CWE

Common Weakness Enumeration

2023 CWE Top 25 Key Insights

To create the 2023 CWE Top 25 list, the CWE Team leveraged Common Vulnerabilities and Exposures (CVE®) data found within the National Institute of Standards and Technology (NIST) U.S. National Vulnerability Database (NVD) and the Common Vulnerability Scoring System (CVSS) scores associated with each CVE Record, including a focus on CVE Records from the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog. A formula was applied to the data to score each weakness based on prevalence and severity.

The dataset analyzed to calculate the 2023 Top 25 contained a total of 43,996 CVE Records across 2021 and 2022.

Analysis

There are several notable shifts in ranked positions of weakness types from last year's list, including weaknesses dropping away or making their first appearance in a Top 25.

The biggest movers up the list are:

  • CWE-416: Use After Free from #7 to #4
  • CWE-862: Missing Authorization from #16 to #11
  • CWE-269: Improper Privilege Management from #29 to #22
  • CWE-863: Incorrect Authorization from #28 to #24

The biggest downward movers are:

  • CWE-502: Deserialization of Untrusted Data from #12 to #15
  • CWE-798: Use of Hard-coded Credentials from #15 to #18
  • CWE-276: Incorrect Default Permissions from #20 to #25

New entries in the Top 25 are:

  • CWE-269: Improper Privilege Management from #29 to #22
  • CWE-863: Incorrect Authorization from #28 to #24

Entries that fell off the Top 25 are:

  • CWE-400: Uncontrolled Resource Consumption from #23 to #37
  • CWE-611: Improper Restriction of XML External Entity Reference from #24 to #28
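The scoring step described in the methodology paragraph above and the rank comparisons in these lists, as an added Python example that is not the CWE Team's code or tooling. It assumes the Fr/Sv/Score formula published in the CWE Top 25 methodology (min-max normalised prevalence times min-max normalised average CVSS, times 100), which this page does not reproduce; taking min/max over the per-CWE values is my reading of that formula, the KEV emphasis is not modelled, and the CVE records are constructed sample data, not real NVD records.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample CVE records (not real NVD data): (CVE id, mapped CWE, CVSS base score).
SAMPLE_RECORDS = [
    ("CVE-0000-0001", "CWE-416", 9.8),
    ("CVE-0000-0002", "CWE-416", 7.6),
    ("CVE-0000-0003", "CWE-862", 6.5),
    ("CVE-0000-0004", "CWE-862", 5.3),
    ("CVE-0000-0005", "CWE-276", 4.3),
]

def score_weaknesses(records):
    """{cwe: (count, avg_cvss, score)}: Fr = (count-min)/(max-min), Sv likewise on
    avg CVSS, Score = Fr*Sv*100; min/max over per-CWE values (my reading of the formula)."""
    by_cwe = defaultdict(list)
    for _cve, cwe, cvss in records:
        by_cwe[cwe].append(cvss)
    counts = {c: len(v) for c, v in by_cwe.items()}
    avgs = {c: mean(v) for c, v in by_cwe.items()}
    min_c, max_c = min(counts.values()), max(counts.values())
    min_s, max_s = min(avgs.values()), max(avgs.values())
    scored = {}
    for cwe in by_cwe:  # guard the degenerate case where every CWE ties on a factor
        fr = (counts[cwe] - min_c) / (max_c - min_c) if max_c != min_c else 1.0
        sv = (avgs[cwe] - min_s) / (max_s - min_s) if max_s != min_s else 1.0
        scored[cwe] = (counts[cwe], round(avgs[cwe], 2), round(fr * sv * 100, 2))
    return scored

def rank(records):
    scored = score_weaknesses(records)  # index + 1 in the returned list is the rank
    return sorted(scored, key=lambda c: scored[c][2], reverse=True)

def rank_movement(previous, current, cutoff=25):
    """Classify each CWE's move between two ranked lists the way the lists above do:
    {cwe: (old_rank, new_rank, label)}, label in up/down/same/new/dropped/outside."""
    old = {c: i + 1 for i, c in enumerate(previous)}
    new = {c: i + 1 for i, c in enumerate(current)}
    moves = {}
    for cwe in set(old) | set(new):
        o, n = old.get(cwe), new.get(cwe)
        if n is not None and n <= cutoff and (o is None or o > cutoff):
            label = "new"      # entered the Top 25, e.g. #29 -> #22
        elif o is not None and o <= cutoff and (n is None or n > cutoff):
            label = "dropped"  # fell out of the Top 25, e.g. #23 -> #37
        else:  # both ranked, or ranked in only one year and outside the cutoff
            label = ("outside" if o is None or n is None
                     else "up" if n < o else "down" if n > o else "same")
        moves[cwe] = (o, n, label)
    return moves
```

Because both factors are normalised against the other CWEs in the same dataset, a score is only meaningful relative to that year's data window, which is why positions can shift even when a weakness's absolute CVE count barely changes.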

Also see Trends in Real-World CWEs: 2019 to 2023.

Page Last Updated: August 01, 2023