CWE

Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities


CWE List Version 4.16

PDFs with Graphical Depictions of CWE (Version 4.16)

The following PDF files provide graphical representations of various CWE views, which provide a way of quickly seeing the structure implied by the parent relationships in those views. Some files provide "coverage graphs," in which the members of a smaller view are highlighted within the context of a larger view. This provides a way to see how the entries of the smaller view are organized by the larger view.

The Research View with varying levels of weakness abstractions and entry types colored as specified below.
Research View with Abstractions Highlighted
Weakness Pillar
Weakness Class
Weakness Base
Weakness Variant
Compound Elements
The Development View with the varying levels of weakness abstractions and entry types colored as specified below.
Development View with Abstractions Highlighted
Category
Weakness Pillar
Weakness Class
Weakness Base
Weakness Variant
Compound Elements
The Hardware View with the varying levels of weakness abstractions and entry types colored as specified below.
Hardware View with Abstractions Highlighted
Category
Weakness Pillar
Weakness Class
Weakness Base
Weakness Variant
Compound Elements
The Weaknesses for Simplified Mapping of Published Vulnerabilities View with the varying levels of weakness abstractions and entry types colored as specified below.
Weaknesses for Simplified Mapping of Published Vulnerabilities View with Abstractions Highlighted
Weakness Pillar
Weakness Class
Weakness Base
Weakness Variant
Compound Elements
The Comprehensive Categorization View with the Category entry types colored as specified below.
Comprehensive Categorization View with Categories Highlighted
Category
The Development View with the Category entry types colored as specified below.
Development View with Categories Highlighted
Category
The OWASP Top 10 (2021) View with entries colored as specified below.
OWASP Top 10 (2021)
A01 - Broken Access Control
A02 - Cryptographic Failures
A03 - Injection
A04 - Insecure Design
A05 - Security Misconfiguration
A06 - Vulnerable and Outdated Components
A07 - Identification and Authentication Failures
A08 - Software and Data Integrity Failures
A09 - Security Logging and Monitoring Failures
A10 - Server-Side Request Forgery (SSRF)
Other visualizations of the OWASP Top 10 (2021), with entries colored as specified below.
A01 - Broken Access Control
A02 - Cryptographic Failures
A03 - Injection
A04 - Insecure Design
A05 - Security Misconfiguration
A06 - Vulnerable and Outdated Components
A07 - Identification and Authentication Failures
A08 - Software and Data Integrity Failures
A09 - Security Logging and Monitoring Failures
A10 - Server-Side Request Forgery (SSRF)
Visualizations related to the OWASP Top 10 (2004) entries, colored as specified below.
A1 - Unvalidated Input
A2 - Broken Access Control
A3 - Broken Authentication and Session Management
A4 - Cross-Site Scripting (XSS) Flaws
A5 - Buffer Overflows
A6 - Injection Flaws
A7 - Improper Error Handling
A8 - Insecure Storage
A9 - Denial of Service
A10 - Insecure Configuration Management
Red highlight, visible from a distance
The OWASP Top 10 (2007) entries that have been mapped to CWE entries.
OWASP Top 10 (2007) in CWE
A1 - Cross Site Scripting (XSS)
A2 - Injection Flaws
A3 - Malicious File Execution
A4 - Insecure Direct Object Reference
A5 - Cross Site Request Forgery (CSRF)
A6 - Information Leakage and Improper Error Handling
A7 - Broken Authentication and Session Management
A8 - Insecure Cryptographic Storage
A9 - Insecure Communications
A10 - Failure to Restrict URL Access
The OWASP Top 10 (2013) entries that have been mapped to CWE entries.
OWASP Top 10 (2013) in CWE
A1 - Injection
A2 - Broken Authentication and Session Management
A3 - Cross-Site Scripting (XSS)
A4 - Insecure Direct Object References
A5 - Security Misconfiguration
A6 - Sensitive Data Exposure
A7 - Missing Function Level Access Control
A8 - Cross-Site Request Forgery (CSRF)
A9 - Using Components with Known Vulnerabilities
A10 - Unvalidated Redirects and Forwards
The Seven Pernicious Kingdoms View with entries colored as specified below.
Environment
Input Validation
API Abuse
Security Features
Time and State
Error Handling
Code Quality
Encapsulation
Red highlight, visible from a distance
The CERT C Secure Coding Standard (2008) view.
Preprocessor (PRE), Signals (SIG)
Declarations and Initialization (DCL), Error Handling (ERR)
Expressions (EXP), Miscellaneous (MSC)
Integers (INT)
Floating Point (FLP)
Arrays (ARR)
Characters and Strings (STR)
Memory Management (MEM)
Input Output (FIO)
Environment (ENV), POSIX (POS)
Red highlight, visible from a distance
The Research View with the CWE Cross-section entries highlighted in red for visibility at a distance.
Research View with CWE Cross-section in Red
CWE Cross-section Entry
The Development View with the CWE Cross-section entries highlighted in red for visibility at a distance.
Development View with CWE Cross-section in Red
CWE Cross-section Entry
Software Fault Pattern (SFP) Clusters in CWE colored as specified below.
Software Fault Pattern (SFP) Clusters View in CWE
Primary SFP Cluster
Secondary SFP Cluster
Weakness
The Development View weaknesses that have defined Software Fault Pattern (SFP) entries, highlighted in red for visibility at a distance.
Development View weaknesses with Software Fault Patterns (SFP) in Red
Software Fault Pattern (SFP)
The Research View weaknesses that have defined Software Fault Pattern (SFP) entries, highlighted in red for visibility at a distance.
Research View weaknesses with Software Fault Patterns (SFP) in Red
Software Fault Pattern (SFP)
The 2011 CWE/SANS Top 25 entries colored as specified below.
2011 CWE/SANS Top 25
Insecure Interaction Between Components
Risky Resource Management
Porous Defenses
Weaknesses On the Cusp
The 2010 CWE/SANS Top 25 entries colored as specified below.
2010 CWE/SANS Top 25
Insecure Interaction Between Components
Risky Resource Management
Porous Defenses
Weaknesses On the Cusp
The Development View with the 2010 CWE/SANS Top 25 entries highlighted in red for visibility at a distance.
Development View with 2010 CWE/SANS Top 25 in Red
2010 CWE/SANS Top 25 Entry
The Research View with the 2010 CWE/SANS Top 25 entries highlighted in red for visibility at a distance.
Research View with 2010 CWE/SANS Top 25 in Red
2010 CWE/SANS Top 25 Entry
The 2009 CWE/SANS Top 25 entries colored as specified below.
2009 CWE/SANS Top 25
Insecure Interaction Between Components
Risky Resource Management
Porous Defenses

See the Visualization Archive page to see visualizations from older CWE versions.

Please contact [email protected] with suggestions for additional views.

Page Last Updated: February 29, 2024