This year's Top 25 entries are prioritized using input from over 20 different organizations, each of which evaluated every weakness on prevalence, importance, and likelihood of exploit.
The ranking uses the Common Weakness Scoring System (CWSS) to score and order the final results.
For data-rich software applications, SQL injection (CWE-89) is the means to steal the keys to the kingdom: one unvalidated input can hand an attacker the entire database.
Cross-site scripting (CWE-79) is the bane of web applications everywhere.
Rounding out the top 5 is Missing Authentication for Critical Function (CWE-306).
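To make the SQL injection entry concrete, here is an added example (not from the Top 25 list or its authors) that builds a small in-memory SQLite table, runs the same lookup two ways, and shows why the parameterized form defeats the classic tautology payload. The table contents and the payload string are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data for the demo; nothing here comes from the Top 25 page.
SAMPLE_USERS = [
    ("alice", "alice@example.com", 1),
    ("bob", "bob@example.com", 0),
    ("carol", "carol@example.com", 0),
]

# Constructed attacker input: closes the string literal, then adds an always-true clause.
PAYLOAD = "x' OR '1'='1"


def make_db():
    """Create an in-memory database with a users table (constructed test fixture)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (name, email, is_admin) VALUES (?, ?, ?)", SAMPLE_USERS
    )
    return conn


def lookup_vulnerable(conn, name):
    """CWE-89: untrusted input is spliced into the query text, so it can become SQL syntax."""
    query = f"SELECT name, email FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn, name):
    """Fix: the value travels as a bound parameter and is never parsed as SQL."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def demo(payload=PAYLOAD):
    """Run both lookups with the same attacker input; returns (leaked_rows, safe_rows)."""
    conn = make_db()
    leaked = lookup_vulnerable(conn, payload)   # tautology matches every row
    safe = lookup_parameterized(conn, payload)  # no user is literally named "x' OR '1'='1"
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print(f"vulnerable query returned {len(leaked)} rows: {leaked}")
    print(f"parameterized query returned {len(safe)} rows: {safe}")
```

The vulnerable query becomes `SELECT name, email FROM users WHERE name = 'x' OR '1'='1'` and dumps the whole table; the parameterized version treats the payload as an ordinary string and finds nothing. The same pattern applies to any driver that supports placeholders, and it is the primary mitigation CWE-89 recommends.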
Check whether the software you acquire exhibits any of the weaknesses on the Top 25 (or on your own custom list), and if so, contact your vendor to determine what processes the vendor is undertaking to minimize the risk that these weaknesses will continue to be introduced into the code.
See the On the Cusp summary for weaknesses that did not make the final Top 25; it includes weaknesses that are only starting to grow in prevalence or importance, so they may become your problem in the future.
Consider using the Top 25 as part of contract language during the software acquisition process.