What is CWE (Common Weakness Enumeration)?

A community-developed catalog of software and hardware weakness types, providing standardized identifiers and descriptions for security vulnerabilities.

CWE (Common Weakness Enumeration) — Definition & Overview • DeepSource

Common Weakness Enumeration (CWE) is a categorized list of software and hardware security weaknesses maintained by MITRE Corporation with support from the U.S. Department of Homeland Security. Unlike CVE, which identifies specific vulnerabilities in specific products, CWE describes general types of weaknesses that can lead to vulnerabilities.

For example, CWE-89 describes "SQL Injection"—the general weakness pattern—while CVE-2024-XXXXX might describe a specific SQL injection vulnerability in a particular application version.

How CWE is organized

CWE uses a hierarchical structure:

Views: High-level organizational groupings for different audiences

CWE-1000: Research Concepts (comprehensive technical view)
CWE-699: Software Development (organized by development phase)
CWE-1194: Hardware Design (hardware-specific weaknesses)

Categories: Groups of related weaknesses

CWE-990: Tainted Input to Command (injection vulnerabilities)
CWE-1006: Bad Coding Practices

Weaknesses: Individual weakness types with full descriptions

CWE-79: Cross-site Scripting (XSS)
CWE-798: Use of Hard-coded Credentials
CWE-476: NULL Pointer Dereference

Each weakness entry includes:

Description and extended description
Likelihood of exploit
Common consequences
Potential mitigations
Related weaknesses and attack patterns
Code examples in multiple languages

CWE in practice

Security tools: SAST, DAST, and AI code review tools map their findings to CWE identifiers. This provides:

Standardized vocabulary across different tools
Links to detailed remediation guidance
Severity context from established research

Compliance: Standards like PCI DSS and frameworks like OWASP Top 10 reference CWE. Mapping vulnerabilities to CWE helps demonstrate compliance.

Training: CWE entries serve as educational resources, explaining not just what a weakness is but why it occurs and how to prevent it.

Key CWE lists

MITRE publishes curated lists of the most critical weaknesses:

CWE Top 25: The most dangerous software weaknesses based on prevalence and severity
CWE/SANS Top 25: Historical collaboration with SANS Institute
On the Cusp: Weaknesses that nearly made the Top 25 list

CWE vs CVE

CWE	CVE
Weakness types (abstract)	Specific vulnerabilities (concrete)
"SQL Injection"	"SQL Injection in Product X version 1.2"
Used for tool development, training	Used for patch management, disclosure
Maintained indefinitely	May be deprecated when fixed

A single CWE may be associated with thousands of CVEs. When a CVE is published, it typically references which CWE(s) describe the underlying weakness.

See also: CVE, OWASP Top 10, SANS Top 25, SAST