The CWE Top 25 Most Dangerous Software Weaknesses identifies the software defects most frequently exploited to compromise systems. MergeGuide ships with detection rules covering all 25 weaknesses — enforced across all 14 supported languages from the first line of code.
The Common Weakness Enumeration (CWE) is a community-developed list of software and hardware weakness types, maintained by MITRE. The CWE Top 25 is compiled annually from CVE data — representing the weaknesses that produce the most real-world exploits across all software categories.
Unlike the OWASP Top 10 (which focuses on web applications), the CWE Top 25 covers weaknesses across all software types, including systems software, embedded systems, and enterprise applications. It is referenced by the NIST NVD and the CISA KEV catalog, and security researchers worldwide use it as the canonical weakness taxonomy.
MergeGuide's Free tier includes full CWE Top 25 detection — bundled with OWASP Top 10 coverage in the baseline tier. 106 Semgrep rules and 237 regex patterns enforce CWE Top 25 coverage across all 14 supported languages with no subscription required.
| CWE ID | What MergeGuide Detects | Severity |
|---|---|---|
| CWE-89 — SQL Injection | Unparameterized database queries concatenating user-controlled input | Critical |
| CWE-79 — XSS | User-controlled data rendered in HTML output without encoding | Critical |
| CWE-78 — OS Command Injection | Shell execution calls with unsanitized arguments from user input | Critical |
| CWE-798 — Hardcoded Credentials | Passwords, API keys, and secrets embedded in source code | Critical |
| CWE-22 — Path Traversal | File system operations with user-controlled path components | High |
| CWE-352 — CSRF | State-changing endpoints missing CSRF token validation | High |
| CWE-434 — Unrestricted Upload | File upload handlers without type or size validation | High |
Full CWE Top 25 detection is included in MergeGuide's Free tier alongside OWASP Top 10. Every developer gets detection coverage for the most exploited software weaknesses with no subscription required — because baseline security shouldn't be a paid feature.
CWE Top 25 is compiled from CVE data and aligns directly with CISA's Known Exploited Vulnerabilities catalog. MergeGuide's detection rules target the code patterns that produce these weaknesses — preventing the bugs that become CVEs before they ship.
CWE Top 25 weaknesses appear across all programming languages. MergeGuide's detection rules cover all 25 weaknesses across 14 languages — Go, Python, JavaScript, TypeScript, Java, C#, Ruby, PHP, Swift, Kotlin, Rust, C/C++, Terraform, and Dockerfile.
Start free — full CWE Top 25 and OWASP Top 10 detection included, no credit card required.