CWE top 25 most dangerous software weaknesses
The CWE list of the 25 most dangerous software weaknesses demonstrates the currently most common and impactful software flaws. Identifying the root causes of these vulnerabilities provides insights to shape investments, policies, and practices that proactively prevent their occurrence.
The CWE top 25 most dangerous software weaknesses list was calculated by analyzing public vulnerability information in Common Vulnerabilities and Exposures (CVE) Records for CWE root cause mappings.
This year’s dataset included 31,770 CVE Records for vulnerabilities published between June 1, 2023 and June 1, 2024. Data was initially pulled on July 30, 2024, to share with CNA community partners for review. Data was pulled again on November 4, 2024, to ensure the most up-to-date CVE Records information was used in the top 25 list calculations. For more in-depth details about the methodology, go here.
CWE Top 25 for 2024
- CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
- CWE-787: Out-of-bounds Write
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
- CWE-352: Cross-Site Request Forgery (CSRF)
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
- CWE-125: Out-of-bounds Read
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
- CWE-416: Use After Free
- CWE-862: Missing Authorization
- CWE-434: Unrestricted Upload of File with Dangerous Type
- CWE-94: Improper Control of Generation of Code (‘Code Injection’)
- CWE-20: Improper Input Validation
- CWE-77: Improper Neutralization of Special Elements used in a Command (‘Command Injection’)
- CWE-287: Improper Authentication
- CWE-269: Improper Privilege Management
- CWE-502: Deserialization of Untrusted Data
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
- CWE-863: Incorrect Authorization
- CWE-918: Server-Side Request Forgery (SSRF)
- CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
- CWE-476: NULL Pointer Dereference
- CWE-798: Use of Hard-coded Credentials
- CWE-190: Integer Overflow or Wraparound
- CWE-400: Uncontrolled Resource Consumption
- CWE-306: Missing Authentication for Critical Function
source: HelpNetSecurity
Free security scan for your website
Top News:
Microsoft 365 outage impacts Exchange Online, Teams, Sharepoint
November 25, 2024APT-K-47 Uses Hajj-Themed Lures to Deliver Advanced Asyncshell Malware
November 23, 2024Cloudflare says it lost 55% of logs pushed to customers for 3.5 hours
November 28, 2024