranking Weaknesses by the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) Catalog.

Feedback Welcome

Please send any feedback or questions to the CWE Research email discussion list, CWE on X, CWE page on LinkedIn, CWE on Mastodon, CWE on Bluesky, or contact us directly with any comments or concerns.

CWE Version 4.19 Now Available

December 11, 2025

CWE Version 4.19 has been posted on the CWE List page to add support for the “2025 CWE Top 25 Most Dangerous Software Weaknesses” list, 2 new views, 10 new categories, and make usability improvements to 11 additional weakness entry pages, among other updates.

A detailed report is available that lists specific changes between Version 4.18 and Version 4.19.

Main Changes

CWE 4.19 includes 1 new view for the weaknesses in the “2025 CWE Top 25” list, 1 new view for the weaknesses in the “OWASP Top Ten 2025,” 10 new categories related to the OWASP 2025 (see list below), among other updates. Also, over 800 CWE entries were modified by filling in higher-priority elements to provide more complete information for users. The most frequently-added elements were Common Consequences, Applicable Platforms, Weakness Ordinalities, Detection Methods, and Time of Introduction. Over 200 CWEs had relationship changes, primarily due to the new OWASP Top Ten view. Over 100 descriptions were modified, typically by moving some of their contents to other elements. The schema was also updated, as noted below.

Two new views added:

Ten new categories related to the “Weaknesses in OWASP Top Ten RC1 (2025)” view added:

Usability Improvements

Schema Changes

The schema was updated to version 7.3 to add two new Language classes, “Memory-Unsafe” and “Object-Oriented,” to the LanguageClassEnumeration simpleType, and to add “Increase Analytical Complexity” to the TechnicalImpactEnumeration simpleType. View the difference report.

Summary

There are 944 weaknesses and a total of 1,447 entries on the CWE List.

Changes for the new version include the following:

New Views Added: 2
Views Deprecated: 0
New Categories Added: 10
Categories Deprecated: 0
New Entries Added: 0
Entries Deprecated: 0
Entries with Major Changes: 903
Entries with only Minor Changes: 2
Entries Unchanged: 530

See the complete list of changes at https://cwe.mitre.org/data/reports/diff_reports/v4.18_v4.19.html.

Future updates will be noted here, on the CWE Research email discussion list, on the CWE page on LinkedIn, on CWE on X, on CWE on Mastodon, and on CWE on Bluesky. Please contact us with any comments or concerns.

Page Last Updated: January 20, 2026