CWE

Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities
New to CWE? click here!
CWE Most Important Hardware Weaknesses
CWE Top 25 Most Dangerous Weaknesses
Home > CWE Top 25 > 2023  
ID

Trends in Real-World CWEs: 2019 to 2023

Top 25 Home
View historical rank data
Trends in Real-World CWEs: 2019 to 2023
×

Note: A "-" indicates the CWE-ID was not within the top 40 for the given year

Current Rank ID Name 2022 Rank 2021 Rank 2020 Rank 2019 Rank
1 CWE-787 Out-of-bounds Write 1 1 2 12
2 CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') 2 2 1 2
3 CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') 3 6 6 6
4 CWE-416 Use After Free 7 7 8 7
5 CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') 6 5 10 11
6 CWE-20 Improper Input Validation 4 4 3 3
7 CWE-125 Out-of-bounds Read 5 3 4 5
8 CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') 8 8 12 10
9 CWE-352 Cross-Site Request Forgery (CSRF) 9 9 9 9
10 CWE-434 Unrestricted Upload of File with Dangerous Type 10 10 15 16
11 CWE-862 Missing Authorization 16 18 25 36
12 CWE-476 NULL Pointer Dereference 11 15 13 14
13 CWE-287 Improper Authentication 14 14 14 13
14 CWE-190 Integer Overflow or Wraparound 13 12 11 8
15 CWE-502 Deserialization of Untrusted Data 12 13 21 23
16 CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection') 17 25 31 30
17 CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer 19 17 5 1
18 CWE-798 Use of Hard-coded Credentials 15 16 20 19
19 CWE-918 Server-Side Request Forgery (SSRF) 21 24 27 32
20 CWE-306 Missing Authentication for Critical Function 18 11 24 38
21 CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') 22 33 34 31
22 CWE-269 Improper Privilege Management 29 29 22 24
23 CWE-94 Improper Control of Generation of Code ('Code Injection') 25 28 17 18
24 CWE-863 Incorrect Authorization 28 38 29 35
25 CWE-276 Incorrect Default Permissions 20 19 - -
26 CWE-617 Reachable Assertion - - - -
27 CWE-427 Uncontrolled Search Path Element 27 34 - -
28 CWE-611 Improper Restriction of XML External Entity Reference 24 23 19 17
29 CWE-770 Allocation of Resources Without Limits or Throttling - 40 39 -
30 CWE-200 Exposure of Sensitive Information to an Unauthorized Actor 33 20 7 4
31 CWE-732 Incorrect Permission Assignment for Critical Resource 30 22 16 15
32 CWE-601 URL Redirection to Untrusted Site ('Open Redirect') 35 37 35 34
33 CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') 34 - - -
34 CWE-295 Improper Certificate Validation 26 26 28 25
35 CWE-522 Insufficiently Protected Credentials 38 21 18 28
36 CWE-401 Missing Release of Memory after Effective Lifetime 36 32 32 -
37 CWE-400 Uncontrolled Resource Consumption 23 27 23 20
38 CWE-639 Authorization Bypass Through User-Controlled Key - - - -
39 CWE-59 Improper Link Resolution Before File Access ('Link Following') 37 31 40 -
40 CWE-668 Exposure of Resource to Wrong Sphere 32 - - -

While this year’s 2023 CWE Top 25 list is very important, it is also important to consider how the list has changed from year to year. This can identify interesting trends in real-world, exploitable weaknesses that can inform security policy and investment decision-making. To observe both upward and downward trends in CWE ranks, we tracked CWEs that have shown consistent movement since the CWE Top 25 list’s inception in 2019.

It is important to note that NVD/Top 25 data is very dynamic year to year due to several factors including the types of vulnerabilities reported each year, changes to the remapping strategy, the addition of new CWE entries into the CWE mapping view, and more. Thus, rankings are less reliable as one goes much beyond “the cusp” (i.e., position #40) using the Top 25 methodology due to data biases (e.g., an increase of a few CVEs in the data can drastically change the position of a CWE between the 60 and 100+ ranks). These factors and their impacts will be discussed in a future publication.

Consistent Upward Movers

The following weaknesses have shown a consistently upward trend in ranking. Software developers and maintainers should be aware of these and consider prioritizing them in their remediation efforts.

  • CWE-862: Missing Authorization — CWE-862 started out ranked 36th in 2019, which put it on the cusp. It entered the CWE Top 25 in 2020 ranked 25th and has consistently moved up every year, now ranking 11th in 2023 (the highest among consistently upward movers). This could indicate that developers are not consistently implementing authorization techniques when needed, even though the weakness has been present in the CWE Top 25 since 2020. The community should remain diligent about the implementation of authorization.
  • CWE-918: Server-Side Request Forgery (SSRF) — CWE-918 started out ranked 32nd in 2019, also putting it on the cusp. It first entered the CWE Top 25 in 2021 with a rank of 24th. While this CWE has not climbed in rank as much as CWE-862, it has steadily climbed to a rank of 19th in 2023.
  • CWE-639: Authorization Bypass Through User-Controlled Key — CWE-639 started out ranked far outside of the top 40 in 2019 but saw a steady climb in rank throughout the following years until making its way to 38th in 2023. This puts CWE-639 “on the cusp” for the first time this year and, considering the upward trends, it will be interesting to keep an eye on and take note of its further movement.

Upward Movers Graph 2019-2023

Other Upward Movers

Other upward moving CWEs have never moved down in the rankings but have had at least one year with no rank change. While these trends are not as consistent as CWEs which have increased in ranking every year, they are still interesting to note. These are:


Consistent Downward Movers

Weaknesses that have shown a downward trend in ranking could potentially indicate improved awareness and mitigation from the community, although some of these weaknesses remain in the CWE Top 25. Despite the promising trend, these remain important enough for IT professionals to consider. These downward trending CWEs are described below.

  • CWE-190: Integer Overflow or Wraparound — CWE-190 started out ranked 8th in 2019 and is now ranked 14th in 2023. Although this is the least amount of change amongst consistently downward movers, it is notable because of its presence in the Top 25 each year. Regardless of what is causing this downward movement, its current rank shows that more awareness and mitigation is still needed by the community.
  • CWE-732: Incorrect Permission Assignment for Critical Resource — CWE-732 started out ranked 15th in 2019 and is now ranked 31st in 2023. It first dropped out of the Top 25 in 2022 and saw a decrease of only one rank in 2023. It is difficult to determine for certain what is causing this steady decrease in rank, but it could possibly be attributed to a greater emphasis on correctly mapping access control CWEs.
  • CWE-611: Improper Restriction of XML External Entity Reference — CWE-611 started out ranked 17th in 2019 and is now ranked 28th in 2023. It has decreased in rank steadily, albeit in minor increments, and just recently dropped out of the CWE Top 25 this year.
  • CWE-426: Untrusted Search Path — CWE-426 has decreased in rank the most among consistently downward movers, starting out ranked 22nd in 2019 and then completely falling out of the Top 40 starting in 2021. It is unusual for a previous CWE Top 25 weakness to be well below the cusp. Although it only dropped 4 ranks from 2019 to 2020, it has consistently dropped in the rankings from there. This is likely due to more accurate mappings of vulnerabilities to CWE-427: Uncontrolled Search Path Element, which has moved from out of the cusp in 2019 to 27th in 2023. These CWEs share some similarities, so extra care has been taken in recent years to ensure CVE Records are properly mapped between these two.

Downward Movers Graph 2019-2023

Back to top
Page Last Updated: August 01, 2023
 

Use of the Common Weakness Enumeration (CWE™) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2024, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.