MITRE has released the 2025 CWE Top 25 list, with cross-site scripting (XSS, CWE-79) remaining the top software weakness, followed by SQL injection (CWE-89) and cross-site request forgery (CSRF, CWE-352).
The update brings six new entries this year, including four CWEs that had never been ranked before: three buffer overflow weaknesses (classic buffer overflow at 11, stack-based at 14, and heap-based at 16), improper access control at 19, authorization bypass through a user-controlled key at 24, and allocation of resources without limits or throttling at 25. The rest of the top 10 includes path traversal, OS command injection, code injection, use-after-free, and out-of-bounds read.
MITRE attributes part of the movement relative to prior years to changes in how the list is calculated, including a reduced number of CWE mappings, and has published the methodology used for the 2025 list. According to the US cybersecurity agency CISA, the Top 25 is intended to help organizations reduce vulnerabilities in their software and to support benchmarking and secure design practices. The article is dated 12 December 2025 and is written by Ionut Arghire for SecurityWeek.
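The three weaknesses at the head of the list are easiest to recognise side by side. The following is an added example, not code from the article or from MITRE: each of XSS, SQL injection and CSRF is shown as the vulnerable pattern next to a hardened form, using only the Python standard library. The users table, the session dictionary and the form payloads are constructed for the demo; the function names are this example's own.

```python
"""Added example: the top three 2025 CWE Top 25 weaknesses (CWE-79 XSS,
CWE-89 SQL injection, CWE-352 CSRF), each as a vulnerable pattern beside a
hardened form. All data here is constructed for the demonstration."""
import html
import hmac
import secrets
import sqlite3


def make_db():
    """Constructed in-memory users table for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


# --- CWE-89: SQL injection ------------------------------------------------
def lookup_vulnerable(conn, name):
    # Untrusted input is concatenated into the statement, so a quote in
    # `name` changes the query's structure instead of the value matched.
    return conn.execute(
        f"SELECT name, role FROM users WHERE name = '{name}'").fetchall()


def lookup_safe(conn, name):
    # Parameter binding: the driver passes `name` as data, never as SQL text.
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


# --- CWE-79: cross-site scripting ----------------------------------------
def render_vulnerable(name):
    # Raw interpolation into an HTML text node: markup in `name` is rendered.
    return f"<p>Hello, {name}</p>"


def render_safe(name):
    # Output encoding for the HTML element context. Attribute, URL and
    # JavaScript contexts each need their own encoder; html.escape alone is
    # not enough there.
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


# --- CWE-352: cross-site request forgery ---------------------------------
def issue_csrf_token(session):
    # One unguessable token per session, stored server-side and embedded in
    # the form. A cross-origin page can make the browser POST with the
    # session cookie, but it cannot read this value to include it.
    session["csrf"] = secrets.token_urlsafe(32)
    return session["csrf"]


def handle_transfer_vulnerable(session, form):
    # Acts on the cookie-authenticated session alone, so any site that can
    # make the victim's browser submit this form triggers the action.
    return {"transferred": form["amount"], "user": session["user"]}


def handle_transfer_safe(session, form):
    # Rejects the request unless the submitted token matches the session's.
    # compare_digest keeps the comparison constant-time.
    expected = session.get("csrf")
    supplied = form.get("csrf", "")
    if not expected or not hmac.compare_digest(expected, supplied):
        return {"error": "csrf check failed"}
    return {"transferred": form["amount"], "user": session["user"]}


if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR '1'='1"
    print(lookup_vulnerable(conn, payload))  # both rows leak
    print(lookup_safe(conn, payload))        # no such user: []
    print(render_safe("<script>alert(1)</script>"))
```

Running the module shows the injection payload returning every row through the string-built query and nothing through the bound one; the same input is inert as a parameter because it is never parsed as SQL. The CSRF check relies on the token being unreadable cross-origin, so it must never be exposed in a response that a third-party page could fetch.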