| Rank | ID | Name | Score |
|---|---|---|---|
| 1 | CWE-79 | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 46.82 |
| 2 | CWE-787 | Out-of-bounds Write | 46.17 |
| 3 | CWE-20 | Improper Input Validation | 33.47 |
| 4 | CWE-125 | Out-of-bounds Read | 26.50 |
| 5 | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 23.73 |
| 6 | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 20.69 |
| 7 | CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 19.16 |
| 8 | CWE-416 | Use After Free | 18.87 |
| 9 | CWE-352 | Cross-Site Request Forgery (CSRF) | 17.29 |
| 10 | CWE-78 | Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) | 16.44 |
| 11 | CWE-190 | Integer Overflow or Wraparound | 15.81 |
| 12 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 13.67 |
| 13 | CWE-476 | NULL Pointer Dereference | 8.35 |
| 14 | CWE-287 | Improper Authentication | 8.17 |
| 15 | CWE-434 | Unrestricted Upload of File with Dangerous Type | 7.38 |
| 16 | CWE-732 | Incorrect Permission Assignment for Critical Resource | 6.95 |
| 17 | CWE-94 | Improper Control of Generation of Code (‘Code Injection’) | 6.53 |
| 18 | CWE-522 | Insufficiently Protected Credentials | 5.49 |
| 19 | CWE-611 | Improper Restriction of XML External Entity Reference | 5.33 |
| 20 | CWE-798 | Use of Hard-coded Credentials | 5.19 |
| 21 | CWE-502 | Deserialization of Untrusted Data | 4.93 |
| 22 | CWE-269 | Improper Privilege Management | 4.87 |
| 23 | CWE-400 | Uncontrolled Resource Consumption | 4.14 |
| 24 | CWE-306 | Missing Authentication for Critical Function | 3.85 |
| 25 | CWE-862 | Missing Authorization | 3.77 |
https://cwe.mitre.org/top25/archive/2020/2020_cwe_top25.html