
CWE TOP 25


Summary

The Common Weakness Enumeration Top 25 (CWE Top 25) is a demonstrative list and valuable community resource of the most common and impactful weaknesses observed over the previous two calendar years. It gives developers, testers and users insight into the most severe and current security weaknesses. The version used in this section is CWE Top 25 2022.

Definitions

| CWE | Definition | Requirements |
|---|---|---|
| 20 | Improper input validation | 173. Discard unsafe inputs; 342. Validate request parameters |
| 22 | Improper limitation of a pathname to a restricted directory (path traversal) | 173. Discard unsafe inputs; 320. Avoid client-side control enforcement; 342. Validate request parameters |
| 77 | Improper neutralization of special elements used in a command (command injection) | 172. Encrypt connection strings; 173. Discard unsafe inputs; 344. Avoid dynamic code execution |
| 78 | Improper neutralization of special elements used in an OS command (OS command injection) | 173. Discard unsafe inputs; 265. Restrict access to critical processes; 266. Disable insecure functionalities |
| 79 | Improper neutralization of input during web page generation (cross-site scripting) | 029. Cookies with security attributes; 173. Discard unsafe inputs |
| 89 | Improper neutralization of special elements used in an SQL command (SQL injection) | 169. Use parameterized queries; 173. Discard unsafe inputs |
| 119 | Improper restriction of operations within the bounds of a memory buffer | 158. Use a secure programming language; 266. Disable insecure functionalities |
| 125 | Out-of-bounds read | 158. Use a secure programming language; 345. Establish protections against overflows |
| 190 | Integer overflow or wraparound | 345. Establish protections against overflows |
| 276 | Incorrect default permissions | 142. Change system default credentials; 161. Define secure default options |
| 287 | Improper authentication | 114. Deny access with inactive credentials; 122. Validate credential ownership; 130. Limit password lifespan; 138. Define lifespan for temporary passwords; 140. Define OTP lifespan; 229. Request access credentials; 264. Request authentication; 319. Make authentication options equally secure; 362. Assign MFA mechanisms to a single account |
| 306 | Missing authentication for critical function | 265. Restrict access to critical processes |
| 352 | Cross-site request forgery (CSRF) | 029. Cookies with security attributes; 174. Transactions without a distinguishable pattern |
| 362 | Concurrent execution using shared resource with improper synchronization (race condition) | 264. Request authentication; 337. Make critical logic flows thread safe |
| 416 | Use after free | 157. Use the strict mode; 158. Use a secure programming language; 266. Disable insecure functionalities |
| 434 | Unrestricted upload of file with dangerous type | 039. Define maximum file size; 040. Compare file format and extension |
| 476 | NULL pointer dereference | 161. Define secure default options; 266. Disable insecure functionalities; 359. Avoid using generic exceptions |
| 502 | Deserialization of untrusted data | 321. Avoid deserializing untrusted data |
| 611 | Improper restriction of XML external entity reference | 173. Discard unsafe inputs |
| 798 | Use of hard-coded credentials | 126. Set a password regeneration mechanism; 127. Store hashed passwords; 134. Store passwords with salt; 185. Encrypt sensitive information |
| 862 | Missing authorization | 035. Manage privilege modifications; 095. Define users with privileges; 096. Set user's required privileges |
| 918 | Server-side request forgery (SSRF) | 173. Discard unsafe inputs; 324. Control redirects; 348. Use consistent encoding |