
SANS / CWE Top 25

The most dangerous and common software weaknesses developers must avoid.

The CWE Top 25 Most Dangerous Software Weaknesses — historically associated with SANS and maintained by MITRE — is a ranked list of the most common and impactful software weaknesses (CWEs). Where OWASP focuses on web application risks, the CWE Top 25 is language- and platform-agnostic, covering weaknesses across all software.

What is a CWE?

A Common Weakness Enumeration (CWE) is a community-standard identifier for a type of software or hardware weakness — the root cause that can lead to a vulnerability (CVE). For example, CWE-79 is Cross-site Scripting and CWE-89 is SQL Injection. The list is derived by analysing real CVE data weighted by prevalence and severity.

Representative top weaknesses

CWE                  Weakness
-------------------  -----------------------------------------------
CWE-787 / CWE-125    Out-of-bounds write / read (memory safety)
CWE-79               Cross-site Scripting (XSS)
CWE-89               SQL Injection
CWE-20               Improper Input Validation
CWE-78               OS Command Injection
CWE-416 / CWE-476    Use After Free / NULL Pointer Dereference
CWE-22               Path Traversal
CWE-352              Cross-Site Request Forgery (CSRF)
CWE-287 / CWE-862    Improper Authentication / Missing Authorization
CWE-190              Integer Overflow or Wraparound

The exact ranking is refreshed periodically as CVE data changes; the categories above are consistently near the top.

CWE Top 25 vs OWASP Top 10

             CWE Top 25                                    OWASP Top 10
-----------  --------------------------------------------  -------------------------------------------
Focus        Specific software weaknesses (all software)   Broad web application risk categories
Granularity  Individual weakness types (CWE IDs)           Grouped risk areas
Best use     Secure coding, SAST rules, code review        Web app risk awareness and pentest scoping

Using CWE in secure development

  1. Adopt secure-coding standards that address the top CWEs for your languages.
  2. Configure SAST tools to detect these weakness classes and gate builds.
  3. Include the CWE Top 25 in code-review checklists and developer training.
  4. Track and remediate findings by CWE ID to measure improvement over time.
  5. Validate fixes with secure code review and penetration testing.
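Steps 2 and 4 above, worked as an added example (not CyberSigma's tooling or any SAST vendor's code): aggregate SAST findings by CWE ID and fail the build when any of the Top 25 entries listed on this page is present. The findings are constructed sample records shaped like minimal SARIF results, and the `external/cwe/cwe-NNN` tag convention for carrying the CWE is an assumption about the exporter.

```python
"""Aggregate SAST findings by CWE ID and gate a build on CWE Top 25 hits."""
from collections import Counter

# CWE IDs listed as representative Top 25 entries on this page.
TOP25_SUBSET = {
    "CWE-787", "CWE-125", "CWE-79", "CWE-89", "CWE-20", "CWE-78", "CWE-416",
    "CWE-476", "CWE-22", "CWE-352", "CWE-287", "CWE-862", "CWE-190",
}

# Constructed sample findings (not real tool output). Each mimics one SARIF
# "result"; the CWE is assumed to be carried as an "external/cwe/cwe-NNN" tag.
SAMPLE_FINDINGS = [
    {"ruleId": "sql-injection", "level": "error",
     "properties": {"tags": ["security", "external/cwe/cwe-89"]}},
    {"ruleId": "reflected-xss", "level": "error",
     "properties": {"tags": ["security", "external/cwe/cwe-79"]}},
    {"ruleId": "reflected-xss", "level": "warning",
     "properties": {"tags": ["security", "external/cwe/cwe-79"]}},
    {"ruleId": "weak-hash", "level": "warning",
     "properties": {"tags": ["security", "external/cwe/cwe-328"]}},
    {"ruleId": "todo-comment", "level": "note", "properties": {"tags": []}},
]


def cwe_ids(finding):
    """Extract normalised CWE IDs (e.g. 'CWE-89') from one finding's tags."""
    ids = set()
    for tag in finding.get("properties", {}).get("tags", []):
        if tag.lower().startswith("external/cwe/cwe-"):
            ids.add("CWE-" + tag.rsplit("-", 1)[1])
    return ids


def count_by_cwe(findings):
    """Findings per CWE ID: the metric to track release over release (step 4)."""
    counts = Counter()
    for finding in findings:
        counts.update(cwe_ids(finding))
    return counts


def top25_gate(findings, top25=TOP25_SUBSET):
    """Sorted Top 25 CWE IDs present in the findings; an empty list passes the gate (step 2)."""
    return sorted(cwe for cwe in count_by_cwe(findings) if cwe in top25)


if __name__ == "__main__":
    blocking = top25_gate(SAMPLE_FINDINGS)
    print("findings by CWE:", dict(count_by_cwe(SAMPLE_FINDINGS)))
    raise SystemExit(1 if blocking else 0)  # non-zero exit fails the pipeline
```

Persisting the per-CWE counts from each run gives the trend line that step 4 asks for, while the gate keeps new Top 25 introductions out of the release.
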

How CyberSigma helps

Our secure source-code review and application testing map findings to CWE IDs and the Top 25, so your developers get precise, prioritised remediation and your SAST pipeline improves release over release.

Frequently asked questions

What is the difference between CWE Top 25 and OWASP Top 10?
OWASP Top 10 covers broad web application risk categories; the CWE Top 25 is a ranked list of specific software weaknesses across all software types. They overlap but serve different purposes.
What is a CWE?
A Common Weakness Enumeration is a community-standard identifier for a type of software or hardware weakness (e.g., CWE-79 is Cross-site Scripting).

Need help with SANS / CWE?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliance — with a scoped, guided programme.