Cyber Resilience

Cross-walk release · 10 June 2026

OWASP Top 10 Web 2025 ↔ CWE

A two-way mapping between OWASP Top 10 Web 2025 and CWE: 258 related pairs, 516 directional rows, LLM-authored (generalizes · specializes) and human-QA’d (cohort bulk_after_review_2026_06_08 where applicable).

The original mapping — and where we differ

The authoritative reference is MITRE OWASP-category → member CWEs, a one-way mapping. We compared our two-way reading against it on a pair-presence basis (do we relate the same two entities at all?):

Authoritative pairs | 249
Agreement (we relate it too) | 220
Conflict (authority relates it, we found no link) | 29
Addition (we relate it, authority omits) | 38

Authority maps, we found no link: A01:2025 ↔ CWE-377; A01:2025 ↔ CWE-540; A01:2025 ↔ CWE-615; A02:2025 ↔ CWE-16; A02:2025 ↔ CWE-315; A02:2025 ↔ CWE-547

We map, authority omits: A01:2025 ↔ CWE-1299; A01:2025 ↔ CWE-37; A01:2025 ↔ CWE-38; A01:2025 ↔ CWE-39; A01:2025 ↔ CWE-40; A01:2025 ↔ CWE-57

Reliability

Metric | OWASP Top 10 Web 2025 → CWE | CWE → OWASP Top 10 Web 2025
Completeness (full + mostly) | 84.5% | 0.5%
Scope — no counterpart (none) | 0.0% | 20.2%
Counterpart coverage | 10 of 10 (100.0%) | 253 mapped

Reverse-presence (bidirectionality): 79.8%
Extent-rank correlation (forward vs reverse): 0.666

Completeness = share of present edges rated full or mostly. Scope = share of pairs with no coverage in that direction (a high value flags entities the other framework doesn’t reach). Reverse-presence = of forward mappings, how many also map back.
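
The pair-presence comparison and the reliability definitions above, recomputed from directional edge rows. This is an added example, not the release's own code: the field names (`source`, `target`, `direction`, `coverage`), the `partial` level, and all IDs are assumptions or constructed sample data.

```python
from collections import namedtuple

# Assumed shape of one directional edge row; the field names and the "partial"
# level are hypothetical, so check them against the real CSV header.
Edge = namedtuple("Edge", "source target direction coverage")

# Constructed sample (placeholder IDs): 4 related pairs, 8 directional rows.
EDGES = [
    Edge("OWASP-X1", "CWE-x1", "forward", "full"),
    Edge("OWASP-X1", "CWE-x2", "forward", "mostly"),
    Edge("OWASP-X2", "CWE-x3", "forward", "partial"),
    Edge("OWASP-X2", "CWE-x4", "forward", "full"),
    Edge("CWE-x1", "OWASP-X1", "reverse", "partial"),
    Edge("CWE-x2", "OWASP-X1", "reverse", "mostly"),
    Edge("CWE-x3", "OWASP-X2", "reverse", "none"),
    Edge("CWE-x4", "OWASP-X2", "reverse", "none"),
]
# Constructed stand-in for the authority's one-way category -> CWE pairs.
AUTHORITY = {("OWASP-X1", "CWE-x1"), ("OWASP-X2", "CWE-x3"), ("OWASP-X2", "CWE-x9")}

def present_pairs(edges, direction):
    """(category, cwe) pairs whose edge in `direction` has any coverage."""
    out = set()
    for e in edges:
        if e.direction == direction and e.coverage != "none":
            out.add((e.source, e.target) if direction == "forward" else (e.target, e.source))
    return out

def reliability(edges, direction):
    """Return (completeness, scope_none) for one direction."""
    rows = [e for e in edges if e.direction == direction]
    present = [e for e in rows if e.coverage != "none"]
    strong = sum(e.coverage in ("full", "mostly") for e in present)
    completeness = strong / len(present) if present else 0.0
    scope_none = (len(rows) - len(present)) / len(rows) if rows else 0.0
    return completeness, scope_none

def reverse_presence(edges):
    """Of the forward mappings, the share that also map back."""
    fwd = present_pairs(edges, "forward")
    return len(fwd & present_pairs(edges, "reverse")) / len(fwd) if fwd else 0.0

def pair_presence_diff(ours, authority):
    """Direction-agnostic comparison: do both sides relate the same two entities?"""
    return {"agreement": ours & authority,
            "conflict": authority - ours,   # authority relates it, we found no link
            "addition": ours - authority}   # we relate it, authority omits
```
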

Abstraction

Metric | OWASP Top 10 Web 2025 | CWE
Breadth (avg counterparts per entity) | 25.8 | 1.01
Depth (avg coverage strength, 0–3) | 2.28 | 1.0

Verdict: OWASP Top 10 Web 2025 sits at a higher level of abstraction (fans out more).

CWE abstraction: Base 141, Variant 56, Class 50, Pillar 3, Compound 3

Raw data

Download the full mapping (every directional edge + the metrics block): JSON · CSV · XLSX

JSON is full-fidelity; CSV is one row per directional edge; XLSX has edges / metrics / diff sheets.