CWE (Common Weakness Enumeration)

CWE (Common Weakness Enumeration) is a community-developed list of software and hardware weakness types. Unlike CVE, which identifies specific vulnerabilities in specific products, CWE categorizes the underlying weakness patterns that give rise to those vulnerabilities.

CWE vs CVE

CVE: "CVE-2021-44228 - Log4j JNDI injection"
     → Specific vulnerability in specific software

CWE: "CWE-917 - Expression Language Injection"
     → Category of weakness causing the vulnerability

Common CWE Examples

CWE-79:  Cross-site Scripting (XSS)
CWE-89:  SQL Injection
CWE-22:  Path Traversal
CWE-78:  OS Command Injection
CWE-287: Improper Authentication
CWE-352: Cross-Site Request Forgery (CSRF)
CWE-502: Deserialization of Untrusted Data
CWE-918: Server-Side Request Forgery (SSRF)

CWE Hierarchy

CWE-707: Improper Neutralization (Parent)
├── CWE-74: Injection (Child)
│   ├── CWE-79: XSS
│   ├── CWE-89: SQLi
│   └── CWE-78: OS Command Injection

Using CWE

  • Categorize vulnerabilities in reports
  • Map to OWASP Top 10
  • Guide secure development training
  • Prioritize remediation by weakness type
  • Track organizational weakness patterns
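The hierarchy diagram above and the "Track organizational weakness patterns" use case are easier to see with a small working model. The following Python is an added example, not part of the original page: it encodes only the parent/child slice of the CWE tree that the diagram shows (CWE-707 → CWE-74 → CWE-79/89/78), walks a finding's CWE up to its root class, and rolls up a constructed list of findings by that class. Names such as CWE_PARENT, ancestors, is_a, under and rollup, and the FINDINGS list, are assumptions made for this example; CWE IDs that the diagram does not place (CWE-22, CWE-287) are treated as their own root rather than given a made-up parent.

```python
"""Roll up findings through the CWE parent/child hierarchy (added example)."""
from collections import Counter

# Parent-of relation for the slice of the CWE tree shown in the page's diagram.
# Assumption: the real CWE corpus has many more nodes and edges; only the
# relationships drawn on the page are encoded here.
CWE_PARENT = {
    "CWE-74": "CWE-707",
    "CWE-79": "CWE-74",
    "CWE-89": "CWE-74",
    "CWE-78": "CWE-74",
}

# Names for the CWE IDs listed on the page (used only for display).
CWE_NAME = {
    "CWE-707": "Improper Neutralization",
    "CWE-74": "Injection",
    "CWE-79": "Cross-site Scripting (XSS)",
    "CWE-89": "SQL Injection",
    "CWE-78": "OS Command Injection",
    "CWE-22": "Path Traversal",
    "CWE-287": "Improper Authentication",
}

# Constructed sample findings, as a scanner or pentest report might list them.
FINDINGS = [
    {"id": "F-1", "title": "reflected XSS in search", "cwe": "CWE-79"},
    {"id": "F-2", "title": "SQLi in login form", "cwe": "CWE-89"},
    {"id": "F-3", "title": "command injection in ping tool", "cwe": "CWE-78"},
    {"id": "F-4", "title": "stored XSS in comments", "cwe": "CWE-79"},
    {"id": "F-5", "title": "path traversal in download", "cwe": "CWE-22"},
    {"id": "F-6", "title": "missing auth on admin API", "cwe": "CWE-287"},
]


def ancestors(cwe, parent_of=CWE_PARENT):
    """Chain from cwe up to its root, e.g. CWE-79 -> [CWE-79, CWE-74, CWE-707].

    An ID with no parent in the mapping is its own root. A cyclic mapping is
    a data error, so it is rejected rather than looping forever.
    """
    chain = [cwe]
    seen = {cwe}
    while chain[-1] in parent_of:
        parent = parent_of[chain[-1]]
        if parent in seen:
            raise ValueError(f"cycle in CWE hierarchy at {parent}")
        seen.add(parent)
        chain.append(parent)
    return chain


def is_a(cwe, category, parent_of=CWE_PARENT):
    """True if cwe equals category or descends from it (CWE-89 is_a CWE-74)."""
    return category in ancestors(cwe, parent_of)


def under(findings, category, parent_of=CWE_PARENT):
    """Findings whose CWE is, or descends from, the given category."""
    return [f for f in findings if is_a(f["cwe"], category, parent_of)]


def rollup(findings, parent_of=CWE_PARENT):
    """Count findings by the root class of their CWE (the top of the chain)."""
    return Counter(ancestors(f["cwe"], parent_of)[-1] for f in findings)


def report(findings):
    """Human-readable weakness-pattern summary for a set of findings."""
    lines = []
    for root, count in rollup(findings).most_common():
        lines.append(f"{root} {CWE_NAME.get(root, '?')}: {count} finding(s)")
        for f in under(findings, root):
            lines.append(f"  {f['id']} [{f['cwe']}] {f['title']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(FINDINGS))
```

Rolling up to the root class is what turns six separate findings into the single organizational signal "four of six issues are injection-family weaknesses", which is the kind of pattern the page's last bullet refers to. The `parent_of` parameter exists so the same functions can be fed a larger mapping loaded from the official CWE data rather than the page's subset.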

CWE Top 25

MITRE publishes an annual "CWE Top 25 Most Dangerous Software Weaknesses" based on CVE data analysis.

See Also