skip to Main Content
This website use cookies which are necessary to its functioning and required to achieve the purposes illustrated in the privacy policy. To learn more or withdraw consent please click on Learn More. By continued use of this website you are consenting to our use of cookies.


Common Weakness Enumeration (CWE)

Common Weakness Enumeration (CWE) is a classification and categorization of common software vulnerability types.

Common Weakness Enumeration (CWE) is a classification and categorization of common software vulnerability types. There are currently over 600 categories ranging from buffer overflows, cross-site scripting to insecure random numbers. Weaknesses are generally vulnerabilities that may consist of flaws, bugs, or other errors in hardware or software, code, design, or architecture. These vulnerabilities create potential exposure to a cyberattack. The list of CWEs is organized with a taxonomy that makes it easier to find, identify and describe these weaknesses in a way that is easily understood by the entire community.

The objective of the CWE is to eliminate vulnerabilities by identifying the most common errors made by developers and engineers so that they avoid these problems in the products and systems they build. The CWE describes weaknesses with an easily navigable taxonomy and common language, helps developers check for weaknesses in existing software and products, and more. 

Sponsorship and Management of the CWE Community

The CWE is community-developed and includes participants from both industry and government. CWE is sponsored by the U.S. Department of Homeland Security (DHS), the Cybersecurity and Infrastructure Security Agency (CISA), and is managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI), which is, in turn, operated by The Mitre Corporation (MITRE). 

The Department of Homeland Security has a mission to secure the nation from a variety of threats. DHS has over 240,000 employees in positions that range from aviation and border security to emergency response, from cybersecurity analyst to chemical facility inspector. 

CISA works with partners to defend against threats and collaborates to build a more secure and resilient infrastructure. For example, CISA leads efforts to protect the federal “.gov” domain of civilian government networks and collaborate with the private sector – the “.com” domain – to increase the security of critical networks. 

The Homeland Security Act of 2002 authorized the Secretary of Homeland Security, through the Under Secretary for Science and Technology (USST), to establish one or more Federally Funded Research and Development Centers (FFRDCs). The goal of the FFRDCs is to provide an independent analysis of homeland security issues or to carry out other responsibilities under the Act. In 2009, DHS selected the MITRE Corporation to operate the Homeland Security Systems Engineering and Development Institute (HSSEDI) FFRDC. DHS established HSSEDI to serve as its primary systems engineering resource and to meet DHS-wide demand for rapid access to critical technical expertise.

MITRE is a non-profit that works in the public interest across federal, state, and local governments and industry and academia. MITRE develops innovative ideas in areas as varied as artificial intelligence, intuitive data science, quantum information science, health informatics, space security, policy, and economic expertise, trustworthy autonomy, cyber threat sharing, and cyber resilience. In addition, MITRE provides strong leadership in cybersecurity with well-known recent important innovations to include the MITRE ATT&CK matrix and much more.

The CWE List

The CWE list may be viewed or downloaded and is also searchable via It can be searched by software development, hardware design, research concepts, or other criteria.  

The software development view organizes weaknesses around critical concepts used in software development, such as the software development lifecycle from design, architecture, and implementation. This view is generally helpful for architects, developers, and other related parties. In addition, it provides categories that simplify navigation, browsing, and mapping.

The hardware design view organizes weaknesses around essential concepts used in hardware design. As a result, this view maps nicely to the needs of designers and manufacturers. The hardware design view also provides a variety of categories that simplify navigation, browsing, and mapping.

The research concept view is intended to facilitate research into weaknesses and their inter-dependencies. It is organized according to abstractions of behaviors, where they appear in code or are introduced in the development life cycle. 

Scoring and Examples of Weaknesses

The relative severity of weaknesses is scored using the Common Weakness Scoring System combined with a Common Weakness Risk Analysis Framework


  • Power, clock, and reset concerns related to voltage, electrical current, temperature, clock control, and state saving/restoring
  • Core and compute issues typically associated with CPUs, graphics, vision, AI, FPGA, and uControllers


  • Structure and validity problems
  • Handler errors
  • Authentication errors
  • Code evaluation and injection
  • Common special element manipulations

The CWE Top 25

The CWE Top 25 Most Dangerous Software Weaknesses is a community resource that identifies the most widespread and dangerous errors that lead to high-risk software vulnerabilities. The Top 25 includes those weaknesses that are easy to find and exploit. These weaknesses might enable an adversary to exfiltrate data, shut down critical applications, or completely take over a system.

For example, below is the Top 25 as of November 2021 as published on the CWE.MITRE.ORG website. For an updated list, please visit the CWE MITRE website


RankIDNameScore2020 Rank Change
[1]CWE-787Out-of-bounds Write65.93+1
[2]CWE-79Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)46.84-1
[3]CWE-125Out-of-bounds Read24.9+1
[4]CWE-20Improper Input Validation20.47-1
[5]CWE-78Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)19.55+5
[6]CWE-89Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)19.540
[7]CWE-416Use After Free16.83+1
[8]CWE-22Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)14.69+4
[9]CWE-352Cross-Site Request Forgery (CSRF)14.460
[10]CWE-434Unrestricted Upload of File with Dangerous Type8.45+5
[11]CWE-306Missing Authentication for Critical Function7.93+13
[12]CWE-190Integer Overflow or Wraparound7.12-1
[13]CWE-502Deserialization of Untrusted Data6.71+8
[14]CWE-287Improper Authentication6.580
[15]CWE-476NULL Pointer Dereference6.54-2
[16]CWE-798Use of Hard-coded Credentials6.27+4
[17]CWE-119Improper Restriction of Operations within the Bounds of a Memory Buffer5.84-12
[18]CWE-862Missing Authorization5.47+7
[19]CWE-276Incorrect Default Permissions5.09+22
[20]CWE-200Exposure of Sensitive Information to an Unauthorized Actor4.74-13
[21]CWE-522Insufficiently Protected Credentials4.21-3
[22]CWE-732Incorrect Permission Assignment for Critical Resource4.2-6
[23]CWE-611Improper Restriction of XML External Entity Reference4.02-4
[24]CWE-918Server-Side Request Forgery (SSRF)3.78+3
[25]CWE-77Improper Neutralization of Special Elements used in a Command (‘Command Injection’)3.58+6


Want to learn more? Check out our FREE Bugcrowd University to sharpen your hacking skills.

Organizations the world over need your help! Join our researcher community to connect with hundreds of organization programs focused on finding their security vulnerabilities. Our vast directory includes programs for all skill levels, across many industries and from around the world.

Back To Top