What is CWE Top 25 (CWE Top 25 Most Dangerous Software Weaknesses)?
MITRE's annual ranking of the 25 most common and impactful software weaknesses, each identified by a CWE ID. Scores are computed from NVD CVE records: a weakness's frequency (how many CVEs map to it) is multiplied by its severity (the average CVSS score of those CVEs), with both terms normalized. Complements OWASP Top 10: OWASP describes risk categories in web apps; CWE Top 25 describes concrete technical weaknesses across all software.
Full explanation
MITRE publishes the CWE Top 25 yearly, ranking weaknesses by a normalized score that multiplies CVE frequency by average CVSS severity. Entries that recur near the top include CWE-79 (XSS), CWE-787 (out-of-bounds write), CWE-89 (SQL injection), CWE-416 (use-after-free), CWE-78 (OS command injection), CWE-20 (improper input validation), CWE-125 (out-of-bounds read), CWE-22 (path traversal), CWE-352 (CSRF) and CWE-434 (unrestricted file upload). Compliance frameworks and vendor questionnaires (NIST- and FedRAMP-aligned ones among them) commonly cite the CWE Top 25 as a baseline, and the OWASP Top 10 itself lists the CWEs that make up each of its categories, so mapping between the two lists is routine.
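To make the scoring concrete, here is the frequency × severity formula as MITRE documented it for the 2019-2022 lists (count of CVEs per CWE and average CVSS per CWE, each min-max normalized, multiplied and scaled to 100), run over a small constructed set of CVE records. This is an added illustration, not MITRE's tooling: the CVE IDs, CVSS values and record layout below are invented, and the `NVD-CWE-noinfo`/`NVD-CWE-Other` exclusion mirrors MITRE's stated practice of dropping records with no real CWE mapping.

```python
"""Reproduce the CWE Top 25 scoring formula on constructed CVE records.

Score(CWE_x) = Fr(CWE_x) * Sv(CWE_x) * 100, where
  Fr = (count(CWE_x) - min(count)) / (max(count) - min(count))
  Sv = (avg_cvss(CWE_x) - min(avg_cvss)) / (max(avg_cvss) - min(avg_cvss))
"""
from collections import defaultdict
from statistics import mean

# NVD placeholder "CWEs" that MITRE excludes before scoring.
PLACEHOLDER_CWES = {"NVD-CWE-noinfo", "NVD-CWE-Other"}

# Constructed sample data (not real CVEs): (cve_id, cwe_id, cvss_base_score).
SAMPLE_CVES = [
    ("CVE-0000-0001", "CWE-79", 6.1),
    ("CVE-0000-0002", "CWE-79", 6.1),
    ("CVE-0000-0003", "CWE-79", 5.4),
    ("CVE-0000-0004", "CWE-79", 6.1),
    ("CVE-0000-0005", "CWE-79", 6.1),
    ("CVE-0000-0006", "CWE-79", 5.4),
    ("CVE-0000-0007", "CWE-787", 9.8),
    ("CVE-0000-0008", "CWE-787", 8.8),
    ("CVE-0000-0009", "CWE-787", 9.8),
    ("CVE-0000-0010", "CWE-787", 7.8),
    ("CVE-0000-0011", "CWE-89", 9.8),
    ("CVE-0000-0012", "CWE-89", 8.8),
    ("CVE-0000-0013", "CWE-89", 9.8),
    ("CVE-0000-0014", "CWE-20", 5.3),
    ("CVE-0000-0015", "CWE-20", 4.3),
    ("CVE-0000-0016", "CWE-416", 9.8),
    ("CVE-0000-0017", "NVD-CWE-noinfo", 7.5),  # excluded: no real CWE
]


def _norm(value, lo, hi):
    """Min-max normalize to [0, 1]; guard against a degenerate range."""
    return (value - lo) / (hi - lo) if hi != lo else 0.0


def score_cwes(records):
    """Return {cwe_id: score} using the frequency x severity formula."""
    cvss_by_cwe = defaultdict(list)
    for _cve_id, cwe, cvss in records:
        if cwe in PLACEHOLDER_CWES:
            continue
        cvss_by_cwe[cwe].append(cvss)

    counts = {cwe: len(v) for cwe, v in cvss_by_cwe.items()}
    avg_cvss = {cwe: mean(v) for cwe, v in cvss_by_cwe.items()}
    min_f, max_f = min(counts.values()), max(counts.values())
    min_s, max_s = min(avg_cvss.values()), max(avg_cvss.values())

    scores = {}
    for cwe in cvss_by_cwe:
        fr = _norm(counts[cwe], min_f, max_f)
        sv = _norm(avg_cvss[cwe], min_s, max_s)
        scores[cwe] = round(fr * sv * 100.0, 2)
    return scores


def rank(scores, top_n=25):
    """Sort by score descending (CWE ID as tiebreaker) and truncate."""
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))[:top_n]


if __name__ == "__main__":
    for position, (cwe, score) in enumerate(rank(score_cwes(SAMPLE_CVES)), 1):
        print(f"{position:>2}. {cwe:<8} {score:6.2f}")
```

On this sample the ranking comes out CWE-787, CWE-89, CWE-79, then CWE-20 and CWE-416 both at 0. That last point is worth noticing: because both terms are min-max normalized, the least frequent weakness in the dataset scores 0 regardless of how severe it is (CWE-416 here has the highest average CVSS), and the least severe scores 0 regardless of frequency. Being absent from, or low on, the Top 25 therefore says as much about the dataset as about the weakness.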
Example
A buyer's vendor questionnaire asks "do you scan for the CWE Top 25?" The honest answer is a mapping from each CWE ID to the specialist that covers it: CWE-79 -> XSS specialist, CWE-89 -> SQL injection specialist, CWE-78 -> command injection specialist, CWE-22 -> path traversal specialist, CWE-352 -> CSRF specialist, CWE-434 -> file-upload specialist. Securie's launch roster covers most of the application-layer entries in the Top 25; the memory-safety entries (CWE-787, CWE-416, CWE-125) are out of scope at launch, since there is no C/C++ specialist.
Related
FAQ
Is CWE Top 25 the same as OWASP Top 10?
No. OWASP Top 10 describes risk categories in web applications (broken access control, injection, etc.). CWE Top 25 describes concrete weaknesses in software more broadly (out-of-bounds write, SQL injection, etc.). Each OWASP category maps to multiple CWEs, and the OWASP Top 10 lists those CWEs explicitly per category.
How often is it updated?
Annually, though the release month has varied (mid-year for most editions, later in the year for 2024). Each list is built from a recent window of NVD CVE records, typically the preceding one to two years.