Common Weakness Enumeration

Common Weakness Enumeration is a standardized catalog of software weakness types used to classify recurring design, implementation, and architecture problems in security terms.

Common Weakness Enumeration, usually called CWE, is a standardized catalog of software weakness types. In plain language, it gives security and development teams a shared way to name recurring software problems such as unsafe input handling, weak access control, or poor secret management.

Why It Matters

CWE matters because recurring weakness patterns show up across many codebases, frameworks, vendors, and architectures. A shared taxonomy helps teams talk about root causes instead of treating every security issue as a one-off surprise.

It also matters because prevention improves when teams can recognize patterns. If multiple findings all map back to the same weakness family, security work can shift from symptom-fixing to process improvement, design changes, and better developer guidance.

Where It Appears in Real Systems or Security Workflow

CWE appears in Static Application Security Testing, secure code review, development training, security reporting, root-cause analysis, and remediation planning. Security teams use it to classify findings, look for repeated patterns, and communicate with developers in a more systematic way.

It connects closely to Common Vulnerabilities and Exposures, Common Vulnerability Scoring System, Secure Coding, Broken Access Control, and Threat Modeling.

It is most useful when it helps teams move from isolated bug cleanup to understanding the underlying weakness family that keeps reappearing in the codebase.

Practical Example

A development team sees several findings across different services: unsafe object access in one API, inconsistent permission checks in another, and overbroad admin actions in a third. Mapping those findings to a shared weakness family helps the team see that the deeper problem is recurring access-control design, not just three unrelated bugs.
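One way to perform the grouping this example describes, as an added Python example that is not part of the original page: each finding carries a CWE id, the script walks CWE's ChildOf links to the top of each chain, and groups findings by that root family so three separately reported access-control bugs surface as one recurring family. The findings, service names and titles are constructed for the example, and the parent map is an abbreviated, hand-entered excerpt of the ChildOf relations that should be checked against the published CWE data before being relied on.

```python
# Added example: cluster scanner findings by the top-level CWE family they map to.
# Findings and the parent map below are constructed for this example; the parent
# links are an abbreviated, hand-entered excerpt of CWE's ChildOf relations and
# should be verified against the published CWE data.
from collections import Counter, defaultdict

# Constructed parent links: child CWE id -> parent CWE id (abbreviated excerpt).
CWE_PARENT = {
    "CWE-639": "CWE-863",  # Authorization Bypass Through User-Controlled Key
    "CWE-863": "CWE-285",  # Incorrect Authorization
    "CWE-862": "CWE-285",  # Missing Authorization
    "CWE-285": "CWE-284",  # Improper Authorization -> Improper Access Control
    "CWE-269": "CWE-284",  # Improper Privilege Management
    "CWE-79":  "CWE-74",   # Cross-site Scripting
    "CWE-89":  "CWE-943",  # SQL Injection
    "CWE-943": "CWE-74",   # Improper Neutralization in Data Query Logic
    "CWE-74":  "CWE-707",  # Injection -> Improper Neutralization
}

# Constructed sample findings, modelled on the three services in the text plus
# one unrelated finding to show that it lands in a different family.
FINDINGS = [
    {"service": "orders-api",   "title": "user can fetch another user's order by id", "cwe": "CWE-639"},
    {"service": "billing-api",  "title": "refund endpoint skips permission check",    "cwe": "CWE-862"},
    {"service": "admin-api",    "title": "support role can delete any account",       "cwe": "CWE-269"},
    {"service": "web-frontend", "title": "reflected script in search box",            "cwe": "CWE-79"},
]


def root_family(cwe_id, parents=CWE_PARENT):
    """Walk ChildOf links upward until an id with no known parent is reached.

    Ids missing from the map are returned unchanged, so unmapped findings
    still form their own group instead of being dropped.
    """
    seen = set()  # guard against a malformed map that contains a cycle
    while cwe_id in parents and cwe_id not in seen:
        seen.add(cwe_id)
        cwe_id = parents[cwe_id]
    return cwe_id


def cluster_by_family(findings, parents=CWE_PARENT):
    """Return {root_family_id: [finding, ...]} grouping findings by root family."""
    clusters = defaultdict(list)
    for finding in findings:
        clusters[root_family(finding["cwe"], parents)].append(finding)
    return dict(clusters)


def recurring_families(findings, threshold=2, parents=CWE_PARENT):
    """Families with at least `threshold` findings: candidates for a design-level fix
    rather than three separate bug tickets."""
    counts = Counter(root_family(f["cwe"], parents) for f in findings)
    return {family: n for family, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for family, items in cluster_by_family(FINDINGS).items():
        print(f"{family}: {len(items)} finding(s)")
        for f in items:
            print(f"  {f['service']}: {f['title']} [{f['cwe']}]")
    print("recurring families:", recurring_families(FINDINGS))
```

Run as-is, the three access-control findings from different services collapse into the CWE-284 family while the XSS finding stays separate, which is the signal the text describes: a recurring design weakness rather than unrelated bugs. In practice the parent map would be loaded from the CWE data download rather than typed in by hand.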

Common Misunderstandings and Close Contrasts

CWE is not the same as CVE. CWE describes a class of weakness, while CVE identifies a specific disclosed vulnerability instance in a real product or component.

It is also different from CVSS. CVSS describes severity, not weakness category.

Nor does CWE guarantee that every issue fits neatly into one label. Its value lies in consistent classification and learning, not in forcing reality into an oversimplified taxonomy.

Knowledge Check

  1. What is the main job of CWE in security work? It gives teams a standardized way to classify recurring weakness types.
  2. How is CWE different from CVE? CWE describes a weakness category, while CVE identifies a specific disclosed vulnerability instance.
  3. Why is CWE useful beyond reporting? It helps teams see repeated patterns and improve secure design or development practices systematically.