Glossary

What Is CWE?

CWE (Common Weakness Enumeration) is a community-developed taxonomy of software and hardware weakness types maintained by MITRE. Each CWE-N identifier names a specific weakness pattern (e.g. CWE-79 = Cross-Site Scripting, CWE-89 = SQL Injection, CWE-639 = Authorization Bypass via Predictable Token). CWEs describe the bug class; CVSS scores the impact.

CWE vs CVE

CWE is the weakness type (a pattern, like "buffer overflow"). CVE (Common Vulnerabilities and Exposures) is a specific instance of a vulnerability in a specific product version (like "CVE-2024-12345: buffer overflow in OpenSSL 3.0.5"). Every CVE is classified with one or more CWE identifiers. Pentest findings reference CWEs; security advisories reference CVEs.

Top CWE classes for web apps

  • CWE-89 — SQL Injection
  • CWE-79 — Cross-Site Scripting (XSS)
  • CWE-639 — Authorization Bypass via Predictable Token (incl. BOLA)
  • CWE-918 — SSRF
  • CWE-611 — XXE
  • CWE-915 — Mass Assignment
  • CWE-352 — CSRF
  • CWE-862/863 — Missing/Incorrect Authorization

Why CWEs matter in a report

For compliance reporting (ISO 27001 A.8.8, SOC 2 CC7.1), CWE classification lets auditors group findings by weakness pattern and verify your remediation cadence per class. For engineering remediation, the CWE links to a canonical fix-guide and known-good patterns. SQUR includes both CWE and OWASP class on every finding.
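The grouping an auditor does with CWE-tagged findings is easy to mechanise. The following is an added illustration, not SQUR's code: it takes a constructed list of findings, rejects any whose "cwe" field is actually a CVE identifier (a common report mistake, since CVE-YYYY-NNNN and CWE-N look alike), groups the rest by CWE, and computes the per-class remediation rate. Field names, the sample findings and the status values are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample findings, shaped like a pentest report might list them.
# Not real data; "F-5" deliberately carries a CVE where a CWE belongs.
FINDINGS = [
    {"id": "F-1", "cwe": "CWE-89",         "status": "open"},
    {"id": "F-2", "cwe": "CWE-79",         "status": "fixed"},
    {"id": "F-3", "cwe": "CWE-79",         "status": "open"},
    {"id": "F-4", "cwe": "CWE-639",        "status": "fixed"},
    {"id": "F-5", "cwe": "CVE-2024-12345", "status": "open"},
]

# CWE ids are "CWE-" plus a number; CVE ids are "CVE-" plus a year and a sequence.
CWE_RE = re.compile(r"^CWE-\d+$")
CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")


def classify_identifier(ident):
    """Tell a weakness-type id (CWE) apart from a vulnerability-instance id (CVE)."""
    if CWE_RE.match(ident):
        return "CWE"
    if CVE_RE.match(ident):
        return "CVE"
    return "unknown"


def group_by_cwe(findings):
    """Group findings by CWE.

    Returns (groups, rejected): groups maps each CWE id to counts and finding ids;
    rejected lists (finding id, bad identifier) pairs that were not valid CWE ids.
    """
    groups = defaultdict(lambda: {"total": 0, "open": 0, "fixed": 0, "findings": []})
    rejected = []
    for f in findings:
        if classify_identifier(f["cwe"]) != "CWE":
            rejected.append((f["id"], f["cwe"]))
            continue
        g = groups[f["cwe"]]
        g["total"] += 1
        # Anything not explicitly fixed is still open for cadence purposes.
        g["fixed" if f["status"] == "fixed" else "open"] += 1
        g["findings"].append(f["id"])
    return dict(groups), rejected


def remediation_rate(groups):
    """Per-CWE fraction of findings already fixed: the 'cadence per class' view."""
    return {cwe: g["fixed"] / g["total"] for cwe, g in groups.items()}


if __name__ == "__main__":
    groups, rejected = group_by_cwe(FINDINGS)
    for cwe, rate in sorted(remediation_rate(groups).items()):
        print(f"{cwe}: {groups[cwe]['fixed']}/{groups[cwe]['total']} fixed ({rate:.0%})")
    for fid, ident in rejected:
        print(f"{fid}: '{ident}' is a {classify_identifier(ident)}, not a CWE; fix the tag")
```

The rejection step matters more than it looks: a finding tagged with a CVE instead of a CWE silently drops out of every per-class total, so the report should fail loudly on it rather than let the auditor's grouping come up short.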

Frequently asked questions

Is CWE the same as OWASP Top-10?

No. OWASP Top-10 is a curated annual list of the most impactful web-app risk categories. CWE is the comprehensive taxonomy. Each OWASP Top-10 entry maps to multiple CWEs.

Related terms

  • CVSS Score
  • SQL Injection
  • BOLA
  • SSRF

Try SQUR

60-second free attack-surface scan. No signup, no credit card.

Run a free scan