What is CWE?
CWE (Common Weakness Enumeration) is a categorized list of software and hardware weaknesses — root-cause patterns that lead to vulnerabilities — used to guide secure coding, SAST configuration, and vulnerability research.
- 1. Definition
- 2. How CWE is Organized
- 3. The CWE/SANS Top 25
- 4. CWE vs. CVE
- 5. How CWE is Used in Practice
Definition
CWE — Common Weakness Enumeration — is a community-developed catalog of software and hardware weakness types. Where CVE catalogs specific known vulnerabilities ("this version of this product has this bug"), CWE catalogs the underlying weakness categories that cause vulnerabilities. CWE-89 is SQL Injection (the weakness type), while an individual CVE record names one specific SQL injection bug in one specific product version.
CWE is maintained by MITRE with sponsorship from the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA). The catalog contains over 900 weakness entries organized in a hierarchical taxonomy; hardware design weaknesses have been part of the catalog since CWE 4.0 (2020).
How CWE is Organized
The CWE taxonomy organizes weaknesses at multiple levels of abstraction. The parent/child relationships that form this hierarchy are defined in the Research Concepts view (CWE-1000); other views, such as CWE-699 (Software Development), group the same entries into flat categories instead, which matters when you walk the catalog programmatically.
Pillar
The highest level of abstraction. A broad class of weakness that is independent of specific language, platform, or technology. Example: CWE-664 (Improper Control of a Resource Through its Lifetime).
Class
An abstract weakness with a general description not tied to a specific language or technology. Example: CWE-20 (Improper Input Validation).
Base
A more specific weakness that is still largely independent of any particular resource or technology, but detailed enough to support concrete detection and prevention methods. Example: CWE-89 (Improper Neutralization of Special Elements used in an SQL Command — SQL Injection).
Variant
The most specific level — a weakness defined in the context of a specific language, technology, or condition. Example: CWE-564 (SQL Injection: Hibernate).
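The hierarchy above can be traversed directly from MITRE's XML catalog: each Weakness entry lists its parents as ChildOf relations tagged with the view they belong to. The following is an added example (not code from the page or from the CWE project); the XML is a constructed excerpt that copies the element layout and namespace of cwec_latest.xml, with the real IDs, names and abstraction levels for these five entries. It resolves the chain from a variant to its pillar and lists everything beneath a given entry, which is what you need when a scanner reports a variant but your policy is written against a class.

```python
"""Walk the CWE hierarchy by following ChildOf relations in view 1000.

Added example, not taken from the page or from the CWE project. SAMPLE_XML
is a constructed excerpt that copies the element layout and namespace of
MITRE's cwec_latest.xml; the five IDs, names and abstraction levels are the
real ones for those entries, but the real file has hundreds more.
"""
import xml.etree.ElementTree as ET

CWE_NS = {"cwe": "http://cwe.mitre.org/cwe-7"}
RESEARCH_CONCEPTS_VIEW = "1000"  # the view that defines pillar/class/base/variant parents

# Constructed sample: Variant -> Base -> Class -> Class -> Pillar. A pillar has no ChildOf.
SAMPLE_XML = """<Weakness_Catalog xmlns="http://cwe.mitre.org/cwe-7" Name="CWE" Version="sample">
 <Weaknesses>
  <Weakness ID="707" Name="Improper Neutralization" Abstraction="Pillar"/>
  <Weakness ID="74" Name="Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')" Abstraction="Class">
   <Related_Weaknesses><Related_Weakness Nature="ChildOf" CWE_ID="707" View_ID="1000" Ordinal="Primary"/></Related_Weaknesses>
  </Weakness>
  <Weakness ID="943" Name="Improper Neutralization of Special Elements in Data Query Logic" Abstraction="Class">
   <Related_Weaknesses><Related_Weakness Nature="ChildOf" CWE_ID="74" View_ID="1000" Ordinal="Primary"/></Related_Weaknesses>
  </Weakness>
  <Weakness ID="89" Name="Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" Abstraction="Base">
   <Related_Weaknesses><Related_Weakness Nature="ChildOf" CWE_ID="943" View_ID="1000" Ordinal="Primary"/></Related_Weaknesses>
  </Weakness>
  <Weakness ID="564" Name="SQL Injection: Hibernate" Abstraction="Variant">
   <Related_Weaknesses><Related_Weakness Nature="ChildOf" CWE_ID="89" View_ID="1000" Ordinal="Primary"/></Related_Weaknesses>
  </Weakness>
 </Weaknesses>
</Weakness_Catalog>
"""


def load_catalog(xml_text):
    """Map CWE ID -> {name, abstraction, parents}; parents are the view-1000
    ChildOf targets, Primary first. (The catalog is a trusted MITRE download;
    parse untrusted XML with defusedxml instead of ElementTree.)"""
    catalog = {}
    root = ET.fromstring(xml_text)
    for w in root.iterfind("cwe:Weaknesses/cwe:Weakness", CWE_NS):
        parents = []
        for rel in w.iterfind("cwe:Related_Weaknesses/cwe:Related_Weakness", CWE_NS):
            if rel.get("Nature") == "ChildOf" and rel.get("View_ID") == RESEARCH_CONCEPTS_VIEW:
                # sort key False (Primary) before True (non-primary)
                parents.append((rel.get("Ordinal") != "Primary", int(rel.get("CWE_ID"))))
        catalog[int(w.get("ID"))] = {
            "name": w.get("Name"),
            "abstraction": w.get("Abstraction"),
            "parents": [cid for _, cid in sorted(parents)],
        }
    return catalog


def ancestors(catalog, cwe_id):
    """Primary ChildOf chain from cwe_id up to its pillar, excluding cwe_id itself."""
    chain, seen, current = [], {cwe_id}, cwe_id
    while catalog[current]["parents"]:
        current = catalog[current]["parents"][0]
        if current in seen:  # defensive: a cycle would be a catalog bug
            raise ValueError(f"cycle in hierarchy at CWE-{current}")
        seen.add(current)
        chain.append(current)
    return chain


def pillar_of(catalog, cwe_id):
    """The pillar at the top of cwe_id's primary chain (a pillar is its own pillar)."""
    top = (ancestors(catalog, cwe_id)[-1:] or [cwe_id])[0]
    if catalog[top]["abstraction"] != "Pillar":
        raise ValueError(f"CWE-{cwe_id} does not reach a pillar in view 1000")
    return top


def descendants(catalog, cwe_id):
    """Every entry below cwe_id, e.g. what a rule set for 'Injection' should cover."""
    children = {}
    for cid, entry in catalog.items():
        for parent in entry["parents"]:
            children.setdefault(parent, set()).add(cid)
    found, stack = set(), [cwe_id]
    while stack:
        for child in children.get(stack.pop(), ()):
            if child not in found:
                found.add(child)
                stack.append(child)
    return found


if __name__ == "__main__":
    cat = load_catalog(SAMPLE_XML)
    for cid in [564] + ancestors(cat, 564):
        print(f"CWE-{cid} [{cat[cid]['abstraction']}] {cat[cid]['name']}")
    print("under CWE-74:", sorted(descendants(cat, 74)))
```

Running it prints the chain CWE-564 (Variant), CWE-89 (Base), CWE-943 (Class), CWE-74 (Class), CWE-707 (Pillar). Point the same loader at the full cwec_latest.xml and `descendants(cat, 74)` returns the whole injection subtree, which is a more robust way to express "block all injection findings" than enumerating base IDs by hand.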
The CWE/SANS Top 25
The CWE Top 25 Most Dangerous Software Weaknesses is an annual ranking of the most prevalent and impactful weaknesses, computed from NVD CVE records (each record's CWE mapping and CVSS score) over a recent window. It began in 2009 as the joint CWE/SANS Top 25, which is why the older name persists; since the list was revived in 2019 it has been produced by MITRE's CWE program with CISA, without SANS. The Top 25 is widely used as a prioritized target list for security tools, secure coding training, and vulnerability management programs.
The 2024 CWE Top 25, in ranked order, opens with:
- 1. CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)
- 2. CWE-787: Out-of-bounds Write
- 3. CWE-89: SQL Injection
- 4. CWE-352: Cross-Site Request Forgery (CSRF)
- 5. CWE-22: Path Traversal
- 6. CWE-125: Out-of-bounds Read
- 7. CWE-78: OS Command Injection
- 8. CWE-416: Use After Free
- 12. CWE-20: Improper Input Validation
The order moves from year to year (CWE-787 led the 2023 list), so policies pinned to "the Top 25" should name the edition they mean.
CWE vs. CVE
| Property | CWE | CVE |
|---|---|---|
| What it describes | Weakness types (root causes) | Specific known vulnerabilities |
| Level of abstraction | Abstract category | Specific instance |
| Example | CWE-89: SQL Injection | CVE-2023-XXXX: SQL injection in Product X v1.2 |
| Use case | Secure coding, SAST rules, training | Patch management, vulnerability tracking |
| Count | 900+ weakness types | 250,000+ CVE entries |
How CWE is Used in Practice
SAST tool configuration
Static analysis tools map their detection rules to CWE IDs. When configuring a scanner, teams can target specific CWE categories relevant to their technology stack. CWE IDs provide a vendor-neutral way to communicate what a tool detects.
Secure coding standards
OWASP, CERT, and internal secure coding standards reference CWE IDs to specify the weakness being addressed. Developers can look up the CWE to understand the broader context of a security requirement.
Vulnerability research and triage
NVD maps each CVE record to one or more CWE IDs, enabling aggregation of vulnerabilities by weakness type; security teams can identify which weakness categories are most common in their technology stack. Two caveats for anyone doing this aggregation: NVD maps against the reduced CWE-1003 view (Weaknesses for Simplified Mapping), so mappings usually land on base or class level entries rather than variants, and records analysts could not classify carry the placeholders NVD-CWE-noinfo or NVD-CWE-Other instead of a CWE ID. Both must be handled explicitly or the counts are skewed.
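The aggregation described above, and the prevalence-times-severity idea behind the Top 25 ranking, as an added example (not code from the page, NVD or MITRE). The records are constructed but follow the field layout of the NVD CVE API 2.0 response; the CVE IDs are placeholders, and the score (count multiplied by mean CVSS base score) is a simplified ranking in the spirit of the Top 25, not MITRE's published formula.

```python
"""Aggregate NVD CVE records by their primary CWE mapping and rank the CWEs.

Added example, not from the page, NVD or MITRE. The records are constructed
but use the NVD CVE API 2.0 layout: cve.weaknesses[].description[].value
holds "CWE-NNN", "NVD-CWE-noinfo" or "NVD-CWE-Other"; CVSS v3.1 scores sit
under cve.metrics.cvssMetricV31[].cvssData.baseScore. CVE IDs are placeholders.
"""
from collections import defaultdict

UNMAPPED = {"NVD-CWE-noinfo", "NVD-CWE-Other"}  # NVD placeholders, not CWE IDs


def _record(cve_id, cwes, score):
    """Build one constructed API-2.0-shaped record. cwes is a list of
    (type, value) pairs; score None means NVD has not scored the CVE yet."""
    rec = {"cve": {
        "id": cve_id,
        "weaknesses": [{"source": "nvd@nist.gov" if t == "Primary" else "cna@example.invalid",
                        "type": t, "description": [{"lang": "en", "value": v}]}
                       for t, v in cwes],
        "metrics": {},
    }}
    if score is not None:
        rec["cve"]["metrics"]["cvssMetricV31"] = [
            {"source": "nvd@nist.gov", "type": "Primary", "cvssData": {"baseScore": score}}]
    return rec


SAMPLE_RECORDS = [  # constructed
    _record("CVE-2099-0001", [("Primary", "CWE-89")], 9.8),
    _record("CVE-2099-0002", [("Primary", "CWE-79")], 6.1),
    _record("CVE-2099-0003", [("Primary", "CWE-79")], 5.4),
    _record("CVE-2099-0004", [("Primary", "NVD-CWE-noinfo")], 7.5),   # unclassified
    # CNA and NVD disagree: only the Primary (NVD) mapping is counted below.
    _record("CVE-2099-0005", [("Secondary", "CWE-20"), ("Primary", "CWE-79")], 8.8),
    # Mapped but not yet scored ("awaiting analysis"): counts toward prevalence only.
    _record("CVE-2099-0006", [("Primary", "CWE-89")], None),
]


def primary_cwe(cve):
    """The Primary CWE mapping (first mapping as fallback), or None if unmapped."""
    weaknesses = cve.get("weaknesses", [])
    chosen = next((w for w in weaknesses if w.get("type") == "Primary"),
                  weaknesses[0] if weaknesses else None)
    if not chosen:
        return None
    value = chosen["description"][0]["value"]
    return None if value in UNMAPPED else value


def base_score(cve):
    """CVSS v3.1 base score from the first v3.1 metric, or None if not yet scored."""
    metrics = cve.get("metrics", {}).get("cvssMetricV31", [])
    return metrics[0]["cvssData"]["baseScore"] if metrics else None


def aggregate_by_cwe(records):
    """Return ({cwe: {count, scores, cves}}, [unmapped CVE IDs])."""
    stats = defaultdict(lambda: {"count": 0, "scores": [], "cves": []})
    unmapped = []
    for rec in records:
        cve = rec["cve"]
        cwe = primary_cwe(cve)
        if cwe is None:
            unmapped.append(cve["id"])
            continue
        entry = stats[cwe]
        entry["count"] += 1
        entry["cves"].append(cve["id"])
        score = base_score(cve)
        if score is not None:
            entry["scores"].append(score)
    return dict(stats), unmapped


def rank(stats):
    """Rows of (cwe, count, mean_cvss, score) sorted by score = count x mean CVSS.
    Simplified stand-in for the Top 25 methodology; unscored CVEs add prevalence only."""
    rows = []
    for cwe, e in stats.items():
        mean = sum(e["scores"]) / len(e["scores"]) if e["scores"] else 0.0
        rows.append((cwe, e["count"], round(mean, 2), round(e["count"] * mean, 2)))
    return sorted(rows, key=lambda r: r[3], reverse=True)


if __name__ == "__main__":
    stats, unmapped = aggregate_by_cwe(SAMPLE_RECORDS)
    for cwe, count, mean, score in rank(stats):
        print(f"{cwe:8} n={count} mean_cvss={mean:5.2f} score={score:6.2f}")
    print("unmapped:", unmapped)
```

On the sample, CWE-79 outranks CWE-89 despite the lower severity because it appears more often, which is the same prevalence-versus-severity tension the real Top 25 scoring has to resolve. Swapping `SAMPLE_RECORDS` for the `vulnerabilities` array of a real API response (filtered to your products' CPEs) gives the per-stack view the section describes.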
CWE and Autonomous Code Governance
Hydra's detection engine is organized around CWE categories. Every finding Hydra produces maps to a CWE ID, enabling precise communication about what type of weakness was found, why it is a risk, and how the fix addresses the root cause. The CWE Top 25 defines the core detection coverage that every Hydra-governed codebase achieves — ensuring the most dangerous and prevalent weakness types are continuously monitored and remediated.
Frequently Asked Questions
What is the difference between CWE and OWASP Top 10?
CWE is a comprehensive catalog of all weakness types — over 900 entries organized hierarchically. OWASP Top 10 is a prioritized list of 10 high-level risk categories for web applications. The OWASP Top 10 categories map to multiple CWE IDs. For example, OWASP A03 (Injection) covers CWE-89 (SQL injection), CWE-78 (OS command injection), CWE-79 (XSS), and others.
How often is the CWE Top 25 updated?
The CWE Top 25 is published annually by MITRE's CWE program with CISA (SANS co-published only the 2009 to 2011 editions). Each CWE is scored from the number of NVD CVE records mapped to it over a recent window and the CVSS severity of those records, so the ranking reflects both prevalence and impact. The rankings shift year to year as vulnerability patterns change, new technologies introduce new weakness categories, and remediation efforts reduce the prevalence of some weakness types.
Can I use CWE IDs in security policies?
Yes. Many security policies and compliance frameworks reference CWE IDs to specify which weakness types must be addressed. Using CWE IDs in policies makes them precise and tool-verifiable — a SAST scanner can be configured to detect and report on exactly the CWE categories specified in the policy.
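What "tool-verifiable" looks like for the SAST configuration and policy passages above, as an added example (not code from the page or from any vendor): a merge gate that reads a scanner's SARIF output, recovers the CWE ID each rule is tagged with, and fails the build when an unsuppressed finding matches the policy's CWE set. The SARIF document is constructed, with placeholder rule IDs and paths. The two tag spellings it recognises (CodeQL-style `external/cwe/cwe-089` and Semgrep-style `CWE-89: ...`) are the conventions the author has seen in those tools' output; treat that as an assumption and adjust `CWE_TAG` for other scanners, or read SARIF's `taxa` field instead.

```python
"""Gate a build on the CWE IDs found in a SARIF 2.1.0 report.

Added example, not from the page or any vendor. SAMPLE_SARIF is constructed;
rule IDs and file paths are placeholders. The tag regex assumes the
CodeQL-style "external/cwe/cwe-089" and Semgrep-style "CWE-89: ..." spellings.
"""
import json
import re

# Policy: unsuppressed findings mapped to any of these CWE IDs block the merge.
# Constructed here from the Top 25 entries named on this page.
POLICY_BLOCKING_CWES = {79, 787, 89, 22, 125, 78, 416, 20}

CWE_TAG = re.compile(r"(?i)\bcwe[-/]?0*(\d+)")  # "cwe-089", "CWE-89:", "cwe/cwe-022"

SAMPLE_SARIF = json.dumps({  # constructed
    "version": "2.1.0",
    "runs": [{
        "tool": {"driver": {"name": "example-scanner", "rules": [
            {"id": "sqli-format-string",
             "properties": {"tags": ["security", "external/cwe/cwe-089"]}},
            {"id": "weak-hash-md5",
             "properties": {"tags": ["CWE-328: Use of Weak Hash"]}},
            {"id": "path-join-traversal",
             "properties": {"tags": ["external/cwe/cwe-022"]}},
        ]}},
        "results": [
            {"ruleId": "sqli-format-string", "level": "error",
             "message": {"text": "query built with % formatting"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/db.py"}, "region": {"startLine": 42}}}]},
            {"ruleId": "weak-hash-md5", "level": "warning",
             "message": {"text": "hashlib.md5 used for a checksum"},
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/cache.py"}, "region": {"startLine": 7}}}]},
            # Reviewed and suppressed in source: must not block the build.
            {"ruleId": "path-join-traversal", "level": "error",
             "message": {"text": "user input reaches os.path.join"},
             "suppressions": [{"kind": "inSource", "status": "accepted"}],
             "locations": [{"physicalLocation": {
                 "artifactLocation": {"uri": "app/files.py"}, "region": {"startLine": 19}}}]},
        ],
    }],
})


def cwes_from_tags(tags):
    """Set of integer CWE IDs mentioned in a rule's tag list."""
    return {int(m) for tag in tags for m in CWE_TAG.findall(tag)}


def rule_cwes(run):
    """Map ruleId -> CWE IDs for every rule the run's driver declares."""
    rules = run["tool"]["driver"].get("rules", [])
    return {r["id"]: cwes_from_tags(r.get("properties", {}).get("tags", [])) for r in rules}


def _is_suppressed(result):
    # SARIF: a suppression with no status is treated as accepted.
    return any(s.get("status", "accepted") == "accepted"
               for s in result.get("suppressions", []))


def violations(sarif_text, policy):
    """Unsuppressed results whose rule maps to a CWE in policy."""
    doc = json.loads(sarif_text)
    out = []
    for run in doc["runs"]:
        by_rule = rule_cwes(run)
        for res in run.get("results", []):
            if _is_suppressed(res):
                continue
            hits = by_rule.get(res.get("ruleId"), set()) & set(policy)
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            for cwe in sorted(hits):
                out.append({"cwe": cwe, "rule": res.get("ruleId"),
                            "uri": loc.get("artifactLocation", {}).get("uri", "?"),
                            "line": loc.get("region", {}).get("startLine")})
    return out


def gate(sarif_text, policy=POLICY_BLOCKING_CWES):
    """True when the report contains no policy violations (safe to merge)."""
    return not violations(sarif_text, policy)


if __name__ == "__main__":
    for v in violations(SAMPLE_SARIF, POLICY_BLOCKING_CWES):
        print(f"BLOCK CWE-{v['cwe']} {v['rule']} at {v['uri']}:{v['line']}")
    print("gate:", "pass" if gate(SAMPLE_SARIF) else "fail")
```

Because the policy is a set of CWE IDs rather than a list of vendor rule names, the same gate works unchanged when the scanner is swapped, and a reviewer can see exactly which weakness type blocked a merge. The suppression check matters in practice: without it, every accepted false positive would keep failing the build.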
Stop flagging. Start fixing.
Hyrax reviews your pull requests, remediates issues autonomously, and closes the ticket.