The Common Weakness Enumeration (CWE) is a community-developed catalog of software and hardware security weaknesses maintained by the MITRE Corporation. It assigns each type of vulnerability a unique identifier, a description, and guidance on prevention. If you work in application security — or write code that needs to be secure — CWE is a foundational reference.

What CWE Is (and Is Not)

CWE describes types of weaknesses, not specific bugs in specific software. A single CWE entry like CWE-79 (Cross-Site Scripting) covers every instance of that weakness across every application that has ever been vulnerable to it.

This is what distinguishes CWE from CVE: a CVE identifies a specific vulnerability in a specific product, while CWE identifies the underlying class of flaw. Think of it this way — CVE-2026-27696 describes an SSRF bug in changedetection.io. That bug is an instance of CWE-918 (SSRF). The CWE tells you the pattern; the CVE tells you a specific occurrence.

How CWE Is Structured

The CWE list is organized hierarchically:

  • Pillars — the highest level of abstraction, like “Improper Input Validation” (CWE-20)
  • Classes — broad weakness types that are still somewhat abstract
  • Bases — more specific weaknesses that describe a particular flaw pattern
  • Variants — the most specific level, describing a weakness in the context of a particular language or technology

Each CWE entry includes:

  • A description of the weakness
  • Common consequences (confidentiality, integrity, availability impact)
  • Demonstrative examples with code
  • Observed instances (links to CVEs)
  • Potential mitigations
  • Related weaknesses

Key CWEs Every Developer Should Know

CWE-79: Cross-Site Scripting (XSS)

The application includes untrusted data in web output without proper encoding, allowing attackers to execute scripts in other users’ browsers. This leads to session hijacking, defacement, and phishing. Mitigate with output encoding and Content Security Policy.
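The following is an added example (not code from the original article or from CWE) showing the vulnerable pattern next to the two mitigations named above: context-appropriate output encoding and a Content Security Policy. The comment string, the element names and the CSP value are constructed for the example.

```python
import html

# Constructed untrusted input: a "comment" that carries markup and quotes.
UNTRUSTED_COMMENT = '<b>Hi</b> <script>track()</script> "quoted"'


def render_unsafe(comment: str) -> str:
    # Vulnerable pattern (CWE-79): untrusted data is spliced into HTML verbatim,
    # so any markup in it becomes part of the page.
    return f'<p class="comment">{comment}</p>'


def render_encoded(comment: str) -> str:
    # Hardened: encode for the HTML element-body context. quote=True also
    # encodes " and ', so the same helper is safe inside quoted attribute values.
    return f'<p class="comment">{html.escape(comment, quote=True)}</p>'


def render_title_attribute(title: str) -> str:
    # Attribute context: the value must be both quoted and encoded; an
    # unencoded quote would otherwise terminate the attribute early.
    return f'<a title="{html.escape(title, quote=True)}" href="/comments">comments</a>'


def csp_header_value() -> str:
    # Defense in depth: a policy that disallows inline script and plugins, so a
    # single missed encoding point cannot run injected script.
    return "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'"


if __name__ == "__main__":
    print(render_unsafe(UNTRUSTED_COMMENT))
    print(render_encoded(UNTRUSTED_COMMENT))
    print(render_title_attribute(UNTRUSTED_COMMENT))
    print("Content-Security-Policy:", csp_header_value())
```

Encoding is context-specific: `html.escape` is correct for element bodies and quoted attributes, but data placed into a JavaScript block, a URL, or a CSS value needs the encoder for that context, which is why the CSP is kept as a second layer.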

CWE-89: SQL Injection

User input is incorporated into SQL queries without parameterization. Attackers can read, modify, or delete database contents. Use parameterized queries or prepared statements — never concatenate user input into SQL.

CWE-352: Cross-Site Request Forgery (CSRF)

The application doesn’t verify that a state-changing request was intentionally submitted by the authenticated user. Mitigate with anti-CSRF tokens and SameSite cookie attributes.
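An added example (not from the original article or from CWE) of the two mitigations just listed: a per-session anti-CSRF token that must round-trip with every state-changing request, and a session cookie issued with the SameSite attribute. The session dictionary, cookie name and the "transfer" handler are constructed stand-ins for a web framework's equivalents.

```python
import hmac
import secrets
from typing import Dict, Optional, Tuple

SESSION_COOKIE_NAME = "session"  # constructed name for the example


def issue_csrf_token(session: Dict[str, str]) -> str:
    """Create an unpredictable per-session token, store it server-side, and
    return it for embedding in the form as a hidden field."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def verify_csrf_token(session: Dict[str, str], submitted: Optional[str]) -> bool:
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    # Constant-time comparison so the check does not leak the token byte by byte.
    return hmac.compare_digest(expected.encode("utf-8"), submitted.encode("utf-8"))


def session_cookie_header(session_id: str) -> str:
    # SameSite=Lax stops the browser attaching the cookie to cross-site POSTs
    # (Strict also covers top-level navigations); Secure and HttpOnly are standard hygiene.
    return f"{SESSION_COOKIE_NAME}={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def handle_transfer(session: Dict[str, str], form: Dict[str, str]) -> Tuple[int, str]:
    """A state-changing handler: refuse the request unless the token round-trips."""
    if not verify_csrf_token(session, form.get("csrf_token")):
        return 403, "CSRF token missing or invalid"
    return 200, f"transferred {form.get('amount')} to {form.get('to')}"


def demonstrate() -> Tuple[int, int, int]:
    # Status codes for: a genuine form post, a cross-site post with no token,
    # and a post carrying a guessed token.
    session: Dict[str, str] = {}
    token = issue_csrf_token(session)
    genuine = handle_transfer(session, {"csrf_token": token, "amount": "10", "to": "carol"})[0]
    no_token = handle_transfer(session, {"amount": "10", "to": "carol"})[0]
    guessed = handle_transfer(session, {"csrf_token": "guess", "amount": "10", "to": "carol"})[0]
    return genuine, no_token, guessed


if __name__ == "__main__":
    print(demonstrate())
    print("Set-Cookie:", session_cookie_header("constructed-session-id"))
```

The token and the cookie attribute cover different cases: SameSite relies on browser support and does not apply to same-site subdomains, while the token check works regardless of where the request originated, so production handlers typically use both.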

CWE-918: Server-Side Request Forgery (SSRF)

The application fetches a remote resource using a user-supplied URL without validating the destination. Attackers can access internal services and cloud metadata endpoints. Mitigate with URL allowlisting and network segmentation.
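An added example (not from the original article or from CWE) of the URL allowlisting mitigation: a validator that a fetch routine would call before making any outbound request. The allowlist entries and the scheme and port policy are assumptions chosen for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist for this example; a real deployment would configure it.
ALLOWED_HOSTS = frozenset({"api.example.com", "cdn.example.com"})
ALLOWED_SCHEMES = frozenset({"http", "https"})


def is_non_public_literal(host: str) -> bool:
    """True if host is an IP literal that is not a globally routable unicast
    address (loopback, private, link-local and similar). Hostnames return False."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return not addr.is_global


def validate_outbound_url(url: str) -> str:
    """Return url unchanged if it passes every check, otherwise raise ValueError."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username is not None or parts.password is not None:
        # user@host forms are a classic way to make the allowlisted name appear first.
        raise ValueError("userinfo in URL is not allowed")
    host = parts.hostname  # lowercased; IPv6 brackets already removed
    if not host:
        raise ValueError("URL has no host")
    if is_non_public_literal(host):
        raise ValueError(f"non-public address literal rejected: {host!r}")
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"host not on allowlist: {host!r}")
    if parts.port not in (None, 80, 443):
        raise ValueError(f"port not allowed: {parts.port}")
    return url


def is_allowed(url: str) -> bool:
    try:
        validate_outbound_url(url)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for candidate in ("https://api.example.com/v1/items", "http://10.0.0.1/", "file:///placeholder"):
        print(candidate, "->", is_allowed(candidate))
```

This check operates on the URL string only. A hostname on the allowlist can still resolve to an internal address, and the fetched server can redirect elsewhere, so the resolved address should be re-checked at connection time, redirects should not be followed automatically, and the network segmentation mentioned above remains the backstop.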

CWE-611: XML External Entity (XXE)

The application parses XML input containing references to external entities. Attackers can read local files, perform SSRF, or cause denial of service. Mitigate by disabling external entity resolution.
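An added example (not from the original article or from CWE) of disabling external entity resolution with Python's standard-library SAX parser. The XML documents are constructed for the example, and the entity points at a placeholder path that does not exist; with resolution switched off it is never opened.

```python
import io
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges

# Constructed sample: the DTD declares an external entity pointing at a placeholder
# path. With external entity resolution disabled, the file is never read and the
# reference expands to nothing.
SAMPLE_XXE_XML = """<?xml version="1.0"?>
<!DOCTYPE note [
  <!ENTITY ext SYSTEM "file:///placeholder/secret.txt">
]>
<note><body>&ext;</body></note>
"""

SAMPLE_PLAIN_XML = "<note><body>hello</body></note>"


class TextCollector(ContentHandler):
    """Collects character data so the example can show what the entity expanded to."""

    def __init__(self) -> None:
        super().__init__()
        self.parts = []

    def characters(self, content: str) -> None:
        self.parts.append(content)


def has_doctype(data: str) -> bool:
    # Strictest option: refuse any document that carries a DTD at all, which also
    # rules out entity-expansion denial of service.
    return "<!DOCTYPE" in data


def parse_untrusted_xml(data: str) -> str:
    """Parse with external general entity resolution switched off; return the text content."""
    parser = xml.sax.make_parser()
    # Explicit even though recent Python versions default to False: the setting
    # documents intent and protects older interpreters.
    parser.setFeature(feature_external_ges, False)
    collector = TextCollector()
    parser.setContentHandler(collector)
    parser.parse(io.BytesIO(data.encode("utf-8")))
    return "".join(collector.parts).strip()


if __name__ == "__main__":
    print(repr(parse_untrusted_xml(SAMPLE_XXE_XML)))    # '' : the entity was not resolved
    print(repr(parse_untrusted_xml(SAMPLE_PLAIN_XML)))  # 'hello'
    print(has_doctype(SAMPLE_XXE_XML), has_doctype(SAMPLE_PLAIN_XML))
```

Each XML library has its own switch for this (for example `feature_external_ges` here, or the equivalent parser features in Java's JAXP); the defensive rule is the same regardless: turn entity resolution off, and reject DOCTYPE declarations entirely when the application never needs them.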

CWE-502: Deserialization of Untrusted Data

The application deserializes data from an untrusted source. Attackers can craft payloads that execute arbitrary code during deserialization. This is especially dangerous in Java and PHP. Mitigate by avoiding deserialization of untrusted data or using safe formats like JSON.
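An added example (not from the original article or from CWE) of the two mitigations named above, in Python: a JSON loader with explicit shape validation as the preferred route, and, for code that cannot yet move off a native serializer, a pickle unpickler that refuses every class lookup (the "Restricting Globals" pattern from the Python documentation). The profile fields and the sample pickles are constructed for the example.

```python
import datetime
import io
import json
import pickle
from typing import Any, Dict, Set, Tuple

# Constructed samples. PLAIN_PICKLE contains only built-in containers and scalars;
# OBJECT_PICKLE reconstructs a datetime.date and therefore needs a class lookup,
# which is exactly where the restriction below bites.
PLAIN_PICKLE = pickle.dumps({"user_id": 7, "roles": ["viewer"]})
OBJECT_PICKLE = pickle.dumps(datetime.date(2024, 1, 1))

ALLOWED_GLOBALS: Set[Tuple[str, str]] = set()  # empty: no module.name lookups at all


class RestrictedUnpickler(pickle.Unpickler):
    # Every class or callable a pickle refers to is resolved through find_class,
    # so refusing there blocks the constructors and callables a malicious payload
    # relies on. The safest allowlist is the empty one.
    def find_class(self, module: str, name: str) -> Any:
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def restricted_loads(data: bytes) -> Any:
    return RestrictedUnpickler(io.BytesIO(data)).load()


def loads_if_plain(data: bytes) -> Tuple[bool, Any]:
    """(True, obj) if the pickle used only built-in types, else (False, None)."""
    try:
        return True, restricted_loads(data)
    except pickle.UnpicklingError:
        return False, None


EXPECTED_FIELDS = {"user_id": int, "display_name": str, "roles": list}


def load_profile_json(data: str) -> Dict[str, Any]:
    """Preferred route: a data-only format plus explicit validation of the shape."""
    obj = json.loads(data)
    if not isinstance(obj, dict):
        raise ValueError("profile must be a JSON object")
    unexpected = set(obj) - set(EXPECTED_FIELDS)
    if unexpected:
        raise ValueError(f"unexpected fields: {sorted(unexpected)}")
    for field, expected_type in EXPECTED_FIELDS.items():
        if not isinstance(obj.get(field), expected_type):
            raise ValueError(f"field {field!r} missing or not {expected_type.__name__}")
    return obj


def rejects_profile(data: str) -> bool:
    try:
        load_profile_json(data)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(loads_if_plain(PLAIN_PICKLE))   # (True, {...})
    print(loads_if_plain(OBJECT_PICKLE))  # (False, None)
    print(load_profile_json('{"user_id": 7, "display_name": "alice", "roles": ["viewer"]}'))
```

JSON removes the code-execution path because the format can only express data, but it does not validate structure, which is why the loader checks field names and types before the object reaches application logic.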

Relationship to CVE and CVSS

CWE, CVE, and CVSS work together in the vulnerability management ecosystem:

  • CWE describes the type of weakness (the pattern)
  • CVE (Common Vulnerabilities and Exposures) identifies a specific instance of a vulnerability in a specific product
  • CVSS (Common Vulnerability Scoring System) assigns a severity score to a specific CVE

When a new vulnerability is reported, it gets a CVE identifier, is mapped to one or more CWE entries, and receives a CVSS score.

How to Use CWE in Practice

  • During development — use CWE as a checklist when designing features that handle user input
  • In code reviews — reference specific CWE identifiers when flagging issues. “This looks like CWE-89” is more precise than “this might have a SQL injection problem”
  • In security tooling — most SAST and DAST tools map findings to CWE identifiers, giving you a common language across tools
  • In bug bounty reports — CWE identifiers help classify findings consistently
  • In training — the CWE Top 25 covers the most commonly exploited weaknesses

The full list is available at cwe.mitre.org.
