2024 CWE Top 25 Most Dangerous Software Weaknesses

Columns: current rank; CWE identifier; number of CVEs mapped to that weakness in CISA's Known Exploited Vulnerabilities (KEV) catalog; rank in the 2023 list; change in rank since last year; weakness name.

Rank  CWE ID   KEV  Last year  Change     Weakness
   1  CWE-79     3          2  up 1       Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
   2  CWE-787   18          1  down 1     Out-of-bounds Write
   3  CWE-89     4          3  no change  Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
   4  CWE-352    0          9  up 5       Cross-Site Request Forgery (CSRF)
   5  CWE-22     4          8  up 3       Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
   6  CWE-125    3          7  up 1       Out-of-bounds Read
   7  CWE-78     5          5  down 2     Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
   8  CWE-416    5          4  down 4     Use After Free
   9  CWE-862    0         11  up 2       Missing Authorization
  10  CWE-434    0         10  no change  Unrestricted Upload of File with Dangerous Type
  11  CWE-94     7         23  up 12      Improper Control of Generation of Code ('Code Injection')
  12  CWE-20     1          6  down 6     Improper Input Validation
  13  CWE-77     4         16  up 3       Improper Neutralization of Special Elements used in a Command ('Command Injection')
  14  CWE-287    4         13  down 1     Improper Authentication
  15  CWE-269    0         22  up 7       Improper Privilege Management
  16  CWE-502    5         15  down 1     Deserialization of Untrusted Data
  17  CWE-200    0         30  up 13      Exposure of Sensitive Information to an Unauthorized Actor
  18  CWE-863    2         24  up 6       Incorrect Authorization
  19  CWE-918    2         19  no change  Server-Side Request Forgery (SSRF)
  20  CWE-119    2         17  down 3     Improper Restriction of Operations within the Bounds of a Memory Buffer
  21  CWE-476    0         12  down 9     NULL Pointer Dereference
  22  CWE-798    2         18  down 4     Use of Hard-coded Credentials
  23  CWE-190    3         14  down 9     Integer Overflow or Wraparound
  24  CWE-400    0         37  up 13      Uncontrolled Resource Consumption
  25  CWE-306    5         20  down 5     Missing Authentication for Critical Function

Page Last Updated: November 20, 2024