🛡️ CWE MITRE Scraper

🚀 Export the Common Weakness Enumeration catalogue in seconds. Pull single weaknesses, the full ~900-record catalogue, CWE Categories, or curated CWE Views like the Top 25 Most Dangerous Software Weaknesses. No sign-up, no manual scraping, no XML parsing.

🕒 Last updated: 2026-05-15 · 📊 25+ fields per record · 🛡️ 900+ weaknesses · 🗂️ Categories + Views (Top 25) · 🌐 Official MITRE catalogue

The CWE MITRE Scraper exports the official MITRE Common Weakness Enumeration catalogue and returns up to 25+ structured fields per record, including ID, name, abstraction, structure, status, exploit likelihood, descriptions, applicable platforms, common consequences, detection methods, potential mitigations, demonstrative + observed examples, taxonomy mappings (OWASP, CAPEC, NVD), related weaknesses, and references. The CWE catalogue is the de-facto reference for software weakness classification used by NIST, OWASP, vendors, and the wider AppSec community.

The catalogue covers 900+ weaknesses, dozens of CWE Categories, and curated CWE Views including the annual CWE Top 25 Most Dangerous Software Weaknesses. This Actor delivers the data as CSV, Excel, JSON, or XML in under a minute, so you skip the catalogue parsing, the cross-referencing, and the manual lookups.

🎯 Target Audience	💡 Primary Use Cases
AppSec engineers, vulnerability researchers, GRC analysts, SOC teams, security tooling vendors, academic researchers	Vulnerability triage, security training, CWE-to-CVE mapping, secure SDLC checklists, threat modelling, compliance reports

---

📋 What the CWE MITRE Scraper does

Four lookup modes in a single run:

• 🎯 Single CWE. Pull one weakness by numeric ID (e.g. 79 for XSS, 89 for SQL Injection, 787 for Out-of-bounds Write), or batch up to 100 IDs in one run.
• 🌐 All CWEs. Export the full catalogue of ~900 weaknesses with optional substring filter on the Name (e.g. "Cross-Site", "Buffer Overflow", "Authentication").
• 🗂️ Category. Resolve every weakness inside a CWE Category (e.g. 699 Software Development, 1000 Research Concepts).
• 🏆 View. Resolve curated CWE Views like 1387 (CWE Top 25 Most Dangerous Software Weaknesses, 2024) or 1003 (Weaknesses for Simplified Mapping).

Each record includes the canonical CWE identifiers, structured prose descriptions, modes of introduction, common consequences with impact and likelihood, detection methods, mitigation guidance, demonstrative and observed code examples, taxonomy mappings to OWASP / WASC / CAPEC, and references with bibliographies.

💡 Why it matters: modern AppSec, vulnerability management, and secure-SDLC pipelines all map findings back to CWE. Building the lookup yourself means parsing official XML dumps, normalising HTML in descriptions, and refreshing on every catalogue revision. This Actor skips all of that.

---

🎬 Full Demo

🚧 Coming soon: a 3-minute walkthrough showing how to go from sign-up to a downloaded CWE dataset.

---

⚙️ Input

Input	Type	Default	Behavior
mode	string	"single"	One of single, all, category, view.
cweId	string	"79"	CWE numeric ID for single mode (e.g. 79 = XSS, 89 = SQL Injection).
cweIds	string[]	[]	Batch lookup. Takes precedence over cweId.
categoryId	string	""	CWE Category ID for category mode (e.g. 699 = Software Development).
viewId	string	""	CWE View ID for view mode (e.g. 1387 = Top 25 (2024)).
category	string	""	Substring filter on Name (case-insensitive, "all" mode only).
maxItems	integer	10	Free plan caps at 10, paid plan at 1,000,000.

Example: pull the OWASP-classic XSS weakness.

{
    "mode": "single",
    "cweId": "79"
}

Example: export the CWE Top 25 Most Dangerous Software Weaknesses (2024).

{
    "mode": "view",
    "viewId": "1387",
    "maxItems": 25
}

⚠️ Good to Know: descriptions in the source can include lightweight HTML markup. The Actor preserves the original markup in description / extendedDescription and also exposes a clean text version in extendedDescriptionText so you can use either.

---

📊 Output

Each CWE record contains up to 25+ fields. Download the dataset as CSV, Excel, JSON, or XML.

