CWE

Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities


News & Events - 2025


CWE Version 4.17 Now Available

April 3, 2025

CWE Version 4.17 has been posted on the CWE List page to add 3 new weaknesses and make usability improvements to 20 additional weakness entry pages, among other updates.

A detailed report is available that lists specific changes between Version 4.16 and Version 4.17.

Main Changes

CWE 4.17 includes 3 new weaknesses for “Reliance on HTTP instead of HTTPS,” “Missing Security-Relevant Feedback for Unexecuted Operations in Hardware Interface,” and “Driving Intermediate Cryptographic State/Results to Hardware Module Outputs”; major updates to the AI-related “Inadequate Detection or Handling of Adversarial Input Perturbations in Automated Recognition Mechanism” weakness; addition of affected languages to many demonstrative examples; miscellaneous changes to various CWE entries under less-analyzed subtrees; and many other changes related to usability (see the “Usability Improvements” section below for details).

Three new weaknesses added:

Major updates to an AI-related weakness:

Usability Improvements

Schema Changes

There were no schema updates.

Summary

There are 943 weaknesses and a total of 1,432 entries on the CWE List.

Changes for the new version include the following:

New Views Added: 0
Views Deprecated: 0
New Categories Added: 0
Categories Deprecated: 0
New Entries Added: 3
Entries Deprecated: 0
Entries with Major Changes: 135
Entries with only Minor Changes: 1
Entries Unchanged: 1,293

See the complete list of changes at https://cwe.mitre.org/data/reports/diff_reports/v4.16_v4.17.html.

Future updates will be noted here, on the CWE Research email discussion list, on the CWE page on LinkedIn, on CWE on X, on CWE on Mastodon, and on CWE on Bluesky. Please contact us with any comments or concerns.

“2024 CWE Top 10 KEV Weaknesses” List Now Available

April 3, 2025

The “2024 CWE Top 10 KEV Weaknesses” list, which lists the top ten CWEs in the Cybersecurity and Infrastructure Security Agency’s (CISA) “Known Exploited Vulnerabilities (KEV) Catalog,” is now available on the CWE website.

The KEV is a database of security flaws in software applications and weaknesses that have been exposed and leveraged by attackers. Each vulnerability listed in KEV is identified by, and links to, a CVE Record. CISA recommends that organizations monitor the KEV catalog and use its content to help prioritize remediation activities in their systems to reduce the likelihood of compromise.

Our analysis/key insights about the 2024 Top 10 KEV Weaknesses list are available here, and our methodology for creating the list is here.

2024 CWE Top 10 KEV Weaknesses List Treemap Chart from the KEV Insights page
View the full CWE Top 10 KEV list here.

View and Comment on Community Submissions in the “CWE Content Development Repository (CDR)”

April 3, 2025

The CWE Program is excited to announce that the “CWE Content Development Repository (CDR),” hosted on GitHub, is now fully public. The CDR enables the broader community to view, track, and contribute to the enhancement of the CWE corpus. This means greater transparency into the CWE working queue and further community collaboration in developing new CWE entries and modifying existing entries.

Content suggestions begin with the CWE Submission Form. Once processed, these submissions are transferred to the CDR public repository, allowing the entire CWE community to view and comment on them as they progress through various stages of development.

Interested? Check out the CDR’s README and the Guidelines for Content Submissions for more details and to better understand the process. All CWE content submissions must adhere to the CWE Terms of Use.

CWE Is Focus of Four Talks at VulnCon 2025

April 3, 2025

CWE is the main focus of four talks at CVE/FIRST VulnCon 2025 being held at the McKimmon Center in Raleigh, North Carolina, USA, on April 7-10, 2025:

The CVE Program and FIRST will co-host VulnCon 2025 at the McKimmon Center in Raleigh, North Carolina, USA, on April 7-10, 2025

Feel free to contact us on CWE social media or at cwe@mitre.org with any feedback about these presentations.

Follow the CWE Program on Bluesky

April 3, 2025

The CWE Program is now on Bluesky! Please follow us for program news, new versions, updates on community activities, and more at @cweprogram.bsky.social.

Page Last Updated: April 03, 2025