
CWE Top 25 Most Dangerous Software Weaknesses (2024)

Scope: International | Version: v2024 | 5 domains | 25 controls

The 2024 CWE Top 25 Most Dangerous Software Weaknesses is published by the MITRE Corporation and supported by CISA. It is based on an analysis of 31,770 CVE records, each scored by frequency multiplied by severity (CVSS), and identifies the most common and impactful software weaknesses that developers and organizations should prioritize. It was released on November 19, 2024.


Framework summaries on this platform are AI-assisted interpretations for educational and compliance planning purposes. They do not reproduce or replace the official standards. Refer to the authoritative source for the definitive text. Framework names and trademarks belong to their respective organisations.

Framework Domains (5)

CWE Top 25 2024: Access Control and Authorization

6 controls (CWE code: title)

CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CWE-22: Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
CWE-269: Improper Privilege Management
CWE-352: Cross-Site Request Forgery (CSRF)
CWE-862: Missing Authorization
CWE-863: Incorrect Authorization

CWE Top 25 2024: Authentication and Credentials

3 controls (CWE code: title)

CWE-287: Improper Authentication
CWE-306: Missing Authentication for Critical Function
CWE-798: Use of Hard-coded Credentials

CWE Top 25 2024: Data and Resource Handling

3 controls (CWE code: title)

CWE-400: Uncontrolled Resource Consumption
CWE-502: Deserialization of Untrusted Data
CWE-918: Server-Side Request Forgery (SSRF)

CWE Top 25 2024: Injection and Input Handling

7 controls (CWE code: title)

CWE-20: Improper Input Validation
CWE-434: Unrestricted Upload of File with Dangerous Type
CWE-77: Improper Neutralization of Special Elements used in a Command (Command Injection)
CWE-78: Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)
CWE-79: Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)
CWE-89: Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)
CWE-94: Improper Control of Generation of Code (Code Injection)

CWE Top 25 2024: Memory Safety

6 controls (CWE code: title)

CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-125: Out-of-bounds Read
CWE-190: Integer Overflow or Wraparound
CWE-416: Use After Free
CWE-476: NULL Pointer Dereference
CWE-787: Out-of-bounds Write

Maps to 2 other frameworks (25 total controls)

OWASP Top 10:2025: 18 source controls mapped | 6 target controls covered | 72% coverage
HL7 FHIR Security Framework: 6 source controls mapped | 1 target control covered | 24% coverage

Frequently Asked Questions

What is CWE Top 25 Most Dangerous Software Weaknesses (2024)?

CWE Top 25 Most Dangerous Software Weaknesses (2024) is an international compliance framework with 5 domains and 25 controls. The 2024 CWE Top 25 is published by the MITRE Corporation and supported by CISA. It is based on an analysis of 31,770 CVE records, each scored by frequency multiplied by severity (CVSS), and identifies the most common and impactful software weaknesses that developers and organizations should prioritize. It was released on November 19, 2024. Organisations use it to establish and maintain compliance with industry standards and regulatory requirements.

How many controls does CWE Top 25 Most Dangerous Software Weaknesses (2024) have?

CWE Top 25 Most Dangerous Software Weaknesses (2024) has 25 controls organised across 5 domains. The largest domains are CWE Top 25 2024: Injection and Input Handling (7 controls), CWE Top 25 2024: Access Control and Authorization (6 controls), and CWE Top 25 2024: Memory Safety (6 controls). Each control defines specific requirements that organisations must implement to achieve compliance.

What frameworks does CWE Top 25 Most Dangerous Software Weaknesses (2024) map to?

CWE Top 25 Most Dangerous Software Weaknesses (2024) maps to 2 other compliance frameworks. The mapping partners are OWASP Top 10:2025 (72% coverage) and HL7 FHIR Security Framework (24% coverage). Use our comparison tool to explore control-level mappings between frameworks.

How do I get started with CWE Top 25 Most Dangerous Software Weaknesses (2024) compliance?

Start your CWE Top 25 Most Dangerous Software Weaknesses (2024) compliance journey by running a self-assessment on our platform to identify your current compliance posture. Our AI advisory can answer specific questions about CWE Top 25 Most Dangerous Software Weaknesses (2024) requirements, and cross-framework mapping helps you leverage existing controls from other frameworks you may already comply with. Create a free account to access all 25 controls and track your progress.
