MITRE Updates List of 25 Most Dangerous Software Vulnerabilities


The MITRE Corporation has updated its Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses list, which reflects the latest trends in the cyber threat landscape.

The list provides information on the most common and impactful weaknesses that threat actors exploit in attacks to take over systems, steal sensitive information, and cause disruptions.

Cross-site scripting (XSS) vulnerabilities are at the top of this year’s CWE Top 25 list, up from second position last year, with out-of-bounds write flaws dropping to second place.

While SQL injection bugs have remained in third position, cross-site request forgery (CSRF), path traversal, and out-of-bounds read defects went up by five, three, and one place, respectively, displacing OS command injection and use-after-free issues.

The top 10 is rounded out by missing authorization, which was eleventh last year, and unrestricted file uploads, unchanged in tenth position. Code injection, which ranked 23rd in last year’s list, landed at 11th in the updated one.

New entries on the 2024 CWE Top 25 list include exposure of sensitive information at 14, up from 30 last year, and uncontrolled resource consumption at 24, up from 37 last year. Incorrect default permissions and race condition flaws dropped out of the top 25 most dangerous software weaknesses.

The US cybersecurity agency CISA, which worked with the Homeland Security Systems Engineering and Development Institute (HSSEDI), operated by MITRE, in updating the 2024 CWE Top 25, urges organizations to review the list and prioritize these weaknesses in their development and procurement processes.

CISA urges software manufacturers and organizations to adopt Secure by Design practices, apply Secure by Demand guidelines, and incorporate the CWE Top 25 list in their vulnerability management and application security processes.


“By following CISA’s initiatives, organizations can reduce vulnerabilities and strengthen application and infrastructure security. Incorporating the 2024 CWE Top 25 into cybersecurity and procurement strategies will enhance overall resilience,” the agency says.
