The Common Weakness Enumeration (CWE) is used by security professionals around the world to identify the most widespread and critical weaknesses known to lead to serious vulnerabilities in software. As Howard Solomon reported at IT World Canada, the CWE Top 25 Most Dangerous Software Errors list had not been updated in eight years; for this refresh, the CWE team switched to a data-driven approach that ranks weaknesses by the real-world vulnerabilities security researchers have reported.
The CWE website explains the methodology in more detail: the team took vulnerability data from the National Vulnerability Database (NVD), attributed each entry to its underlying weakness, and applied a scoring formula that combines how often a weakness shows up with how severe the resulting vulnerabilities are, producing a ranked order of weaknesses.
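To make the "frequency times severity" idea concrete, here is an added worked example (my code, not the CWE team's or the article's) that scores a small constructed set of NVD-style records. The normalisation follows the formula MITRE published for the 2019 list as I recall it: each weakness's frequency and average CVSS score are min-max scaled to [0, 1], multiplied, and scaled by 100. The page itself only says "a scoring formula" was developed, so treat those details, the placeholder CVE identifiers and the sample scores as assumptions.

```python
"""Frequency-x-severity scoring of the kind the CWE Top 25 methodology uses,
run over a constructed, NVD-like sample.

Added example, not code from the CWE site or the article. The normalisation
follows the formula MITRE published for the 2019 list (frequency and average
CVSS each min-max scaled, multiplied, x100); the page only says "a scoring
formula", so treat those details as an assumption.
"""
from collections import defaultdict
from statistics import mean

# Constructed sample records: (CVE id, CWE id from the NVD mapping, CVSS base score).
# The CVE ids are placeholders, not real entries.
SAMPLE_NVD = [
    ("CVE-0000-0001", "CWE-79", 6.1),
    ("CVE-0000-0002", "CWE-79", 6.1),
    ("CVE-0000-0003", "CWE-79", 5.4),
    ("CVE-0000-0004", "CWE-79", 4.8),
    ("CVE-0000-0005", "CWE-119", 9.8),
    ("CVE-0000-0006", "CWE-119", 7.8),
    ("CVE-0000-0007", "CWE-119", 8.8),
    ("CVE-0000-0008", "CWE-89", 9.8),
    ("CVE-0000-0009", "CWE-89", 8.8),
    ("CVE-0000-0010", "CWE-200", 5.3),
    ("CVE-0000-0011", "NVD-CWE-Other", 7.5),  # no concrete weakness: excluded
]

# NVD placeholders that name no concrete weakness and carry no ranking signal.
EXCLUDED = {"NVD-CWE-Other", "NVD-CWE-noinfo"}


def _scale(value, low, high):
    """Min-max scale to [0, 1]; a flat column (low == high) scales to 0."""
    return 0.0 if high == low else (value - low) / (high - low)


def score_cwes(records):
    """Return {cwe: score}: scaled frequency x scaled average CVSS x 100."""
    cvss_by_cwe = defaultdict(list)
    for _cve, cwe, cvss in records:
        if cwe in EXCLUDED:
            continue
        cvss_by_cwe[cwe].append(cvss)
    if not cvss_by_cwe:
        return {}

    freq = {cwe: len(v) for cwe, v in cvss_by_cwe.items()}   # how often it appears
    sev = {cwe: mean(v) for cwe, v in cvss_by_cwe.items()}   # how bad it is on average
    f_lo, f_hi = min(freq.values()), max(freq.values())
    s_lo, s_hi = min(sev.values()), max(sev.values())

    return {
        cwe: _scale(freq[cwe], f_lo, f_hi) * _scale(sev[cwe], s_lo, s_hi) * 100
        for cwe in cvss_by_cwe
    }


def rank_cwes(records):
    """Rank order as a list of (cwe, score), highest score first; ties by id."""
    scores = score_cwes(records)
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for position, (cwe, score) in enumerate(rank_cwes(SAMPLE_NVD), start=1):
        print(f"{position:2d}. {cwe:<8} score {score:6.2f}")
```

Running it on the sample ranks CWE-119 first (about 58.3): it is neither the most frequent nor the most severe entry, but it scores well on both. CWE-79 is the most frequent yet lands at 7.5 because its average CVSS sits near the bottom of the range, and CWE-89, the most severe, scores about 33.3 on only two entries. Note the edge case the min-max scaling creates: whichever weakness is least frequent (here CWE-200) scores exactly 0 no matter how severe it is, so the extremes of the data set shape the tail of the ranking.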
The complete list of the 25 most dangerous software errors follows, in rank order, with each entry's CWE ID, name and overall score; each ID can be looked up for the full weakness description on the CWE website.
- CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer. Score: 75.56
- CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’). Score: 45.69
- CWE-20: Improper Input Validation. Score: 43.61
- CWE-200: Information Exposure. Score: 32.12
- CWE-125: Out-of-bounds Read. Score: 26.53
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’). Score: 24.54
- CWE-416: Use After Free. Score: 17.94
- CWE-190: Integer Overflow or Wraparound. Score: 17.35
- CWE-352: Cross-Site Request Forgery (CSRF). Score: 15.54
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’). Score: 14.10
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’). Score: 11.47
- CWE-787: Out-of-bounds Write. Score: 11.08
- CWE-287: Improper Authentication. Score: 10.78
- CWE-476: NULL Pointer Dereference. Score: 9.74
- CWE-732: Incorrect Permission Assignment for Critical Resource. Score: 6.33
- CWE-434: Unrestricted Upload of File with Dangerous Type. Score: 5.50
- CWE-611: Improper Restriction of XML External Entity Reference. Score: 5.48
- CWE-94: Improper Control of Generation of Code (‘Code Injection’). Score: 5.36
- CWE-798: Use of Hard-coded Credentials. Score: 5.12
- CWE-400: Uncontrolled Resource Consumption. Score: 5.04
- CWE-772: Missing Release of Resource after Effective Lifetime. Score: 5.04
- CWE-426: Untrusted Search Path. Score: 4.40
- CWE-502: Deserialization of Untrusted Data. Score: 4.30
- CWE-269: Improper Privilege Management. Score: 4.23
- CWE-295: Improper Certificate Validation. Score: 4.06