CWE (Common Weakness Enumeration): A Developer Reference

How CWE classifies software weaknesses and why it matters for SAST

What Is CWE

CWE stands for Common Weakness Enumeration, a community-developed catalog of software and hardware weakness types maintained by MITRE. While a CVE identifies a specific vulnerability in a specific product, a CWE classifies the type of flaw that makes that vulnerability possible.

Each CWE entry has a unique identifier (e.g., CWE-89: SQL Injection, CWE-79: Cross-site Scripting) and includes a description, potential consequences, detection methods, and remediation guidance. The catalog organizes weaknesses into a hierarchical structure, from abstract categories down to specific variant weaknesses.

CWE is essential for static analysis because it provides a standardized taxonomy for what tools detect. When a SAST tool reports a finding as CWE-78: OS Command Injection, any security engineer worldwide understands exactly what class of weakness was found, regardless of which tool generated the report.

The CWE Top 25 Most Dangerous Software Weaknesses, published annually by MITRE, ranks weakness types by frequency and severity in real-world CVE data, giving development teams a prioritized list for their security programs.

CWE vs CVE

CWE and CVE are complementary systems that serve different purposes in security communication:

  • CWE (Weakness): Describes a category of flaw in software design or implementation. Example: CWE-89 describes the class "Improper Neutralization of Special Elements used in an SQL Command." It is abstract and applies to any codebase.
  • CVE (Vulnerability): Describes a specific, publicly known vulnerability in a specific product. Example: CVE-2023-34362 is a specific SQL injection in MOVEit Transfer. It references CWE-89 as the underlying weakness type.

The relationship flows from general to specific: one CWE can underlie thousands of CVEs. CWE-79 (XSS) has been associated with tens of thousands of CVEs across different products over the past two decades.

When to Use Each

  • Use CWE when discussing weakness types in your own code ("our codebase has CWE-89 patterns"), in SAST tool configuration, and in secure coding standards
  • Use CVE when discussing specific known vulnerabilities in dependencies ("we need to patch CVE-2021-44228"), in incident response, and in vulnerability management

A weakness (CWE) is the flaw type in the abstract. A vulnerability (CVE) is an instance of that flaw in a specific product version.

Top CWEs in Web Applications

Based on MITRE's CWE Top 25 and real-world SAST data, these weaknesses appear most frequently in web application code:

  • CWE-79: Cross-site Scripting (XSS) – Improper neutralization of input rendered in web pages. Enables session hijacking, defacement, and phishing.
  • CWE-89: SQL Injection – Unsanitized input in SQL queries. Enables data theft, authentication bypass, and database manipulation.
  • CWE-78: OS Command Injection – User input passed to system shell commands. Enables full server compromise.
  • CWE-22: Path Traversal – Directory traversal allowing file access outside intended paths. Enables reading credentials and configuration files.
  • CWE-352: Cross-Site Request Forgery – Missing anti-CSRF tokens on state-changing requests. Enables unauthorized actions on behalf of authenticated users.
  • CWE-502: Deserialization of Untrusted Data – Deserializing user-controlled data without validation. Enables remote code execution.
  • CWE-918: Server-Side Request Forgery – Server-side HTTP requests with user-controlled URLs. Enables access to internal services and cloud metadata.
  • CWE-327: Use of a Broken Cryptographic Algorithm – Using MD5, SHA-1, DES, or other deprecated algorithms for security-sensitive operations.

CodeSlick CWE Mapping

CodeSlick maps every one of its 294 security checks to the corresponding CWE identifier. This means every finding in a scan result carries its CWE classification, making it immediately actionable for compliance reporting and security triage.

  • Injection checks: CWE-89, CWE-79, CWE-78, CWE-918, CWE-943 across all 5 supported languages
  • Cryptographic checks: CWE-327, CWE-328, CWE-330 for weak algorithms, insufficient hashing, and predictable randomness
  • Access control checks: CWE-22, CWE-284, CWE-352 for path traversal, improper access control, and CSRF
  • Data integrity checks: CWE-502 for insecure deserialization, CWE-611 for XXE

CVSS 3.1 severity scores accompany each CWE mapping, and AI-powered fix suggestions provide remediation specific to the weakness type and your code context.
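As an added illustration of two points on this page, the parent-to-child hierarchy described under "What Is CWE" and the triage use of CWE-tagged findings described in this section, here is example code that is not CodeSlick's own: it rolls variant- and base-level CWE ids from a scan up to class-level buckets so a report can say "N injection findings" regardless of whether a tool emitted CWE-89, CWE-943 or CWE-78. The `CWE_PARENT` table is a hand-built fragment of the CWE ChildOf relationships (an assumption to check against the current CWE release), and the findings are constructed sample data.

```python
from collections import Counter

# Hand-built fragment of the CWE ChildOf graph (one primary parent per entry), recorded
# as an assumption. Pillars CWE-707, CWE-664 and CWE-693 have no parent and end each chain.
CWE_PARENT = {
    "CWE-89": "CWE-943",   # SQL injection     -> injection in data query logic
    "CWE-943": "CWE-74",   # query injection   -> injection (class level)
    "CWE-79": "CWE-74",    # XSS               -> injection
    "CWE-78": "CWE-77",    # OS cmd injection  -> command injection
    "CWE-77": "CWE-74",
    "CWE-74": "CWE-707",   # injection         -> improper neutralization (pillar)
    "CWE-22": "CWE-706",   # path traversal    -> incorrectly resolved name
    "CWE-706": "CWE-664",  #                   -> improper resource control (pillar)
    "CWE-328": "CWE-327",  # weak hash         -> broken crypto algorithm
    "CWE-327": "CWE-693",  # broken crypto     -> protection mechanism failure (pillar)
}


def ancestors(cwe_id):
    """Chain from cwe_id up to its pillar, most specific first."""
    chain = [cwe_id]
    while chain[-1] in CWE_PARENT:
        parent = CWE_PARENT[chain[-1]]
        if parent in chain:  # a malformed fragment must not loop forever
            raise ValueError(f"cycle in CWE_PARENT at {parent}")
        chain.append(parent)
    return chain


def rollup(findings, buckets):
    """Count findings per bucket; each goes to the nearest bucket CWE on its ancestor chain."""
    counts = Counter()
    for finding in findings:
        chain = ancestors(finding["cwe"])
        bucket = next((c for c in chain if c in buckets), "unmapped")
        counts[bucket] += 1
    return dict(counts)


# Constructed sample scan output; each finding carries its CWE as a CWE-mapped SAST
# report would. CWE-352 is deliberately absent from the fragment above.
SAMPLE_FINDINGS = [
    {"file": "db.py", "line": 12, "cwe": "CWE-89"},
    {"file": "api.py", "line": 40, "cwe": "CWE-943"},
    {"file": "views.py", "line": 7, "cwe": "CWE-79"},
    {"file": "tasks.py", "line": 88, "cwe": "CWE-78"},
    {"file": "auth.py", "line": 23, "cwe": "CWE-328"},
    {"file": "upload.py", "line": 5, "cwe": "CWE-22"},
    {"file": "forms.py", "line": 61, "cwe": "CWE-352"},
]
```

Calling `rollup(SAMPLE_FINDINGS, {"CWE-74", "CWE-706", "CWE-327"})` reports four findings under CWE-74 (injection), one each under CWE-706 and CWE-327, and the CWE-352 finding as unmapped because the fragment has no chain for it.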
