The 25 Most Dangerous Software Errors Has Been Updated

The Common Weakness Enumeration (CWE) is used by professionals around the world to identify the most widespread and critical weaknesses that are known to cause serious vulnerabilities in software. According to Howard Solomon at IT World Canada, the list had not been updated in eight years; the refreshed 25 Most Dangerous Software Errors list now uses a new data-driven approach based on real-world vulnerabilities reported by security researchers. Explaining the methodology in more detail, the CWE website says the team obtained vulnerability and exposure data from the National Vulnerability Database (NVD) and then developed a scoring formula to calculate a rank order of weaknesses. The complete list of the 25 most dangerous software errors appears below, with each entry's overall score and its CWE ID, which is linked to more information about the error on the CWE website.

  1. CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer Score: 75.56

  2. CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') Score: 45.69

  3. CWE-20: Improper Input Validation Score: 43.61

  4. CWE-200: Information Exposure Score: 32.12

  5. CWE-125: Out-of-bounds Read Score: 26.53

  6. CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') Score: 24.54

  7. CWE-416: Use After Free Score: 17.94

  8. CWE-190: Integer Overflow or Wraparound Score: 17.35

  9. CWE-352: Cross-Site Request Forgery (CSRF) Score: 15.54

  10. CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Score: 14.10

  11. CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') Score: 11.47

  12. CWE-787: Out-of-bounds Write Score: 11.08

  13. CWE-287: Improper Authentication Score: 10.78

  14. CWE-476: NULL Pointer Dereference Score: 9.74

  15. CWE-732: Incorrect Permission Assignment for Critical Resource Score: 6.33

  16. CWE-434: Unrestricted Upload of File with Dangerous Type Score: 5.50

  17. CWE-611: Improper Restriction of XML External Entity Reference Score: 5.48

  18. CWE-94: Improper Control of Generation of Code ('Code Injection') Score: 5.36

  19. CWE-798: Use of Hard-coded Credentials Score: 5.12

  20. CWE-400: Uncontrolled Resource Consumption Score: 5.04

  21. CWE-772: Missing Release of Resource after Effective Lifetime Score: 5.04

  22. CWE-426: Untrusted Search Path Score: 4.40

  23. CWE-502: Deserialization of Untrusted Data Score: 4.30

  24. CWE-269: Improper Privilege Management Score: 4.23

  25. CWE-295: Improper Certificate Validation Score: 4.06
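The article does not reproduce the scoring formula itself. As an added illustration (not code from the article, IT World Canada, or the CWE project), the script below applies the frequency-times-severity normalization that MITRE published for this 2019 list to a small constructed set of CVE records: each weakness's CVE count and mean CVSS base score are min-max scaled to [0, 1] across all weaknesses, multiplied, and scaled to 100. The CVE identifiers and CVSS values are invented sample data, not real NVD entries.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample records: (placeholder CVE id, mapped CWE id, CVSS base score).
# Not real NVD data; the ids are deliberately obvious placeholders.
SAMPLE_CVES = [
    ("CVE-EXAMPLE-0001", "CWE-119", 9.8),
    ("CVE-EXAMPLE-0002", "CWE-119", 7.5),
    ("CVE-EXAMPLE-0003", "CWE-119", 8.8),
    ("CVE-EXAMPLE-0004", "CWE-79", 6.1),
    ("CVE-EXAMPLE-0005", "CWE-79", 5.4),
    ("CVE-EXAMPLE-0006", "CWE-89", 9.8),
    ("CVE-EXAMPLE-0007", "CWE-798", 9.8),
]


def normalize(value, lo, hi):
    """Min-max scale value into [0, 1]; treat a degenerate range as 0."""
    return 0.0 if hi == lo else (value - lo) / (hi - lo)


def score_weaknesses(cves):
    """Return {cwe: (cve_count, mean_cvss, score)} with score = Fr * Sv * 100."""
    counts = defaultdict(int)
    cvss = defaultdict(list)
    for _, cwe, base in cves:
        counts[cwe] += 1
        cvss[cwe].append(base)
    avg = {cwe: mean(scores) for cwe, scores in cvss.items()}
    min_c, max_c = min(counts.values()), max(counts.values())
    min_s, max_s = min(avg.values()), max(avg.values())
    result = {}
    for cwe in counts:
        fr = normalize(counts[cwe], min_c, max_c)  # frequency component
        sv = normalize(avg[cwe], min_s, max_s)     # severity component
        result[cwe] = (counts[cwe], round(avg[cwe], 2), round(fr * sv * 100, 2))
    return result


def rank(cves):
    """Order weaknesses by descending score, as the Top 25 list does."""
    return sorted(score_weaknesses(cves).items(), key=lambda kv: kv[1][2], reverse=True)


if __name__ == "__main__":
    for position, (cwe, (count, avg_cvss, score)) in enumerate(rank(SAMPLE_CVES), 1):
        print(f"{position}. {cwe}: count={count} mean_cvss={avg_cvss} score={score}")
```

Note the formula's edge behaviour: CWE-89 here has the highest mean CVSS but the lowest count, so its frequency component is 0 and it scores 0, which is why a rarely reported but severe weakness can rank far below a common moderate one.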