InfoSecBulletin Cybersecurity for mankind
MITRE identified Cross-site scripting as the most critical software flaw in its recent published report of the past year. The nonprofit published its latest ranking of the Top 25 Most Dangerous Software Weaknesses on November 20, highlighting critical flaws from the Common Weakness Enumeration (CWEs) catalog between June 2023 and June 2024.
CWE is a list of common software weaknesses in code, design, or architecture that can lead to vulnerabilities, which are cataloged in the CVE database.
AWS SNS misused for Data Exfiltration and Phishing
Researcher found non protected database form ESHYFT containig 86000 records
CVE-2024-55591 and CVE-2025-24472
New SuperBlack ransomware exploits Fortinet flaws
CVE-2025-25291 & CVE-2025-25292
Attention! GitLab Patched Critical Authentication Bypass Flaws
CVE-2025-20138
Cisco released High Security Alert for IOS XR Software
400+ IPs Exploiting Multiple SSRF Vulnerabilities
NVIDIA has released update for NVIDIA Riva
CVE-2025-24201
Apple fixes 0-day exploited in “extremely sophisticated attack”
Microsoft’s March 2025 updates fix 7 zero-day, 57 flaws
Ballista Botnet infects 6000 Unpatched TP-Link Routers
MITRE reviewed 31,770 CVEs from 2023 and 2024 to determine the criticality level of software weaknesses that needed re-mapping analysis.
MITRE assigned scores to each weakness based on severity and how often they are exploited, particularly focusing on security flaws in the CISA’s Known Exploited Vulnerabilities (KEV) catalog.
Cross-site scripting, or CWE-79, ranked first this year with a score of 56.92 and three known exploited vulnerabilities. It replaced last year’s most dangerous CWE, ‘Out-of-bounds Write’ (CWE-787), which had 18 known exploited vulnerabilities and a score of 45.20.
SQL Injection, or ‘Improper Neutralization of Special Elements used in an SQL Command’ (CWE-89), ranks third with a score of 35.88 and has four known exploited vulnerabilities.
MITRE stated that the ranking is a useful resource for developers and security professionals and acts as a strategic guide for organizations looking to make informed decisions about software, security, and risk management investments.
“Organizations are strongly encouraged to review this list and use it to inform their software security strategies. Prioritizing these weaknesses in development and procurement processes helps prevent vulnerabilities at the core of the software lifecycle,” the organization added.
The nonprofit works with CISA on the CVE and CWE programs. CISA regularly issues alerts highlighting common software vulnerabilities, despite effective solutions being available.
