What is the CWE Top 25 Most Dangerous Software Weaknesses?

The CWE Top 25 Most Dangerous Software Weaknesses is a curated CWE view that MITRE publishes each year. It highlights the 25 weakness types that, based on observed data, are both frequently occurring and capable of serious impact. The goal is to give developers, security teams, and managers a focused, prioritized starting point for reducing risk.

Because it is built from CWE entries, the list names weakness types (for example, CWE-79 Cross-site Scripting or CWE-787 Out-of-bounds Write), not specific products or bugs.

The ranking is data-driven rather than opinion-based. MITRE analyzes CVE records from the National Vulnerability Database (NVD) over a recent period, looks at how each CVE maps to a CWE, and combines the frequency of each weakness with the average severity of its CVEs (using CVSS). Recent versions of the methodology also factor in whether the weakness appears in vulnerabilities listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.

The result is a scored, ranked list that reflects which weakness types are actually driving dangerous, real-world vulnerabilities in the analysis window. Because the inputs change each year, rankings shift between editions.

Treat the Top 25 as a prioritized backlog for prevention. Map your own CVEs to their CWEs, see which Top 25 weaknesses appear most in your environment, and target secure-coding controls, code review, and testing at those patterns first.

It pairs well with the OWASP Top 10: the CWE Top 25 covers weakness types across all software, while the OWASP Top 10 frames the top risk categories specifically for web applications.