CWE

Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities
New to CWE? click here!
CWE Most Important Hardware Weaknesses
CWE Top 25 Most Dangerous Weaknesses
Home > CWE Top 25 > 2025 On the Cusp 
ID

2025 “On the Cusp” – Other Dangerous Software Weaknesses

Top 25 Home
Share via: Share via
View in table format
On the Cusp Insights

2025 CWE Top 25 - On the Cusp
×
Rank ID NameScore CVEs in KEV Rank Change vs. 2024
26 CWE-266 Incorrect Privilege Assignment 2.40 0 N/A
27 CWE-276 Incorrect Default Permissions 2.37 0 +9
28 CWE-98 Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') 2.32 0 N/A
29 CWE-269 Improper Privilege Management 2.08 4 -14
30 CWE-190 Integer Overflow or Wraparound 2.06 2 -7
31 CWE-287 Improper Authentication 2.04 2 -17
32 CWE-400 Uncontrolled Resource Consumption 2.02 0 -8
33 CWE-288 Authentication Bypass Using an Alternate Path or Channel 1.87 6 N/A
34 CWE-427 Uncontrolled Search Path Element 1.72 0 -5
35 CWE-798 Use of Hard-coded Credentials 1.59 2 -13
36 CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') 1.57 0 -2
37 CWE-401 Missing Release of Memory after Effective Lifetime 1.47 0 +11
38 CWE-732 Incorrect Permission Assignment for Critical Resource 1.47 0 -6
39 CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer 1.43 1 -19
40 CWE-601 URL Redirection to Untrusted Site ('Open Redirect') 1.41 0 -7
  1. Incorrect Privilege Assignment
    CWE-266 CVEs in KEV: 0 Rank Last Year: N/A
  2. Incorrect Default Permissions
    CWE-276 CVEs in KEV: 0 Rank Last Year: 36 (up 9) upward trend
  3. Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
    CWE-98 CVEs in KEV: 0 Rank Last Year: N/A
  4. Improper Privilege Management
    CWE-269 CVEs in KEV: 4 Rank Last Year: 15 (down 14) downward trend
  5. Integer Overflow or Wraparound
    CWE-190 CVEs in KEV: 2 Rank Last Year: 23 (down 7) downward trend
  6. Improper Authentication
    CWE-287 CVEs in KEV: 2 Rank Last Year: 14 (down 17) downward trend
  7. Uncontrolled Resource Consumption
    CWE-400 CVEs in KEV: 0 Rank Last Year: 24 (down 8) downward trend
  8. Authentication Bypass Using an Alternate Path or Channel
    CWE-288 CVEs in KEV: 6 Rank Last Year: N/A
  9. Uncontrolled Search Path Element
    CWE-427 CVEs in KEV: 0 Rank Last Year: 29 (down 5) downward trend
  10. Use of Hard-coded Credentials
    CWE-798 CVEs in KEV: 2 Rank Last Year: 22 (down 13) downward trend
  11. Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
    CWE-362 CVEs in KEV: 0 Rank Last Year: 34 (down 2) downward trend
  12. Missing Release of Memory after Effective Lifetime
    CWE-401 CVEs in KEV: 0 Rank Last Year: 48 (up 11) upward trend
  13. Incorrect Permission Assignment for Critical Resource
    CWE-732 CVEs in KEV: 0 Rank Last Year: 32 (down 6) downward trend
  14. Improper Restriction of Operations within the Bounds of a Memory Buffer
    CWE-119 CVEs in KEV: 1 Rank Last Year: 20 (down 19) downward trend
  15. URL Redirection to Untrusted Site ('Open Redirect')
    CWE-601 CVEs in KEV: 0 Rank Last Year: 33 (down 7) downward trend
Back to top
Page Last Updated: January 27, 2026
 

Use of the Common Weakness Enumeration (CWE™) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2026, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.