Search by CWE ID number
What Is CWE (Common Weakness Enumeration)
CWE (Common Weakness Enumeration) is a community-developed catalog of software and hardware security weakness types maintained by MITRE Corporation. Each CWE entry describes a specific class of vulnerability—such as buffer overflow, SQL injection, or improper authentication—with a unique identifier (e.g., CWE-79 for Cross-Site Scripting), technical description, examples, mitigations, and relationships to other weaknesses.
While CVE (Common Vulnerabilities and Exposures) identifies specific vulnerabilities in specific products, CWE classifies the underlying weakness patterns that cause vulnerabilities. A single CWE can be the root cause of thousands of CVEs. Understanding CWEs helps developers write more secure code, security teams prioritize remediation efforts, and organizations build systematic defenses against entire categories of vulnerabilities.
How CWE Is Organized
CWE uses a hierarchical structure with multiple abstraction levels:
| Level | Description | Example |
|---|---|---|
| Pillar | Highest abstraction (broad categories) | CWE-664: Improper Control of a Resource |
| Class | A general weakness category | CWE-20: Improper Input Validation |
| Base | A specific weakness type | CWE-89: SQL Injection |
| Variant | A detailed sub-type | CWE-564: SQL Injection: Hibernate |
MITRE CWE Top 25 Most Dangerous Software Weaknesses (top 10 entries of the 2024 list):
| Rank | CWE | Name | Impact |
|---|---|---|---|
| 1 | CWE-79 | Cross-Site Scripting (XSS) | Code execution in browsers |
| 2 | CWE-787 | Out-of-Bounds Write | Memory corruption, code execution |
| 3 | CWE-89 | SQL Injection | Data breach, data manipulation |
| 4 | CWE-352 | Cross-Site Request Forgery | Unauthorized actions |
| 5 | CWE-22 | Path Traversal | Unauthorized file access |
| 6 | CWE-125 | Out-of-Bounds Read | Information disclosure |
| 7 | CWE-78 | OS Command Injection | System compromise |
| 8 | CWE-416 | Use After Free | Memory corruption |
| 9 | CWE-862 | Missing Authorization | Unauthorized access |
| 10 | CWE-434 | Unrestricted File Upload | Code execution |
Common Use Cases
- Secure development: Reference CWE entries during code review to identify and prevent common weakness patterns
- Vulnerability classification: Map CVEs to their underlying CWEs to understand root causes and prioritize systemic fixes
- Security training: Use CWE descriptions and examples to educate developers about specific vulnerability categories
- Tool evaluation: Assess SAST/DAST tools by which CWEs they can detect (CWE coverage)
- Compliance: CWE is referenced by PCI-DSS, NIST SSDF, and OWASP standards for vulnerability classification
Best Practices
- Focus on the CWE Top 25 — These weaknesses cause the most real-world vulnerabilities; prioritize defenses against them
- Map your vulnerabilities to CWEs — Understanding root cause categories reveals systemic issues that point fixes miss
- Use CWE to guide SAST tool selection — Evaluate static analysis tools by their CWE detection coverage for your technology stack
- Integrate CWE into developer training — Train developers on the specific CWEs most relevant to your application's technology stack
- Track CWE trends over time — If your team consistently introduces CWE-79 (XSS) bugs, invest in framework-level protections and targeted training
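An added example, not part of this search tool's code, of two tasks the sections above describe: normalising the user-typed CWE identifiers a search-by-ID box receives, and rolling a constructed list of findings up through their parent weaknesses so recurring root-cause categories stand out. The ChildOf relations in PARENT are a constructed subset assumed for the demo; verify them against the current CWE release.

```javascript
// Accepts "CWE-79", "cwe 79", "79", " CWE-0079 "; returns "CWE-79" or null.
function normalizeCweId(input) {
  const m = /^\s*(?:cwe[\s_-]*)?0*(\d{1,5})\s*$/i.exec(String(input));
  if (!m || m[1] === "0") return null;          // no digits, or CWE-0
  return `CWE-${m[1]}`;
}

// Constructed subset of child -> parent (ChildOf) relations, assumed for
// this demo; confirm against the CWE release you actually use.
const PARENT = {
  "CWE-564": "CWE-89",   // SQL Injection: Hibernate -> SQL Injection
  "CWE-89":  "CWE-943",  // SQL Injection -> data query logic neutralization
  "CWE-79":  "CWE-74",   // XSS -> improper neutralization (downstream)
  "CWE-943": "CWE-74",
  "CWE-78":  "CWE-77",   // OS Command Injection -> Command Injection
  "CWE-77":  "CWE-74",
  "CWE-74":  "CWE-707",  // -> Improper Neutralization (pillar)
};

// Walk the chain from a CWE up to its root, returning the ancestors in order.
function ancestors(id) {
  const chain = [];
  for (let p = PARENT[id]; p; p = PARENT[p]) chain.push(p);
  return chain;
}

// Count findings per CWE, then credit every ancestor too, so a root cause
// that point fixes hide shows up as the largest rolled-up bucket.
function rollUp(findings) {
  const direct = {}, rolled = {}, rejected = [];
  for (const f of findings) {
    const id = normalizeCweId(f.cwe);
    if (!id) { rejected.push(f.cwe); continue; } // unmappable entry
    direct[id] = (direct[id] || 0) + 1;
    for (const node of [id, ...ancestors(id)]) {
      rolled[node] = (rolled[node] || 0) + 1;
    }
  }
  return { direct, rolled, rejected };
}

// Constructed findings, shaped like a scanner or bug-tracker export.
const FINDINGS = [
  { title: "reflected XSS in search",  cwe: "CWE-79" },
  { title: "stored XSS in profile",    cwe: "cwe-79" },
  { title: "HQL injection in report",  cwe: "564" },
  { title: "SQLi in login",            cwe: "CWE-0089" },
  { title: "shell-out in backup job",  cwe: "CWE-78" },
  { title: "entry with no CWE",        cwe: "N/A" },
];
```

On this sample every valid finding rolls up to CWE-74 and CWE-707, which is the kind of framework-level signal the trend-tracking point above is after.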
ℹ️ Disclaimer
This tool is provided for informational and educational purposes only. All processing happens entirely in your browser - no data is sent to or stored on our servers. While we strive for accuracy, we make no warranties about the completeness or reliability of results. Use at your own discretion.