Common Weakness Enumeration

CWE Glossary Definition

News & Events - 2025

Right-click and copy a URL to share an article. Send feedback about this page to cwe@mitre.org.

CWE Podcast: “Root Cause Mapping and the CWE Top 25”

April 15, 2025 | Share this article

“Out-Of-Bounds Read” is the CWE Program’s free podcast about common weaknesses in software and hardware, the vulnerabilities they cause, how to reduce them, and how using CWE can help make products more secure by design.

In this episode, CWE Program Lead Alec Summers talks with CWE Technical Lead Steve Christey and CWE Top 25 Lead Connor Mullaly, about Root Cause Mapping (RCM) and the CWE Top 25.

Topics include the value and history of the CWE Top 25 and an analysis of the most recent Top 25 list and which weaknesses moved up and down on the list; purpose and benefits of mapping the root causes of vulnerabilities identified in CVE Records to CWE weaknesses; methodology used for RCM of the 2024 CWE Top 25 to develop the list and how CVE Numbering Authorities (CNAs) were integral to the process; and, a discussion of follow-on Top 25 lists including the “2024 On the Cusp – Other Dangerous Software Weaknesses” and “2024 CWE Top 10 KEV Weaknesses” lists. In addition, tips for helping improve your RCM are also discussed, such as how best to leverage the CWE website for your research, using CWE List keyword search, where to find the vulnerability mapping pointers on all CWE entry pages and what the different indicators mean, the benefits of being a member of the Root Cause Mapping Working Group (RCM WG), and much more.

The podcast is available for free on the CWE Program Channel on YouTube. Please give our latest episode a listen and let us know what you think by commenting on the CWE page on LinkedIn, CWE on X, CWE on Mastodon, or CWE on Bluesky. We look forward to hearing from you!

CWE Version 4.17 Now Available

April 3, 2025 | Share this article

CWE Version 4.17 has been posted on the CWE List page to add 3 new weaknesses and make usability improvements to 20 additional weakness entry pages, among other updates.

A detailed report is available that lists specific changes between Version 4.16 and Version 4.17.

Main Changes

CWE 4.17 includes 3 new weaknesses for “Reliance on HTTP instead of HTTPS,” “Missing Security-Relevant Feedback for Unexecuted Operations in Hardware Interface,” and “Driving Intermediate Cryptographic State/Results to Hardware Module Outputs;” major updates to the AI-related “Inadequate Detection or Handling of Adversarial Input Perturbations in Automated Recognition Mechanism” weakness; addition of affected languages to many demonstrative examples; miscellaneous changes to various CWE entries under less-analyzed subtrees; and, many other changes related to “usability” (see the “Usability Improvements” section below for details).

Three new weaknesses added:

• CWE-1428: Reliance on HTTP instead of HTTPS
• CWE-1429: Missing Security-Relevant Feedback for Unexecuted Operations in Hardware Interface
• CWE-1431: Driving Intermediate Cryptographic State/Results to Hardware Module Outputs

Major updates to an AI-related weakness:

• CWE-1039: Inadequate Detection or Handling of Adversarial Input Perturbations in Automated Recognition Mechanism – This weakness underwent major updates to reflect the advances in understanding of adversarial perturbation attacks since its initial publication in 2018

Usability Improvements

• This release includes the third installment of major usability improvements that are underway for the CWE website. For this installment, 20 CWE Entry pages (listed below the example image) have been upgraded and will now include a concise summary of the weakness along with a visual aid at the top of each entry page. An example image of this new introductory section is below.
  
  To view the first two installments of the major usability improvements, see the CWE 4.15 and CWE 4.16 release notes news articles.
  
  To further improve the usability of the entry pages, the “Alternate Terms,” “Comon Consequences,” and “Mitigations” sections will continue be reordered so that they appear directly below this new introductory section. In addition, the display of many fields now have better separation between data elements and a cleaner tabular format (see before and after examples beneath the list of improved weakness pages). The remaining sections of the page (such as “Relationships,” “Applicable Platforms,” “Demonstrative Examples,” etc.) will not be changed.
  
  In this third installment of the usability improvements, the following 20 CWE Entry pages have been upgraded to the new look and feel. We especially thank Abhi Balakrishnan for contributing some of the visual aid images included in these CWEs.
  
