The MITRE Corporation has released the 25 most dangerous software “weaknesses” in a new list that will help inform developers, network defenders and procurement teams.
The annual CWE Top 25 list was this year compiled from the weaknesses (CWEs) behind 39,080 CVEs.
“Uncovering the root causes of these vulnerabilities serves as a powerful guide for investments, policies, and practices to prevent these vulnerabilities from occurring in the first place – benefiting both industry and government stakeholders,” MITRE claimed.
Top of the list once again was cross-site scripting (XSS), while SQL injection moved up one place to second and cross-site request forgery moved up one to third. Use-after-free (in eighth place) and code injection (tenth) both moved up one from last year.
Among the top 10, out-of-bounds write (fifth), path traversal (sixth), out-of-bounds read (eighth) and OS command injection (ninth) all dropped down from their rankings last year.
Read more on CWEs: MITRE Unveils Top 25 Most Critical Software Flaws
The rankings are calculated by scoring each weakness based on its severity and the frequency of in-the-wild exploits.
This year, there were new entries for classic buffer overflow, stack-based buffer overflow, heap-based buffer overflow, improper access control, authorization bypass through user-controlled key, and allocation of resources without limits or throttling.
However, AppOmni CSO, Cory Michal, argued that there should have been a place on the Top 25 for “insufficiently protected credentials,” given how dangerous weak credential handling is.
“When major SaaS integration providers like Commvault, Salesloft/Drift and Gainsight are breached and attackers walk away with OAuth2 tokens, those ‘credentials’ become a skeleton key into thousands of downstream SaaS tenants,” he explained.
“We’re seeing adversaries use those stolen tokens to access CRM and collaboration data without ever touching a user’s password, and I’d expect that pattern, and therefore CWE-522’s real-world impact to keep growing in 2026.”
That said, the new list highlights how identity, authorization and access control issues are now very much front and center for security teams.
“When weaknesses like missing authentication, improper access control and authorization bypass, all climb or enter the Top 25, it’s a signal that attackers are consistently succeeding at finding and exploiting gaps in authentication and authorization logic,” Michal said.
“In today’s SaaS and AI world, where apps are interconnected by APIs and integrations, these weaknesses quickly turn into lateral movement, data exposure and realized risk.”
