A CWE (Common Weakness Enumeration) is a community-maintained catalog of software and hardware weakness types, the underlying flaw categories like SQL injection or out-of-bounds write, each given a stable ID such as CWE-89, so the industry has a shared vocabulary for the root causes behind vulnerabilities. If you have ever wondered what a CWE is when a scanner report lists "CWE-79" next to a finding, that is the answer: it is naming the kind of mistake, not the specific vulnerability. CWE is maintained by MITRE, sponsored by CISA, and it is the taxonomy that lets you talk about classes of bugs instead of one-off incidents.
What Is a CWE in Cyber Security?
A CWE identifies a category of weakness that can lead to vulnerabilities. Each entry has an ID (CWE-<number>), a name, a description of the flaw, examples, common consequences, and mitigation guidance. A few you will see constantly:
- CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)
- CWE-787: Out-of-bounds Write
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
- CWE-416: Use After Free
The key idea: a CWE is a type, reusable across thousands of products and years. CWE-89 describes the SQL injection pattern in the abstract. Every actual SQL injection bug ever found is an instance of it.
CWE vs CVE: The Distinction That Trips People Up
These get confused constantly, and the difference is the whole point.
- A CVE (Common Vulnerabilities and Exposures) is a specific vulnerability in a specific product: "CVE-2022-22965, a remote code execution flaw in Spring Framework." It is a concrete instance.
- A CWE is the type of weakness behind it: the SQL injection class, the deserialization class, the XSS class.
The relationship is one-to-many and hierarchical. One CWE (say, CWE-89) maps to thousands of CVEs across different products. A single CVE is usually tagged with one or a few CWEs describing its root cause. Put simply: CVE answers "which vulnerability, in what?", CWE answers "what kind of mistake caused it?"
This matters operationally. Patching a CVE fixes one bug. Understanding its CWE lets you ask "where else in our code does this same weakness pattern exist?", which is the question that actually reduces risk over time.
The Structure: Weaknesses, Categories, and Views
CWE is not a flat list; it is a graph with several thousand entries organized into relationships:
- Base and variant weaknesses: the specific, actionable entries (CWE-79, CWE-89).
- Class weaknesses: more abstract parents (CWE-74, "Injection", is the parent of both CWE-79 and CWE-89).
- Categories: groupings that collect related weaknesses for navigation.
- Views: curated slices for a purpose, such as the "Weaknesses in the OWASP Top Ten" view or the research view.
The hierarchy lets you zoom. A report can say "this is CWE-79" for precision, or roll up to "this is an injection-class (CWE-74) issue" for an executive summary. Both are valid; they are different altitudes on the same tree.
The CWE Top 25
Each year CISA and MITRE publish the CWE Top 25 Most Dangerous Software Weaknesses, ranked by how often each weakness appears in real, exploited vulnerabilities. The 2024 edition analyzed more than 31,000 CVEs disclosed between June 2023 and June 2024. Its top three were CWE-79 (Cross-site Scripting), CWE-787 (Out-of-bounds Write), and CWE-89 (SQL Injection). XSS took the number-one spot that year, up from second in 2023.
The Top 25 is a useful prioritization anchor: if a weakness type is on that list, it is both common and actively exploited, which makes it a defensible place to focus training, secure-coding rules, and gate policies. It is not a compliance mandate; it is an evidence-based "these are the ones hurting people right now" signal.
How CWE Shows Up in Your Tooling
You encounter CWE IDs whether you seek them out or not:
- SAST and DAST tools tag findings with CWE IDs so you can group and route them ("assign all CWE-89 findings to the data-access team").
- SCA tools surface the CWE(s) behind each CVE in your dependencies, so a report is not just a list of CVE numbers but a distribution of weakness types.
- Compliance and metrics: tracking your open findings by CWE tells you what kind of security debt you carry. A team drowning in CWE-79 has an output-encoding problem; a team full of CWE-798 (hardcoded credentials) has a secrets-management problem. The CWE distribution is a diagnosis.
An SCA tool such as Safeguard maps each finding to its CWE so you can see whether your risk is concentrated in a few weakness classes, which is where systemic fixes (a secure template default, a parameterized-query lint rule) beat one-by-one patching. If you want to go deeper on any specific class, our security fundamentals material walks through the common ones with remediation patterns.
Using CWE to Fix Root Causes, Not Just Instances
The highest-leverage use of CWE is turning a single finding into a systemic control:
- Classify the finding. A scanner reports a reflected XSS: CWE-79.
- Generalize. CWE-79 is "untrusted input rendered without context-aware encoding." Ask where else that pattern lives.
- Introduce a structural fix. Adopt a template engine that auto-escapes, add a lint rule that flags raw output sinks, and the entire class shrinks, not just the one bug.
- Track the class over time. If CWE-79 findings trend down after the control ships, the fix worked. If they do not, the control has a gap.
This is why CWE is more than report-noise: it is the bridge from "we patched a bug" to "we removed a category of bugs." Individual CVEs are whack-a-mole; CWE-level thinking is where you stop the moles from breeding.
FAQ
What is a CWE in simple terms?
A CWE is a standardized name and ID for a type of software weakness, like SQL injection (CWE-89) or cross-site scripting (CWE-79). It describes the category of flaw, not a specific vulnerability in a specific product. MITRE maintains the list under CISA sponsorship.
What is the difference between a CWE and a CVE?
A CVE is a specific vulnerability in a specific product (e.g., CVE-2022-22965 in Spring). A CWE is the weakness type behind it (e.g., the injection or RCE class). One CWE maps to thousands of CVEs; each CVE is tagged with the CWE(s) describing its root cause.
What is the CWE Top 25?
It is an annual, evidence-based ranking by CISA and MITRE of the most dangerous software weakness types, scored on how frequently each appears in real, exploited vulnerabilities. The 2024 list was led by CWE-79 (XSS), CWE-787 (out-of-bounds write), and CWE-89 (SQL injection).
How do I use CWE data in practice?
Group your scanner findings by CWE to see which weakness classes dominate your risk, then apply structural fixes at the class level (auto-escaping templates, parameterized-query rules, secrets management) rather than patching instances one at a time. Track the class counts over time to confirm the control worked.