{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,24]],"date-time":"2026-05-24T05:04:15Z","timestamp":1779599055978,"version":"3.53.1"},"reference-count":31,"publisher":"MDPI AG","issue":"6","license":[{"start":{"date-parts":[[2026,5,22]],"date-time":"2026-05-22T00:00:00Z","timestamp":1779408000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/100009110","name":"Natural Science Foundation of Xinjiang Uygur Autonomous Region","doi-asserted-by":"crossref","award":["2023D01A46"],"award-info":[{"award-number":["2023D01A46"]}],"id":[{"id":"10.13039\/100009110","id-type":"DOI","asserted-by":"crossref"}]},{"name":"2025 Special Research Project on Education Network Security","award":["CAETCS25006"],"award-info":[{"award-number":["CAETCS25006"]}]},{"name":"National Key R&D Program","award":["2024YFF0908203-3"],"award-info":[{"award-number":["2024YFF0908203-3"]}]},{"name":"Shanghai Cooperation Organization Science and Technology Partnership Program","award":["2025E01038"],"award-info":[{"award-number":["2025E01038"]}]},{"name":"Xinjiang \u201cTianshan Talent\u201d Training Program for Outstanding Engineers","award":["EB0210"],"award-info":[{"award-number":["EB0210"]}]}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Information"],"abstract":"<jats:p>To address the rapid growth of software vulnerabilities, the latency of manual expert classification, and the limitations of existing methods restricted to fixed categories, this paper proposes V2W-LLM, an automated vulnerability-to-weakness mapping model based on Large Language Models (LLMs). First, a dataset of CVE-CWE description pairs is constructed based on established expert correlations from MITRE. Subsequently, the LLM is instruction-tuned on this dataset to leverage its reasoning capabilities in generating CWE-style descriptive text for newly disclosed, unmapped vulnerabilities. Finally, using a BAAI-based embedding model, the semantic representations of the generated text and official CWE descriptions are computed to identify the optimal mapping via cosine similarity (Top-1). Experimental results indicate that V2W-LLM achieves an accuracy of 90.18% and a Macro-F1 of 87.64% in common categories. Furthermore, on the public ChatGPT-VDMEval and the latest 2024 NVD datasets, the model attains F1 scores of 86.02% and 94.02% respectively, validating its effectiveness in automating the vulnerability-to-weakness mapping process.<\/jats:p>","DOI":"10.3390\/info17060513","type":"journal-article","created":{"date-parts":[[2026,5,22]],"date-time":"2026-05-22T09:17:09Z","timestamp":1779441429000},"page":"513","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["V2W-LLM: Automated Vulnerability to Weakness Mapping Based on Large Language Model"],"prefix":"10.3390","volume":"17","author":[{"given":"Ziguo","family":"Wang","sequence":"first","affiliation":[{"name":"College of Computer Science & Technology, Xinjiang Normal University, Urumqi 830054, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Mei","family":"Nian","sequence":"additional","affiliation":[{"name":"College of Computer Science & Technology, Xinjiang Normal University, Urumqi 830054, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Yaling","family":"Jing","sequence":"additional","affiliation":[{"name":"College of Computer Science & Technology, Xinjiang Normal University, Urumqi 830054, China"}],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Jun","family":"Zhang","sequence":"additional","affiliation":[{"name":"Xinjiang Technical Institute of Physics and Chemistry, Chinese Academy of Sciences, Urumqi 830011, China"}],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"1968","published-online":{"date-parts":[[2026,5,22]]},"reference":[{"key":"ref_1","unstructured":"MITRE (2024, September 15). Common Vulnerabilities and Exploits (CVE). Available online: https:\/\/cve.mitre.org\/."},{"key":"ref_2","first-page":"981","article-title":"AI-driven vulnerability management and automated threat mitigation","volume":"10","author":"Komaragiri","year":"2022","journal-title":"Int. J. Sci. Res. Manag."},{"key":"ref_3","unstructured":"MITRE (2024, September 15). Common Weakness Enumeration (CWE). Available online: https:\/\/cwe.mitre.org\/."},{"key":"ref_4","doi-asserted-by":"crossref","first-page":"44","DOI":"10.1109\/TSE.2022.3140868","article-title":"The secret life of software vulnerabilities: A large-scale empirical study","volume":"49","author":"Iannone","year":"2022","journal-title":"IEEE Trans. Softw. Eng."