Vulnerability Taxonomies
CWE
Definition
CWE (Common Weakness Enumeration) is the community-developed catalog of software and hardware weakness types. Maintained by MITRE, CWE provides a hierarchical taxonomy that classifies the **kind** of flaw underlying a vulnerability — for example CWE-79 (Cross-Site Scripting), CWE-89 (SQL Injection), CWE-787 (Out-of-Bounds Write).
What it means
Where CVE identifies a specific vulnerability in a specific product, CWE identifies the underlying weakness category. A single CVE often maps to one or more CWE entries; conversely, a single CWE category appears across thousands of CVE entries.
CWE is the basis for the annual "Top 25 Most Dangerous Software Weaknesses" list and informs developer-training programs, secure-coding standards, and static-analysis tool taxonomy mappings. The CWE View hierarchy includes specialized subsets — CWE-1000 (Research Concepts), CWE-699 (Software Development), CWE-1194 (Hardware Design) — that group weaknesses by analyst perspective.
For Melina reporting, every finding is mapped to one or more CWE IDs. This lets the client correlate our findings with their internal secure-coding standards, static-analysis tooling, and remediation guidance.
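The many-to-many relationship above (one finding to several CWE IDs, one CWE category across many findings) and the correlation with a client's CWE-keyed coding standard are easier to see in code. The following is an added example, not Melina's reporting tooling: it rolls a set of findings up by CWE and by top-level pillar, and matches them against client rules in a hierarchy-aware way, so a rule written against CWE-74 (Injection) also catches CWE-79 and CWE-89 findings. The ChildOf excerpt is hand-typed from the CWE-1000 Research Concepts view for the example (a real pipeline would load MITRE's CWE XML/CSV export), and the finding records, finding IDs and rule IDs are constructed sample data.

```python
"""Roll up findings by CWE and correlate them with a client's CWE-keyed
secure-coding rules.  Added example, not Melina's own tooling."""
from collections import Counter

# Excerpt of ChildOf links (child -> parent) as in the CWE-1000 Research
# Concepts view.  ASSUMPTION: hand-typed for this example; load it from the
# official CWE export in real use.
PARENT = {
    "CWE-79": "CWE-74",    # XSS is an injection weakness
    "CWE-89": "CWE-943",   # SQLi -> improper neutralization in data query logic
    "CWE-943": "CWE-74",
    "CWE-74": "CWE-707",   # Injection -> Improper Neutralization (pillar)
    "CWE-787": "CWE-119",  # out-of-bounds write -> buffer bounds weakness
    "CWE-119": "CWE-118",
    "CWE-118": "CWE-664",  # pillar: Improper Control of a Resource
}

# Constructed sample findings; a finding may carry more than one CWE ID.
FINDINGS = [
    {"id": "F-01", "title": "Reflected XSS in search", "cwes": ["CWE-79"]},
    {"id": "F-02", "title": "SQL injection in login", "cwes": ["CWE-89"]},
    {"id": "F-03", "title": "Heap overflow in image parser", "cwes": ["CWE-787", "CWE-119"]},
    {"id": "F-04", "title": "Stored XSS in profile", "cwes": ["CWE-79"]},
]

# Constructed client secure-coding rules, each keyed to the CWE it addresses.
CLIENT_RULES = {
    "SC-INJ-1": "CWE-74",   # neutralize untrusted input before downstream use
    "SC-MEM-2": "CWE-119",  # bounds-check every buffer operation
    "SC-SQL-3": "CWE-89",   # use parameterized queries
}


def ancestors(cwe: str) -> list:
    """Walk ChildOf links from `cwe` up to its pillar; unknown IDs yield []."""
    chain, seen = [], {cwe}
    while cwe in PARENT:
        cwe = PARENT[cwe]
        if cwe in seen:  # defensive: a malformed table must not loop forever
            break
        seen.add(cwe)
        chain.append(cwe)
    return chain


def pillar(cwe: str) -> str:
    """Most general ancestor of `cwe`, or `cwe` itself if it has no parent."""
    chain = ancestors(cwe)
    return chain[-1] if chain else cwe


def rollup(findings: list) -> tuple:
    """Count findings per CWE ID and per pillar (a finding counts once per pillar)."""
    by_cwe, by_pillar = Counter(), Counter()
    for f in findings:
        by_cwe.update(f["cwes"])
        by_pillar.update({pillar(c) for c in f["cwes"]})
    return by_cwe, by_pillar


def is_same_or_descendant(cwe: str, rule_cwe: str) -> bool:
    """True if `cwe` equals `rule_cwe` or sits below it in the hierarchy."""
    return cwe == rule_cwe or rule_cwe in ancestors(cwe)


def correlate(findings: list, rules: dict) -> dict:
    """Map each client rule ID to the finding IDs it covers, hierarchy-aware."""
    hits = {rule_id: [] for rule_id in rules}
    for f in findings:
        for rule_id, rule_cwe in rules.items():
            if any(is_same_or_descendant(c, rule_cwe) for c in f["cwes"]):
                hits[rule_id].append(f["id"])
    return hits


if __name__ == "__main__":
    by_cwe, by_pillar = rollup(FINDINGS)
    print("by CWE:   ", dict(by_cwe))
    print("by pillar:", dict(by_pillar))
    for rule_id, ids in correlate(FINDINGS, CLIENT_RULES).items():
        print(f"{rule_id} ({CLIENT_RULES[rule_id]}): {', '.join(ids) or 'no findings'}")
```

Matching against ancestors rather than exact IDs is the design point: clients usually write standards at the level of CWE-74 or CWE-119, while findings are tagged with the most specific CWE that fits, so an exact-match join would silently under-report coverage.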
Related terms
- CVE
- CVSS
- OWASP LLM Top 10
Authoritative sources
- CWE program (MITRE)
- CWE Top 25 (2025)
---