Cyber Resilience

CWEs

Which weakness types show up in our CVE corpus, and which controls address them?

This index covers all 748 CWEs cited by at least one CVE across the NVD records we ingest — split into frequent (420, cited ≥10 times) and rare (328, 1–9 times). Frequent weaknesses link to a detail page with the NIST 800-53 r5 controls that address them (LLM-proposed) and their top CVEs ranked by Risk Priority; rarer ones link out to MITRE. Below the search, the blind spot — 206 live weaknesses no CVE has ever been tagged with.

321,047 CVE→CWE tags in the corpus
748 distinct weaknesses cited (≥1 CVE)
64.1% of all tags land on just the top 20 CWEs
206 live weaknesses no CVE has ever cited

The blind spot: 206 weaknesses no CVE reports

These are live (non-deprecated) weakness types in the MITRE catalogue that no CVE in our corpus has ever been tagged with. Many are design-level weaknesses NVD analysts rarely reach for — the kind of systemic flaw that never gets its own advisory. Each links to MITRE's canonical definition.

Class-level 11

Base-level 104

Variant-level 91

Catalogue summary

Mapped weaknesses by abstraction level. Coverage is heavily concentrated: 64.1% of all 321,047 CVE→CWE tags land on just the top 20 CWEs. A further 14,280 tags point at 42 retired category ids MITRE prohibits for mapping (e.g. CWE-264, CWE-399) — those CVEs carry no usable weakness mapping and are excluded here.

Abstraction level    CWEs
Base                 423
Variant              205
Class                103
Pillar               10
Compound             7