},{"key":"ref_5","unstructured":"Haddad, O.A., Ikram, M., Ahmed, E., and Lee, Y. (2025). Prompting the Priorities: A First Look at Evaluating LLMs for Vulnerability Triage and Prioritization. arXiv."},{"key":"ref_6","unstructured":"Uddin, M.N., Zhang, Y., and Hei, X. (2025). Deep learning aided software vulnerability detection: A survey. arXiv."},{"key":"ref_7","unstructured":"Risse, N., and B\u00f6hme, M. (2024, January 14\u201316). Uncovering the limits of machine learning for automatic vulnerability detection. Proceedings of the 33rd USENIX Security Symposium (USENIX Security 24), Philadelphia, PA, USA."},{"key":"ref_8","first-page":"238","article-title":"Software design level vulnerability classification model","volume":"6","author":"Rehman","year":"2012","journal-title":"Int. J. Comput. Sci. Secur. IJCSS"},{"key":"ref_9","doi-asserted-by":"crossref","unstructured":"Aota, M., Kanehara, H., Kubo, M., Murata, N., Sun, B., and Takahashi, T. (2020, January 8\u201310). Automation of vulnerability classification from its description using machine learning. Proceedings of the 2020 IEEE Symposium on Computers and Communications (ISCC), Rennes, France.","DOI":"10.1109\/ISCC50000.2020.9219568"},{"key":"ref_10","doi-asserted-by":"crossref","unstructured":"Davari, M., Zulkernine, M., and Jaafar, F. (2017, January 24\u201325). An automatic software vulnerability classification framework. Proceedings of the 2017 International Conference on Software Security and Assurance (ICSSA), Altoona, PA, USA.","DOI":"10.1109\/ICSSA.2017.27"},{"key":"ref_11","doi-asserted-by":"crossref","unstructured":"Na, S., Kim, T., and Kim, H. (2016, January 5\u20137). A study on the classification of common vulnerabilities and exposures using na\u00efve bayes. Proceedings of the International Conference on Broadband and Wireless Computing, Communication and Applications, Asan, Republic of Korea.","DOI":"10.1007\/978-3-319-49106-6_65"},{"key":"ref_12","doi-asserted-by":"crossref","unstructured":"Terdchanakul, P., Hata, H., Phannachitta, P., and Matsumoto, K. (2017, January 17\u201322). Bug or not? Bug report classification using n-gram idf. Proceedings of the 2017 IEEE International Conference on Software Maintenance and Evolution (ICSME), Shanghai, China.","DOI":"10.1109\/ICSME.2017.14"},{"key":"ref_13","doi-asserted-by":"crossref","unstructured":"Albanese, M., Adebiyi, O., and Onovae, F. (2024, January 8\u201310). CVE2CWE: Automated Mapping of Software Vulnerabilities to Weaknesses Based on CVE Descriptions. Proceedings of the 21st International Conference on Security and Cryptography (SECRYPT), Dijon, France.","DOI":"10.5220\/0012770400003767"},{"key":"ref_14","doi-asserted-by":"crossref","first-page":"1679","DOI":"10.1587\/transinf.2018OFL0006","article-title":"Character-level convolutional neural network for predicting severity of software vulnerability from vulnerability description","volume":"102","author":"Nakagawa","year":"2019","journal-title":"IEICE Trans. Inf. Syst."},{"key":"ref_15","doi-asserted-by":"crossref","first-page":"613","DOI":"10.1108\/ICS-10-2024-0265","article-title":"Severity prediction of software vulnerabilities using convolutional neural networks","volume":"33","author":"Saklani","year":"2025","journal-title":"Inf. Comput. Secur."},{"key":"ref_16","doi-asserted-by":"crossref","first-page":"e2508","DOI":"10.1002\/smr.2508","article-title":"Automatic software vulnerability classification by extracting vulnerability triggers","volume":"36","author":"Sun","year":"2024","journal-title":"J. Softw. Evol. Process"},{"key":"ref_17","first-page":"446","article-title":"Research on Automatic Vulnerability Classification Technology Based on BiGRU-TextCNN Framework","volume":"10","author":"Zhang","year":"2024","journal-title":"J. Inf. Secur. Res."},{"key":"ref_18","unstructured":"Devlin, J., Chang, M.-W., Lee, K., and Toutanova, K. (2019). BERT: Pre-training of Deep Bidirectional Transformers for Language Understanding. Proceedings of the 2019 Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies, Volume 1 (Long and Short Papers), Association for Computational Linguistics."