
The 10 most dangerous software vulnerabilities

The most dangerous software weaknesses must be managed from the design stage

CISA and MITRE have published their annual list of the most dangerous software vulnerabilities to help manufacturers and companies protect themselves against attacks

A few days ago, the US agency in charge of cybersecurity (CISA) and the Homeland Security Systems Engineering and Development Institute (HSSEDI), managed by MITRE, released the 2025 version of their top 25 most dangerous software vulnerabilities.

Both CISA and MITRE are leading players in cybersecurity methodology, and this ranking highlights the most dangerous software vulnerabilities and the consequences of their successful exploitation by malicious actors.

Below, we will break down the 10 most dangerous software vulnerabilities according to the list and explain which cybersecurity services are critical to successfully mitigating them and staying ahead of attackers.

The most dangerous software vulnerabilities in the last year

1. Cross-Site Scripting (XSS)

Cross-Site Scripting is a vulnerability that allows a hostile actor to execute malicious script in the context of a web application.

As explained in the ranking of the most dangerous software weaknesses, the program fails to correctly neutralize user-controlled input when generating web pages.

What can malicious actors achieve by exploiting this weakness?

  • Bypass the software’s protection mechanisms.
  • Read or alter application data.
  • Execute unauthorized code that allows them to steal information from users who access the application or force them to perform actions unknowingly, among other things.

Recently, vulnerabilities of this type have been detected in AI assistants (CVE-2024-49038), in database software such as OpenAtlas (CVE-2025-40702 to 40709), and in security solutions such as GlobalProtect (CVE-2025-0133).

Given the seriousness of the consequences and the fact that vulnerabilities of this type are relatively common, Cross-Site Scripting ranks first among the most dangerous software weaknesses, according to CISA and HSSEDI.
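The root cause described above is output that is built from user input without context-appropriate encoding. The following is an added example, not code from the original article: a constructed display-name value rendered once the vulnerable way and once with encoding, plus the separate encoding needed when data is placed inside a script block. The function names, the sample input and the `window.__DATA__` variable are assumptions for the demonstration.

```python
import html
import json

# Constructed sample input: what a user might submit in a "display name" field.
USER_INPUT = '<script>alert(1)</script>" onmouseover="alert(2)'


def render_unsafe(name: str) -> str:
    """CWE-79 pattern: user input is concatenated straight into the page,
    once in element text and once inside an attribute value."""
    return f'<p>Hello, {name}</p><input value="{name}">'


def render_safe(name: str) -> str:
    """Hardened form: encode for the HTML text and attribute contexts.
    quote=True also encodes " and ' so the value cannot close the attribute."""
    enc = html.escape(name, quote=True)
    return f'<p>Hello, {enc}</p><input value="{enc}">'


def embed_in_script_safe(data: dict) -> str:
    """Data placed inside a <script> block needs a different encoding:
    JSON with '<' and '>' written as \\u escapes, so a value containing
    '</script>' cannot terminate the block early."""
    payload = json.dumps(data).replace("<", "\\u003c").replace(">", "\\u003e")
    return f"<script>window.__DATA__ = {payload};</script>"


def survives_unencoded(markup: str) -> bool:
    """Cheap review-time check: did a tag or attribute breakout from the
    constructed input survive into the output unencoded?"""
    lowered = markup.lower()
    return "<script" in lowered or '" onmouseover=' in lowered
```

The point of the third function is that there is no single "escape" that works everywhere: text nodes, attribute values and script blocks each need their own encoding, and a template engine that auto-escapes only the first two still leaves the third exposed.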

2. SQL injection

Another of the most dangerous software weaknesses, which has sadly become a classic, is SQL injection.

In this case, we are dealing with a security flaw that allows arbitrary SQL queries to be executed. Why? The web application is unable to adequately filter the data entered by a user, which means that there is “a risk that the SQL statement to be executed may be altered by database engine control characters such as single or double quotation marks.”

What are the most common consequences of exploiting this weakness present in some web applications?

  • Unauthorized execution of code or commands.
  • Reading application data, which compromises its confidentiality.
  • Modification of application data.

The list of the most dangerous software weaknesses focuses on how this weakness appears in programs:

  • In applications with database functionality (login, data storage, etc.).
  • In applications that use databases and allow users to interact with them (save, query, edit).

Vulnerabilities of this type have recently been detected in AI chatbots (CVE-2024-6847), firewalls (CVE-2025-25257), and management software (CVE-2025-25181).

This vulnerability has risen one place in the ranking of the most dangerous software weaknesses compared to last year’s top.
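The quoted explanation (control characters such as quotation marks altering the statement) is easiest to see with a real database engine. The following is an added example, not code from the original article, using Python's built-in sqlite3 module against a constructed in-memory user table; the table layout, user names and function names are assumptions. It shows the concatenated query, the parameterized query, and the case parameters cannot cover (identifiers such as a sort column), which needs an allow-list instead.

```python
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory database standing in for an application's user table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    # Plaintext passwords only to keep the demo short; real systems store salted hashes.
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "hunter2", "user")],
    )
    return conn


def find_user_unsafe(conn: sqlite3.Connection, name: str, password: str):
    """CWE-89 pattern: input is spliced into the SQL text, so a quote
    character in the input changes the statement itself."""
    sql = (f"SELECT name, role FROM users "
           f"WHERE name = '{name}' AND password = '{password}'")
    return conn.execute(sql).fetchone()


def find_user_safe(conn: sqlite3.Connection, name: str, password: str):
    """Hardened form: the statement is fixed; values travel as bound parameters
    and are never parsed as SQL."""
    sql = "SELECT name, role FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone()


# Parameters cannot bind identifiers (table or column names) or keywords such as
# ASC/DESC, so those must be validated against a fixed allow-list instead.
ALLOWED_SORT_COLUMNS = {"name", "role"}


def list_users_sorted(conn: sqlite3.Connection, column: str) -> list:
    if column not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unsupported sort column: {column!r}")
    rows = conn.execute(f"SELECT name FROM users ORDER BY {column}")
    return [row[0] for row in rows]
```

With the password field set to `' OR '1'='1`, the concatenated version returns the first user in the table (an administrator here) without any valid credential, while the parameterized version returns nothing because the engine compares the literal string.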

3. CSRF

Cross-Site Request Forgery (CSRF) vulnerabilities occur when web applications cannot distinguish between requests initiated by a legitimate user and those initiated by an unauthorized agent.

This is possible because an attacker, “despite not knowing the value of a user’s cookies on a website, is able to force requests to it from an external domain (cross-site requests) that contain the appropriate values.”

Thus, if the application lacks adequate protection mechanisms, a hostile actor can carry out CSRF attacks and impersonate the victim, performing any operation in the application as if they were the victim. This could open the door to data theft or the execution of malicious code.

Furthermore, if the victim has an administrator role or elevated privileges, the consequences are even more severe, and the hostile actor could gain complete control of the application. This could result in the deletion, modification, or theft of information or the malicious use of the product to launch attacks against all users. The same would happen if the malicious actor is able to escalate the privileges of a regular user.

In the last year, CSRF vulnerabilities have been detected in software such as Telegram (CVE-2025-58794), WordPress plugins such as Style Admin (CVE-2025-23801) or Quick Interest Slider (CVE-2025-64237), and the e-commerce platform Selldone (CVE-2025-26206). This weakness has also moved up one place in the ranking of the most dangerous software weaknesses compared to the previous top.
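The protection mechanism the text refers to is a check that the request actually originated from the application's own pages rather than from an external domain. The following is an added example, not code from the original article: a synchronizer token bound to the session, combined with an Origin/Referer check, evaluated over constructed request headers and form fields. `APP_ORIGIN`, the session dictionary and the function names are assumptions.

```python
import hmac
import secrets

# Assumed origin of our own application (placeholder, not from the article).
APP_ORIGIN = "https://app.example"


def issue_csrf_token(session: dict) -> str:
    """Generate an unguessable per-session token and remember it server-side.
    The application embeds it in every state-changing form as a hidden field."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def _origin_is_ours(headers: dict) -> bool:
    """Browsers attach an Origin header to cross-site POSTs, so a foreign origin is
    an immediate reject. Compare on the exact origin (or a path under it), never a
    bare prefix, so 'https://app.example.attacker' does not pass."""
    origin = headers.get("Origin") or headers.get("Referer") or ""
    return origin == APP_ORIGIN or origin.startswith(APP_ORIGIN + "/")


def request_is_trusted(session: dict, headers: dict, form: dict) -> bool:
    """Accept a state-changing request only if both checks pass: the request
    came from our origin AND carries the token bound to this session. The
    session cookie alone proves nothing, because the browser sends it on
    cross-site requests as well."""
    if not _origin_is_ours(headers):
        return False
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not supplied:
        return False
    # Constant-time comparison so the check does not leak timing information.
    return hmac.compare_digest(expected, supplied)
```

A request that arrives with neither Origin nor Referer is rejected here; that is a policy choice that trades a small amount of compatibility for a simpler rule. The token check is what makes the external domain's request fail: it can force the victim's browser to send the cookies, but it cannot read the token embedded in the application's own page.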

Software cybersecurity is key throughout its entire life cycle

4. Lack of authorization

This weakness arises when an actor attempts to access a software resource or perform an action and the application does not perform the relevant authorization check.

This means that a malicious actor could:

  • Read confidential data from the application and from documents or directories.
  • Modify sensitive information, documents, and directories.
  • Elevate their privileges to read or modify data directly, or to access critical functionalities.
  • Carry out denial-of-service (DoS) attacks by accessing system resources and consuming those resources excessively.

Why does this type of weakness arise? As with most categories in this ranking of the most dangerous software weaknesses, the origin lies in the omission of security measures during the program’s architectural design.

In addition, deficiencies in the authorization process can arise when a single-user application is moved to a multi-user environment, or when a developer lacks a robust understanding of the underlying technologies and therefore fails to implement appropriate security measures during development.

Just a few weeks ago, an authorization bypass vulnerability in Barn2 Plugins Document Library Lite (CVE-2025-67985) was made public. However, we have seen several vulnerabilities of this type over the past year: CVE-2025-41232 (in the Spring Security framework), CVE-2025-26378 (in the Q-Free MaxTime traffic management software), and the recently published CVE-2025-0836 (in the Milestone Systems XProtect VMS video surveillance management platform).

This weakness has seen the most notable rise in the ranking of the most dangerous software weaknesses, moving from 9th to 4th place.
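The first two consequences listed above (reading and modifying data that belongs to someone else) usually come from code that authenticates the caller but never asks whether that caller may touch the specific object requested. The following is an added example, not code from the original article: a constructed document store with an authorization-free lookup beside one that routes every access through a central, default-deny policy. The users, documents, roles and function names are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: int
    role: str  # "user" or "admin"


@dataclass(frozen=True)
class Document:
    id: int
    owner_id: int
    body: str


class Forbidden(Exception):
    """Raised when the caller may not perform the requested action."""


# Constructed sample data: two ordinary users, each owning one document, and an admin.
ALICE = User(id=100, role="user")
BOB = User(id=200, role="user")
ADMIN = User(id=1, role="admin")
DOCS = {
    1: Document(id=1, owner_id=ALICE.id, body="alice's private notes"),
    2: Document(id=2, owner_id=BOB.id, body="bob's private notes"),
}


def get_document_unsafe(user: User, doc_id: int) -> Document:
    """CWE-862 pattern: the caller is authenticated, but nothing asks whether
    *this* user may read *this* document. Any logged-in user can walk the ids."""
    return DOCS[doc_id]


def authorize(user: User, doc: Document, action: str) -> bool:
    """Single, central policy decision; anything not explicitly allowed is denied."""
    if user.role == "admin":
        return True
    if action in ("read", "update", "delete") and doc.owner_id == user.id:
        return True
    return False


def get_document_safe(user: User, doc_id: int) -> Document:
    """Hardened form: look up, then authorize, before returning anything.
    Missing and forbidden documents raise the same error so ids cannot be probed."""
    doc = DOCS.get(doc_id)
    if doc is None or not authorize(user, doc, "read"):
        raise Forbidden(f"user {user.id} may not read document {doc_id}")
    return doc
```

Keeping the decision in one `authorize` function is what makes the "single-user application moved to a multi-user environment" case manageable: new actions and roles are added in one place, and a missing branch fails closed instead of open.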

5. Out-of-bounds writing

The software writes data outside the intended limits of a memory buffer, or to invalid memory. This is the classic buffer overflow, a form of memory corruption. What are the possible consequences of this vulnerability?

  • Damage to the program’s memory, as a result of a hostile actor modifying control data, such as return addresses, and thus executing malicious code.
  • Software crashes when attempting to access out-of-range or invalid memory.
  • Unexpected or undefined results caused by subsequent write operations.

Recent examples of vulnerabilities of this type include CVE-2025-60015 (affecting the F5OS network device operating system), CVE-2025-53367 (present in DjVuLibre document creation and manipulation software), and CVE-2025-9242 (detected in WatchGuard Fireware).

Unlike the previous category, this weakness drops three positions from the previous ranking of the most dangerous software weaknesses.

6. Path Traversal

This weakness occurs when software uses external inputs to construct the access path intended to identify a file or directory located within a restricted root directory, but is unable to neutralize special elements within the path that can cause it to resolve outside the restricted directory.

In this way, malicious actors can escape the restricted location and access files stored elsewhere on the host’s file system.

The consequences of exploiting this vulnerability are that the malicious actor could:

  • Create and overwrite critical files used to execute code. In addition, if the overwritten file is used in a security mechanism, it could be bypassed.
  • Read the contents of files and expose confidential software data. Furthermore, if the file is used in a security mechanism, it could also be bypassed.
  • Overwrite, delete, or damage critical files, thereby preventing the software from functioning properly or blocking user access.

Some examples of Path Traversal vulnerabilities are CVE-2023-2825, which affected Gitlab and allowed arbitrary files on the server to be read; CVE-2024-53677, detected in the Apache Struts framework, which allowed remote code execution; and, more recently, CVE-2025-64446, present in the FortiWeb firewall.

This weakness has fallen one place in the ranking compared to last year.
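The "special elements" the definition refers to are sequences such as `..` and absolute path prefixes that make a path resolve outside the intended root. The following is an added example, not code from the original article: a constructed directory tree with one file inside the permitted root and one above it, a direct `open` that follows the input wherever it points, and a resolver that canonicalises the path and checks that it still lies under the root. The directory names, file contents and function names are assumptions.

```python
import os
import tempfile


class TraversalAttempt(ValueError):
    """Raised when a user-supplied path would resolve outside the permitted root."""


def resolve_under_root(root: str, user_path: str) -> str:
    """Canonicalise both paths (resolving '..', '.' and symlinks) and require that
    the result still lies under the root. This rejects '../' sequences, absolute
    paths (os.path.join discards the root when given one) and symlinks that point
    outside the root."""
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, user_path))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise TraversalAttempt(user_path)
    return candidate


def read_file_unsafe(root: str, user_path: str) -> str:
    """CWE-22 pattern: the path is built from input and opened as-is."""
    with open(os.path.join(root, user_path), encoding="utf-8") as fh:
        return fh.read()


def read_file_safe(root: str, user_path: str) -> str:
    """Hardened form: only paths that resolve under the root are opened."""
    with open(resolve_under_root(root, user_path), encoding="utf-8") as fh:
        return fh.read()


def make_demo_tree() -> tuple:
    """Constructed layout: <base>/public/report.txt is meant to be served;
    <base>/secret.txt sits one level above the permitted root."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "public")
    os.mkdir(root)
    with open(os.path.join(root, "report.txt"), "w", encoding="utf-8") as fh:
        fh.write("quarterly report")
    with open(os.path.join(base, "secret.txt"), "w", encoding="utf-8") as fh:
        fh.write("db password")
    return base, root
```

The check is done on the canonical form rather than by scanning the input for `..`, because encodings, mixed separators and symlinks can all defeat a string match while the resolved path tells the truth.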

7. Use After Free

The Use-After-Free (UAF) weakness occurs when a program continues to use a pointer after the memory it points to has been freed, by which time the allocator may have handed the same memory to another pointer.

Any operation performed through the original pointer is invalid, because the memory now belongs to whichever code received it from the allocator.

What are the consequences of this weakness?

  • Memory corruption.
  • Arbitrary code execution.
  • System crashes.

In early 2025, a UAF vulnerability in the Linux kernel (CVE-2025-21726) was detected, and a couple of months ago, another UAF vulnerability was disclosed in the QuickJS JavaScript Engine standard library (CVE-2025-62491).

In the ranking of the most dangerous software weaknesses, it is one place higher than in the previous top.

CISA has published the most dangerous software weaknesses

8. Out-of-bounds reading

Similar to out-of-bounds writing, the software reads outside the intended limits of a memory buffer. The possible consequences are:

  • An attacker obtains cryptographic keys, personal user information, or memory addresses that can be used in other attacks.
  • ASLR and other security mechanisms can be bypassed using the leaked memory addresses and other information.
  • A segmentation fault or crash occurs when memory is accessed outside its allocated bounds.

Some recent examples of this weakness include CVE-2025-58281 (in Huawei HarmonyOS), CVE-2025-29834 (affecting Microsoft Edge), and CVE-2025-5777 (in Citrix NetScaler). This vulnerability has dropped two places in the ranking of the most dangerous software vulnerabilities.

9. OS Command Injection

The software constructs an operating system (OS) command using externally influenced inputs from an upstream component. However, it does not adequately neutralize special elements that could modify the OS command when it is sent to a downstream component.

This way, a malicious actor could execute unauthorized commands on the operating system to disable the software or read and modify sensitive data.

Furthermore, because the operating system executes the commands, it may appear that the malicious activity is originating from the software, thereby going unnoticed and potentially causing greater damage.

Some examples of this weakness are CVE-2025-24971 (present in DumbDrop, an application for uploading documents to server folders), CVE-2025-3022 (which affected the e-management project management program), and CVE-2024-3400 and CVE-2025-0127 (vulnerabilities detected in PAN-OS software that runs firewalls and acts as the first layer of defense for thousands of companies).
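The "special elements" in this definition are shell operators: when the command is a string handed to a shell, characters such as `;` and `|` in the input become part of the command line. The following is an added example, not code from the original article: it shows how a shell would tokenise a constructed command string (without running it), then the hardened form that passes an argument list directly to the OS so the whole input arrives as a single argument, with input validation in front. A Python child process stands in for the `ping` tool so the block runs anywhere; the hostname pattern and function names are assumptions.

```python
import re
import shlex
import subprocess
import sys

# Assumed shape of an acceptable hostname or IPv4 address (letters, digits, dots, hyphens).
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")


def build_command_unsafe(host: str) -> str:
    """CWE-78 pattern: the command is a string destined for a shell (shell=True,
    os.system, ...). Characters such as ';' or '|' in the input are shell syntax."""
    return f"ping -c 1 {host}"


def shell_tokens(command: str) -> list:
    """Show how a POSIX shell would lex the string, without executing it.
    punctuation_chars=True makes ';', '|' and '&&' come out as separate tokens."""
    return list(shlex.shlex(command, punctuation_chars=True))


def contains_shell_operator(command: str) -> bool:
    """Detection helper for logs or review: does the command contain an operator
    that would start a second command?"""
    return any(tok in {";", "|", "||", "&", "&&"} for tok in shell_tokens(command))


def echo_argv(host: str) -> str:
    """Hardened form: no shell. The argument list goes straight to the OS, so the
    whole input arrives as one argv entry. A Python child stands in for 'ping'
    and simply prints its first argument back."""
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", host],
        capture_output=True, text=True, check=True,
    )
    return result.stdout.rstrip("\n")


def run_validated(host: str) -> str:
    """Defence in depth: even with argv passing, validate the input shape first
    so the downstream tool never sees a value it was not designed for."""
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"rejected hostname: {host!r}")
    return echo_argv(host)
```

The argument-list form removes the shell from the path, which is the structural fix; validation is kept as well because some tools interpret arguments beginning with `-` as options, which a list alone does not prevent.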

10. Code injection

This weakness arises when software fails to neutralize special elements in the input from which all or part of a code segment is constructed. Those special elements can then modify the syntax and behavior of the intended code segment.

The consequences of exploiting this weakness include:

  • Remote access by attackers, because the injected code is able to control the authentication process.
  • Illegitimate access to program resources using the injected code.
  • Alteration of the intended control flow of the software. This can facilitate the injection of arbitrary code, thereby compromising data integrity.
  • Inability to log the actions executed by the injected code.

These types of vulnerabilities have been detected in the last year in software such as SAP S/4HANA ERP (CVE-2025-42957) and the WordPress Code Engine plugin (CVE-2025-48169).

In addition, of course, we cannot fail to mention React2Shell (CVE-2025-55182), one of the most significant vulnerabilities of 2025, discovered at the end of the year.

This weakness enters the top 10 in this year’s ranking of the most dangerous software weaknesses, up one place from last year.
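The definition above ("input from which a code segment is constructed") describes any feature that hands user text to an interpreter. The following is an added example, not code from the original article: a constructed expression-evaluation feature, first as an `eval` call that lets the input reach the whole interpreter, then two hardened forms that parse the input as data only, and as a small arithmetic language built from an allow-list of syntax-tree node types. The function names and the set of permitted operators are assumptions.

```python
import ast
import operator


def evaluate_unsafe(expr: str):
    """CWE-94 pattern: input handed to the interpreter. Any Python expression
    runs, including attribute access that reaches the whole object graph."""
    return eval(expr)  # the point of the demo, not a recommendation


def evaluate_literal(expr: str):
    """If the input is supposed to be data (numbers, strings, lists, dicts),
    ast.literal_eval parses it without evaluating code."""
    return ast.literal_eval(expr)


# Allow-list of operators for a tiny arithmetic language.
_BINARY = {ast.Add: operator.add, ast.Sub: operator.sub,
           ast.Mult: operator.mul, ast.Div: operator.truediv}
_UNARY = {ast.USub: operator.neg, ast.UAdd: operator.pos}


def evaluate_arithmetic(expr: str):
    """If the input is supposed to be a formula, parse it into an AST and walk only
    the node types the feature needs; every other construct is rejected."""
    tree = ast.parse(expr, mode="eval")

    def walk(node):
        if isinstance(node, ast.Constant) and isinstance(node.value, (int, float)):
            return node.value
        if isinstance(node, ast.BinOp) and type(node.op) in _BINARY:
            return _BINARY[type(node.op)](walk(node.left), walk(node.right))
        if isinstance(node, ast.UnaryOp) and type(node.op) in _UNARY:
            return _UNARY[type(node.op)](walk(node.operand))
        raise ValueError(f"disallowed syntax: {type(node).__name__}")

    return walk(tree.body)
```

The allow-list approach is the general fix: decide what language the feature actually needs (data, arithmetic, a template subset) and implement exactly that, rather than exposing the host interpreter and trying to filter out the dangerous parts.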

Security by design is critical to preventing the most dangerous software weaknesses

From our brief review of the most dangerous software weaknesses today, we can conclude that:

  1. Security must be a central element when designing the architecture of a program. To mitigate many software weaknesses, it is essential to have robust security mechanisms built into the architecture.
  2. It is essential to ensure software security throughout its entire life cycle (SDLC) to detect new vulnerabilities and fix them before malicious actors can successfully exploit them.

This is precisely what the ranking of the most dangerous software weaknesses seeks to achieve: strengthening the security of programs from the design stage through to market. To this end, it focuses on:

  1. Facilitating the reduction of vulnerabilities through secure architectural planning that allows for the elimination of families of defects.
  2. The cost savings of avoiding weaknesses in program development. This reduces the vulnerabilities that will need to be managed in the future.
  3. Analyzing trends in vulnerabilities to help companies detect systemic problems and implement best security practices in software development and maintenance.

Code injection is one of the most dangerous software weaknesses

Key cybersecurity services to protect against the most dangerous software weaknesses

When it comes to avoiding the most dangerous software weaknesses and mitigating vulnerabilities in programs, both companies that develop software and those that use third-party programs need to have key cybersecurity services in place:

  • Source code audits. Through static analysis of source code, security issues can be detected without executing the code. In this way, weaknesses and poor development practices can be discovered quickly and at an early stage. In addition, it is possible to analyze in depth all possible execution paths through the source code to prevent weaknesses in the program’s architecture.
  • Continuous security audits. This type of audit identifies weaknesses in applications and tests their entry points against injection and other advanced attack techniques. It is also key for identifying vulnerabilities in software or frameworks, as well as weaknesses in the software’s business logic, which may go unnoticed by automated analysis tools.
  • Penetration testing services. Advanced intrusion tests are offensive security tests that simulate real cyberattacks in controlled environments to identify weaknesses that could be exploited by malicious actors and check whether specific threats against companies can be carried out, such as access to confidential information or disruption of software operations. In addition, pentesters
  • Vulnerability management. Managing vulnerabilities that affect corporate software is an essential task in any company’s cybersecurity strategy. Through vulnerability management, it is possible to minimize the risk of security incidents, continuously monitor programs, and design a mitigation plan that prioritizes vulnerabilities that pose the greatest risk of exploitation and/or could cause the most damage to the company’s business model.

Conclusions

The most dangerous software weaknesses open the door to programs having vulnerabilities that, if exploited, can trigger serious consequences for the companies that manufacture and/or use them.

Therefore, it is critical that both developers and companies using third-party software have security strategies in place to eliminate weaknesses and detect and mitigate vulnerabilities.

The ranking of the most dangerous software weaknesses allows us to:

  1. Focus on the areas where programs are most insecure.
  2. Emphasize the need to address software security from the design of its architecture and throughout its entire life cycle.