🧾 Schema

Field	Type	Example
🆔 id	string	"79"
🏷️ name	string	"Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
🧱 abstraction	string	"Base"
🧩 structure	string	"Simple"
📌 status	string	"Stable"
⚠️ likelihoodOfExploit	string | null	"High"
📝 description	string	"The product does not neutralize..."
📖 extendedDescription	string | null	"Cross-site scripting (XSS) vulnerabilities..."
📜 extendedDescriptionText	string | null	Plain-text version of the above
🔁 alternateTerms	array | null	XSS, HTML Injection
🚪 modesOfIntroduction	array | null	Architecture, Implementation phases
💻 applicablePlatforms	array | null	Languages, OS, architectures
💥 commonConsequences	array | null	Impact, scope, likelihood per scenario
🔍 detectionMethods	array | null	Manual analysis, fuzzing, SAST, DAST
🛡️ potentialMitigations	array | null	Mitigation phase + description
🧪 demonstrativeExamples	array | null	Annotated code snippets
🌍 observedExamples	array | null	Real CVE references
🗺️ taxonomyMappings	array | null	OWASP, CAPEC, WASC, ISA mappings
🔗 relatedWeaknesses	array | null	ChildOf / ParentOf / PeerOf links
🗒️ notes	array | null	Maintainer notes
📚 references	array | null	Bibliography entries
🔗 url	string	"https://cwe.mitre.org/data/definitions/79.html"
🕒 scrapedAt	ISO 8601	"2026-05-15T00:00:00.000Z"

📦 Sample record

---

✨ Why choose this Actor

	Capability
🛡️	Full catalogue. 900+ weaknesses plus every CWE Category and CWE View, including the annual Top 25.
🎯	Four lookup modes. Single ID, batch IDs, category resolution, or full export with substring filter.
🗺️	Taxonomy joins. Mappings to OWASP, CAPEC, WASC, ISA-62443, NIST SP 800-53, and more for cross-system reporting.
💥	Operational fields. Common consequences, detection methods, and mitigation guidance ready to drop into security tickets.
🧪	Code examples. Demonstrative snippets and observed CVE references for training and triage.
🔁	Always fresh. Each run pulls the latest catalogue revision, so MITRE's changes propagate to your dataset automatically.
🚫	No sign-up. Works against the public catalogue. No login or token required.

📊 Reliable CWE data is the backbone of every vulnerability management programme, secure SDLC pipeline, and AppSec dashboard.

---

📈 How it compares to alternatives

Approach	Cost	Coverage	Refresh	Filters	Setup
⭐ CWE MITRE Scraper (this Actor)	$5 free credit, then pay-per-use	900+ weaknesses, Categories, Views	Live per run	mode, ID, category, view, substring	⚡ 2 min
Hand-parse the official XML dump	Free	Full catalogue	Manual	Whatever you build	🐢 Days
Commercial AppSec platforms	$$$$/year	Full + extras	Vendor schedule	Many	⏳ Weeks
Stale community CSVs	Free	Subset, often outdated	Rarely	None	🕒 Variable

Pick this Actor when you want clean structured records, modern fields, and zero pipeline maintenance.

---

🚀 How to use

1. 📝 Sign up. Create a free account w/ $5 credit (takes 2 minutes).
2. 🌐 Open the Actor. Go to the CWE MITRE Scraper page on the Apify Store.
3. 🎯 Set input. Choose mode (single, all, category, view), provide the relevant ID, set maxItems.
4. 🚀 Run it. Click Start and let the Actor collect your data.
5. 📥 Download. Grab your results in the Dataset tab as CSV, Excel, JSON, or XML.

⏱️ Total time from signup to downloaded dataset: 3-5 minutes. No coding required.

---

💼 Business use cases

🛡️ AppSec & Vulnerability Management Auto-tag tickets with CWE name, abstraction, exploit likelihood Build CWE-to-CVE bridges for triage workflows Surface mitigations directly in pull-request review Power vulnerability scoring dashboards with consequence data	📋 GRC & Compliance Map findings to OWASP Top 10 / CAPEC / NIST controls Evidence packs for SOC 2, ISO 27001, PCI DSS audits Quarterly Top 25 trend reports for the board Coverage matrices for ASVS / SAMM programmes
🧑‍💻 Developer Education & Secure SDLC Inline CWE explainers in code-review bots Just-in-time security training tied to ticket weaknesses Curated learning paths from CWE Categories Internal wiki content auto-refreshed on each catalogue release	🏢 Security Tooling Vendors Embed canonical CWE data in your scanner UI Build an offline reference snapshot for air-gapped customers Drive heuristics from observed-example code patterns Localise mitigation guidance into your customer dashboards

---

🔌 Automating CWE MITRE Scraper

Control the scraper programmatically for scheduled runs and pipeline integrations:

• 🟢 Node.js. Install the apify-client NPM package.
• 🐍 Python. Use the apify-client PyPI package.
• 📚 See the Apify documentation for full details.

The Apify Schedules feature lets you trigger this Actor on any cron interval. Quarterly Top 25 refreshes, monthly catalogue mirrors, or on-demand triage lookups are all one click.

---

🌟 Beyond business use cases

Structured CWE data powers more than enterprise pipelines. The same records support research, education, civic security, and personal initiatives.

