The CWE Top 25 Most Dangerous Software Weaknesses, originally published jointly with SANS (hence the older name "SANS/CWE Top 25") and today produced by MITRE, is a ranked list of the software weakness types (CWEs) that are both most common and most impactful in published vulnerabilities. Where the OWASP Top 10 focuses on web application risks, the CWE Top 25 is language- and platform-agnostic and covers weaknesses in any kind of software.
What is a CWE?
A Common Weakness Enumeration (CWE) entry is a community-standard identifier for a type of software or hardware weakness: the root cause that, in a specific product, becomes a vulnerability (a CVE). For example, CWE-79 is Cross-site Scripting and CWE-89 is SQL Injection. The Top 25 ranking is computed from published CVE records: each CWE is scored by how often it is recorded as the root cause of a CVE, weighted by the average CVSS severity of those CVEs, so a weakness that is both frequent and severe ranks highest.
Representative top weaknesses
| CWE | Weakness |
|---|---|
| CWE-787 / CWE-125 | Out-of-bounds write / read (memory safety) |
| CWE-79 | Cross-site Scripting (XSS) |
| CWE-89 | SQL Injection |
| CWE-20 | Improper Input Validation |
| CWE-78 | OS Command Injection |
| CWE-416 / CWE-476 | Use After Free / NULL Pointer Dereference |
| CWE-22 | Path Traversal |
| CWE-352 | Cross-Site Request Forgery (CSRF) |
| CWE-287 / CWE-862 | Improper Authentication / Missing Authorization |
| CWE-190 | Integer Overflow or Wraparound |
The exact ranking is refreshed periodically as CVE data changes; the categories above are consistently near the top.
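To make two of the table's entries concrete, here is an added example (not code from the original page) showing CWE-89 and CWE-22 each as a vulnerable function next to its hardened form. It assumes only the Python standard library; the `users` table, the `public/inside.txt` and `secret.txt` files and the directory layout are constructed sample data.

```python
"""Added example (not from the original page): two of the weaknesses in
the table, CWE-89 and CWE-22, each as a vulnerable function next to its
hardened form.  The users table, the file names and the directory layout
are constructed sample data."""
import os
import sqlite3
import tempfile


# ---- CWE-89: SQL Injection -------------------------------------------

def make_db() -> sqlite3.Connection:
    # Constructed sample table with two users.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # CWE-89: the caller-controlled string is spliced into the statement,
    # so a quote in `name` changes the structure of the query.
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def lookup_hardened(conn: sqlite3.Connection, name: str) -> list:
    # Parameter binding: the value travels separately from the statement
    # text and is never parsed as SQL, whatever characters it contains.
    return conn.execute("SELECT name, role FROM users WHERE name = ?",
                        (name,)).fetchall()


# ---- CWE-22: Path Traversal ------------------------------------------

def make_sandbox() -> str:
    # Constructed layout: <tmp>/public/inside.txt may be served,
    # <tmp>/secret.txt sits one level above the served directory.
    root = tempfile.mkdtemp()
    base = os.path.join(root, "public")
    os.mkdir(base)
    with open(os.path.join(base, "inside.txt"), "w") as f:
        f.write("public")
    with open(os.path.join(root, "secret.txt"), "w") as f:
        f.write("secret")
    return base


def read_vulnerable(base: str, user_path: str) -> str:
    # CWE-22: ".." segments walk out of `base`, and os.path.join discards
    # `base` altogether when user_path is absolute.
    with open(os.path.join(base, user_path)) as f:
        return f.read()


def safe_path(base: str, user_path: str) -> str:
    # Canonicalise both sides (symlinks and ".." resolved), then check the
    # result is still inside base by path component, not by string prefix,
    # so "/srv/public2" is not accepted as lying under "/srv/public".
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, user_path))
    if os.path.commonpath([base_real, target]) != base_real:
        raise PermissionError(f"path escapes {base_real}: {user_path!r}")
    return target


def read_hardened(base: str, user_path: str) -> str:
    with open(safe_path(base, user_path)) as f:
        return f.read()


if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR '1'='1"
    print("vulnerable:", lookup_vulnerable(conn, payload))  # every row
    print("hardened:  ", lookup_hardened(conn, payload))    # []
    base = make_sandbox()
    print("vulnerable:", read_vulnerable(base, "../secret.txt"))  # secret
    try:
        read_hardened(base, "../secret.txt")
    except PermissionError as e:
        print("hardened:  ", e)
```

The path check deliberately compares canonical paths component by component (`os.path.commonpath`) rather than with `startswith`, and it canonicalises before comparing so that symlinks and encoded `..` segments cannot slip past a lexical filter.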
CWE Top 25 vs OWASP Top 10
| | CWE Top 25 | OWASP Top 10 |
|---|---|---|
| Focus | Specific software weaknesses (all software) | Broad web application risk categories |
| Granularity | Individual weakness types (CWE IDs) | Grouped risk areas |
| Best use | Secure coding, SAST rules, code review | Web app risk awareness and pentest scoping |
Using CWE in secure development
- Adopt secure-coding standards that address the top CWEs for the languages you use.
- Configure SAST tools to report findings with their CWE IDs, and fail builds on findings that map to the Top 25 classes.
- Include the CWE Top 25 in code-review checklists and developer training.
- Track findings by CWE ID and compare the count per CWE from one release to the next, so the effect of a standard or training course can be measured.
- Validate fixes with secure code review and penetration testing.
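The build-gating and CWE-ID tracking steps above, as an added example rather than anything from the page or a particular scanner. The report is a constructed SARIF-style document; real tools place the CWE in different parts of a result (rule tags, `taxa`, `properties`), so the `cwes_of` extractor is the one part you would adapt. The rule IDs (`py/sql-injection` and so on) are hypothetical names.

```python
"""Added example (not from the original page): gate a build on SAST findings
that map to Top 25 CWE IDs and count findings per CWE for trend tracking.
The report below is a constructed SARIF-style document, not the output of
any real scanner, and the rule IDs are hypothetical."""
import json
import re
from collections import Counter

LEVELS = {"note": 0, "warning": 1, "error": 2}      # SARIF result levels
CWE_RE = re.compile(r"^CWE-\d+$")

# CWE IDs from the table above; findings in these classes must not ship.
BLOCKING_CWES = {
    "CWE-787", "CWE-125", "CWE-79", "CWE-89", "CWE-20", "CWE-78",
    "CWE-416", "CWE-476", "CWE-22", "CWE-352", "CWE-287", "CWE-862",
    "CWE-190",
}


def _result(rule, level, tags, uri):
    # Helper to build one constructed SARIF-style result.
    return {"ruleId": rule, "level": level,
            "properties": {"tags": tags},
            "locations": [{"physicalLocation":
                           {"artifactLocation": {"uri": uri}}}]}


SAMPLE_REPORT = json.dumps({"version": "2.1.0", "runs": [{"results": [
    _result("py/sql-injection", "error", ["security", "CWE-89"], "app/db.py"),
    _result("py/path-injection", "warning", ["security", "CWE-22"], "app/files.py"),
    _result("py/unused-import", "note", ["maintainability"], "app/util.py"),
    _result("py/weak-hash", "warning", ["security", "CWE-328"], "app/auth.py"),
]}]})


def cwes_of(result: dict) -> list:
    # Here the CWE rides in properties.tags; adapt for your scanner.
    tags = result.get("properties", {}).get("tags", [])
    return [t for t in tags if CWE_RE.match(t)]


def location_of(result: dict) -> str:
    locs = result.get("locations") or [{}]
    return (locs[0].get("physicalLocation", {})
                   .get("artifactLocation", {}).get("uri", "?"))


def findings(report_json: str):
    for run in json.loads(report_json).get("runs", []):
        yield from run.get("results", [])


def count_by_cwe(report_json: str) -> Counter:
    """Findings per CWE ID: the number to record release over release."""
    counts = Counter()
    for r in findings(report_json):
        counts.update(cwes_of(r))
    return counts


def gate(report_json: str, blocking=BLOCKING_CWES, min_level="warning"):
    """Return (passed, violations).  A result blocks the build when it
    carries a blocking CWE and its level is at or above min_level."""
    threshold = LEVELS[min_level]
    violations = []
    for r in findings(report_json):
        level = LEVELS.get(r.get("level", "warning"), LEVELS["warning"])
        for cwe in cwes_of(r):
            if cwe in blocking and level >= threshold:
                violations.append((r.get("ruleId"), cwe, location_of(r)))
    return (not violations), violations


if __name__ == "__main__":
    ok, bad = gate(SAMPLE_REPORT)
    print("per-CWE counts:", dict(count_by_cwe(SAMPLE_REPORT)))
    for rule, cwe, uri in bad:
        print(f"BLOCK {cwe} {rule} {uri}")
    raise SystemExit(0 if ok else 1)   # non-zero exit fails the CI job
```

Run as a CI step after the scanner writes its report; the exit status fails the job while the per-CWE counts are what you store to show the trend for a given weakness class. Note that a finding whose CWE is outside the blocking set (CWE-328 in the sample) is still counted but does not stop the build.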
Need help with SANS / CWE?
CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.
