Dear CWE Community,


We are elated in announcing that 2022 CWE Top 25 Most Dangerous Software
Weaknesses is now available on our website -


The official version of the "
<> 2022 CWE Top
25 Most Dangerous Software Weaknesses," a demonstrative list of the most
common and impactful software weaknesses that can lead to exploitable
vulnerabilities in software, is now available on the CWE website.

These weaknesses are dangerous because they are often easy to find, exploit,
and can allow adversaries to completely take over a system, steal data, or
prevent an application from working. Many professionals who deal with
software will find the CWE Top 25 a practical and convenient resource to
help mitigate risk. This may include software architects, designers,
developers, testers, users, project managers, security researchers,
educators, and contributors to standards developing organizations.

What's Changed

The major difference between the 2021 and 2022 CWE Top 25 lists are the
addition of three new weakness types and several notable shifts in ranked
positions for weakness types, including three weakness types that fell
entirely off the list.

The three new additions are
<> CWE-362: Concurrent
Execution using Shared Resource with Improper Synchronization ('Race
Condition');  <> CWE-94:
Improper Control of Generation of Code ('Code Injection'); and
<> CWE-400: Uncontrolled
Resource Consumption.

Weakness types moving higher on the list include
<> CWE-77: Improper
Neutralization of Special Elements used in a Command ('Command Injection')
and  <> CWE-476: NULL Pointer
Dereference, while  <>
CWE-306: Missing Authentication for Critical Function moved lower. The three
weakness types that fell off the list are
<> CWE-200: Exposure of
Sensitive Information to an Unauthorized Actor;
<> CWE-522: Insufficiently
Protected Credentials; and
<> CWE-732: Incorrect
Permission Assignment for Critical Resource.

Leveraging Real-World Data

To create the 2022 list, the CWE Program leveraged  <>
Common Vulnerabilities and Exposures (CVER) data found within the National
Institute of Standards and Technology (NIST)  <>
National Vulnerability Database (NVD) and the
<> Common Vulnerability Scoring System
(CVSS) scores associated with each CVE Record, including a focus on CVE
Records from the Cybersecurity and Infrastructure Security Agency (CISA)
<> Known
Exploited Vulnerabilities (KEV) Catalog. A formula was then applied to the
data to score each weakness based on prevalence and severity.

The 2022 CWE Top 25 leverages NVD data from the years 2020 and 2021, which
consists of 37,899 CVEs that are associated with a weakness. A scoring
formula is used to calculate a ranked order of weaknesses which combines the
frequency that a CWE is the root cause of a vulnerability with the average
severity of each of those vulnerabilities' exploitation as measured by CVSS.
In both cases, the frequency and severity are normalized relative to the
minimum and maximum values seen.

For more detailed information including methodology, rankings, scoring, and
refined mappings, visit the
<> CWE Top 25

Feedback Welcome

Please send any feedback or questions to the
<> CWE Research email
discussion list,  <> @cwecapec on Twitter,
<> CWE page on LinkedIn, or
<> contact us directly.


Thank you,

Rushi Purohit


Attachment: smime.p7s
Description: S/MIME cryptographic signature

Reply via email to