CWE Top 25 Most Dangerous Software Weaknesses - 2020

CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)





CWE-787 Out-of-bounds Write

CWE-20 Improper Input Validation





CWE-125 Out-of-bounds Read

CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer





CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)

CWE-200 Exposure of Sensitive Information to an Unauthorized Actor





CWE-416 Use After Free

CWE-352 Cross-Site Request Forgery (CSRF)





CWE-78 Improper Neutralization of Special Elements used in an OS Command Injection

CWE-190 Integer Overflow or Wraparound





CWE-22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

CWE-476 NULL Pointer Dereference





CWE-287 Improper Authentication

CWE-434 Unrestricted Upload of File with Dangerous Type





CWE-732 Incorrect Permission Assignment for Critical Resource

CWE-94 Improper Control of Generation of Code (‘Code Injection’)





CWE-522 Insufficiently Protected Credentials

CWE-611 Improper Restriction of XML External Entity Reference





CWE-798 Use of Hard-coded Credentials

CWE-502 Deserialization of Untrusted Data





CWE-269 Improper Privilege Management

CWE-400 Uncontrolled Resource Consumption





CWE-306 Missing Authentication for Critical Function

CWE-862 Missing Authorization



CWE Top 25 Most Dangerous Software Weaknesses – 2020