October 3, 2023

The US government has published a list of the most common and impactful software weaknesses of the past two years.

The CWE Top 25 list was announced by the Homeland Security Systems Engineering and Development Institute, sponsored by the DHS and operated by non-profit MITRE.

Software weaknesses are errors, bugs, flaws and more that can lead to vulnerabilities. Unlike the Common Vulnerabilities and Exposures (CVE) system, which provides a number for each discovered vulnerability, Common Weakness Enumeration (CWE) is more like a glossary of generic weakness types. In other words, it refers to types of software weakness rather than specific vulnerabilities.


Out-of-bounds write tops the list, followed by cross-site scripting and SQL injection. An attacker can often exploit these vulnerabilities to take control of an affected system, steal data, or prevent applications from working.

CISA urged developers and product security teams to review the top 25 list and decide which of the recommended mitigations to adopt. It explained that more articles will be published over the coming weeks to explain the methodology for calculating the top 25, vulnerability mapping trends and more.

CWEs are becoming increasingly important as developers and security teams look to avoid the root causes that can become vulnerabilities. In 2022, a record number (25,096) of CVEs were published to the NVD. This was a 25% year-on-year increase and the sixth year in a row that the volume of newly discovered vulnerabilities hit an all-time high.

RankIDNameScoreCVEs in KEVRank Change vs. 2022
1CWE-787Out-of-bounds Write63.72700
2CWE-79Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)45.5440
3CWE-89Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)34.2760
4CWE-416Use After Free16.71443
5CWE-78Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)15.65231
6CWE-20Improper Input Validation15.535-2
7CWE-125Out-of-bounds Read14.62-2
8CWE-22Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)14.11160
9CWE-352Cross-Site Request Forgery (CSRF)11.7300
10CWE-434Unrestricted Upload of File with Dangerous Type10.4150
11CWE-862Missing Authorization6.905
12CWE-476NULL Pointer Dereference6.590-1
13CWE-287Improper Authentication6.39101
14CWE-190Integer Overflow or Wraparound5.894-1
15CWE-502Deserialization of Untrusted Data5.5614-3
16CWE-77Improper Neutralization of Special Elements used in a Command (‘Command Injection’)4.9541
17CWE-119Improper Restriction of Operations within the Bounds of a Memory Buffer4.7572
18CWE-798Use of Hard-coded Credentials4.572-3
19CWE-918Server-Side Request Forgery (SSRF)4.56162
20CWE-306Missing Authentication for Critical Function3.788-2
21CWE-362Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’)3.5381
22CWE-269Improper Privilege Management3.3157
23CWE-94Improper Control of Generation of Code (‘Code Injection’)3.362
24CWE-863Incorrect Authorization3.1604
25CWE-276Incorrect Default Permissions3.160-5

Leave a Reply

%d bloggers like this: