Dear CWE Research Community,

I hope you are all well! I am emailing to let you know that the “2021 CWE Top 
25 Most Dangerous Software Weaknesses<>,” 
a demonstrative list of the most widespread and critical weaknesses that can 
lead to serious vulnerabilities in software, is now available on the CWE 

These weaknesses are dangerous because they are often easy to find, exploit, 
and can allow adversaries to completely take over a system, steal data, or 
prevent an application from working. The CWE Top 25 is a valuable community 
resource that can help developers, testers, and users — as well as project 
managers, security researchers, and educators — provide insight into the most 
severe and current security weaknesses.

What’s Changed
The major difference between the 2020 and 2021 CWE Top 25 lists is the 
continued transition to more specific weaknesses as opposed to abstract 
class-level weaknesses.

Significant downward movement from high-level classes included CWE-200: 
Exposure of Sensitive Information to an Unauthorized 
Actor<>; CWE-119: Improper 
Restriction of Operations within the Bounds of a Memory 
Buffer<>; CWE-94: Improper 
Control of Generation of Code (‘Code 
Injection’)<>; CWE-269: Improper 
Privilege Management<>; and 
CWE-732: Incorrect Permission Assignment for Critical 

With the relative decline of class-level weaknesses, more specific CWEs have 
moved higher up in the rankings, such as CWE-78: Improper Neutralization of 
Special Elements used in an OS Command (‘OS Command 
Injection’)<>; CWE-22: Improper 
Limitation of a Pathname to a Restricted Directory (‘Path 
Traversal’)<>; CWE-434: 
Unrestricted Upload of File with Dangerous 
Type<>; CWE-306: Missing 
Authentication for Critical 
Function<>; CWE-502: 
Deserialization of Untrusted 
Data<>; CWE-862: Missing 
Authorization<>; and CWE-276: 
Incorrect Default Permissions<>.

Leveraging Real-World Data
To create the 2021 list, the CWE Team used a data-driven approach that 
leverages published Common Vulnerabilities and Exposures 
(CVE®)<> data and related CWE mappings found within the 
National Institute of Standards and Technology (NIST) National Vulnerability 
Database (NVD)<>, as well as the Common Vulnerability 
Scoring System (CVSS)<> scores associated 
with each of the CVEs. A scoring formula was then applied to determine the 
level of prevalence and danger each weakness presents.

The 2021 CWE Top 25 leverages NVD data from the years 2019 and 2020, which 
consists of approximately 32,500 CVEs that are associated with a weakness. A 
scoring formula is used to calculate a ranked order of weaknesses which 
combines the frequency that a CWE is the root cause of a vulnerability with the 
projected severity of its exploitation. In both cases, the frequency and 
severity are normalized relative to the minimum and maximum values seen.

For more detailed information including methodology, rankings, scoring, and 
refined mappings, visit the CWE Top 25<> 

Feedback Welcome
Please send any feedback or questions to the CWE 
Research<> email discussion 
list, @cwecapec on Twitter<>, CWE page on 
LinkedIn<>, or contact 
us<> directly.


Alec J. Summers
Cyber Solutions Innovation Center
Group Leader, Software Assurance Research & Practice
Cyber Security Engineer, Lead
O: (781) 271-6970
C: (781) 496-8426
MITRE - Solving Problems for a Safer World

Reply via email to