The Common Weakness Enumeration (CWE) is used by professionals around the world to identify the most widespread and critical weaknesses that are known to cause serious vulnerabilities in software. According to Howard Solomon at IT World Canada, the list hasn’t been updated in eight years, but it recently used a new data-driven approach based on real-world vulnerabilities reported by security researchers to refresh the 25 Most Dangerous Software Errors list.

Explaining its methodology in more detail, the CWE website says they obtained data about vulnerabilities and exposures from the National Vulnerability Database (NVD) and then developed a scoring formula to calculate a rank order of weaknesses.

The complete list of 25 most dangerous software errors is listed below, including the overall score of each as well as its ID, which is linked to more information about the error on the CWE website.

1. CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
   Score: 75.56
2. CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
   Score: 45.69
3. CWE-20: Improper Input Validation
   Score: 43.61
4. CWE-200: Information Exposure
   Score: 32.12
5. CWE-125: Out-of-bounds Read
   Score: 26.53
6. CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
   Score: 24.54
7. CWE-416: Use After Free
   Score: 17.94
8. CWE-190: Integer Overflow or Wraparound
   Score: 17.35
9. CWE-352: Cross-Site Request Forgery (CSRF)
   Score: 15.54
10. CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
    Score: 14.10
11. CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
    Score: 11.47
12. CWE-787: Out-of-bounds Write
    Score: 11.08
13. CWE-287: Improper Authentication
    Score: 10.78
14. CWE-476: NULL Pointer Dereference
    Score: 9.74
15. CWE-732: Incorrect Permission Assignment for Critical Resource
    Score: 6.33
16. CWE-434: Unrestricted Upload of File with Dangerous Type
    Score: 5.50
17. CWE-611: Improper Restriction of XML External Entity Reference
    Score: 5.48
18. CWE-94: Improper Control of Generation of Code (‘Code Injection’)
    Score: 5.36
19. CWE-798: Use of Hard-coded Credentials
    Score: 5.12
20. CWE-400: Uncontrolled Resource Consumption: 5.04
21. CWE-772: Missing Release of Resource after Effective Lifetime
    Score: 5.04
22. CWE-426: Untrusted Search Path
    Score: 4.40
23. CWE-502: Deserialization of Untrusted Data
    Score: 4.30
24. CWE-269: Improper Privilege Management
    Score: 4.23
25. CWE-295: Improper Certificate Validation
    Score: 4.06

Print Friendly Version