  
  • CWE-20: Improper Input Validation
  • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
  • CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection')
  • CWE-94: Improper Control of Generation of Code ('Code Injection')
  • CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')
  • CWE-117: Improper Output Neutralization for Log
  • CWE-126: Buffer Over-read
  • CWE-134: Use of Externally-Controlled Format String
  • CWE-204: Observable Response Discrepancy
  • CWE-259: Use of Hard-coded Password
  • CWE-311: Missing Encryption of Sensitive Data
  • CWE-312: Cleartext Storage of Sensitive Information
  • CWE-319: Cleartext Transmission of Sensitive Information
  • CWE-321: Use of Hard-coded Cryptographic Key
  • CWE-401: Missing Release of Memory after Effective Lifetime
  • CWE-415: Double Free
  • CWE-548: Exposure of Information Through Directory Listing
  • CWE-565: Reliance on Cookies without Validation and Integrity Checking
  • CWE-598: Use of GET Request Method With Sensitive Query Strings
  
  As mentioned above, we also increased separation between data elements and added a cleaner tabular format to reduce the “wall of text” effect for new users. Before and after examples of the cleaner tabular format are below (the new table format example is from the CWE-787: Out-of-bounds Write entry page).
  
  

  Old Table Format

  

  New Table Format

  
  
  Additional usability improvements will be included in future releases.

Schema Changes

There were no schema updates.

Summary

There are 943 weaknesses and a total of 1,432 entries on the CWE List.

Changes for the new version include the following:

See the complete list of changes at https://cwe.mitre.org/data/reports/diff_reports/v4.16_v4.17.html.

Future updates will be noted here, on the CWE Research email discussion list, CWE page on LinkedIn, on CWE on X, and on CWE on Mastodon, and on CWE on Bluesky. Please contact us with any comments or concerns.

“2024 CWE Top 10 KEV Weaknesses” List Now Available

April 3, 2025 | Share this article

The “2024 CWE Top 10 KEV Weaknesses” list, which lists the top ten CWEs in the Cybersecurity and Infrastructure Security Agency’s (CISA) “Known Exploited Vulnerabilities (KEV) Catalog,” is now available on the CWE website.

The KEV is a database of security flaws in software applications and weaknesses that have been exposed and leveraged by attackers. Each vulnerability listed in KEV is identified by, and links to, a CVE Record. CISA recommends that organizations monitor the KEV catalog and use its content to help prioritize remediation activities in their systems to reduce the likelihood of compromise.

Our analysis/key insights about the 2024 Top 10 KEV Weaknesses list are available here, and our methodology for creating the list is here.

View and Comment on Community Submissions in the “CWE Content Development Repository (CDR)”

April 3, 2025 | Share this article

The CWE Program is excited to announce that the “CWE Content Development Repository (CDR),” hosted on GitHub, is now fully public. The CDR enables the broader community to view, track, and contribute to the enhancement of the CWE corpus. This means greater transparency into the CWE working queue, and a further community collaboration in developing new CWE entries and modifying existing entries.

Content suggestions begin with the CWE Submission Form. Once processed, these submissions are transferred to the CDR public repository, allowing the entire CWE community to view and comment on them as they progress through various stages of development.

Interested? Check out the CDR’s README and the Guidelines for Content Submissions for more details and to better understand the process. All CWE content submissions must adhere to the CWE Terms of Use.

CWE Is Focus of Four Talks at VulnCon 2025

April 3, 2025 | Share this article

CWE is the main focus of four talks at CVE/FIRST VulnCon 2025 being held at the McKimmon Center in Raleigh, North Carolina, USA, on April 7-10, 2025:

• “Vulnerability Root Cause Mapping with CWE: Challenges, Solutions, and Insights from Grounded LLM-based Analysis” by Alec Summers of the CVE Program and Chris Madden of Yahoo (Monday, April 7, 11:30-12:30)
• “Lessons Learned From Assigning CWE’s to Test Items for Security Assessments” by Yuichi Kikuchi, Takayuki Uchiyama of Panasonic PSIRT (Tuesday, April 8, 11:30–12:00)
• “How Do We Leverage CVE Root Cause Mapping and CWE Data to Prevent New Vulnerabilities?” by Alexander Bushkin and Jeremy West of Red Hat (Tuesday, April 8, 14:00–16:30)
• “Hard Problems in CWE, and What it Tells us about Hard Problems in the Industry (Virtual)” by Steve Christey Coley of the CWE Program (Thursday, April 10, 13:30–14:30)

Feel free to contact us on CWE social media or at cwe@mitre.org with any feedback about these presentations.

Follow the CWE Program on Bluesky

April 3, 2025 | Share this article

The CWE Program is now on Bluesky! Please follow us for program news, new versions, updates on community activities, and more at @cweprogram.bsky.social.