What is a CWE (Common Weakness Enumeration)?

Last reviewed June 2, 2026

A CWE (Common Weakness Enumeration) is an entry in a MITRE-maintained catalog of software and hardware weakness types: the root-cause categories of flaws that lead to vulnerabilities. Each CWE describes a kind of mistake, such as CWE-79 (Cross-site Scripting) or CWE-89 (SQL Injection), rather than any single bug in a specific product.

CWE: a catalog of weakness types

The Common Weakness Enumeration (CWE) is a community-developed, MITRE-maintained list of common software and hardware weakness types. A weakness is a flaw, fault, bug, or other condition in the design, architecture, code, or implementation that, if left unaddressed, could become exploitable. CWE gives each weakness type a stable identifier (for example, CWE-787) and a name (Out-of-bounds Write).

Crucially, a CWE describes the kind of flaw, not a specific instance. CWE-89 (SQL Injection) names the category of mistake; the actual SQL injection bug found in a particular version of a particular product is a CVE. One CWE can therefore be the root cause behind thousands of separate CVEs.

Common CWE examples

  • CWE-79 - Improper Neutralization of Input During Web Page Generation (Cross-site Scripting / XSS).
  • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command (SQL Injection).
  • CWE-787 - Out-of-bounds Write, a frequent cause of memory-corruption vulnerabilities.
  • CWE-22 - Improper Limitation of a Pathname to a Restricted Directory (Path Traversal).
  • CWE-416 - Use After Free, a common memory-safety weakness in C and C++.

How the CWE catalog is organized

CWE is hierarchical. Entries range from broad pillars and classes down to specific base and variant weaknesses, connected by ParentOf and ChildOf relationships. This lets you navigate from a general category (improper input validation) to a precise weakness (SQL injection) and back up.

Each entry carries rich metadata: a description, common consequences, likely platforms and languages, detection methods, potential mitigations, demonstrative examples, and observed CVE examples. CWE also publishes curated views, including the CWE Top 25 Most Dangerous Software Weaknesses.

Why CWE matters

Mapping a vulnerability to its CWE turns a one-off finding into a pattern you can act on. If many of your CVEs map to CWE-79 or CWE-89, the fix is not just patching individual bugs but improving input handling and output encoding across the codebase.

CWE also underpins other standards. CVE records are typically tagged with a primary CWE, the CWE Top 25 is generated from CVE and NVD data, and CAPEC attack patterns reference the CWEs they target.
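The roll-up described above, as an added example that is not part of the original article: a small Python script that walks ChildOf links through a constructed, simplified slice of the CWE hierarchy (the edge list and shortened names are illustrative, not the official CWE data) and counts findings per weakness and per ancestor, so a category such as CWE-74 (Injection) shows the combined burden of its XSS and SQL-injection children.

```python
from collections import Counter

# Constructed, simplified slice of the CWE hierarchy used only for this example.
# Names are abbreviated; the official catalog at cwe.mitre.org is the source of truth.
CWE_NAMES = {
    "CWE-707": "Improper Neutralization (pillar)",
    "CWE-74": "Injection",
    "CWE-79": "Cross-site Scripting",
    "CWE-89": "SQL Injection",
    "CWE-119": "Improper Restriction of Operations within the Bounds of a Memory Buffer",
    "CWE-787": "Out-of-bounds Write",
    "CWE-416": "Use After Free",
}

# ChildOf edges, child -> parent (ParentOf is simply the inverse direction).
CHILD_OF = {
    "CWE-74": "CWE-707",
    "CWE-79": "CWE-74",
    "CWE-89": "CWE-74",
    "CWE-787": "CWE-119",
}


def ancestors(cwe_id):
    """Return the ChildOf chain from a weakness up to its root, nearest parent first."""
    chain, seen = [], set()
    while cwe_id in CHILD_OF:
        if cwe_id in seen:
            raise ValueError(f"cycle in hierarchy at {cwe_id}")
        seen.add(cwe_id)
        cwe_id = CHILD_OF[cwe_id]
        chain.append(cwe_id)
    return chain


def roll_up(findings):
    """Count findings by their own CWE and by every ancestor category."""
    counts = Counter()
    for finding in findings:
        cwe = finding["cwe"]
        counts[cwe] += 1
        for ancestor in ancestors(cwe):  # a leaf with no parent simply adds nothing here
            counts[ancestor] += 1
    return counts


# Constructed sample findings (hypothetical ids, not real CVE records).
SAMPLE_FINDINGS = [
    {"id": "FINDING-1", "cwe": "CWE-89"},
    {"id": "FINDING-2", "cwe": "CWE-79"},
    {"id": "FINDING-3", "cwe": "CWE-89"},
    {"id": "FINDING-4", "cwe": "CWE-787"},
    {"id": "FINDING-5", "cwe": "CWE-416"},
]
```

Run `roll_up(SAMPLE_FINDINGS)` and the two SQL-injection findings plus the XSS finding surface as three under CWE-74, which is the pattern-level signal the section describes.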

Frequently asked questions

What is the difference between a CWE and a CVE?
A CWE is a weakness type (the kind of flaw, such as SQL injection), while a CVE is a specific vulnerability instance in a specific product. A CVE is usually mapped to a primary CWE that describes its root cause.
Who maintains CWE?
CWE is maintained by MITRE with community input, sponsored by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). It is updated periodically and is freely available.
Does every CVE have a CWE?
Most published CVEs are mapped to at least one CWE, but not all. CNAs and the NVD assign CWE mappings, and some older or less-detailed records may lack a precise mapping.
How many CWEs are there?
The catalog contains over 900 weakness entries spanning software and hardware, organized into pillars, classes, base weaknesses, and variants.