Safeguard
Vulnerability Analysis

The CWE Top 25 most dangerous software weaknesses

MITRE's 2023 CWE Top 25 ranks the software weaknesses behind 43,996 CVEs. Here's how it's scored, what moved, and how to prioritize fixes.

Yukti Singhal
Security Analyst
6 min read

MITRE's 2023 CWE Top 25 Most Dangerous Software Weaknesses ranked Out-of-bounds Write as the single riskiest coding flaw in software today, ahead of Cross-Site Scripting and SQL Injection. The list is built from 43,996 real-world CVE records published in the National Vulnerability Database across 2021 and 2022, scored by a formula that weighs how often a weakness appears against how severe its average CVSS score is. It is not a survey or an opinion piece — it's a data-driven ranking that CISA and MITRE update roughly every 12-18 months to tell security teams and developers where to spend limited remediation hours. For AppSec and platform engineering teams triaging thousands of open findings, the CWE Top 25 answers a narrow but critical question: which root-cause weakness categories, if fixed at the source, would eliminate the largest share of exploitable vulnerabilities across the industry.

What is the CWE Top 25?

The CWE Top 25 is an annually-refreshed ranking of the 25 most impactful software weakness categories, published by MITRE with sponsorship from the U.S. Department of Homeland Security's CISA. Each entry is a Common Weakness Enumeration (CWE) ID — a root-cause pattern like "improper input validation" — rather than a single CVE. The 2023 edition, released in October 2023, tops out with CWE-787 (Out-of-bounds Write), CWE-79 (Cross-site Scripting), CWE-89 (SQL Injection), CWE-416 (Use After Free), and CWE-78 (OS Command Injection) rounding out the top five. The list matters because CVE databases catalog individual vulnerabilities, while CWE catalogs the underlying coding mistakes that produce them — so a single Top 25 entry like CWE-79 maps to tens of thousands of individual CVEs across every language and framework in production use.

How is the CWE Top 25 ranking calculated?

MITRE calculates the ranking with a formula that multiplies each CWE's normalized frequency in the NVD dataset by its average CVSS severity score, then scales the result to a 0-100 range. For the 2023 list, MITRE and CISA analyzed 43,996 CVE records tagged with a CWE from calendar years 2021 and 2022, pulling from both the NVD and the CISA Known Exploited Vulnerabilities (KEV) catalog to weight real-world exploitation. A CWE that appears in 8,000 low-severity CVEs will score lower than one that appears in 2,000 CVEs that average a 9.0+ CVSS, which is why memory-corruption categories like CWE-787 consistently outrank higher-volume but lower-severity issues like CWE-200 (Information Exposure). This methodology has been published and iterated on since the first Top 25 in 2019, giving teams a consistent, comparable baseline year over year instead of a reshuffled list driven by headlines.

Which weaknesses moved the most in the 2023 list?

CWE-862 (Missing Authorization) made the largest jump in the 2023 edition, climbing from #19 in 2022 to #11 — an eight-spot rise driven by a wave of API and microservices vulnerabilities where endpoints simply skipped an authorization check rather than getting it wrong. CWE-276 (Incorrect Default Permissions) entered the list for the first time at #25, reflecting how often cloud-native deployments and container images ship with overly permissive default file, bucket, or IAM configurations. CWE-94 (Code Injection) and CWE-269 (Improper Privilege Management) both moved up several positions as well, tracking the growth of plugin architectures, serverless functions, and CI/CD pipelines where a single misconfigured privilege boundary can be chained into full compromise. These movements matter more than the top five because they signal where the next wave of exploitation is concentrating — authorization and configuration logic, not just raw memory handling.

Why does memory safety still dominate the top of the list?

Memory-safety weaknesses hold three of the top five spots — CWE-787 (#1), CWE-416 (#4), and CWE-125 Out-of-bounds Read (#7) — because C and C++ still underpin the operating systems, browsers, and embedded firmware that the entire software supply chain depends on. The 2023 CISA/NSA joint guidance on memory-safe languages explicitly cited this Top 25 concentration as justification for pushing vendors toward Rust, Go, and other memory-safe alternatives for new development. Google's own data on Android, published in 2022, showed memory-safety vulnerabilities dropping from 76% of high-severity bugs in 2019 to 35% by 2022 as new code shifted to Rust — direct evidence that language choice, not just better testing, moves these numbers. Until legacy C/C++ codebases in kernels, parsers, and low-level libraries are rewritten or sandboxed, CWE-787 and CWE-416 will keep anchoring the top of the list.

How does the CWE Top 25 differ from the OWASP Top 10?

The CWE Top 25 covers all software weakness types across every language and deployment model, while the OWASP Top 10 focuses narrowly on web application risk categories and is refreshed roughly every three to four years (the current edition dates to 2021). OWASP's list groups related CWEs into ten broader risk categories — for example, OWASP's "A03:2021 Injection" bucket absorbs CWE-89 (SQL Injection), CWE-78 (OS Command Injection), and CWE-79 (XSS), all of which appear as distinct, separately-ranked entries in the CWE Top 25. That difference in granularity is why security teams use both: OWASP Top 10 is useful for structuring a web-app-specific training or testing program, while the CWE Top 25 is the right reference when triaging a mixed fleet of services, embedded systems, and infrastructure code where injection, memory corruption, and access-control bugs all compete for the same limited remediation budget.

How Safeguard Helps

Safeguard maps every CWE Top 25 category directly to the vulnerabilities Griffin AI surfaces across your SCA, SAST, and container scans, then uses reachability analysis to show which findings — a CWE-787 in a transitive dependency, a CWE-862 in an internal API — are actually exercised by your running code rather than sitting dormant in an unused code path. That distinction routinely cuts triage volume by 70-90% for teams drowning in raw scanner output. Safeguard ingests and generates SBOMs so you always know which components carry a Top 25 weakness before it ships, and where auto-fix PRs are available, Griffin AI opens a pull request with the patched dependency version or code change already validated against your test suite. Instead of chasing every CVE tagged with a Top 25 CWE, teams using Safeguard fix the reachable, exploitable subset first — the same prioritization logic MITRE built into the ranking itself.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.