What is a CWE (Common Weakness Enumeration)?
The not-so-secret codes behind your scanner alerts
~15mins estimatedGeneral
What is a CWE (Common Weakness Enumeration)?
Ever seen something like CWE-89
in a security tool or report and wondered what it meant? That’s a Common Weakness Enumeration (CWE). It’s a standardized way of describing the types of mistakes developers can make that lead to security vulnerabilities. Think of it as a dictionary of software security issues.
A CWE isn’t a vulnerability itself, instead, it’s a classification. It tells you what kind of coding pattern or behavior could lead to a security problem. For example, CWE-79
refers to cross-site scripting (XSS), while CWE-89 is about SQL injection. When a scanner detects a vulnerable line of code, it often tags it with a CWE ID so you can look it up, understand it, and fix it more confidently.
CWEs are maintained by MITRE, the same non-profit that manages the CVE list (which tracks actual vulnerabilities). The goal of CWEs is to help developers, security teams, and tools speak the same language when identifying, discussing, and fixing weaknesses in code.
About this lesson
In this lesson, you’ll learn what a CWE is and why it matters in software development. We’ll walk through how CWEs are structured, what makes them different from things like CVEs and attack patterns, and how you can use them to level up your secure coding skills. You’ll also get a hands-on look at CWE in action to see how these weaknesses appear in real code and how to fix them.
The Common Weakness Enumeration gives you a shared vocabulary to understand and discuss security issues, both with your team and with the tools you use. Instead of a vague “you have a SQL injection,” a static analysis tool might report:
This kind of label connects your code directly to a well-defined weakness with a detailed description, examples, and remediation tips (such as links to Snyk Learn!).
Most SAST (Static Application Security Testing) and DAST (Dynamic Application Security Testing) tools use CWE IDs to tag findings. This makes it easier to look up what the issue is and how to fix it, especially if you're unfamiliar with the underlying vulnerability.
It also allows everyone in the room (or virtual room) to speak the same security language. When a developer refers to CWE-79
, there is no room for miscommunication and everyone will be able to understand what they are referencing.
Some organizations track which CWEs occur most frequently in their codebase or map them to severity levels (using resources like the CWE Top 25). This helps teams focus on the most dangerous or most common issues first.
Let’s see what a CWE looks like in the real world. We'll focus on CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
, one of the most common and dangerous weaknesses in software today.
Imagine you're building a Python app with a SQLite database and you need to fetch user data by username. Here’s a simple version of what that might look like:
This code works, but it's dangerously vulnerable to SQL injection. Check out this Snyk Learn lesson to learn more about this in greater detail. An attacker can use this type of vulnerability to extract sensitive data, bypass authentication, or even modify the database.
But thankfully, your security tool (maybe Snyk) flags the issue in the IDE. That alert might even spark curiosity. What is CWE-79? Are there other CWE-79-type issues in this project? Could the same pattern show up somewhere else in the codebase?
Since we showed some vulnerable code above, let's show some mitigated code:
The CWE system is a structured way of organizing types of weaknesses. Each CWE entry fits into a bigger picture based on how it behaves, what it affects, or how it’s typically introduced.
Here are the three main building blocks:
Weaknesses
These are the individual entries you’ll usually see, like CWE-79 (Cross-site Scripting)
or CWE-327 (Use of a Broken or Risky Cryptographic Algorithm)
. They describe specific coding or design flaws.
Categories
Categories are groupings of related weaknesses. They don’t describe flaws themselves but help organize the space by behavior, language features, or development stages.
For example, CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer. This category contains lower-level CWEs like buffer overflows (CWE-121, CWE-122).
Views
Views are curated collections of CWEs based on use case or industry focus. These are especially useful when you’re working with compliance requirements or trying to prioritize.
- CWE Top 25: The most dangerous software weaknesses, updated annually based on real-world CVEs.
- View 1003: Mappings to the OWASP Top 10, making it easier to align app sec tools with secure development goals.
If you checked out both of those lists, you may have noticed that CWE-79 (Cross-site Scripting)
appears in both the Top 25 and the OWASP Top 10 view because it’s so widespread and impactful.
Understanding CWEs is a powerful tool for developers. Whether you're reading scanner output, reviewing code, or learning from past vulnerabilities, CWEs provide context that helps you make better decisions and write more secure software.
One of the most direct ways CWEs show up in a developer's workflow is through static analysis tools or code scanning platforms. These tools often flag issues using CWE identifiers, pointing to specific weaknesses like CWE-89
for SQL injection or CWE-79
for cross-site scripting. On their own, these codes might look cryptic, but looking them up can give you clear explanations, example scenarios, and practical ways to fix or prevent the issue. Over time, you'll start recognizing these patterns in your own code before the tools even catch them.
CWEs also play a role in how developers triage and prioritize bugs. If a scanner returns multiple findings, knowing which CWEs are considered high-impact, such as those that appear in the CWE Top 25, can help you decide what to fix first. Instead of treating every issue as equally important, you can focus your attention on weaknesses that are both common and dangerous in real-world attacks.
During code reviews, familiarity with CWEs can help you identify potential security risks, even if they aren't immediately flagged by tools. For example, understanding the underlying issues in deserialization, input validation, or improper access control gives you the vocabulary to question design decisions and offer safer alternatives. Security becomes something you consider early and often, not just something that gets tacked on at the end.
CWEs are also useful for learning and growth. If you encounter a vulnerability in a library you’re using, the associated CVE often includes CWE references. Following that path back to the CWE entry can give you a better understanding of the weakness itself, how it’s exploited, and what a more secure implementation might look like.
Ultimately, CWEs help developers see security issues not just as isolated bugs, but as part of broader patterns. Recognizing those patterns across languages, projects, and frameworks can lead to better habits, smarter tooling choices, and more resilient code. Whether you're fixing a bug, reviewing a pull request, or just trying to write clean, safe software, having some working knowledge of CWEs gives you a clear advantage.
Test your knowledge!
Keep learning
Here is a bit more information for you to keep learning about CWEs and vulnerabilities in the wild:
- MITRE CWE Official Catalog. Explore the comprehensive list of Common Weakness Enumerations (CWEs) maintained by MITRE, including detailed descriptions, examples, and mitigation strategies.
- Snyk Top 10 Code Vulnerabilities Report. Discover the most common vulnerability types across popular programming languages, based on Snyk's extensive data analysis.