2021 CWE Top 25 Most Dangerous Software Weaknesses

The 2021 Common Weakness Enumeration (CWE™) Top 25 Most Dangerous Software Weaknesses (CWE Top 25) is a demonstrative list of the most common and impactful issues experienced over the previous two calendar years.

These weaknesses are dangerous because they are often easy to find, exploit, and can allow adversaries to completely take over a system, steal data, or prevent an application from working.

The CWE Top 25 is a valuable community resource that gives developers, testers, and users, as well as project managers, security researchers, and educators, insight into the most severe and current security weaknesses.

To create the 2021 list, the CWE Team leveraged Common Vulnerabilities and Exposures (CVE®) data found within the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), as well as the Common Vulnerability Scoring System (CVSS) scores associated with each CVE record.

A formula was applied to the data to score each weakness based on prevalence and severity.
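A worked example of the prevalence-times-severity scoring the paragraph above describes, written for this page rather than taken from MITRE's tooling: prevalence is the number of CVE records mapped to a CWE, severity is the mean CVSS base score of those records, both are min-max normalized across CWEs and multiplied by 100. That mirrors the published Top 25 methodology as I recall it (an assumption; the page itself does not spell the formula out), and the records are constructed, not real NVD data.

```python
from collections import defaultdict
from statistics import mean

# Constructed NVD-style records: (CVE id, mapped CWE, CVSS base score).
# Illustrative values only; the ids are placeholders, not real CVEs.
SAMPLE_RECORDS = [
    ("CVE-0000-0001", "CWE-787", 9.8),
    ("CVE-0000-0002", "CWE-787", 7.8),
    ("CVE-0000-0003", "CWE-787", 8.8),
    ("CVE-0000-0004", "CWE-79", 6.1),
    ("CVE-0000-0005", "CWE-79", 5.4),
    ("CVE-0000-0006", "CWE-79", 6.1),
    ("CVE-0000-0007", "CWE-79", 4.8),
    ("CVE-0000-0008", "CWE-89", 9.8),
    ("CVE-0000-0009", "CWE-89", 8.8),
    ("CVE-0000-0010", "CWE-476", 5.5),
    # NVD uses placeholder labels when no real CWE could be assigned;
    # such records carry no weakness information and are skipped below.
    ("CVE-0000-0011", "NVD-CWE-noinfo", 7.5),
]


def _normalize(value, lo, hi):
    """Min-max scale to [0, 1]; a degenerate range (all values equal) maps to 1.0."""
    return 1.0 if hi == lo else (value - lo) / (hi - lo)


def score_weaknesses(records):
    """Return {cwe: score} with score = Fr(cwe) * Sv(cwe) * 100.

    Fr is the normalized count of CVEs mapped to the CWE (prevalence),
    Sv the normalized mean CVSS of those CVEs (severity). Records whose
    mapping is not a CWE id (e.g. NVD-CWE-noinfo) are excluded.
    """
    counts = defaultdict(int)
    cvss = defaultdict(list)
    for _cve, cwe, base in records:
        if not cwe.startswith("CWE-"):
            continue
        counts[cwe] += 1
        cvss[cwe].append(base)
    avg = {cwe: mean(scores) for cwe, scores in cvss.items()}
    min_f, max_f = min(counts.values()), max(counts.values())
    min_s, max_s = min(avg.values()), max(avg.values())
    return {
        cwe: _normalize(counts[cwe], min_f, max_f)
        * _normalize(avg[cwe], min_s, max_s) * 100
        for cwe in counts
    }


def rank_weaknesses(records):
    """Return CWE ids ordered from highest to lowest score."""
    scores = score_weaknesses(records)
    return sorted(scores, key=lambda cwe: scores[cwe], reverse=True)
```

Note that with min-max normalization the least frequent CWE in the data set always scores 0, and a CWE that is very common but low-severity (CWE-79 in the sample) ranks below a rarer, high-severity one, which is why the list is a blend of both factors rather than a raw frequency count.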

Here is the Top 25 Most Dangerous Software Weaknesses (CWE Top 25):

  1. CWE-787 Out-of-bounds Write
  2. CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
  3. CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
  4. CWE-20 Improper Input Validation
  5. CWE-125 Out-of-bounds Read
  6. CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
  7. CWE-416 Use After Free
  8. CWE-22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
  9. CWE-352 Cross-Site Request Forgery (CSRF)
  10. CWE-434 Unrestricted Upload of File with Dangerous Type
  11. CWE-476 NULL Pointer Dereference
  12. CWE-502 Deserialization of Untrusted Data
  13. CWE-190 Integer Overflow or Wraparound
  14. CWE-287 Improper Authentication
  15. CWE-798 Use of Hard-coded Credentials
  16. CWE-862 Missing Authorization
  17. CWE-77 Improper Neutralization of Special Elements used in a Command (‘Command Injection’)
  18. CWE-306 Missing Authentication for Critical Function
  19. CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
  20. CWE-276 Incorrect Default Permissions
  21. CWE-918 Server-Side Request Forgery (SSRF)
  22. CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’)
  23. CWE-400 Uncontrolled Resource Consumption
  24. CWE-611 Improper Restriction of XML External Entity Reference
  25. CWE-94 Improper Control of Generation of Code (‘Code Injection’)

Read the full article and discover the Most Dangerous Software Weaknesses on cwe.mitre.org