Mitre published the 2022 Common Weakness Enumeration Top 25 Most Dangerous Software Weaknesses list, which includes the currently most common and impactful software weaknesses. Most of the weaknesses on the list can be easily found and exploited, leading to exploitable vulnerabilities that allow unauthorized third parties to take over a system, steal data, or prevent applications from working.
37,899 CVE records from the last two years
The list was created by leveraging Common Vulnerabilities and Exposures (CVE) data found within the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD) and the Common Vulnerability Scoring System (CVSS) scores associated with each CVE record, including a focus on CVE Records from the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) Catalog. A formula was applied to the data to score each weakness based on prevalence and severity.
The top 25 weaknesses in 2022 and their overall scores are:
| Rank | ID | Name | Score | KEV Count (CVEs) | Rank Change vs. 2021 |
|---|---|---|---|---|---|
| 1 | CWE-787 | Out-of-bounds Write | 64.20 | 62 | 0 |
| 2 | CWE-79 | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 45.97 | 2 | 0 |
| 3 | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 22.11 | 7 | +3 |
| 4 | CWE-20 | Improper Input Validation | 20.63 | 20 | 0 |
| 5 | CWE-125 | Out-of-bounds Read | 17.67 | 1 | -2 |
| 6 | CWE-78 | Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) | 17.53 | 32 | -1 |
| 7 | CWE-416 | Use After Free | 15.50 | 28 | 0 |
| 8 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 14.08 | 19 | 0 |
| 9 | CWE-352 | Cross-Site Request Forgery (CSRF) | 11.53 | 1 | 0 |
| 10 | CWE-434 | Unrestricted Upload of File with Dangerous Type | 9.56 | 6 | 0 |
| 11 | CWE-476 | NULL Pointer Dereference | 7.15 | 0 | +4 |
| 12 | CWE-502 | Deserialization of Untrusted Data | 6.68 | 7 | +1 |
| 13 | CWE-190 | Integer Overflow or Wraparound | 6.53 | 2 | -1 |
| 14 | CWE-287 | Improper Authentication | 6.35 | 4 | 0 |
| 15 | CWE-798 | Use of Hard-coded Credentials | 5.66 | 0 | +1 |
| 16 | CWE-862 | Missing Authorization | 5.53 | 1 | +2 |
| 17 | CWE-77 | Improper Neutralization of Special Elements used in a Command (‘Command Injection’) | 5.42 | 5 | +8 |
| 18 | CWE-306 | Missing Authentication for Critical Function | 5.15 | 6 | -7 |
| 19 | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 4.85 | 6 | -2 |
| 20 | CWE-276 | Incorrect Default Permissions | 4.84 | 0 | -1 |
| 21 | CWE-918 | Server-Side Request Forgery (SSRF) | 4.27 | 8 | +3 |
| 22 | CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’) | 3.57 | 6 | +11 |
| 23 | CWE-400 | Uncontrolled Resource Consumption | 3.56 | 2 | +4 |
| 24 | CWE-611 | Improper Restriction of XML External Entity Reference | 3.38 | 0 | -1 |
| 25 | CWE-94 | Improper Control of Generation of Code (‘Code Injection’) | 3.32 | 4 | +3 |
While some weaknesses moved to higher positions on the list from the last year’s list, there are also some weaknesses that made their first appearance.
The biggest movers up the list are:
- CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’)): from #33 to #22
- CWE-94 (Improper Control of Generation of Code (‘Code Injection’)): from #28 to #25
- CWE-400 (Uncontrolled Resource Consumption): from #27 to #23
- CWE-77 (Improper Neutralization of Special Elements used in a Command (‘Command Injection’)): from #25 to #17
- CWE-476 (NULL Pointer Dereference): from #15 to #11
The biggest downward movers are:
- CWE-306 (Missing Authentication for Critical Function): from #11 to #18
- CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor): from #20 to #33
- CWE-522 (Insufficiently Protected Credentials): from #21 to #38
- CWE-732 (Incorrect Permission Assignment for Critical Resource): from #22 to #30
New entries in the Top 25 are:
- CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’)): from #33 to #22
- CWE-94 (Improper Control of Generation of Code (‘Code Injection’)): from #28 to #25
- CWE-400 (Uncontrolled Resource Consumption): from #27 to #23
Year-over-year changes from 2019 to 2022 are shown in the chart below:
