CWE

Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities
New to CWE? click here!
CWE Most Important Hardware Weaknesses
CWE Top 25 Most Dangerous Weaknesses
Home > CWE Top 25 > 2025 CWE Top 10 KEV Weaknesses 
ID

2025 CWE Top 10 KEV Weaknesses

Top 25 Home
Share via:
View in table format
KEV Key Insights
KEV Methodology
2025 CWE Top 10 KEV Weaknesses
×
Rank ID NameScore CVEs in KEV Rank Change vs. 2024
1 CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') 80.43 20 +2
2 CWE-416 Use After Free 51.89 14 +7
3 CWE-787 Out-of-bounds Write 50.39 12 -2
4 CWE-306 Missing Authentication for Critical Function 50.27 11 +3
5 CWE-502 Deserialization of Untrusted Data 46.31 11 0
6 CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') 36.96 10 0
7 CWE-94 Improper Control of Generation of Code ('Code Injection') 26.62 7 -3
8 CWE-288 Authentication Bypass Using an Alternate Path or Channel 22.31 6 +6
9 CWE-122 Heap-based Buffer Overflow 20.25 6 +2
10 CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') 17.99 7 +11
  1. Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
    CWE-78 CVEs in KEV: 20 Rank Last Year: 3 (up 2) upward trend
  2. Use After Free
    CWE-416 CVEs in KEV: 14 Rank Last Year: 9 (up 7) upward trend
  3. Out-of-bounds Write
    CWE-787 CVEs in KEV: 12 Rank Last Year: 1 (down 2) downward trend
  4. Missing Authentication for Critical Function
    CWE-306 CVEs in KEV: 11 Rank Last Year: 7 (up 3) upward trend
  5. Deserialization of Untrusted Data
    CWE-502 CVEs in KEV: 11 Rank Last Year: 5
  6. Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    CWE-22 CVEs in KEV: 10 Rank Last Year: 6
  7. Improper Control of Generation of Code ('Code Injection')
    CWE-94 CVEs in KEV: 7 Rank Last Year: 4 (down 3) downward trend
  8. Authentication Bypass Using an Alternate Path or Channel
    CWE-288 CVEs in KEV: 6 Rank Last Year: 14 (up 6) upward trend
  9. Heap-based Buffer Overflow
    CWE-122 CVEs in KEV: 6 Rank Last Year: 11 (up 2) upward trend
  10. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    CWE-79 CVEs in KEV: 7 Rank Last Year: 21 (up 11) upward trend
Back to top
Page Last Updated: January 27, 2026
 

Use of the Common Weakness Enumeration (CWE™) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2026, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.