CWE Top 25 Most Dangerous Software Weaknesses 2023 report
This report displays Common Weakness Enumeration (CWE™) Top 25 Most Dangerous Software Weaknesses found on your site. The CWE Top 25 is a valuable community resource that can help developers, testers, and users — as well as project managers, security researchers, and educators — provide insight into the most severe and current security weaknesses.
Why it matters
The CWE Top 25 Most Dangerous Software Weaknesses report is a list of the most significant programming errors that can lead to serious software vulnerabilities. These weaknesses are dangerous because they are often easy to find, exploit, and can allow adversaries to completely take over a system, steal data, or prevent an application from working.Rank | ID | Name |
---|---|---|
1 | CWE-787 | Out-of-bounds Write |
2 | CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
3 | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
4 | CWE-416 | Use After Free |
5 | CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
6 | CWE-20 | Improper Input Validation |
7 | CWE-125 | Out-of-bounds Read |
8 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
9 | CWE-352 | Cross-Site Request Forgery (CSRF) |
10 | CWE-434 | Unrestricted Upload of File with Dangerous Type |
11 | CWE-862 | Missing Authorization |
12 | CWE-476 | NULL Pointer Dereference |
13 | CWE-287 | Improper Authentication |
14 | CWE-190 | Integer Overflow or Wraparound |
15 | CWE-502 | Deserialization of Untrusted Data |
16 | CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') |
17 | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer |
18 | CWE-798 | Use of Hard-coded Credentials |
19 | CWE-918 | Server-Side Request Forgery (SSRF) |
20 | CWE-306 | Missing Authentication for Critical Function |
21 | CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') |
22 | CWE-269 | Improper Privilege Management |
23 | CWE-94 | Improper Control of Generation of Code ('Code Injection') |
24 | CWE-863 | Incorrect Authorization |
25 | CWE-276 | Incorrect Default Permissions |