CWE

Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities

2025 CWE Top 25 Most Dangerous Software Weaknesses

  1. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
     CWE-79 | CVEs in KEV: 7 | Rank Last Year: 1 (no change)
  2. Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
     CWE-89 | CVEs in KEV: 4 | Rank Last Year: 3 (up 1)
  3. Cross-Site Request Forgery (CSRF)
     CWE-352 | CVEs in KEV: 0 | Rank Last Year: 4 (up 1)
  4. Missing Authorization
     CWE-862 | CVEs in KEV: 0 | Rank Last Year: 9 (up 5)
  5. Out-of-bounds Write
     CWE-787 | CVEs in KEV: 12 | Rank Last Year: 2 (down 3)
  6. Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
     CWE-22 | CVEs in KEV: 10 | Rank Last Year: 5 (down 1)
  7. Use After Free
     CWE-416 | CVEs in KEV: 14 | Rank Last Year: 8 (up 1)
  8. Out-of-bounds Read
     CWE-125 | CVEs in KEV: 3 | Rank Last Year: 6 (down 2)
  9. Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
     CWE-78 | CVEs in KEV: 20 | Rank Last Year: 7 (down 2)
  10. Improper Control of Generation of Code ('Code Injection')
      CWE-94 | CVEs in KEV: 7 | Rank Last Year: 11 (up 1)
  11. Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
      CWE-120 | CVEs in KEV: 0 | Rank Last Year: N/A (new entry)
  12. Unrestricted Upload of File with Dangerous Type
      CWE-434 | CVEs in KEV: 4 | Rank Last Year: 10 (down 2)
  13. NULL Pointer Dereference
      CWE-476 | CVEs in KEV: 0 | Rank Last Year: 21 (up 8)
  14. Stack-based Buffer Overflow
      CWE-121 | CVEs in KEV: 4 | Rank Last Year: N/A (new entry)
  15. Deserialization of Untrusted Data
      CWE-502 | CVEs in KEV: 11 | Rank Last Year: 16 (up 1)
  16. Heap-based Buffer Overflow
      CWE-122 | CVEs in KEV: 6 | Rank Last Year: N/A (new entry)
  17. Incorrect Authorization
      CWE-863 | CVEs in KEV: 4 | Rank Last Year: 18 (up 1)
  18. Improper Input Validation
      CWE-20 | CVEs in KEV: 2 | Rank Last Year: 12 (down 6)
  19. Improper Access Control
      CWE-284 | CVEs in KEV: 1 | Rank Last Year: N/A (new entry)
  20. Exposure of Sensitive Information to an Unauthorized Actor
      CWE-200 | CVEs in KEV: 1 | Rank Last Year: 17 (down 3)
  21. Missing Authentication for Critical Function
      CWE-306 | CVEs in KEV: 11 | Rank Last Year: 25 (up 4)
  22. Server-Side Request Forgery (SSRF)
      CWE-918 | CVEs in KEV: 0 | Rank Last Year: 19 (down 3)
  23. Improper Neutralization of Special Elements used in a Command ('Command Injection')
      CWE-77 | CVEs in KEV: 2 | Rank Last Year: 13 (down 10)
  24. Authorization Bypass Through User-Controlled Key
      CWE-639 | CVEs in KEV: 0 | Rank Last Year: 30 (up 6)
  25. Allocation of Resources Without Limits or Throttling
      CWE-770 | CVEs in KEV: 0 | Rank Last Year: 26 (up 1)
Page Last Updated: December 11, 2025