Back
Cookies Notice
This site uses cookies to deliver services and to analyze traffic.
Common Weakness Enumeration
← Back to
glossary
← Back
to
glossary
What Is Common Weakness Enumeration (CWE)?
Common Weakness Enumeration (CWE) is a community-developed catalog of software and hardware weakness types maintained by MITRE Corporation. Each entry in the common weakness enumeration list describes a specific category of flaw, such as buffer overflow, SQL injection, or improper authentication, that can lead to exploitable vulnerabilities in real-world software.
The Mitre Common Weakness Enumeration serves as a shared language for describing security weaknesses across the industry. When a SAST tool flags a finding as CWE-79, every developer, security engineer, and auditor understands it refers to improper neutralization of input during web page generation (cross-site scripting). This standardization makes it possible to compare findings across tools, track weakness trends across codebases, and build training programs around the specific flaw types that matter most to an organization.
How the CWE List Is Structured and Maintained
The CWE list is organized as a hierarchical classification system with over 900 entries. Weaknesses are grouped at multiple levels of abstraction. These include:
- Pillars: The broadest categories representing fundamental weakness classes. Examples include CWE-664 (Improper Control of a Resource Through its Lifetime) and CWE-707 (Improper Neutralization).
- Classes: High-level groupings beneath pillars that describe general weakness patterns independent of any specific language or technology.
- Bases: More specific weaknesses tied to particular behaviors or coding patterns. Most tool findings map to base-level entries.
- Variants: The most granular entries, describing weaknesses specific to a language, framework, or technology context.
This hierarchy allows users to work at whatever level of detail fits their needs. A CISO reviewing portfolio risk might look at pillar-level trends. A developer fixing a specific finding works with base or variant entries that include code examples and remediation guidance.
MITRE maintains the list with input from industry contributors, tool vendors, researchers, and government agencies. Updates are released periodically to add new weakness types, refine descriptions, and adjust relationships between entries.
The CWE Top 25 Most Dangerous Software Weaknesses list, published annually, ranks weaknesses by prevalence and severity using real-world vulnerability data, giving teams a prioritized starting point for their secure coding efforts.
CWE vs CVE vs CVSS: How They Work Together
CWE, CVE, and CVSS serve different purposes in the vulnerability management ecosystem, but they connect directly:
| System | What It Does | Scope | Example |
| CWE | Classifies types of weaknesses in software and hardware | Weakness categories (abstract) | CWE-89: SQL Injection |
| CVE | Identifies specific, disclosed vulnerabilities in specific products | Individual vulnerability instances | CVE-2024-12345: SQL injection in Product X v2.1 |
| CVSS | Scores the severity of a specific vulnerability | Severity rating (0-10 scale) | CVSS 9.8: Critical, network-exploitable, no auth required |
A CWE vulnerability entry describes the general flaw pattern. A CVE record identifies a specific instance of that flaw in a specific product. CVSS provides a severity score for that specific instance.
In practice, these systems work together throughout the vulnerability lifecycle. A SAST tool detects a code pattern matching CWE-89 (SQL injection). If that flaw is disclosed publicly, it receives a CVE identifier. The CVE is then scored using CVSS to communicate severity. Security teams use all three to categorize, track, and prioritize their response.
Understanding why a significant share of CVEs trace directly to code-level vulnerabilities reinforces why CWE matters: most disclosed vulnerabilities map back to known weakness types that could have been caught during development.
Benefits of CWE for Vulnerability Management and Risk Prioritization
CWE provides several practical benefits for security and development teams, including:
- Standardized taxonomy: CWE gives teams a consistent vocabulary for discussing weaknesses across tools, teams, and vendors. When every scanner maps findings to CWE IDs, organizations can aggregate and compare results without manual translation.
- Tool evaluation and benchmarking: CWE compatibility is a recognized benchmark for security tools. Organizations can evaluate whether a scanner detects the weakness types most relevant to their technology stack and risk profile.
- Prioritization by weakness pattern: Aggregating findings by CWE ID reveals which weakness types appear most frequently across the codebase. Teams that approach application risk through multiple dimensions can use CWE data to focus remediation on the weakness categories that pose the greatest business risk.
- Training and secure coding: CWE entries include detailed descriptions, code examples, and mitigation guidance. Development teams can build targeted training programs around the specific CWE IDs that appear most often in their code, turning vulnerability data into actionable developer education.
- Compliance and reporting: Many compliance frameworks and regulatory standards reference CWE as part of their secure development requirements. Mapping findings to CWE IDs simplifies audit reporting and demonstrates that the organization uses a recognized classification system. Organizations with mature security frameworks use CWE data to measure program effectiveness over time.
Related Content: How LTP and Apiiro Together Forge a Stronger, Resilient Framework
FAQs
Who maintains the Common Weakness Enumeration list, and how often is it updated?
MITRE Corporation maintains CWE with community input. The list is updated periodically as new weakness types emerge, and the CWE Top 25 is published annually.
How is a CWE entry different from a CVE record for a specific vulnerability?
A CWE entry describes a general category of weakness (e.g., SQL injection). A CVE record identifies a specific instance of a vulnerability found in a specific product or version.
How do security tools and scanners use CWE IDs in their reports?
Tools map each finding to its corresponding CWE ID, providing a standardized classification. This enables cross-tool comparison, trend tracking, and consistent reporting across the organization.
How can development teams use CWE to improve their secure coding standards and training?
Teams identify their most frequent CWE findings and build targeted training around those weakness types. CWE entries include code examples and remediation guidance for each category.
Does CWE only cover software weaknesses, or are there hardware weaknesses as well?
CWE covers both. The Hardware Design view, introduced in recent versions, catalogs weaknesses specific to hardware logic, firmware, and physical security mechanisms alongside software entries.
See Apiiro in action
Meet with our team of application security experts and learn how Apiiro is transforming the way modern applications and software supply chains are secured. Supporting the world’s brightest application security and development teams: