CWE

Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities


News & Events - 2026


CWE Podcast: “CWE Top 25 Most Dangerous Software Weaknesses”

May 13, 2026

“Out-Of-Bounds Read” is the CWE Program’s free podcast about common weaknesses in software and hardware, the vulnerabilities they cause, how to reduce them, and how using CWE can help make products more secure by design.

In this episode, MITRE’s CWE™ and CVE™ Project Lead Alec Summers talks with CWE Technical Lead Steve Christey and CWE Top 25 Lead Connor Mullaly about the 2025 “CWE Top 25 Most Dangerous Software Weaknesses.”

Topics include what the CWE Top 25 is and why it matters for software security; how the list is calculated using prevalence and average severity; how the quality of mappings in CVE Records affects the accuracy and usefulness of the list; how CVE Numbering Authorities (CNAs) help build the list; common mapping problems, especially choosing overly broad or discouraged entries instead of more specific ones; changes in methodology for the 2025 list, especially moving away from normalizing everything into a smaller subset and instead reflecting what actually mapped in the full corpus; and practical advice for better root cause mapping, including using mapping notes, avoiding discouraged entries, and focusing on the underlying weakness rather than just the impact.



The podcast is available for free on the CWE Program Channel on YouTube. Please give our latest episode a listen and let us know what you think by commenting on the CWE page on LinkedIn, CWE on X, CWE on Mastodon, or CWE on Bluesky. We look forward to hearing from you!

CWE Version 4.20 Now Available

April 30, 2026

CWE Version 4.20 has been posted on the CWE List page. A detailed report is available that lists specific changes between Version 4.19.1 and Version 4.20.

Main Changes

CWE 4.20 includes 1 new view to congregate common AI-related weaknesses and 2 new categories related to the new AI view; added Observed Examples (i.e., in-the-wild CVE examples) to 20+ CWEs to improve entry completeness; added detection methods and mitigations to 20+ CWEs; updated vulnerability mapping notes for 15+ CWEs; added content modifications from several community submissions via the CWE Content Development Repository (CDR); usability improvements (i.e., diagrams, clarified language, better utility of schema elements) for 9 CWEs; added CWE version and release date information for older modifications before CWE 4.14; among other updates.

One new view added:

Two new categories related to the Weaknesses Related to AI/ML Products view added:

Usability Improvements

Content History

  • Added the CWE version and release date for older modifications before CWE 4.14, so that users can more easily understand when CWE entries changed. That data has been regularly included for modifications since CWE 4.14, but older content history was not as complete.

Schema Changes

There were no schema changes.

Summary

There are 944 weaknesses and a total of 1,450 entries on the CWE List.

Changes for the new version include the following:

New Views Added: 1
Views Deprecated: 0
New Categories Added: 2
Categories Deprecated: 0
New Entries Added: 0
Entries Deprecated: 0
Entries with Major Changes: 128
Entries with only Minor Changes: 9
Entries Unchanged: 1,310

See the complete list of changes at https://cwe.mitre.org/data/reports/diff_reports/v4.19.1_v4.20.html.

Future updates will be noted here, on the CWE page on LinkedIn, on CWE on X, on CWE on Mastodon, and on CWE on Bluesky. Please contact us with any comments or concerns.

CWE Is Focus of Three Talks at VulnCon 2026

April 8, 2026

CWE is the main focus of three talks at CVE/FIRST VulnCon 2026 being held at the DoubleTree Resort by Hilton Hotel Paradise Valley – Scottsdale, in Scottsdale, Arizona, USA, on April 13-16, 2026:

The CVE Program and FIRST are co-hosting VulnCon 2026 at the DoubleTree Resort by Hilton Hotel Paradise Valley – Scottsdale, in Scottsdale, Arizona, USA, on April 13-16, 2026

Feel free to contact us on CWE social media or at cwe@mitre.org with any feedback about these presentations.

“2025 CWE Top 10 KEV Weaknesses” List Now Available

January 29, 2026

The “2025 CWE Top 10 KEV Weaknesses” list, which lists the top ten CWEs in the Cybersecurity and Infrastructure Security Agency’s (CISA) “Known Exploited Vulnerabilities (KEV) Catalog,” is now available on the CWE website.

The KEV is a database of security flaws in software applications and weaknesses that have been exposed and leveraged by attackers. Each vulnerability listed in KEV is identified by, and links to, a CVE Record. CISA recommends that organizations monitor the KEV catalog and use its content to help prioritize remediation activities in their systems to reduce the likelihood of compromise.

Our analysis/key insights about the 2025 Top 10 KEV Weaknesses list are available here, and our methodology for creating the list is here.

2025 CWE Top 10 KEV Weaknesses List Treemap Chart from the KEV Insights page
View the full CWE Top 10 KEV list here.

2025 CWE Top 25 Weaknesses “On the Cusp” List Now Available

January 29, 2026

A list of the fifteen additional weaknesses that were “on the cusp” of being included in the “2025 CWE Top 25 Most Dangerous Software Weaknesses” list is now available on the 2025 “On the Cusp” List page.

These CWEs, ranked in positions 26-40, were not included in the 2025 CWE Top 25 but continue to be prevalent and severe enough to cause concern. View the 2025 On the Cusp Insights.

CWE Version 4.19.1 Now Available

January 21, 2026

CWE Version 4.19.1 has been posted on the CWE List page. CWE 4.19.1 is an unscheduled release that fixes incorrect relationships in the Weaknesses in the 2025 CWE Top 25 Most Dangerous Software Weaknesses view. The updated View-1435 now contains the correct relationships. There were no other changes.

A detailed report is available that lists specific changes between Version 4.19 and Version 4.19.1.

Summary

There are 944 weaknesses and a total of 1,447 entries on the CWE List.

Changes for the new version include the following:

New Views Added: 0
Views Deprecated: 0
New Categories Added: 0
Categories Deprecated: 0
New Entries Added: 0
Entries Deprecated: 0
Entries with Major Changes: 9
Entries with only Minor Changes: 0
Entries Unchanged: 1,438

See the complete list of changes at https://cwe.mitre.org/data/reports/diff_reports/v4.19_v4.19.1.html.

Future updates will be noted here, on the CWE Research email discussion list, on the CWE page on LinkedIn, on CWE on X, on CWE on Mastodon, and on CWE on Bluesky. Please contact us with any comments or concerns.

Page Last Updated: May 13, 2026