CWE

Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities
New to CWE? click here!
CWE Most Important Hardware Weaknesses
CWE Top 25 Most Dangerous Weaknesses
Home > CWE Top 25 > 2023  
ID

2023 CWE Top 25 Most Dangerous Software Weaknesses

Top 25 Home
Share via:
View in table format
Key Insights
Methodology

2023 CWE Top 25
×
Rank ID NameScore CVEs in KEV Rank Change vs. 2022
1 CWE-787 Out-of-bounds Write 63.72 70 0
2 CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') 45.54 4 0
3 CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') 34.27 6 0
4 CWE-416 Use After Free 16.71 44 +3
5 CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') 15.65 23 +1
6 CWE-20 Improper Input Validation 15.50 35 -2
7 CWE-125 Out-of-bounds Read 14.60 2 -2
8 CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') 14.11 16 0
9 CWE-352 Cross-Site Request Forgery (CSRF) 11.73 0 0
10 CWE-434 Unrestricted Upload of File with Dangerous Type 10.41 5 0
11 CWE-862 Missing Authorization 6.90 0 +5
12 CWE-476 NULL Pointer Dereference 6.59 0 -1
13 CWE-287 Improper Authentication 6.39 10 +1
14 CWE-190 Integer Overflow or Wraparound 5.89 4 -1
15 CWE-502 Deserialization of Untrusted Data 5.56 14 -3
16 CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection') 4.95 4 +1
17 CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer 4.75 7 +2
18 CWE-798 Use of Hard-coded Credentials 4.57 2 -3
19 CWE-918 Server-Side Request Forgery (SSRF) 4.56 16 +2
20 CWE-306 Missing Authentication for Critical Function 3.78 8 -2
21 CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') 3.53 8 +1
22 CWE-269 Improper Privilege Management 3.31 5 +7
23 CWE-94 Improper Control of Generation of Code ('Code Injection') 3.30 6 +2
24 CWE-863 Incorrect Authorization 3.16 0 +4
25 CWE-276 Incorrect Default Permissions 3.16 0 -5
  1. Out-of-bounds Write
    CWE-787 CVEs in KEV: 70 Rank Last Year: 1
  2. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    CWE-79 CVEs in KEV: 4 Rank Last Year: 2
  3. Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    CWE-89 CVEs in KEV: 6 Rank Last Year: 3
  4. Use After Free
    CWE-416 CVEs in KEV: 44 Rank Last Year: 7 (up 3) upward trend
  5. Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
    CWE-78 CVEs in KEV: 23 Rank Last Year: 6 (up 1) upward trend
  6. Improper Input Validation
    CWE-20 CVEs in KEV: 35 Rank Last Year: 4 (down 2) downward trend
  7. Out-of-bounds Read
    CWE-125 CVEs in KEV: 2 Rank Last Year: 5 (down 2) downward trend
  8. Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    CWE-22 CVEs in KEV: 16 Rank Last Year: 8
  9. Cross-Site Request Forgery (CSRF)
    CWE-352 CVEs in KEV: 0 Rank Last Year: 9
  10. Unrestricted Upload of File with Dangerous Type
    CWE-434 CVEs in KEV: 5 Rank Last Year: 10
  11. Missing Authorization
    CWE-862 CVEs in KEV: 0 Rank Last Year: 16 (up 5) upward trend
  12. NULL Pointer Dereference
    CWE-476 CVEs in KEV: 0 Rank Last Year: 11 (down 1) downward trend
  13. Improper Authentication
    CWE-287 CVEs in KEV: 10 Rank Last Year: 14 (up 1) upward trend
  14. Integer Overflow or Wraparound
    CWE-190 CVEs in KEV: 4 Rank Last Year: 13 (down 1) downward trend
  15. Deserialization of Untrusted Data
    CWE-502 CVEs in KEV: 14 Rank Last Year: 12 (down 3) downward trend
  16. Improper Neutralization of Special Elements used in a Command ('Command Injection')
    CWE-77 CVEs in KEV: 4 Rank Last Year: 17 (up 1) upward trend
  17. Improper Restriction of Operations within the Bounds of a Memory Buffer
    CWE-119 CVEs in KEV: 7 Rank Last Year: 19 (up 2) upward trend
  18. Use of Hard-coded Credentials
    CWE-798 CVEs in KEV: 2 Rank Last Year: 15 (down 3) downward trend
  19. Server-Side Request Forgery (SSRF)
    CWE-918 CVEs in KEV: 16 Rank Last Year: 21 (up 2) upward trend
  20. Missing Authentication for Critical Function
    CWE-306 CVEs in KEV: 8 Rank Last Year: 18 (down 2) downward trend
  21. Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
    CWE-362 CVEs in KEV: 8 Rank Last Year: 22 (up 1) upward trend
  22. Improper Privilege Management
    CWE-269 CVEs in KEV: 5 Rank Last Year: 29 (up 7) upward trend
  23. Improper Control of Generation of Code ('Code Injection')
    CWE-94 CVEs in KEV: 6 Rank Last Year: 25 (up 2) upward trend
  24. Incorrect Authorization
    CWE-863 CVEs in KEV: 0 Rank Last Year: 28 (up 4) upward trend
  25. Incorrect Default Permissions
    CWE-276 CVEs in KEV: 0 Rank Last Year: 20 (down 5) downward trend
Back to top
Page Last Updated: November 01, 2023
 

Use of the Common Weakness Enumeration (CWE™) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2024, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.