
MITRE shares 2025's top 25 most dangerous software weaknesses


MITRE has shared this year's top 25 list of the most dangerous software weaknesses behind over 39,000 security vulnerabilities disclosed between June 2024 and June 2025.

The list was released in cooperation with the Homeland Security Systems Engineering and Development Institute (HSSEDI) and the Cybersecurity and Infrastructure Security Agency (CISA), which manage and sponsor the Common Weakness Enumeration (CWE) program.

Software weaknesses are flaws, bugs, or errors in a program's code, implementation, architecture, or design that attackers can abuse to breach systems running the vulnerable software. Successful exploitation can let threat actors take control of compromised devices, trigger denial-of-service conditions, or access sensitive data.

To create this year's ranking, MITRE scored each weakness based on its severity and frequency after analyzing 39,080 CVE Records for vulnerabilities reported between June 1, 2024, and June 1, 2025.
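To make the scoring concrete, the following is an added example (not MITRE's code) that ranks weaknesses from a set of CVE records using the normalized frequency-times-severity formula MITRE has published for earlier editions of the Top 25: frequency is the number of CVEs mapped to a CWE, severity is the average CVSS base score of those CVEs, each is min-max normalized across all CWEs, and the score is their product times 100. That the 2025 edition applies exactly this formula is an assumption, and the CVE records are constructed, not real data. The KEV count mirrors the "KEV CVEs" column of the list.

```python
"""Rank CWEs from CVE records with a normalized frequency x severity score.

Added example, not MITRE's own code. Formula (published for earlier
CWE Top 25 editions; assumed here for 2025):
    Fr(CWE) = (count(CWE) - min_count) / (max_count - min_count)
    Sv(CWE) = (avg_cvss(CWE) - min_avg) / (max_avg - min_avg)
    Score   = Fr * Sv * 100
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CveRecord:
    cve_id: str
    cwe_id: str   # primary weakness the CVE is mapped to
    cvss: float   # CVSS base score, 0.0 to 10.0
    in_kev: bool  # listed in CISA's Known Exploited Vulnerabilities catalog


# Constructed sample records (hypothetical IDs, not real CVE data).
SAMPLE_RECORDS = [
    CveRecord("CVE-0000-0001", "CWE-79", 6.1, False),
    CveRecord("CVE-0000-0002", "CWE-79", 5.4, False),
    CveRecord("CVE-0000-0003", "CWE-79", 6.1, True),
    CveRecord("CVE-0000-0004", "CWE-79", 4.8, False),
    CveRecord("CVE-0000-0005", "CWE-89", 9.8, True),
    CveRecord("CVE-0000-0006", "CWE-89", 8.8, False),
    CveRecord("CVE-0000-0007", "CWE-787", 9.8, True),
    CveRecord("CVE-0000-0008", "CWE-787", 7.8, True),
    CveRecord("CVE-0000-0009", "CWE-787", 8.8, False),
    CveRecord("CVE-0000-0010", "CWE-476", 5.5, False),
]


def _normalize(value, lo, hi):
    # Min-max scaling; guard the degenerate case where every CWE shares
    # the same count or the same average severity.
    return 0.0 if hi == lo else (value - lo) / (hi - lo)


def rank_cwes(records):
    """Return one row per CWE, sorted by score (highest first), with rank assigned."""
    counts = defaultdict(int)
    cvss_sum = defaultdict(float)
    kev = defaultdict(int)
    for rec in records:
        counts[rec.cwe_id] += 1
        cvss_sum[rec.cwe_id] += rec.cvss
        kev[rec.cwe_id] += int(rec.in_kev)

    avg = {cwe: cvss_sum[cwe] / counts[cwe] for cwe in counts}
    min_c, max_c = min(counts.values()), max(counts.values())
    min_s, max_s = min(avg.values()), max(avg.values())

    rows = []
    for cwe in counts:
        fr = _normalize(counts[cwe], min_c, max_c)
        sv = _normalize(avg[cwe], min_s, max_s)
        rows.append({
            "cwe": cwe,
            "cves": counts[cwe],
            "kev": kev[cwe],
            "avg_cvss": round(avg[cwe], 2),
            "score": round(fr * sv * 100, 2),
        })
    # Tie-break on raw CVE count, then on ID, so the order is deterministic.
    rows.sort(key=lambda row: (-row["score"], -row["cves"], row["cwe"]))
    for rank, row in enumerate(rows, start=1):
        row["rank"] = rank
    return rows


if __name__ == "__main__":
    print(f"{'Rank':<5}{'ID':<9}{'Score':>7}{'CVEs':>6}{'KEV':>5}")
    for row in rank_cwes(SAMPLE_RECORDS):
        print(f"{row['rank']:<5}{row['cwe']:<9}{row['score']:>7}{row['cves']:>6}{row['kev']:>5}")
```

On this constructed input CWE-79 has the most CVEs but the lowest average severity, so it lands third behind CWE-787 and CWE-89; the real list puts XSS first because its frequency dwarfs everything else. The single CWE with the lowest count normalizes to a frequency of zero and therefore scores zero regardless of severity, which is a known quirk of min-max scaling worth keeping in mind when reading the tail of the list.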

While Cross-Site Scripting (CWE-79) retains its spot at the top of the Top 25, there were many changes in rankings from last year's list. The biggest movers up the list were Missing Authorization (CWE-862, up five places), NULL Pointer Dereference (CWE-476, up eight), and Missing Authentication for Critical Function (CWE-306, up four).

The new entries in this year's top-most severe and prevalent weaknesses are Classic Buffer Overflow (CWE-120), Stack-based Buffer Overflow (CWE-121), Heap-based Buffer Overflow (CWE-122), Improper Access Control (CWE-284), Authorization Bypass Through User-Controlled Key (CWE-639), and Allocation of Resources Without Limits or Throttling (CWE-770).

2025 CWE Top 25. "KEV CVEs" is the number of CVEs mapped to that weakness that appear in CISA's Known Exploited Vulnerabilities catalog; "Change" is the movement from the 2024 ranking, with N/A marking a new entry.

Rank  ID       Name                                              Score  KEV CVEs  Change
1     CWE-79   Cross-site Scripting                              60.38  7         0
2     CWE-89   SQL Injection                                     28.72  4         +1
3     CWE-352  Cross-Site Request Forgery (CSRF)                 13.64  0         +1
4     CWE-862  Missing Authorization                             13.28  0         +5
5     CWE-787  Out-of-bounds Write                               12.68  12        -3
6     CWE-22   Path Traversal                                    8.99   10        -1
7     CWE-416  Use After Free                                    8.47   14        +1
8     CWE-125  Out-of-bounds Read                                7.88   3         -2
9     CWE-78   OS Command Injection                              7.85   20        -2
10    CWE-94   Code Injection                                    7.57   7         +1
11    CWE-120  Classic Buffer Overflow                           6.96   0         N/A
12    CWE-434  Unrestricted Upload of File with Dangerous Type   6.87   4         -2
13    CWE-476  NULL Pointer Dereference                          6.41   0         +8
14    CWE-121  Stack-based Buffer Overflow                       5.75   4         N/A
15    CWE-502  Deserialization of Untrusted Data                 5.23   11        +1
16    CWE-122  Heap-based Buffer Overflow                        5.21   6         N/A
17    CWE-863  Incorrect Authorization                           4.14   4         +1
18    CWE-20   Improper Input Validation                         4.09   2         -6
19    CWE-284  Improper Access Control                           4.07   1         N/A
20    CWE-200  Exposure of Sensitive Information                 4.01   1         -3
21    CWE-306  Missing Authentication for Critical Function      3.47   11        +4
22    CWE-918  Server-Side Request Forgery (SSRF)                3.36   0         -3
23    CWE-77   Command Injection                                 3.15   2         -10
24    CWE-639  Authorization Bypass via User-Controlled Key      2.62   0         +6
25    CWE-770  Allocation of Resources w/o Limits or Throttling  2.54   0         +1

"Often easy to find and exploit, these can lead to exploitable vulnerabilities that allow adversaries to completely take over a system, steal data, or prevent applications from working," MITRE said.

"This annual list identifies the most critical weaknesses adversaries exploit to compromise systems, steal data, or disrupt services. CISA and MITRE encourage organizations to review this list and use it to inform their respective software security strategies," the U.S. Cybersecurity and Infrastructure Security Agency (CISA) added.

In recent years, CISA has issued multiple "Secure by Design" alerts spotlighting the prevalence of widely documented vulnerabilities that remain in software despite available mitigations.
