MITRE publishes the top 25 most dangerous software weaknesses

US not-for-profit cyber security research organization MITRE has published its list of the top 25 most dangerous software weaknesses for 2023, with the top three remaining unchanged from last year.

The 2023 Common Weakness Enumeration (CWE) list is calculated by analyzing public vulnerability data in the National Vulnerability Database (NVD) for root cause mappings to CWE weaknesses for the previous two calendar years.

The vulnerabilities can be exploited by an attacker to take control of, steal data from or otherwise disrupt the working of applications and systems.

The top three weaknesses are unchanged from last year and are once again topped by out-of-bounds write flaws, represented as CWE-787.

An out-of-bounds write occurs when a product writes data past the end or before the beginning of the intended buffer. 

The result can be a crash, corruption, or code execution. 70 such vulnerabilities were added to the Known Exploited Vulnerabilities (KEV) list, according to the team.

In second place was improper neutralization of input during web page generation, also known as cross-site scripting (XSS), of which there are three types.

The first is reflected XSS, where the server reads data directly from the HTTP request and reflects it back in the HTTP response. Malicious content might then be executed by the victim’s browser.

The second is stored XSS, where malicious data is stored in a database - for example, that of a message forum - and then included in dynamic content.

The third is DOM-based XSS, where the client performs the injection of XSS into the page.
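The reflected and stored cases described above can be shown side by side with their fix, output encoding at render time. This is an added example, not code from MITRE or the article; the function names, the in-memory "forum" and the sample input are constructed for illustration, and DOM-based XSS is not covered because it lives in client-side script.

```python
import html

# Constructed stand-in for the database behind a message forum.
FORUM_POSTS = []

# Constructed sample input: a harmless marker script element.
SAMPLE_INPUT = "<script>alert(1)</script>"


def render_search_unsafe(query: str) -> str:
    """Reflected case: request data is copied into the response verbatim."""
    return f"<p>Results for: {query}</p>"


def render_search_safe(query: str) -> str:
    """Encode on output so markup in the query is displayed, not parsed."""
    return f"<p>Results for: {html.escape(query, quote=True)}</p>"


def save_post(body: str) -> None:
    """Stored case: keep the raw text; encoding belongs where it is output."""
    FORUM_POSTS.append(body)


def render_forum_unsafe() -> str:
    """Every later visitor receives whatever markup was stored."""
    return "".join(f"<li>{post}</li>" for post in FORUM_POSTS)


def render_forum_safe() -> str:
    """Same data, encoded for the HTML body context when the page is built."""
    return "".join(
        f"<li>{html.escape(post, quote=True)}</li>" for post in FORUM_POSTS
    )


if __name__ == "__main__":
    save_post(SAMPLE_INPUT)
    print(render_search_unsafe(SAMPLE_INPUT))
    print(render_search_safe(SAMPLE_INPUT))
    print(render_forum_unsafe())
    print(render_forum_safe())
```

`html.escape` is correct for HTML body and quoted attribute contexts only; values placed inside script blocks, URLs or CSS need the encoder for that context.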

Rounding out the top three is SQL Injection, where elements of an improperly formatted SQL query can be treated as commands. 

SQL Injection attacks can take a variety of forms, including user inputs that are passed to the database for processing without appropriate safeguards, and poisoned queries based on cookies.
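The cookie-based form mentioned above is worth seeing in code, because cookies are often treated as trusted when they are fully client-controlled. This is an added example, not code from MITRE or the article; the table, the cookie name `user` and the function names are assumptions, and the data is constructed.

```python
import sqlite3
from http.cookies import SimpleCookie

# Constructed cookie header whose value carries SQL syntax.
POISONED_COOKIE = "user=\"x' OR '1'='1\""


def make_db() -> sqlite3.Connection:
    """Build an in-memory database with constructed sample accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO accounts VALUES (?, ?)",
        [("alice", "alice@example.test"), ("bob", "bob@example.test")],
    )
    return db


def username_from_cookie(cookie_header: str) -> str:
    """Parse the Cookie header; the value is untrusted like any other input."""
    cookie = SimpleCookie()
    cookie.load(cookie_header)
    return cookie["user"].value


def lookup_unsafe(db: sqlite3.Connection, cookie_header: str) -> list:
    user = username_from_cookie(cookie_header)
    # Weak: the value becomes part of the SQL text, so a quote in it
    # ends the string literal and the rest is parsed as SQL.
    sql = "SELECT email FROM accounts WHERE username = '" + user + "'"
    return [row[0] for row in db.execute(sql)]


def lookup_safe(db: sqlite3.Connection, cookie_header: str) -> list:
    user = username_from_cookie(cookie_header)
    # Corrected: the driver binds the value to the placeholder, so it is
    # only ever compared as data, whatever characters it contains.
    sql = "SELECT email FROM accounts WHERE username = ?"
    return [row[0] for row in db.execute(sql, (user,))]


if __name__ == "__main__":
    db = make_db()
    print(lookup_unsafe(db, POISONED_COOKIE))  # every account's email
    print(lookup_safe(db, POISONED_COOKIE))    # no match
```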

Moving up to positions four and five respectively were use after free flaws, represented as CWE-416, and improper neutralization of special elements used in an OS command, represented as CWE-78 and also known as 'OS command injection'.

‘Use after free’ refers to the practice of referencing memory after it has been freed, causing a program to crash or unexpected code to be executed. 

OS command injection, as the name suggests, allows an OS command to be constructed and executed in a way that should not normally be permitted. 

The potential consequences include elevation of privileges which, when chained with other vulnerability exploits, can lead to attackers gaining the ability to execute commands on an organization’s machine with the necessary privileges to inflict the most damage.
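How an OS command ends up "constructed" from input, and the two usual defences (no shell, plus an allow-list on the value), as an added example that is not from MITRE or the article. The function names, the host-name pattern and the sample input are assumptions, and `echo` stands in for whatever tool a real service would call; it assumes a POSIX system.

```python
import re
import subprocess

# Assumed allow-list for this example: letters, digits, dots and hyphens.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9.-]{1,253}")

# Constructed sample input containing a shell command separator.
SAMPLE_INPUT = "host1; echo INJECTED"


def check_host_unsafe(host: str) -> str:
    # Weak: the whole string is handed to /bin/sh, so ';', '|' or '$()'
    # inside host is interpreted as shell syntax, not as part of the name.
    done = subprocess.run(
        "echo checking " + host, shell=True, capture_output=True, text=True
    )
    return done.stdout


def run_without_shell(host: str) -> str:
    # Corrected: an argument list and no shell. host is passed as exactly
    # one argv entry, so metacharacters in it have no special meaning.
    done = subprocess.run(
        ["echo", "checking", host], capture_output=True, text=True
    )
    return done.stdout


def check_host_safe(host: str) -> str:
    # Second layer: reject anything that is not shaped like a host name,
    # which also stops values the called program might treat as options.
    if not HOSTNAME_RE.fullmatch(host) or host.startswith("-"):
        raise ValueError("rejected host name")
    return run_without_shell(host)


if __name__ == "__main__":
    print(repr(check_host_unsafe(SAMPLE_INPUT)))  # two commands ran
    print(repr(run_without_shell(SAMPLE_INPUT)))  # one command, literal text
    print(repr(check_host_safe("host1")))
```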

As well as the ‘use after free’ vulnerability, missing authorization (CWE-862), improper privilege management (CWE-269), and incorrect authorization (CWE-863) all moved up the list of vulnerabilities, the latter entering the top 25.

Deserialization of untrusted data (CWE-502), use of hardcoded credentials (CWE-798), and incorrect default permissions (CWE-276) all moved down.

The team reported that improper restriction of XML external entity reference (CWE-611) dropped out of the top 25 this year.

The complete list was:

  • CWE-787 - out-of-bounds write
  • CWE-79 - improper neutralization of input during web page generation ('cross-site scripting')
  • CWE-89 - improper neutralization of special elements used in an SQL command ('SQL injection')
  • CWE-416 - use after free
  • CWE-78 - improper neutralization of special elements used in an OS command ('OS command injection')
  • CWE-20 - improper input validation
  • CWE-125 - out-of-bounds read
  • CWE-22 - improper limitation of a pathname to a restricted directory ('path traversal')
  • CWE-352 - cross-site request forgery (CSRF)
  • CWE-434 - unrestricted upload of file with dangerous type
  • CWE-862 - missing authorization
  • CWE-476 - null pointer dereference
  • CWE-287 - improper authentication
  • CWE-190 - integer overflow or wraparound
  • CWE-502 - deserialization of untrusted data
  • CWE-77 - improper neutralization of special elements used in a command ('command injection')
  • CWE-119 - improper restriction of operations within the bounds of a memory buffer
  • CWE-798 - use of hard-coded credentials
  • CWE-918 - server-side request forgery (SSRF)
  • CWE-306 - missing authentication for critical function
  • CWE-362 - concurrent execution using shared resource with improper synchronization ('race condition')
  • CWE-269 - improper privilege management
  • CWE-94 - improper control of generation of code ('code injection')
  • CWE-863 - incorrect authorization
  • CWE-276 - incorrect default permissions

Using this data

According to the team: “Trend analysis on vulnerability data like this enables organizations to make better investment and policy decisions in vulnerability management.”

“Many professionals who deal with software will find the CWE Top 25 a practical and convenient resource to help mitigate risk.”

The list is a useful reference for enterprises seeking to harden their CI/CD environments. Despite the existence of scanning tools to check for vulnerabilities, the list is a reminder that errors still slip into even the most used products.

Richard Speed
Staff Writer