CWE Top 25 Most Dangerous Software Weaknesses 2024 report
This report references the 2024 CWE Top 25 Most Dangerous Software Weaknesses list. This list, published by the CWE Team, highlights the most severe and prevalent weaknesses based on an analysis of Common Vulnerabilities and Exposures (CVE®) records from the National Vulnerability Database (NVD). This information reflects the integration of the 2024 list into AppScan Enterprise.
Why it matters
The 2024 CWE Top 25 list identifies critical software weaknesses that are frequently discovered and can have severe impacts. Understanding these weaknesses helps developers, testers, project managers, and security professionals prevent vulnerabilities.
These weaknesses are particularly dangerous because they are often easy for adversaries to find and exploit, potentially leading to system compromise, data theft, or application failure. To create the 2024 list, the CWE Team analyzed CVE® records from the NIST National Vulnerability Database (NVD), scoring each weakness by how often it was mapped to a CVE record (prevalence) and by the average Common Vulnerability Scoring System (CVSS) score of those records (severity), then ranking the weaknesses by the combined score.
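The following is an added illustration of the prevalence-times-severity scoring described above; it is not the CWE Team's code or part of this page. It assumes the normalized "frequency x severity" product that the published CWE Top 25 methodology describes (each factor min-max normalized across the CWEs in the data set, then multiplied and scaled to 100), and all CVE records in it are constructed sample data, not real NVD entries. It also shows the two data-quality cases a practitioner hits when reproducing this on real NVD exports: records mapped to the NVD placeholder CWEs (`NVD-CWE-noinfo`, `NVD-CWE-Other`), which carry no weakness information and are skipped, and records that NVD has not yet scored, which here count toward prevalence but not toward average severity (an assumption of this example).

```python
"""Rank CWEs by prevalence and severity in the style of the CWE Top 25.

Added example, not the CWE Team's code. The score is the normalized
frequency-times-severity product the CWE Top 25 methodology describes
(assumed here; see the published methodology for a given year's details).
All CVE records below are constructed sample data, not real NVD entries.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class CveRecord:
    cve_id: str
    cvss: Optional[float]                       # CVSS base score; None if NVD has not scored it
    cwes: list = field(default_factory=list)    # CWE IDs mapped to this record


# NVD placeholder mappings that carry no weakness information.
PLACEHOLDERS = {"NVD-CWE-noinfo", "NVD-CWE-Other"}

# Constructed sample records (not real CVE data).
SAMPLE_RECORDS = [
    CveRecord("CVE-0000-0001", 6.1, ["CWE-79"]),
    CveRecord("CVE-0000-0002", 5.4, ["CWE-79"]),
    CveRecord("CVE-0000-0003", 6.1, ["CWE-79"]),
    CveRecord("CVE-0000-0004", 9.8, ["CWE-787"]),
    CveRecord("CVE-0000-0005", 8.8, ["CWE-787", "CWE-119"]),  # one record, two CWEs
    CveRecord("CVE-0000-0006", 9.8, ["CWE-89"]),
    CveRecord("CVE-0000-0007", None, ["CWE-89"]),             # unscored: counts for frequency only
    CveRecord("CVE-0000-0008", 7.5, ["NVD-CWE-noinfo"]),      # placeholder mapping: skipped
    CveRecord("CVE-0000-0009", 4.3, ["CWE-200"]),
]


def aggregate(records):
    """Return {cwe: (count, average_cvss)} over records with a real CWE mapping.

    A record mapped to several CWEs counts once for each of them. Records
    without a CVSS score contribute to the count but not to the average
    (an assumption of this example).
    """
    counts = defaultdict(int)
    cvss_sum = defaultdict(float)
    cvss_n = defaultdict(int)
    for rec in records:
        for cwe in rec.cwes:
            if cwe in PLACEHOLDERS:
                continue
            counts[cwe] += 1
            if rec.cvss is not None:
                cvss_sum[cwe] += rec.cvss
                cvss_n[cwe] += 1
    return {
        cwe: (counts[cwe], cvss_sum[cwe] / cvss_n[cwe] if cvss_n[cwe] else 0.0)
        for cwe in counts
    }


def normalize(value, lo, hi):
    """Min-max normalize to [0, 1]; if all values are equal, treat every one as 1.0."""
    return 1.0 if hi == lo else (value - lo) / (hi - lo)


def rank(records):
    """Return [(cwe, score)] sorted by descending score, where
    score = Fr(CWE) * Sv(CWE) * 100 with Fr and Sv min-max normalized."""
    agg = aggregate(records)
    if not agg:
        return []
    freqs = [count for count, _ in agg.values()]
    sevs = [avg for _, avg in agg.values()]
    fmin, fmax = min(freqs), max(freqs)
    smin, smax = min(sevs), max(sevs)
    scored = []
    for cwe, (count, avg) in agg.items():
        fr = normalize(count, fmin, fmax)   # prevalence factor
        sv = normalize(avg, smin, smax)     # severity factor
        scored.append((cwe, round(fr * sv * 100, 2)))
    # Descending score; ties broken by CWE ID so the output is deterministic.
    scored.sort(key=lambda item: (-item[1], item[0]))
    return scored


if __name__ == "__main__":
    for position, (cwe, score) in enumerate(rank(SAMPLE_RECORDS), start=1):
        print(f"{position:>2}  {cwe:<9} {score:6.2f}")
```

Note the behaviour of min-max normalization on real data: the least frequent CWE and the least severe CWE each get a factor of 0, so a weakness that is common but always low-severity, or severe but rare, can score 0 even though it appears in the data set. Running the sample above ranks CWE-89 first (half the maximum frequency but the highest average CVSS), followed by CWE-787 and CWE-79, while CWE-119 and CWE-200 score 0 for that reason.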
| Rank | ID | Name |
|---|---|---|
| 1 | CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| 2 | CWE-787 | Out-of-bounds Write |
| 3 | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| 4 | CWE-352 | Cross-Site Request Forgery (CSRF) |
| 5 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| 6 | CWE-125 | Out-of-bounds Read |
| 7 | CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| 8 | CWE-416 | Use After Free |
| 9 | CWE-862 | Missing Authorization |
| 10 | CWE-434 | Unrestricted Upload of File with Dangerous Type |
| 11 | CWE-94 | Improper Control of Generation of Code ('Code Injection') |
| 12 | CWE-20 | Improper Input Validation |
| 13 | CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') |
| 14 | CWE-287 | Improper Authentication |
| 15 | CWE-269 | Improper Privilege Management |
| 16 | CWE-502 | Deserialization of Untrusted Data |
| 17 | CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor |
| 18 | CWE-863 | Incorrect Authorization |
| 19 | CWE-918 | Server-Side Request Forgery (SSRF) |
| 20 | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer |
| 21 | CWE-476 | NULL Pointer Dereference |
| 22 | CWE-798 | Use of Hard-coded Credentials |
| 23 | CWE-190 | Integer Overflow or Wraparound |
| 24 | CWE-400 | Uncontrolled Resource Consumption |
| 25 | CWE-306 | Missing Authentication for Critical Function |
Related information
For more details on the 2024 CWE Top 25 Most Dangerous Software Weaknesses list, including methodology and a full description of each weakness, visit: CWE - 2024 CWE Top 25 Most Dangerous Software Weaknesses