The following PDF files provide graphical representations of various CWE views, which give a quick way to see the structure implied by the parent relationships in those views. Some files provide "coverage graphs," in which the members of a smaller view are highlighted within the context of a larger view. This provides a way to see how the entries of the smaller view are organized by the larger view.
| Visualization | Description | Legend (entry types, each colored as shown in the PDF) |
|---|---|---|
| Research View with Abstractions Highlighted | The Research View with the varying levels of weakness abstraction and entry types colored as shown in the legend. | Weakness Pillar; Weakness Class; Weakness Base; Weakness Variant; Compound Elements |
| Development View with Abstractions Highlighted | The Development View with the varying levels of weakness abstraction and entry types colored as shown in the legend. | Category; Weakness Pillar; Weakness Class; Weakness Base; Weakness Variant; Compound Elements |
| Hardware View with Abstractions Highlighted | The Hardware View with the varying levels of weakness abstraction and entry types colored as shown in the legend. | Category; Weakness Pillar; Weakness Class; Weakness Base; Weakness Variant; Compound Elements |
| Weaknesses for Simplified Mapping of Published Vulnerabilities View with Abstractions Highlighted | The Weaknesses for Simplified Mapping of Published Vulnerabilities View with the varying levels of weakness abstraction and entry types colored as shown in the legend. | Weakness Pillar; Weakness Class; Weakness Base; Weakness Variant; Compound Elements |
| Comprehensive Categorization View with Categories Highlighted | The Comprehensive Categorization View with the Category entry types colored as shown in the legend. | Category |
| Development View with Categories Highlighted | The Development View with the Category entry types colored as shown in the legend. | Category |
| OWASP Top 10 (2021) | The OWASP Top 10 (2021) View with entries colored as shown in the legend. | A01 - Broken Access Control; A02 - Cryptographic Failures; A03 - Injection; A04 - Insecure Design; A05 - Security Misconfiguration; A06 - Vulnerable and Outdated Components; A07 - Identification and Authentication Failures; A08 - Software and Data Integrity Failures; A09 - Security Logging and Monitoring Failures; A10 - Server-Side Request Forgery (SSRF) |
| | Other visualizations of the OWASP Top 10 (2021), with entries colored as shown in the legend. | A01 - Broken Access Control; A02 - Cryptographic Failures; A03 - Injection; A04 - Insecure Design; A05 - Security Misconfiguration; A06 - Vulnerable and Outdated Components; A07 - Identification and Authentication Failures; A08 - Software and Data Integrity Failures; A09 - Security Logging and Monitoring Failures; A10 - Server-Side Request Forgery (SSRF) |
| | Visualizations related to the OWASP Top 10 (2004) entries, colored as shown in the legend. | A1 - Unvalidated Input; A2 - Broken Access Control; A3 - Broken Authentication and Session Management; A4 - Cross-Site Scripting (XSS) Flaws; A5 - Buffer Overflows; A6 - Injection Flaws; A7 - Improper Error Handling; A8 - Insecure Storage; A9 - Denial of Service; A10 - Insecure Configuration Management; Red highlight, visible from a distance |
| OWASP Top 10 (2007) in CWE | The OWASP Top 10 (2007) entries that have been mapped to CWE entries. | A1 - Cross Site Scripting (XSS); A2 - Injection Flaws; A3 - Malicious File Execution; A4 - Insecure Direct Object Reference; A5 - Cross Site Request Forgery (CSRF); A6 - Information Leakage and Improper Error Handling; A7 - Broken Authentication and Session Management; A8 - Insecure Cryptographic Storage; A9 - Insecure Communications; A10 - Failure to Restrict URL Access |
| OWASP Top 10 (2013) in CWE | The OWASP Top 10 (2013) entries that have been mapped to CWE entries. | A1 - Injection; A2 - Broken Authentication and Session Management; A3 - Cross-Site Scripting (XSS); A4 - Insecure Direct Object References; A5 - Security Misconfiguration; A6 - Sensitive Data Exposure; A7 - Missing Function Level Access Control; A8 - Cross-Site Request Forgery (CSRF); A9 - Using Components with Known Vulnerabilities; A10 - Unvalidated Redirects and Forwards |
| | The Seven Pernicious Kingdoms View with entries colored as shown in the legend. | Environment; Input Validation; API Abuse; Security Features; Time and State; Error Handling; Code Quality; Encapsulation; Red highlight, visible from a distance |
| | The CERT C Secure Coding Standard (2008) view. | Preprocessor (PRE), Signals (SIG); Declarations and Initialization (DCL), Error Handling (ERR); Expressions (EXP), Miscellaneous (MSC); Integers (INT); Floating Point (FLP); Arrays (ARR); Characters and Strings (STR); Memory Management (MEM); Input Output (FIO); Environment (ENV), POSIX (POS); Red highlight, visible from a distance |
| Research View with CWE Cross-section in Red | The Research View with the CWE Cross-section entries highlighted in red for visibility at a distance. | CWE Cross-section Entry |
| Development View with CWE Cross-section in Red | The Development View with the CWE Cross-section entries highlighted in red for visibility at a distance. | CWE Cross-section Entry |
| Software Fault Pattern (SFP) Clusters View in CWE | Software Fault Pattern (SFP) Clusters in CWE, colored as shown in the legend. | Primary SFP Cluster; Secondary SFP Cluster; Weakness |
| Development View weaknesses with Software Fault Patterns (SFP) in Red | The Development View weaknesses that have defined Software Fault Pattern (SFP) entries, highlighted in red for visibility at a distance. | Software Fault Pattern (SFP) |
| Research View weaknesses with Software Fault Patterns (SFP) in Red | The Research View weaknesses that have defined Software Fault Pattern (SFP) entries, highlighted in red for visibility at a distance. | Software Fault Pattern (SFP) |
| 2011 CWE/SANS Top 25 | The 2011 CWE/SANS Top 25 entries colored as shown in the legend. | Insecure Interaction Between Components; Risky Resource Management; Porous Defenses; Weaknesses On the Cusp |
| 2010 CWE/SANS Top 25 | The 2010 CWE/SANS Top 25 entries colored as shown in the legend. | Insecure Interaction Between Components; Risky Resource Management; Porous Defenses; Weaknesses On the Cusp |
| Development View with 2010 CWE/SANS Top 25 in Red | The Development View with the 2010 CWE/SANS Top 25 entries highlighted in red for visibility at a distance. | 2010 CWE/SANS Top 25 Entry |
| Research View with 2010 CWE/SANS Top 25 in Red | The Research View with the 2010 CWE/SANS Top 25 entries highlighted in red for visibility at a distance. | 2010 CWE/SANS Top 25 Entry |
| 2009 CWE/SANS Top 25 | The 2009 CWE/SANS Top 25 entries colored as shown in the legend. | Insecure Interaction Between Components; Risky Resource Management; Porous Defenses |
See the Visualization Archive page for visualizations from older CWE versions.
Please contact cwe@mitre.org with suggestions for additional views.
Use of the Common Weakness Enumeration (CWE™) and the associated references from this website are subject to the Terms of Use. CWE is sponsored by the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and managed by the Homeland Security Systems Engineering and Development Institute (HSSEDI) which is operated by The MITRE Corporation (MITRE). Copyright © 2006–2025, The MITRE Corporation. CWE, CWSS, CWRAF, and the CWE logo are trademarks of The MITRE Corporation.