CVE | CWE


Computer and Network Security

About us

On this page we hope to establish a dialogue and get your input on issues and topics important to CVE™ and CWE™. Follow us: @CVEannounce, @CVEnew, and @cwecapec on X/Twitter and @CVE_Program and @CWE_Program on Mastodon.

Industry
Computer and Network Security
Company size
5,001-10,000 employees
Founded
1999

Updates

  • CVE | CWE reposted this

    📢 👀 The 2025 CWE Top 25 is here, and there’s lots to dive into! 📢 👀 If you are like me, the Top 25 is often a reminder of an important duality… that we’re getting better at understanding software weaknesses – and that we still have significant work to do. Every year, the Top 25 gives us a snapshot of where the vulnerability landscape is actually moving – and 2025 shows several bright spots worth celebrating, including: CNA-driven root-cause mapping is not only increasing – it’s getting BETTER.
    ✅ In last year’s dataset, 53% of published CVE Records included a CWE mapping provided directly by the publishing CNA. In 2025’s dataset, that climbed to 67% – a 14% year-over-year increase.
    ✅ And importantly: it’s not just MORE mappings, but MORE PRECISE ones. CNAs are selecting lower-abstraction CWEs, using the recommended usage notes more effectively, and contributing richer, more actionable root-cause insight into the global vulnerability corpus. This is exactly the kind of progress the ecosystem needs: better upstream clarity leading to better downstream decisions for defenders, developers, tool vendors, and policymakers.
    The 2025 Top 25 also highlights the areas where our collective improvement must accelerate:
    ☑️ The same families of weaknesses reappear – injection, access control, and memory safety errors aren’t just “Top 25 items”, they’re symptoms of deeper structural and architectural decisions across the software supply chain.
    ☑️ Root-cause insight is improving, but not yet universal, and many environments still treat CWE as an afterthought rather than a strategic tool for preventing entire classes of vulnerabilities.
    💡 These are targets for coordinated action. And the 2025 CWE Top 25 gives us the data to focus that action where it will have the greatest impact (and there’ll be more vulnerability trend analyses to come from CWE in the near future)... 
🎉 HUGE THANKS to everyone across the CWE and CVE communities who made this year’s list possible – from the contributors who refined the data, to the CNAs who continue to raise the bar with more precise, actionable root-cause mappings. Your work directly strengthens the entire vulnerability-management ecosystem. For more information, see: https://lnkd.in/edShtBaR #CVE #CWE #CWETop25 #VulnerabilityManagement #RiskManagement #Cybersecurity #Infosec #SecureByDesign #AppSec #InfoSec #CISA

  • CVE | CWE reposted this

    🚨 The 2025 Common Weakness Enumeration (CWE) Most Dangerous Software Weaknesses has been published! #MITRE’s list highlights the most critical weaknesses that attackers can exploit to compromise systems, steal data and disrupt services. The CWE Top 25 helps: ✔️ Support Vulnerability Reduction ✔️ Drive Cost Efficiency ✔️ Strengthen Customer and Stakeholder Trust ✔️ Promote Consumer Awareness Review the list & evaluate mitigations to reduce your organization’s #cybersecurity risks. 👉 https://lnkd.in/dbgAPMEJ

  • CVE | CWE reposted this

    There’s been a lot of conversation lately about “centralization” in vulnerability data and what a more decentralized future should look like. It’s a valuable discussion – and it helps to clarify how CVE actually works today. CVE has long been a federated, decentralized system. Hundreds of CNAs worldwide assign and publish CVE Records directly, supported by regional and sector-based Roots and a global Council of Roots. This structure distributes stewardship, prevents bottlenecks, and strengthens ecosystem resilience. A common misconception centers on conflating the NVD with CVE. While NVD has historically provided CVE data enrichment and propagation, it has never been the CVE Program. Many may draw their data from NVD as a trusted downstream partner providing CVE information, and they may also choose to pull directly from CVE. CVE policy, rules, assignment, and publication are managed through a community-driven, global federation – and the system is intentionally designed so no single enrichment provider is a point of failure. This model is accelerating as the CVE Program moves deeper into its Quality Era, which emphasizes richer, more complete records produced at the source:
    📢 More supplier CNAs are enriching their own CVE Records directly and consistently – in fact... this year's (upcoming 👀 ) CWE Top 25 dataset had a 14% year-over-year increase in Supplier CNA-provided CWE mappings!
    🔊 New program capabilities are enabling greater automation and higher-quality metadata for downstream consumers (and more are on the way…)
    🌐 Global participation continues to expand – most recently with ENISA becoming a CVE Root, strengthening European representation and further decentralizing program operations
    In many ways, the “future” people are imagining is already well underway: a more resilient, globally distributed, and quality-driven CVE ecosystem where accuracy at the source and broad regional involvement continue to grow.