🎓 Research and academia Empirical AppSec studies grounded in canonical taxonomy Reproducible meta-analyses across CWE revisions Coursework on secure programming and threat modelling Cross-taxonomy research bridging CAPEC, ATT&CK, and OWASP	🎨 Personal and creative Indie security blog write-ups with cited weaknesses CTF challenge generators seeded by CWE categories Training cards and flashcards for AppSec interviews Portfolio side projects that visualise the full taxonomy
🤝 Non-profit and civic Open-source security guidance for under-resourced teams Civic-tech audits enriched with mitigation playbooks Public-interest research on common breach root causes Community wiki refreshes maintained by volunteers	🧪 Experimentation Train classifiers that suggest CWE IDs from bug reports Prototype LLM agents that explain weaknesses in plain English Build retrieval pipelines for CVE root-cause analysis Validate AppSec product hypotheses with real reference data

---

🤖 Ask an AI assistant about this scraper

Open a ready-to-send prompt about this ParseForge actor in the AI of your choice:

• 💬 ChatGPT
• 🧠 Claude
• 🔍 Perplexity
• 🅒 Copilot

---

❓ Frequently Asked Questions

🧩 How does it work?

Pick a mode (single, all, category, view), provide the relevant ID, and click Start. The Actor pulls the catalogue, normalises each record, and emits a clean structured row per weakness. No browser automation, no captcha, no setup.

📏 Is the data official?

Yes. The catalogue is the official MITRE CWE source of truth. Each record links back to its canonical cwe.mitre.org/data/definitions/{id}.html page in the url field for cross-checking.

🔁 How often is the catalogue refreshed?

MITRE publishes catalogue revisions on a regular cadence. Every Actor run pulls the current live state, so your dataset always reflects the most recent revision available.

🏆 Can I export the CWE Top 25?

Yes. Set mode to view and viewId to 1387 to pull the 2024 Top 25 Most Dangerous Software Weaknesses. Other Views like 1003 (Simplified Mapping) work the same way.

🗂️ What's the difference between Category and View?

A Category groups weaknesses by an attribute (e.g. "Software Development"). A View is a curated lens for a specific audience or purpose (e.g. CWE Top 25, Simplified Mapping for vulnerability disclosures). The Actor supports both.

🔗 Can I batch many CWE IDs in one run?

Yes. Set mode to single and supply cweIds as an array (e.g. ["79", "89", "787"]). Up to 100 IDs per run.

⏰ Can I schedule regular runs?

Yes. Use Apify Schedules to run this Actor on any cron interval (hourly, daily, weekly) and keep a downstream catalogue snapshot in sync.

⚖️ Is this data legal to use?

The CWE catalogue is published by MITRE for public use under its standard terms. Review MITRE's terms of use for your specific use case, but reference catalogue data is generally cleared for commercial and non-commercial reuse.

💳 Do I need a paid Apify plan to use this Actor?

No. The free Apify plan is enough for testing and small runs (10 records per run). A paid plan lifts the limit and gives you scheduling, higher concurrency, and larger datasets.

🔁 What happens if a run fails or gets interrupted?

Apify automatically retries transient errors. If a run still fails, you can inspect the log in the Runs tab, fix the input, and re-run. Partial datasets from failed runs are preserved so you never lose progress.

🆘 What if I need help?

Our support team is here to help. Contact us through the Apify platform or use the Tally form linked below.

---

🔌 Integrate with any app

CWE MITRE Scraper connects to any cloud service via Apify integrations:

• Make - Automate multi-step workflows
• Zapier - Connect with 5,000+ apps
• Slack - Get run notifications in your channels
• n8n - Self-hosted workflow automation
• Pipedream - Event-driven serverless workflows
• Airbyte - Pipe weakness data into your warehouse
• GitHub - Trigger runs on pull requests and releases
• Google Drive - Export datasets straight to Sheets

You can also use webhooks to trigger downstream actions when a run finishes. Push fresh CWE data into your AppSec dashboard, or alert your team in Slack when the Top 25 is refreshed.

---

🔗 Recommended Actors

• 🏆 Sofascore Live Events Scraper - Live + scheduled events across 13 sports
• ⚾ MLB Stats Scraper - Schedules, teams, rosters, and live game feeds
• 🏒 NHL Stats Scraper - 32-team standings, schedules, and player profiles
• 🥅 TheSportsDB Scraper - Open sports database across multiple leagues
• 📊 OurAirports Scraper - Global airport reference dataset

💡 Pro Tip: browse the complete ParseForge collection for more reference-data scrapers.

---

🆘 Need Help? Open our contact form to request a new scraper, propose a custom data project, or report an issue.

---

⚠️ Disclaimer: this Actor is an independent tool and is not affiliated with, endorsed by, or sponsored by MITRE Corporation. CWE and Common Weakness Enumeration are trademarks of The MITRE Corporation. All trademarks mentioned are the property of their respective owners. Only publicly available reference data is collected.