Most developers are familiar with the CWE Top 25, the annual list of the most dangerous software weaknesses. But fewer know about the lesser-publicized lists that accompany it, which reveal what’s coming next.
Each year, alongside the Top 25, CWE also publishes the Top 10 KEV Weaknesses, which is based on real-world exploitation, and the “On the Cusp” Weaknesses Insights, which highlights weaknesses rising quickly in prevalence. Together, these lists offer a glimpse into how the threat landscape is shifting and where attention should be focused next.
The CWE Top 10 KEV Weaknesses ranks the most dangerous software weaknesses based on real-world exploitation data. It is built from CISA’s Known Exploited Vulnerabilities (KEV) Catalog, which tracks which CVEs (Common Vulnerabilities and Exposures) have been actively exploited.
To create this list, CWE analysts mapped the 144 exploited CVEs recorded in the KEV Catalog between June 2023 and June 2024 to their corresponding CWEs. Using the same methodology behind the CWE Top 25, they ranked weaknesses most linked to actual attacks.
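As an added illustration of that mapping-and-counting step (example code, not from the page, CWE or CISA): a simplified ranking of CWEs by how many exploited CVEs map to them within a date window, run over constructed KEV-shaped records. The `cwes` field on each entry and the frequency-only ranking are assumptions; the real Top 25 methodology also weights by severity.

```python
"""Rank CWEs by exploited-CVE count in a KEV-style catalog over a date window.
Added example: the records are constructed and the `cwes` field is an assumed
catalog shape, not something the page describes."""
from collections import Counter
from datetime import date

# Constructed sample entries (assumption: each carries cveID, dateAdded and a
# list of mapped CWE ids under "cwes"; CVE ids are placeholders).
SAMPLE_KEV = [
    {"cveID": "CVE-0000-0001", "dateAdded": "2023-07-10", "cwes": ["CWE-787"]},
    {"cveID": "CVE-0000-0002", "dateAdded": "2023-09-02", "cwes": ["CWE-78"]},
    {"cveID": "CVE-0000-0003", "dateAdded": "2024-01-15", "cwes": ["CWE-787", "CWE-119"]},
    {"cveID": "CVE-0000-0004", "dateAdded": "2024-03-30", "cwes": ["CWE-78"]},
    {"cveID": "CVE-0000-0005", "dateAdded": "2024-05-20", "cwes": []},          # not yet mapped
    {"cveID": "CVE-0000-0006", "dateAdded": "2022-11-01", "cwes": ["CWE-89"]},  # outside window
    {"cveID": "CVE-0000-0007", "dateAdded": "2024-06-05", "cwes": ["CWE-787"]},
]


def rank_kev_weaknesses(records, start_iso, end_iso):
    """Return [(cwe_id, exploited_cve_count), ...], highest count first.

    Only entries added within [start, end] (ISO dates, inclusive) count;
    each CVE contributes once per distinct CWE it maps to; entries with no
    CWE mapping are skipped rather than counted under a dummy id."""
    start, end = date.fromisoformat(start_iso), date.fromisoformat(end_iso)
    counts = Counter()
    for rec in records:
        added = date.fromisoformat(rec["dateAdded"])
        if not (start <= added <= end):
            continue
        for cwe in set(rec.get("cwes") or []):
            counts[cwe] += 1
    # Ties are broken by CWE id so the ranking is deterministic.
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for cwe, n in rank_kev_weaknesses(SAMPLE_KEV, "2023-06-01", "2024-06-30"):
        print(f"{cwe}: {n} exploited CVE(s)")
```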
What’s especially interesting is that not all KEV weaknesses appear in the CWE Top 25. In fact, at least two of them only show up on the “On the Cusp” list, a sign that real-world exploitation doesn’t always match what’s statistically common.
The “On the Cusp” Weaknesses Insights highlights 15 additional CWEs that sit just outside the Top 25, either because they recently dropped out of it or because they are steadily climbing toward it.
This list is a valuable signal of emerging trends. It shows which issues are gaining traction and why. For example, some weaknesses have seen significant jumps in ranking due to AI-related vulnerabilities. In 2024, both CWE-203: Observable Discrepancy and CWE-74: Improper Neutralization of Special Elements Used by a Downstream Component surged from near the 50th position to the Top 25. Their rise may reflect new security challenges introduced by AI-assisted development.
The top CWE spots rarely shift. SQL injection, cross-site scripting, and out-of-bounds writes have been rotating among the top five CWEs for a while. The real story is in the bottom 10. This is where new weaknesses surface, driven by evolving technology such as AI-assisted development, and where organizations have blind spots.
By tracking movement across the Top 25, KEV, and “On the Cusp” lists, teams can better anticipate where risk is headed.
To help you stay ahead, Security Journey is launching new training focused on these “On the Cusp” CWEs, so your developers can get hands-on with the threats just around the corner. Schedule a demo to learn more about our CWE training.