Browse 991 CWE entries organized by abstraction level. Explore Pillars, Classes, Base weaknesses, Variants, and Compound weaknesses.
CWE entries are organized into abstraction levels from most general (Pillars) to most specific (Variants). This hierarchy helps you understand weakness relationships and find the right level of detail.
Highest-level weaknesses that represent the most abstract categorization of software security issues.
Abstract weakness types that are typically described independent of any specific language or technology.
Specific weakness types that are more concrete and often describe the actual issue found in code.
Platform, language, or technology-specific weaknesses that are variants of base weaknesses.
Complex weaknesses that involve multiple underlying weaknesses or attack patterns.
When mapping CVEs or real vulnerabilities, use Base or Variant level weaknesses. These provide specific enough detail to accurately describe the issue.
Start with Pillar and Class level weaknesses to understand broad categories, then drill down to specific examples.
Get a free security assessment from our experts. We'll identify vulnerabilities and create a protection plan tailored to your business.
Common questions about the CWE Browse by Abstraction Level
CWE uses abstraction levels to organize weaknesses from the most general (Pillars) to the most specific (Variants). This hierarchy helps developers understand how weaknesses relate to each other and find relevant information.
Pillar weaknesses are the highest level abstractions representing broad categories of security issues. Base weaknesses are more specific and concrete, describing actual issues found in code that can be directly mapped to vulnerabilities.
For CVE and vulnerability mapping, Base and Variant level weaknesses are recommended as they provide sufficient detail. Pillar and Class level weaknesses are too abstract for direct vulnerability mapping.
Continue with these related tools
This tool is provided for educational and authorized security testing purposes only. Always ensure you have proper authorization before testing any systems or networks you do not own. All processing happens client-side in your browser — no data is sent to our servers.