},{"key":"ref_19","doi-asserted-by":"crossref","unstructured":"Das, S.S., Serra, E., Halappanavar, M., Pothen, A., and Al-Shaer, E. (2021, January 6\u20139). V2W-BERT: A framework for effective hierarchical multiclass classification of software vulnerabilities. Proceedings of the 2021 IEEE 8th International Conference on Data Science and Advanced Analytics (DSAA), Porto, Portugal.","DOI":"10.1109\/DSAA53316.2021.9564227"},{"key":"ref_20","doi-asserted-by":"crossref","unstructured":"Zhu, C., Du, G., Wu, T., Cui, N., Chen, L., and Shi, G. (2022, January 7\u20139). BERT-based vulnerability type identification with effective program representation. Proceedings of the International Conference on Wireless Algorithms, Systems, and Applications, Dalian, China.","DOI":"10.1007\/978-3-031-19208-1_23"},{"key":"ref_21","first-page":"3447","article-title":"Vulnerability Classification Method Based on Dual Attention Mechanism and Improved Adversarial Training","volume":"41","author":"Yang","year":"2024","journal-title":"Appl. Res. Comput."},{"key":"ref_22","doi-asserted-by":"crossref","unstructured":"Wang, T., Qin, S., and Chow, K.P. (2021, January 20\u201322). Towards vulnerability types classification using pure self-attention: A common weakness enumeration based approach. Proceedings of the 2021 IEEE 24th International Conference on Computational Science and Engineering (CSE), Shenyang, China.","DOI":"10.1109\/CSE53436.2021.00030"},{"key":"ref_23","unstructured":"Simonetto, S., van Ede, T.S., Bosch, P., Jonker, W., and Oostveen, R. (2024, January 26). Text2Weak: Mapping CVEs to CWEs using description embeddings analysis. Proceedings of the 4th Workshop on Artificial Intelligence-Enabled Cybersecurity Analytics, Barcelona, Spain."},{"key":"ref_24","unstructured":"Neelakantan, A., Xu, T., Puri, R., Radford, A., Han, J.M., Tworek, J., Yuan, Q., Tezak, N., Kim, J.W., and Hallacy, C. (2022). Text and code embeddings by contrastive pre-training. arXiv."},{"key":"ref_25","unstructured":"Hu, E.J., Shen, Y., Wallis, P., Allen-Zhu, Z., Li, Y., Wang, S., Wang, L., and Chen, W. (2022, January 25\u201329). LoRA: Low-rank adaptation of large language models. Proceedings of the International Conference on Learning Representations (ICLR), Virtual."},{"key":"ref_26","doi-asserted-by":"crossref","unstructured":"Chen, J., Xiao, S., Zhang, P., Luo, K., Lian, D., and Liu, Z. (2024, January 11\u201316). M3-embedding: Multi-linguality, multi-functionality, multi-granularity text embeddings through self-knowledge distillation. Proceedings of the Findings of the Association for Computational Linguistics: ACL 2024, Bangkok, Thailand.","DOI":"10.18653\/v1\/2024.findings-acl.137"},{"key":"ref_27","doi-asserted-by":"crossref","unstructured":"Muennighoff, N., Tazi, N., Magne, L., and Reimers, N. (2023, January 2\u20136). MTEB: Massive text embedding benchmark. Proceedings of the 17th Conference of the European Chapter of the Association for Computational Linguistics (EACL), Dubrovnik, Croatia.","DOI":"10.18653\/v1\/2023.eacl-main.148"},{"key":"ref_28","doi-asserted-by":"crossref","first-page":"535","DOI":"10.1109\/TBDATA.2019.2921572","article-title":"Billion-scale similarity search with GPUs","volume":"7","author":"Johnson","year":"2019","journal-title":"IEEE Trans. Big Data"},{"key":"ref_29","doi-asserted-by":"crossref","unstructured":"Liu, X., Tan, Y., Xiao, Z., Zhuge, J., and Zhou, R. (2023, January 9\u201314). Not the end of story: An evaluation of ChatGPT-driven vulnerability description mappings. Proceedings of the Findings of the Association for Computational Linguistics: ACL 2023, Toronto, ON, Canada.","DOI":"10.18653\/v1\/2023.findings-acl.229"},{"key":"ref_30","unstructured":"Vaswani, A., Shazeer, N., Parmar, N., Uszkoreit, J., Jones, L., Gomez, A.N., Kaiser, \u0141., and Polosukhin, I. (2017). Attention is all you need. Adv. Neural Inf. Process. Syst., 30."},{"key":"ref_31","doi-asserted-by":"crossref","first-page":"103070","DOI":"10.1016\/j.cose.2022.103070","article-title":"An automatic classification algorithm for software vulnerability based on weighted word vector and fusion neural network","volume":"126","author":"Wang","year":"2023","journal-title":"Comput. Secur."}],"container-title":["Information"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2078-2489\/17\/6\/513\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,5,24]],"date-time":"2026-05-24T04:12:29Z","timestamp":1779595949000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2078-2489\/17\/6\/513"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026,5,22]]},"references-count":31,"journal-issue":{"issue":"6","published-online":{"date-parts":[[2026,6]]}},"alternative-id":["info17060513"],"URL":"https:\/\/doi.org\/10.3390\/info17060513","relation":{},"ISSN":["2078-2489"],"issn-type":[{"value":"2078-2489","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026,5,22]]}}}