The list was developed by the Homeland Security Systems Engineering and Development Institute, sponsored by the Cybersecurity and Infrastructure Security Agency (CISA) and operated by MITRE. It uses Common Vulnerabilities and Exposures (CVE) data to compile the most frequent and critical errors that can lead to serious vulnerabilities. “This list demonstrates the currently most common and impactful software weaknesses. Often easy to find and exploit, these can lead to exploitable vulnerabilities that allow adversaries to completely take over a system, steal data, or prevent applications from working,” said CWE. “Many professionals who deal with software will find the CWE Top 25 a practical and convenient resource to help mitigate risk. This may include software architects, designers, developers, testers, users, project managers, security researchers, educators, and contributors to standards developing organizations,” it noted. SEE: Phishing gang that stole millions by luring victims to fake bank websites is broken up by police The dataset used to calculate the 2022 Top 25 contained a total of 37,899 CVE records from the previous two calendar years, according to MITRE. The 2022 Top 25 list is also based on data from CVE records in the dataset that are part of CISA’s Known Exploited Vulnerabilities (KEV) Catalog. CISA launched that catalog in late 2021, requiring federal agencies to patch known exploited vulnerabilities in a given timeframe. The top two vulnerabilities remain the same as last year: CWE-787 or out-of-bounds write memory flaw, and CWE-79 for cross-site scripting flaws. But SQL injection or CWE-89 as a category jumped three spots up to third, replacing the memory flaw CWE-125 for out-of-bounds read, which dropped two places to fifth. In fourth place, with no change in ranking, was CWE-20 for improper input validation, while OS command injection (CWE-78) dropped one place to sixth. In seventh spot was CWE-416 or ‘use after free’. Rounding out the top 10 were path traversal vulnerabilities (CWE-22), cross-site request forgery (CWE-352), and unrestricted upload of file with dangerous type (CWE-434). Command injection flaws (CWE-77) jumped eight places in the list to 17th spot, while race condition (CWE-362) rose 11 spots to 22nd. Each of the CWE entries has a detailed explanation of the flaw and past examples of publicly disclosed flaws.